0x0e.org | pentesting perspective

braindump on pentesting, QA, metasploit, constant learning

Archive for the ‘attack’ Category

Scripting Post-Exploitation

with 5 comments

A common question that comes up with post-exploitation is the need to run multiple things when a meterpreter session is initiated.

You can easily run a single command using the ‘AutoRunScript’ option. For example:

msf (psexec) > set AutoRunScript killav

However, if you need multiple things to run, there’re a couple multi-runner scripts that you should know about: multiscript, multicommand, and multi_console_command. They can take either a -c or a -rc option, which will provide the list of items to run. These scripts were provided by dark0perator.

Sidenote: If you’re using the multi* scripts, it’s better to use the -rc option. The parsing for the multi-command scripts doesn’t handle spaces well.

msf (psexec) > set AutoRunScript multi_console_command -c ‘command, command, command’ ## Don’t do this

It’s much better to use an external rc file where commands.rc is just a list of commands one-per-line like:

help
run killav
migrate
shutdown

Then call it like:

msf (psexec) > set AutoRunScript multi_console_command -rc commands.rc

Another (non-recommended) trick is to set the InitialAutoRunScript option ie ‘set InitialAutoRunScript killav’ if you only need two scripts to run – but generally InitialAutoRunScript shouldn’t be touched except by exploits. It’s intended for exploits that know the target process is going to die, so they can migrate. (thanks to egyp7 for the info).

Written by jcran

July 2, 2010 at 5:51 PM

New DOS attack technique: sockstress

leave a comment »

The guys from outpost24 are releasing a new tool (sockstress) that exploits problems with TCP state tables. Apparently, you can disable most any windows/linux/firewall box with minimal attack bandwidth (read: cable modem).

According to the podcast,  the tool does “some evil things” during the negotiation of the handshake. It’s definitely not a SYN flood or a SYN cookie.

The attack uses a concept called ‘reverse SYN cookies‘ to encode information about the client’s TCP session in the packets. This allows the attacker to attack without ever keeping track of state. The packets themselves keep track of state and what phase the attack is in.

Approximately 10 packets are needed to disable a single service. No system is known to withstand the attack.

The podcast is the best source of information at this point. (English starts after 5 mins)
More information here:

Written by jcran

October 1, 2008 at 11:46 PM

Posted in attack

Tagged with , , , ,

Framing via Facebook ==> FaceFraming?

with 3 comments

So, i was posting on the wall of a friend in facebook today, alluding to how we should steal my car back from the fascist towing company who took it. I realize it’s probably a bad idea to even hint at this, but what the hell. I can account for my time, and i truly have no intentions of stealing it.

Regardless, it occurred to me that it’s getting easier & easier to damage a reputation online, or to frame someone for a crime they didn’t do.

Imagine if i wanted someone knocked off. If i wanted to create a convincing argument for another person, i could simply log into the framed person’s account, and post a menacing statement like: “I hate everybody today. I think i’m gonna snap soon. @#$# _______” Cheesy? Sure. But convincing enough for a jury? We will see.  It’s now a matter of a public record (how much so depends on your privacy concerns / settings), and can be used against you.

I think we’re going to see a lot more of this type of evidence in the future. Here are a couple examples of it being used in court (drunk driving cases):

Written by jcran

September 30, 2008 at 3:02 AM

Posted in attack, web2.0

Tagged with , , ,

The future will be 0day.

leave a comment »

Browsing through my collection of papers & presentations and ran across these:

The IPO of 0day by Justine Aitel and 0day – How hacking really works by Dave Aitel

They’re both quite old (the latter is 3 years old), but relevant.

Reading them brings the interesting observation that the product space simply can’t address the 0day threat. You really need to hire a hacker or hire a pentesting team if you’re concerned about addressing the possibility. Did your last pentest address the threat??

Justine brings up the fact that there are 3 types of pentesters (and if you hire the lower tier, you might as well do the work yourself, heh):

  • Top tier: Can find / exploit 0day.
  • Middle tier: Can utilize tools that exploit 0day.
  • Bottom tier: Run a scanner.

Many companies I’ve worked with don’t even consider 0day as a threat. (In fact, i’m trying to think of a single one…) Maybe it’s viewed as a too remote a possibility, maybe it’s not considered relevant for the typical organization, or maybe it’s just too damn difficult to protect against.

Should you? I’m not convinced that every company needs to. But who does? Surely financial organizations, banks, insurance companies, government institutions. Who else? Anyone running financial transactions over custom (probably old / lightly maintained) software…

Is it valid to consider as a real threat? How much time / money should be invested to mitigate the risk?

Written by jcran

September 26, 2008 at 6:41 AM

Posted in attack

Tagged with , , , ,

Firefox Extensions Dump

leave a comment »

This is a dump of my current set of Firefox extensions. Some of these are absolutely critical for pentesting: HackBar, TamperData, FireBug and ModifyHeaders. Some are not so critical, but helpful: Shazou (Geolocation), FormFox (See where forms submit to), PDF Download (yeah.), etc.

