All posts by SNM

We have been so busy that we haven’t been getting content onto the website. Here is a quick rundown of what is going on.


We are giving the keynote address on emerging threat trends at New Mexico Technology in Education on November 20th.


We will be presenting ‘Why you don’t need a pen test’ to the Albuquerque Chapter of ISACA on December 9th.


And because we hate free time we are partnering with Albuquerque Health Care for the Homeless to provide a vulnerability assessment of their network. Being part of the InfoSec community is important, but helping those in need in our local community is part of being a good citizen.


Once all the dust settles, we will be posting more tutorials and content.

With the SandWorm 0day (CVE-2014-4114) and POODLE being released this week, we are working on integrating them into our testing as well as developing good mitigations for our clients. We had discussed internally how Heartbleed would probably focus other researchers on SSL, and that seems to be holding true. We also think that Shellshock will lead to a number of other parsing vulnerabilities being found in other shells and operating systems.

I was able to use the Bash Shellshock vulnerability last week to manually find a vulnerability in a web server through the HTTP User-Agent header. If you can do something manually there is a good chance that it can be done programmatically. This Python program is an extension of that belief.

This program has three simple parts: an ICMP network listener, a urllib2 HTTP request generator, and a simple parser that displays the results. Why ICMP? Five ping packets generated from a vulnerable server should not be a huge burden. Isn’t urllib2 pretty dated? It really is, but it ignores SSL certificate issues, so I didn’t have to handle HTTPS requests differently from HTTP requests.

This isn’t weaponized at all. While it could be weaponized pretty easily, that is up to you, and we don’t recommend testing this on an address that you aren’t authorized to use. Metasploitable2 has a Shellshock User-Agent vulnerability if you want to test this on a controlled network.

Usage – python -r <CIDR range> -t <number of threads *default is 16> -i <interface *default is eth0>

shellshockUAScanner – source code

I was on an assessment this week, just double-checking some scanner results, and I ran across an interesting page (Figure 1).

Figure 1: cgi-bin in URL

I saw the cgi-bin and thought that it might be worth giving it a second look for Shellshock. Shellshock is the awesome brand name for CVE-2014-6271, a GNU Bash vulnerability. The client had placed significant restrictions on actual exploitation on the network; this was truly a vulnerability assessment with validation instead of a penetration test. The first thing I needed to do was see if the web server might be running on a vulnerable OS, so I did a simple Nmap scan (Figure 2).

Figure 2: Nmap results for web server

Now I had a potentially vulnerable OS and an application vector to attack, so I fired up Burp Suite and captured a request to the application (Figure 3).

Figure 3: Request to R2 web application

Knowing that I couldn’t do a Bash one-liner or upload any code to the system due to the restrictions, I decided to start a tcpdump session filtered for traffic from the remote host (Figure 5) and modified the User-Agent string to ( ) { :; }; /bin/bash “ping -c 10” (Figure 4) before forwarding the request on.

Figure 4: Shellshocking the User-Agent

Figure 5: tcpdump filtered for vulnerable host

Look at all those glorious packets! Just a reminder that *nix systems will ping until cancelled, so the -c 10 option instructed it to send only 10 instead of pinging until the end of time. If this had been a true penetration test, instead of sending a ping command I would have used a Bash one-liner to get an interactive shell. This was my first in-the-wild Shellshock, so it was still pretty fun.
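The other side of the two Shellshock posts above is spotting this traffic in web server logs. The following is an added example (not the shellshockUAScanner code or anything else from this site): it parses Apache combined-format access log lines and flags any User-Agent or Referer value carrying the CVE-2014-6271 function-definition prefix, noting whether the request hit a /cgi-bin/ path, which is where a header value reaches bash through the CGI environment. The log lines, hostnames and addresses are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in Apache "combined" log format. Addresses come from the
# 203.0.113.0/24 documentation range; the requests are invented for this example.
SAMPLE_ACCESS_LOG = r'''
203.0.113.10 - - [03/Oct/2014:14:02:11 -0600] "GET /cgi-bin/status.cgi HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/32.0"
203.0.113.77 - - [03/Oct/2014:14:02:19 -0600] "GET /cgi-bin/status.cgi HTTP/1.1" 200 512 "-" "() { :; }; /bin/bash -c \"ping -c 10 203.0.113.5\""
203.0.113.77 - - [03/Oct/2014:14:02:20 -0600] "GET /cgi-bin/status.cgi HTTP/1.1" 200 512 "() { :;}; /bin/true" "curl/7.38.0"
203.0.113.10 - - [03/Oct/2014:14:03:02 -0600] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 6.1) Chrome/37.0"
'''

# Combined log format; the quoted fields may contain \" escapes, so match them explicitly.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<ua>(?:[^"\\]|\\.)*)"'
)

# CVE-2014-6271 trigger shape: a function definition "() { :; };" at the start of a
# header value; whatever follows it is executed when bash imports the environment.
SHELLSHOCK_RE = re.compile(r'\(\s*\)\s*\{\s*:\s*;\s*\}\s*;')


@dataclass
class Hit:
    ip: str
    timestamp: str
    path: str
    field: str      # which logged header carried the payload
    value: str
    cgi: bool       # path under /cgi-bin/, where the header reaches bash via the environment


def parse_line(line: str) -> Optional[dict]:
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_shellshock(lines: List[str]) -> List[Hit]:
    hits: List[Hit] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        parts = rec['request'].split()
        path = parts[1] if len(parts) >= 2 else rec['request']
        for field in ('ua', 'referer'):
            if SHELLSHOCK_RE.search(rec[field]):
                hits.append(Hit(rec['ip'], rec['ts'], path, field, rec[field],
                                path.startswith('/cgi-bin/')))
    return hits


def detect(log_text: str) -> List[Hit]:
    return find_shellshock([l for l in log_text.splitlines() if l.strip()])


if __name__ == '__main__':
    for h in detect(SAMPLE_ACCESS_LOG):
        print(f"{h.timestamp} {h.ip} {h.path} via {h.field}: {h.value}")
```

The pattern tolerates the whitespace variations seen in the wild (`{ :;}` as well as `{ :; }`), and the Referer is checked because Apache exposes it to CGI scripts as HTTP_REFERER just as it does the User-Agent.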


The assumption is that you are here because you are either trying to learn about web app pen testing or you are stuck on one of the challenges. Everyone has their own way that they like to approach web applications. This is mine. We will end up at the same place, so don’t get too hung up on style; focus on content.

All of the posts here are spoilers

To set up for all of the different challenges in DVWA you need to set the security level. This is relatively simple: just click the DVWA Security button and set the level through the interface.

Set Security Level

XSS Reflected – Low

I have security set to Low and I have clicked on the XSS Reflected button. Nice test box, huh? Well, now what are you going to do? I like to jump right in and start stuffing things in there. No foreplay or anything.

HTML Injection Test

Why didn’t I go right for an alert(‘XSS’)? I like to see if HTML injection is possible at the same time. Feel free to skip that step and go straight to <script>alert(“XSS”)</script>. Look at that! HTML injection is possible. Let’s go back and see if we can get a script to run.

HTML Injection Success

XSS Script Success

TL;DR <script>alert(“XSS”)</script>

XSS Reflected – Medium

Set the DVWA Security to Medium and throw that script back in there.

Medium XSS Failure

Why didn’t that work? Time to dig into the page source. If you read the PHP by clicking on the View Source button, the function checks for a null string, then replaces the string <script> with ‘’ if it is found. That is super effective against tools or testers that only use the exact string <script>. If you change it up a bit by adding capitalization, <SCRipT> or <ScriPt>, it doesn’t match and str_replace just passes it through. The PHP function is case sensitive but HTML is not.

PHP Function

TL;DR <SCRipt>alert(“XSS”)</scrIPT>

XSS Reflected – High

The High challenge uses the PHP htmlspecialchars function to escape special characters. I have tried to encode the string in multiple ways and have not figured out a way to run a script. This is the correct way to handle user input; it might be breakable, but I haven’t found a way around it yet.
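To show why the three DVWA levels behave the way the walkthrough describes, here is an added example (mine, not DVWA’s PHP, which is the code the page is actually about): each level’s filter is modelled in Python, since str.replace is case-sensitive and single-pass exactly like PHP’s str_replace and html.escape does what htmlspecialchars does. The payloads are the two from the walkthrough plus a nested one that shows a further weakness of the remove-the-tag approach; the render template is assumed, not copied from DVWA.

```python
import html
import re

# A browser treats tag names case-insensitively, so the check must too; this is
# exactly the gap the Medium bypass exploits.
SCRIPT_TAG_RE = re.compile(r'<\s*script\b', re.IGNORECASE)


def low_filter(name: str) -> str:
    """Low: the input is echoed into the page unchanged."""
    return name


def medium_filter(name: str) -> str:
    """Medium: models str_replace('<script>', '', $name): case-sensitive, one pass, no re-check."""
    return name.replace('<script>', '')


def high_filter(name: str) -> str:
    """High: models htmlspecialchars(): every markup-significant character becomes an entity."""
    return html.escape(name, quote=True)


def render(filter_fn, name: str) -> str:
    # Assumed page template; DVWA's own markup differs but the point is the same.
    return f'<pre>Hello {filter_fn(name)}</pre>'


def script_survives(filter_fn, payload: str) -> bool:
    """True if an opening <script tag is still present in what reaches the browser."""
    return SCRIPT_TAG_RE.search(render(filter_fn, payload)) is not None


# Constructed payloads.
PAYLOADS = {
    'exact': '<script>alert("XSS")</script>',
    'mixed_case': '<SCRipt>alert("XSS")</scrIPT>',
    # Removing the inner '<script>' stitches the outer fragments into a valid tag.
    'nested': '<scr<script>ipt>alert("XSS")</script>',
}


def evaluate(filter_fn) -> dict:
    """Map each payload label to whether the filter let an executable tag through."""
    return {label: script_survives(filter_fn, p) for label, p in PAYLOADS.items()}


if __name__ == '__main__':
    for level, fn in (('low', low_filter), ('medium', medium_filter), ('high', high_filter)):
        print(f'{level:6} {evaluate(fn)}')
```

The Medium filter blocks only the literal lowercase string; both the case change and the nested form get through, while escaping turns every `<` into `&lt;` so no payload variant survives. That is the difference between a blacklist and output encoding.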

Normally, I use Burp Suite to do everything because it does everything. That is because I have the Pro version. If you have the Community version you know that some of the attacks are throttled and the vulnerability scanner just doesn’t exist. If you don’t have the Pro version of Burp or just want to try a different toolset, this tutorial will take you through attacking the initial login page of the Damn Vulnerable Web App (DVWA site, DVWA ISO).

Once the application is up and running you will be presented with the initial page.

DVWA Login Page

Now what? You can either skip to the bottom and find it, or we can brute-force the password and learn something. The first thing we need to do is figure out what to attack. The easiest way is to look at the source code for the page.

Source Review


A second way is to capture a request to the page using a proxy. In keeping with the spirit of not using Burp, I grabbed this one using OWASP ZAP.

Zap Proxy Request Capture

The three fields are username, password, and Login. The next crucial piece is knowing what a bad login displays. This gives Hydra a way of discriminating between valid and bad login attempts.

Failed DVWA Login

I’m going to use xHydra but will give the command to run Hydra from a shell if that is the only access you have on a system. Launch Hydra; on Kali Linux it is under the /usr/bin directory. The following images show all of the options being set.

OWASP Target Setup

Set the IP of the DVWA server and the protocol in use; since we are attacking the web form, that is http-post-form. To attack a login of any type you need two other things: a username and a password. The rockyou word list exists at /usr/share/wordlists. I also created a short list of usernames to use.

User List

User Name and Password for Hydra

The next step is to tune the brute-force attack. I can use 32 threads and a 1 second timeout because both virtual machines, the Kali Linux attacker and the DVWA target, are on the same LAN segment and there is no concern about causing a denial of service. Piping the attack through the ZAP proxy is optional and not necessary.

Hydra Tuning

The next tab is where all of the heavy lifting happens. The http / https url field contains the ‘:’-separated string /login.php:username=^USER^&password=^PASS^&Login=Login:Login failed. Breaking out the string: /login.php is the login page. The username and password fields are linked to the ^USER^ and ^PASS^ variables; these are the options set in the Passwords tab. The Login field is not linked to a variable but is used in the login string that we found in image 3. The last string, Login failed, is what we determined indicates a bad attempt.

Hydra HTTP Setup

Once you are all set to go, just click Start on the last tab and watch it go. If you look really closely at the password setup you’ll see that I cheated a bit and just ran a single password. I started running the rockyou wordlist and then realized that it would take a significant amount of time to complete.

Brute Force Success

To run this from a shell instead of the GUI use:

hydra -L UserNameFile -P PasswordFile -e ns -t 32 -u -f -m "/login.php:username=^USER^&password=^PASS^&Login=Login:Login failed" <IP> http-post-form

-e ns checks for passwords that are the same as the username (s) and null (n)

-f exits after the first pair is found

-u is supposed to make the attack faster according to their readme but it doesn’t really say how. I think that it is a unique switch but I don’t have any proof.
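To make the ‘:’-separated module string and the -e ns switch concrete, here is an added example (my own, not part of Hydra or of this post) that models what the http-post-form module does with them offline: it splits the string into path, body template and condition, expands a user list and password list into the guesses -e n (null password) and -e s (password same as username) add, fills ^USER^/^PASS^ into the body, and applies the failure-string test to a response. Form-encoding the substituted values is an assumption about browser behaviour, not a claim about Hydra’s internals; the sample spec is the one from the tutorial.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import quote_plus


def parse_post_form(spec: str) -> Dict[str, object]:
    """Split a hydra http-post-form string on unescaped ':' into PATH, BODY template and CONDITION.
    The condition is a failure string by default; an S= prefix turns it into a success string."""
    parts = [p.replace('\\:', ':') for p in re.split(r'(?<!\\):', spec)]
    if len(parts) < 3:
        raise ValueError('expected PATH:BODY:CONDITION')
    path, body, cond = parts[0], parts[1], ':'.join(parts[2:])
    is_success = cond.startswith('S=')
    if is_success or cond.startswith('F='):
        cond = cond[2:]
    return {'path': path, 'body_template': body, 'condition': cond, 'condition_is_success': is_success}


def candidates(users: List[str], passwords: List[str], extra: str = '') -> List[Tuple[str, str]]:
    """User/password pairs a run tries; 'n' adds the empty password, 's' the username itself (-e ns)."""
    pairs: List[Tuple[str, str]] = []
    for user in users:
        if 'n' in extra:
            pairs.append((user, ''))
        if 's' in extra:
            pairs.append((user, user))
        pairs.extend((user, pw) for pw in passwords)
    return pairs


def build_body(template: str, user: str, password: str) -> str:
    """Fill ^USER^/^PASS^; values are form-encoded as a browser would send them (assumption)."""
    return template.replace('^USER^', quote_plus(user)).replace('^PASS^', quote_plus(password))


def login_succeeded(parsed: Dict[str, object], response_body: str) -> bool:
    """Apply the condition: with a failure string, its presence means the guess was wrong."""
    found = str(parsed['condition']) in response_body
    return found if parsed['condition_is_success'] else not found


# The module string used in the tutorial above.
SPEC = '/login.php:username=^USER^&password=^PASS^&Login=Login:Login failed'

if __name__ == '__main__':
    p = parse_post_form(SPEC)
    for user, pw in candidates(['admin'], ['password'], 'ns'):
        print('POST', p['path'], build_body(p['body_template'], user, pw))
    print(login_succeeded(p, '<pre><br />Login failed</pre>'), login_succeeded(p, 'Welcome :: DVWA'))
```

The third field is the whole basis of the tool’s verdict: it only knows a guess was wrong because the page said so in a recognisable way. From the defender’s side that is a reminder that the rate of POSTs to /login.php from one source, not the wording of the error, is what a lockout or throttling rule should key on.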

Stay tuned for more DVWA updates on the challenges you now have access to since you brute forced this password.

Converting dd image to vmdk for analysis


Astute readers will notice that the names for the images used in this part are not the same as in Part 1. Good for you, astute reader. I pulled a 16GB Quantum Fireball out of an old desktop that had not spun up in at least two years. When I last booted the system it was a fully functional Windows XP SP3 desktop.

I imaged this drive using the method in Part 1, verified the image, and copied it from the Kali Linux laptop that I dropped the initial image onto to an external USB drive. Why? Because in forensics you NEVER want to work with the initial image. The entire process took about 45 minutes for all three steps. The external drive is USB 3 and that definitely made the copy phase faster.

Converting this dd image to a vmdk file and then booting it is obviously going to change the hash. Just booting a Windows system adds multiple entries to the event log, which is more than enough for verification to fail, not to mention that the OS is going to install drivers for all of the new devices presented by VMware. In summary, NEVER WORK OFF OF THE INITIAL IMAGE.

Before we get to the actual conversion: there is no reason this couldn’t be a conversion from dd to VHD or VDI instead. I have VMware Workstation installed on my laptop and not VirtualBox or Virtual PC. I have used all of these and can’t say I have strong feelings for any one over the others.

The Good Stuff

Get the qemu utilities: apt-get install qemu-utils

Next, use qemu-img to convert the image to vmdk: qemu-img convert -O vmdk /path/image.dd /path/output.vmdk

Qemu-utils conversion

Get yourself a drink and stretch your legs. Forensics is a time consuming process. The conversion of this ~16GB dd file to vmdk took about 90 minutes.
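The step the post keeps shouting about, never working off the initial image, is easy to enforce before the conversion runs. The following is an added example (not from this post or from qemu): it hashes the acquisition image and the working copy in chunks, refuses to call qemu-img unless they match, and assembles the same convert command shown above with the raw input format stated explicitly. The sample images are a few KB of constructed bytes so the check can be exercised without a 16GB drive; the output path is a placeholder.

```python
import hashlib
import shutil
import subprocess
import tempfile
from pathlib import Path
from typing import List


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash in 1 MiB chunks so a multi-GB image is never read into memory at once."""
    h = hashlib.sha256()
    with open(path, 'rb') as f:
        for block in iter(lambda: f.read(chunk_size), b''):
            h.update(block)
    return h.hexdigest()


def verify_working_copy(original: Path, working_copy: Path) -> bool:
    """The copy is only usable as evidence if it hashes identically to the acquisition image."""
    return sha256_file(original) == sha256_file(working_copy)


def qemu_convert_command(working_copy: Path, output: Path, out_format: str = 'vmdk') -> List[str]:
    """The command the post runs; -f raw makes the dd input format explicit instead of probed."""
    return ['qemu-img', 'convert', '-f', 'raw', '-O', out_format, str(working_copy), str(output)]


def convert_for_analysis(original: Path, working_copy: Path, output: Path) -> List[str]:
    """Convert the working copy only after it is proven to match the original; returns the command run."""
    if not verify_working_copy(original, working_copy):
        raise RuntimeError(f'{working_copy} does not match {original}: re-copy before converting')
    if shutil.which('qemu-img') is None:
        raise RuntimeError('qemu-img not found (apt-get install qemu-utils)')
    cmd = qemu_convert_command(working_copy, output)
    subprocess.run(cmd, check=True)
    return cmd


def demo_with_constructed_images() -> dict:
    """Constructed data: a fake acquisition image, an exact copy, and a copy with one byte changed."""
    with tempfile.TemporaryDirectory() as d:
        original, good, bad = (Path(d) / n for n in ('image.dd', 'copy.dd', 'damaged.dd'))
        original.write_bytes(b'\x00' * 4096 + b'NTFS    ' + b'\xff' * 4096)
        good.write_bytes(original.read_bytes())
        bad.write_bytes(original.read_bytes()[:-1] + b'\xfe')
        return {
            'good_copy_matches': verify_working_copy(original, good),
            'damaged_copy_matches': verify_working_copy(original, bad),
            'command': qemu_convert_command(good, Path(d) / 'out.vmdk'),
        }


if __name__ == '__main__':
    print(demo_with_constructed_images())
```

Record the hash printed by sha256_file alongside the one taken at acquisition time; the vmdk produced afterwards will never match it, which is expected and is exactly why the conversion has to start from a verified copy rather than the original.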

The next step was to attach the disk to an existing virtual machine to ensure it would spin up. I happened to have a Windows XP virtual machine that I keep around mostly to run old software. Depending on how you plan on testing this hard drive you can take a snapshot of the drive to allow any changes to be rolled back; I didn’t do this simply because I could always convert the copy of the dd file again if I made some catastrophic change. If you wanted to boot directly into the XP operating system it would probably be necessary to run a repair install off of either a disk or ISO image containing the installation files. The chances that the underlying physical hardware is the same as the virtual hardware are just about zero. That is why VMWare has a physical to virtual converter.

Attached to VM

Here is where the pen testing part comes in. I spun the VM up and opened the drive in Windows Explorer to ensure that it worked. Oh look, right at the root: the Tax Backup folder. If this weren’t my own drive I’d probably start there.

Pen Test Gold

What next? Well we have covered acquiring the image and converting it to a virtual disk format. The next article in this series will cover juicy places to look in both the file system and Windows registry. It will probably have a cheat sheet for different operating systems to find data that will help you look good during the report writing phase of penetration testing. You know that phase? The one that everyone hates doing? Might as well look good doing it.


Version two just rolled out of the Python sweatshop.

Usage is python -p <port> -r <CIDR range> -t <threads> -h <usage and help>


The highlights:

Threading makes it fast. Like a /20 CIDR network in 10 seconds fast.

CTRL+C is handled nicely now.

IP addresses are scanned randomly to attempt firewall evasion.

The program gives a little more feedback now so you know it is working.

Known issue:

On my Kali Linux VM, running with more than 256 threads throws an error. But 256 threads?!? I think I can live with that.

pypeciaV2 source code



I got some great feedback on the original code. I made a few of the quick and easy changes and am putting it out with those now. Send in your feedback using email or Twitter; the goal is to have a fast tool that is useful for the infosec community.

Changes in V1:

  • Added start/end messages
  • Added progress counters to give better user feedback when scanning large ranges

Changes coming in V2:

  • Threading to make it faster in large ranges
  • IP randomization to prevent firewalls from blocking the tool due to sequential scans
  • Graceful handling of CTRL+C

pypeciaV1 source code


I really like the network scanner propecia, but from the date in the program it was written in 1999. I wanted the same speed and simple use but with IPv6 checks included. My C programming isn’t that great, so I decided to port it to Python. propecia… pypecia… see what I did there?

The reason I needed the additional functionality was to check a firewall for proper rules restricting both IPv4 and IPv6 traffic. Hint: it wasn’t. Having a server in a DMZ locked up tight on the IPv4 interface and unsecured on the IPv6 interface is like locking half of the doors on your car and wondering why things got stolen.

pypecia scans a single port across the given CIDR network range: python -p <port> -r <CIDR range>

pypecia original version source code

Geographic Information Theory

There are two main types of geographic information found in files. Geotagging is the GPS coordinates of the location, placed in the file. EXIF (Exchangeable Image File Format) contains the geotagging information as well as device type and speed. EXIF contains more information and is normally limited by the capabilities of the device creating the file.

What are the common weaknesses? Data leakage from the geographic information can pinpoint the exact location where a file was created. This information can be used to find detailed maps using software such as Google Earth or to create detailed patterns of movement.
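The two paragraphs above describe the data; the following added example (not code from this post, from creepy, or from any library) shows where it actually sits in a photo and how to pull it out, which is also the check to run on images before publishing them. It walks the JPEG marker segments to the APP1 “Exif” payload, reads the TIFF header and IFD0, follows the GPSInfo pointer and converts the degrees/minutes/seconds rationals into signed decimal coordinates. Because no real photo can be embedded here, a builder constructs a minimal JPEG carrying only that structure; the coordinates in it are made up.

```python
import struct
from typing import Dict, Optional, Tuple

TAG_GPS_IFD = 0x8825                      # IFD0 entry pointing at the GPS sub-IFD
TAG_LAT_REF, TAG_LAT, TAG_LON_REF, TAG_LON = 0x0001, 0x0002, 0x0003, 0x0004
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}   # TIFF field type -> bytes per element


def _read_ifd(tiff: bytes, offset: int, e: str) -> Dict[int, Tuple[int, int, bytes]]:
    """Return {tag: (type, count, raw bytes)} for one IFD; values over 4 bytes live at an offset."""
    (n,) = struct.unpack_from(e + 'H', tiff, offset)
    entries = {}
    for i in range(n):
        pos = offset + 2 + 12 * i
        tag, typ, count = struct.unpack_from(e + 'HHI', tiff, pos)
        size = TYPE_SIZES.get(typ, 1) * count
        if size <= 4:
            raw = tiff[pos + 8:pos + 8 + size]
        else:
            (value_off,) = struct.unpack_from(e + 'I', tiff, pos + 8)
            raw = tiff[value_off:value_off + size]
        entries[tag] = (typ, count, raw)
    return entries


def _dms_to_decimal(raw: bytes, e: str, ref: str) -> float:
    """Three RATIONALs (degrees, minutes, seconds) plus an N/S/E/W ref -> signed decimal degrees."""
    deg, mn, sec = (n / d if d else 0.0 for n, d in struct.iter_unpack(e + 'II', raw[:24]))
    value = deg + mn / 60 + sec / 3600
    return -value if ref in ('S', 'W') else value


def gps_from_tiff(tiff: bytes) -> Optional[Tuple[float, float]]:
    """Parse TIFF-structured EXIF; return (lat, lon) or None when there is no GPS position."""
    e = {b'II': '<', b'MM': '>'}.get(tiff[:2])
    if e is None:
        raise ValueError('not a TIFF header')
    magic, ifd0 = struct.unpack_from(e + 'HI', tiff, 2)
    if magic != 42:
        raise ValueError('bad TIFF magic')
    gps_ptr = _read_ifd(tiff, ifd0, e).get(TAG_GPS_IFD)
    if gps_ptr is None:
        return None
    gps = _read_ifd(tiff, struct.unpack_from(e + 'I', gps_ptr[2])[0], e)
    try:
        lat_ref = gps[TAG_LAT_REF][2].rstrip(b'\x00').decode('ascii')
        lon_ref = gps[TAG_LON_REF][2].rstrip(b'\x00').decode('ascii')
        return _dms_to_decimal(gps[TAG_LAT][2], e, lat_ref), _dms_to_decimal(gps[TAG_LON][2], e, lon_ref)
    except KeyError:
        return None


def exif_from_jpeg(jpeg: bytes) -> Optional[bytes]:
    """Walk JPEG marker segments; return the TIFF payload of the APP1 'Exif' segment if present."""
    if jpeg[:2] != b'\xff\xd8':
        return None
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker == 0xDA:                  # start of scan: all metadata segments precede it
            return None
        (seg_len,) = struct.unpack_from('>H', jpeg, pos + 2)
        body = jpeg[pos + 4:pos + 2 + seg_len]
        if marker == 0xE1 and body.startswith(b'Exif\x00\x00'):
            return body[6:]
        pos += 2 + seg_len
    return None


def gps_from_jpeg(jpeg: bytes) -> Optional[Tuple[float, float]]:
    tiff = exif_from_jpeg(jpeg)
    return gps_from_tiff(tiff) if tiff else None


def build_sample_jpeg(lat_dms, lat_ref, lon_dms, lon_ref) -> bytes:
    """Constructed test data: a JPEG whose only segment is APP1/Exif with IFD0 -> GPS IFD, little-endian."""
    e = '<'
    ifd0_off, gps_off, lat_off, lon_off = 8, 26, 80, 104   # header 8 B, IFD0 18 B, GPS IFD 54 B, then data

    def entry(tag, typ, count, value4):
        return struct.pack(e + 'HHI', tag, typ, count) + value4

    tiff = b'II' + struct.pack(e + 'HI', 42, ifd0_off)
    tiff += struct.pack(e + 'H', 1) + entry(TAG_GPS_IFD, 4, 1, struct.pack(e + 'I', gps_off)) + struct.pack(e + 'I', 0)
    tiff += struct.pack(e + 'H', 4)
    tiff += entry(TAG_LAT_REF, 2, 2, lat_ref.encode() + b'\x00\x00\x00')
    tiff += entry(TAG_LAT, 5, 3, struct.pack(e + 'I', lat_off))
    tiff += entry(TAG_LON_REF, 2, 2, lon_ref.encode() + b'\x00\x00\x00')
    tiff += entry(TAG_LON, 5, 3, struct.pack(e + 'I', lon_off))
    tiff += struct.pack(e + 'I', 0)
    for n, d in (*lat_dms, *lon_dms):
        tiff += struct.pack(e + 'II', n, d)
    app1 = b'Exif\x00\x00' + tiff
    return b'\xff\xd8\xff\xe1' + struct.pack('>H', len(app1) + 2) + app1 + b'\xff\xd9'


if __name__ == '__main__':
    # Constructed position near Sao Paulo: 23 deg 33' S, 46 deg 38' W.
    sample = build_sample_jpeg([(23, 1), (33, 1), (0, 1)], 'S', [(46, 1), (38, 1), (0, 1)], 'W')
    print(gps_from_jpeg(sample))
```

Point gps_from_jpeg at the bytes of any real photo to see whether it would give away where it was taken; a None result means no GPS IFD was present, which is the state a published image should be in.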

What are you trying to do? We are going to connect to Twitter and do geolocation on the @FIFAWorldCup account. Why the @FIFAWorldCup account? We know where the World Cup is happening, so it is easy to see if the information is correct.

Getting Started

Get creepy from here:

Ready to Go

For this tutorial it is installed in a Windows 7 virtual machine. The version in the Kali apt-get repositories was not the latest when this was written. Besides, the OS is just a tool; we don’t need to get caught up in an ideological battle about how somebody has to use a certain tool to be a ‘real’ hacker. Being effective is more important than being a zealot.

Edit the configuration: Edit -> Plugins Configuration, then select Twitter Plugin -> Run Configuration Wizard -> Next. Enter your Twitter ID and password to authorize creepy by clicking Authorize APP.

Authorize Creepy

Wouldn’t this also be a great time to follow us @SecureNM? I’m not trying to make you feel guilty, but you are here reading our stuff. Copy the PIN that Twitter generates into the text box at the bottom of the window and click the Finish button.

Creepy Twitter Plugin Configuration

Creepy should now be authorized, but just to be sure, select Twitter Plugin and then click the Test Plugin Configuration button. Yay, we are ready to get started. Click OK a few times to get back to the main screen.

Twitter Plugin Success

From the file menu select Creepy -> New Project -> Person Based Project. This will start the project wizard. Fill in the information as you see fit.

Project Configuration

Add the information and select the proper plugin then select Search. In this case we used @FIFAWorldCup.

Search Results

Click the ID or IDs that you want to creep on (see what I did there?), then select Add to Targets. I added all of the IDs that were found to ensure enough data for this tutorial.

Select Next -> Next -> Finish.

Analyze the project by selecting the project and clicking the Analyze button.

There are many analyze buttons like it but this one is mine

Sao Paulo, Rio de Janeiro, and the Maldives are all among the locations of tweets sent by the Twitter IDs that creepy analyzed. Select one of these locations on the map and, through the power of Google and GPS, you can see the location and possibly a street view. In the immortal words of Keanu Reeves: Whoa!

Full Map of Tweets

Location of Maldives Tweet

I know what you’re thinking: wow, that was cool, but so what? So what, you say? This is how you would use it on a real-life security engagement. You get a black box test with nothing but a URL. You find the company’s Twitter account on the website. Feeding this information into creepy gives you locations that are potential targets for social engineering, physical infiltration, and WiFi attacks. See how just a little information can turn the tide in an assessment?