Aardvark – aardvark.xpi
Powerful and user-friendly selector utility for selecting elements and doing various actions on them. It can be used for cleaning up a page prior to printing it (by removing and isolating elements), for making the page more readable, and (most appreciated by web developers), for analyzing the structure of a page.

Add N Edit Cookies – add_n_edit_cookies-0.2.1.3-fx+mz.xpi
Cookie Editor that allows you add and edit “session” and saved cookies.

AS Number – asnumber-1.0beta9-fx.xpi
The AS Number Extension displays interesting information the Internet Service Provider of every website visited. Along with it come some additional statistics for those who want to know what happens behind the Webs shiny surface.

Book Burro – bookburro.xpi
An extension for FireFox & Flock web browsers to save you time and money when browsing books.

Cert Viewer Plus – cert_viewer_plus-1.4-fx+tb+sm.xpi
Certificate viewer enhancements: PEM format view, file export

Cookie Monster – cookie_monster-0.94-fx.xpi
Cookie Monster features: – Temporary Permission for sites to leave cookies (permission removed and cookies deleted for site with temporary permission upon restart of Firefox) – New option to set general Firefox setting to block all cookies – Updated menu structure – Menu options to view cookies for current site or all sites – A panel indicating the current status of cookies for the current site and domain appears while hovering over the cookie status indicating icon in the status bar In a nutshell, Cookie Monster allows for easier managing of what sites a user allows to set cookies and what sites cannot. It works best for users who do NOT accept cookies by default, although this is not necessary.

Cookie Safe – cookiesafe-3.0.3-fx+tb+sm.xpi
This extension will allow you to easily control cookie permissions. It will appear on your statusbar. Just click on the icon to allow, block, or temporarily allow the site to set cookies. You can also view or clear the cookies and exceptions by…

Cookie Watcher – cookie_watcher-0.7-fx.xpi
It is a simple extension. It helps testing web applications – it quickly can wipe ‘session’ cookie or it helps to identify cluster node in clustered environments using cookie value.

Delicious Bookmarks – delicious_bookmarks-2.0.104-fx.xpi
Delicious Bookmarks is the official Firefox add-on for Delicious, the world’s leading social bookmarking service (formerly del.icio.us). It integrates your bookmarks and tags with Firefox and keeps them in sync for easy, convenient access.

Download Statusbar – download_statusbar-0.9.6.3-fx.xpi
View and manage downloads from a tidy statusbar – without the download window getting in the way of your web browsing.

Edit Cookies – EditCookies.xpi
Edit your cookies right in Firefox!

Extended Cookie Manager – extended_cookie_manager-0.9-fx.xpi
Easier cookie managment for Firefox

FasterFox – Fasterfox{2.0.0}.xpi
Performance and network tweaks for Firefox

FireBug – firebug-1.2.1-fx.xpi
Firebug integrates with Firefox to put a wealth of development tools at your fingertips while you browse. You can edit, debug, and monitor CSS, HTML, and JavaScript live in any web page.

FireCookie – firecookie-0.6-fx.xpi
Firecookie is an extension for Firebug that makes possible to view and manage cookies in your browser

FlagFox – flagfox-3.3.1-fx.xpi
Displays a country flag depicting the location of the current website’s server and provides quick access to detailed location and webserver information.

FormFox – formfox-1.6.2-fx.xpi
Do you know where your form information is going? This extension displays the form action (the site to which the information you’ve entered is being sent.)

FoxyProxy – foxyproxy-2.8.5-fx.xpi
FoxyProxy is an advanced proxy management tool that completely replaces Firefox’s limited proxying capabilities. It offers more features than SwitchProxy, ProxyButton, QuickProxy, xyzproxy, ProxyTex, TorButton, etc.

GreaseMonkey – greasemonkey-0.8.20080609.0-fx.xpi
Allows you to customize the way a webpage displays using small bits of JavaScript. Hundreds of scripts, for a wide variety of popular sites, are already available at http://userscripts.org. You can write your own scripts, too. Check out http://wiki.greasespot.net/ to get started.

HackBar – hackbar-1.3.2-fx.xpi
Simple security audit / Penetration test tool.

HeaderSpy – HeaderSpy{1.2.2}.xpi
Shows HTTP headers on statusbar.

Hide Navigation Bar – hide_navigation_bar-1.2-fx.xpi
This extension enables you to hide the navigation bar through a toggle button. Currently the toggle button is the F2 key. You can change the key in the extensions options, as well as configure whether you want the Navigation Bar to be displayed on an initial Firefox launch. Also allows you to enable an Auto-Hide mode if you wish to use that instead.

HttpFox – httpfox-0.8.2-fx.xpi
An HTTP analyzer addon for Firefox

IETab – ietab-1.5.20080618-addons
This is a great tool for web developers, since you can easily see how your web page displayed in IE with just one click and then switch back to Firefox.

IMacros For Firefox – imacros_for_firefox-6.0.7.5-fx+mz+sm.xpi
Automate Firefox. Record and replay repetitious work. If you love the Firefox web browser, but are tired of repetitive tasks like visiting the same sites every days, filling out forms, and remembering passwords, then iMacros for Firefox is the solution you’ve been dreaming of! ***Whatever you do with Firefox, iMacros can automate it.***

JSView – jsview-2.0.5-fx+sm.xpi
ll browsers include a “View Source” option, but none of them offer the ability to view the source code of external files. Most websites store their javascripts and style sheets in external files and then link to them within a web page’s source code. Previously if you wanted to view the source code of an external javascript/stylesheet you would have to manually look through the source code to find the url and then type that into your browser.rnrnWell now there’s a much easier way.

Live HTTP Headers – live_http_headers-0.14-fx+sm.xpi
View HTTP headers of a page and while browsing.

Live IP Address – live_ip_address-1.82-fx.xpi
Retrieves your Live IP Address and displays it on Firefox’s status bar… Additional features: i) Easy copy of IP address to the clipboard, ii)Set update interval iii) Force update option

LocationBar – Locationbar{0.9.1}.xpi
Puts emphasis on the domain to reduce spoofing risk. Linkifies URL segments (press Ctrl, Meta, Shift or Alt). More URL formatting options configurable.

Modify Headers – modify_headers-0.6.4-fx+mz+sm.xpi
Add, modify and filter http request headers. You can modify the user agent string, add headers to spoof a mobile request (e.g. x-up-calling-line-id) and much more.

NoScript – noscript-1.8.1.3-fx+mz+sm.xpi
The best security you can get in a web browser!
Allow active content to run only from sites you trust, and protect yourself against XSS attacks.

PDF Download – pdf_download-2.0.0.0-fx.xpi
Use PDF Download to do whatever you like with PDF files on the Web. Regain control of them and eliminate browser problems, view PDFs directly in Firefox as HTML, and use the all-new Web-to-PDF toolbar to save and share Web pages as high-quality PDF files.

Poster – poster-1.7.1-fx.xpi
A developer tool for interacting with web services and other web resources that lets you make HTTP requests, set the entity body, and content type. This allows you to interact with web services and inspect the results…

RefControl – refcontrol-0.8.11-fx.xpi
Control what gets sent as the HTTP Referer on a per-site basis.

ReloadEvery – reloadevery-2.0-fx.xpi
Reloads web pages every so many seconds or minutes. The function is accessible via the context menu (menu you get when you right click on a web page) or via a drop down menu on the reload button

Shazou – shazou-2.1-fx.xpi
Finally mapping is integrated with the Firefox browser. The product called Shazou (pronounced Shazoo it is Japanese for mapping) enables the user with one-click to map and geo-locate any website they are currently viewing.

ShowIP – showip-0.8.08r14b0251-fx+mz.xpi

Show the IP address(es) of the current page in the status bar. It also allows querying custom information services by IP (right mouse button) and hostname (left mouse button), like whois, netcraft. Additionally you can copy the IP address to the clipboard.

SQL Inject Me – sqlime-0.2.xpi [Doesn’t Work with FF3]
SQL Injection vulnerabilites can cause a lot of damage to a web application. A malicious user can possibly view records, delete records, drop tables or gain access to your server. SQL Inject-Me is the Exploit-Me tool used to test for SQL Injection vulnerabilities.

Tab Mix Plus – tab_mix_plus-dev-build.xpi
Tab Mix Plus enhances Firefox’s tab browsing capabilities. It includes such features as duplicating tabs, controlling tab focus, tab clicking options, undo closed tabs and windows, plus much more. It also includes a full-featured session manager.

TamperData – tamper_data-10.1.0-fx.xpi

Use tamperdata to view and modify HTTP/HTTPS headers and post parameters. Trace and time http response/requests. Security test web applications by modifying POST parameters.

TrashMail.net – trashmail.net-1.0.12-fx.xpi
Create free disposable email addresses and paste them directly in forms. This helps to protect you from spam mails and could be useful when subscribing to forums or newsletters

TwitterFox – twitterfox-1.7-fx.xpi
TwitterFox is a Firefox extension that notifies you of your friends’ statuses of Twitter.

User Agent Switcher – user_agent_switcher-0.6.11-fx+sm.xpi
Adds a menu and a toolbar button to switch the user agent of the browser.

Web Developer Toolbar – web_developer-1.1.6-fx.xpi
Adds a menu and a toolbar with various web developer tools.

XSS Inject Me – xssme-0.2.1.xpi [Doesn’t Work with FF3]
Cross-Site Scripting (XSS) is a common flaw found in todays web applications. XSS flaws can cause serious damage to a web application. Detecting XSS vulnerabilities early in the development process will help protect a web application from unnecessary flaws. XSS-Me is the Exploit-Me tool used to test for reflected XSS

you can download them all as one big zip here.

Written by jcran

September 23, 2008 at 7:16 PM

Posted in attack

Tagged with , , , ,

webFileScanner.pl – simple file & directory brute-force utility

leave a comment »

Here’s a simple utility i coded up using perl + lwp to blindly request files from a webserver + print the status code that’s returned. Functionally, it’s similar to the excellent ‘Dirbuster,’ but without the overhead of Java.

Usage:

jcran@marzban:~/toolkit-new/nix/brute-web$ ./webFileScanner.pl
Usage: ./webFileScanner.pl [ip or hostname] [file with urls] [https?])]

Example:

jcran@marzban:~/toolkit-new/nix/brute-web$ ./webFileScanner.pl http://0x0e.com ../../wordlist/directory-list-1.0.txt

Output:

jcran@marzban:~/toolkit-new/nix/brute-web$
...
url: http://0x0e.com/healthyliving - status: 404
url: http://0x0e.com/healthy_living - status: 404
url: http://0x0e.com/pl0p - status: 200
url: http://0x0e.com/relationships - status: 404
url: http://0x0e.com/his - status: 404
url: http://0x0e.com/history - status: 404
url: http://0x0e.com/ancient - status: 404
url: http://0x0e.com/family - status: 404
...

The output is grep-able & LWP makes it quite simple to add additional features as needed. For instance, you could quickly instruct LWP to save ‘status: 200’ pages to disk.

You can download the file here.

Written by jcran

September 1, 2008 at 4:30 PM

Posted in attack

Tagged with , , ,

HTTP Response Splitting Explained

leave a comment »

j0e of LearnSecurityOnline.com recently mentioned that he was actively looking for examples of ‘HTTP Response Splitting.’ I was aware of the vulnerability, but always considered it somewhat theoretical, and didn’t fully understand the concepts. OWASP has a good blurb on it, and this is how I had initially become aware of it.

After examining it closer, I discovered that the vulnerability is nothing more than a more powerful version of XSS. In this case, you’re allowed to inject to the response HEADERS as opposed to (simply) the BODY with XSS. Response Splitting is a more dangerous vulnerability because of this. It will allow you to take full control of the body, and depending on the injection point, set arbitrary values in the HTTP Response header.

How does the vulnerability work? Fundamentally, it’s just an untrusted input and un-encoded output problem (though you can be vulnerable to certain payloads even if you encode output). When unverified input is used to set a value in the HTTP Response Headers, the vulnerability can be used.

For instance, suppose there are 2 pages: http://www.0x0e.org/page1.php and http://www.0x0e.org/page2.php.

  • First, a form value (lets call it ‘x’) from page1.php is passed to page2.php and accessed via $_POST[‘x’], $_REQUEST[‘x’], $HTTP_POST_VARS[‘x’], or $x (if register globals is on). If this value is used without verification, we have a problem.
  • To make a HTTP Response Splitting vulnerability, x must be used to set a value in the HTTP Response. This can be done in PHP using the Header(“Arbitrary-Header-Example: $x) call.

Now, an attacker can use this to his advantage by placing input in the form variable x on page1.php which is passed to page2.php. This input might look something like:

Value of Arbitrary Header%0d%0A
<html><body> 0wned. </body></html>%0d%0A

which would be placed before the original (correct) response, be parsed by the victim’s browser, and displayed on their screen. The full HTTP response would look something like:

GET /page2.php HTTP/1.1
Host    http://www.0x0e.org
User-Agent    "SparkyBrowse 2.0"
Accept    */*
Accept-Language    en-us,en;q=0.5
Accept-Encoding    gzip,deflate
Accept-Charset    ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive    300
Connection    keep-alive
Referer    http://www.0x0e.org
If-Modified-Since    Thu, 21 Aug 2008 00:10:17 GMT
Cache-Control    max-age=0
Arbitrary-Header-Example: Value of Arbitrary Header
<html><body> 0wned. </body></html>
--------------------------------------------------------------------------
[original page2.php body -- not processed by the browser]
--------------------------------------------------------------------------
<html>
<head> Page2.php </head>
<body> This is the original Page2.php </body></html>

Notice how the %0d%0A disappeared in the full response? It’s being processed by the webserver, and depending on the OS, the attacker must tailor the input (just LF on *nix, CRLF on win*)

The most important thing to take away from this: HTTP Response Splitting is a stronger form of XSS. Nothing More.

Written by jcran

September 1, 2008 at 6:58 AM