security.crudtastic.com

In case you’ve missed the news lately .. there’s been a few little issues with the way Microsoft handles some dll’s. A quick look on exploit-db will show a tonne of new dll hijacking exploits. HD from Metasploit has released version 2 of his DLLHijackAudit Kit that will basically check all the file associations on your machine for DLL hijack vulnerabilities, if it finds that a DLL is vulnerable, it will then create a POC and save it for you.

Due to an overwhelming amount of interest in the initial DLLHijackAuditKit released on Monday, I rewrote the tool to use native JScript, automatically kill spawned processes, reduce the memory usage by ProcMon, and automatically validate every result from the CSV log. The result is DLLHijackAuditKit v2. This kit greatly speeds up the identification process for vulnerable applications. An extremely simple HOWTO:

1. Download the DLLHijackAuditKit v2 and extract it into a local directory on the system you would like to test.

2. Browse to this directory and launch 01_StartAudit.bat as an Administrator. The Administrator bit is important, as it will allow the script to kill background services that are spawned by the handlers and prevent UAC popups.

3. After the audit script completes (15-30 minutes), switch to the Process Monitor window, and access File->Save from the menu. Save the resulting log in CSV format to the local directory with the name “Logfile.CSV”.

4. Launch 02_Analyze.bat as an Administrator. This will scan through the CSV log, build test cases for each potential vulnerability, try them, and automatically create a proof-of-concept within the Exploits directory should they succeed.

5. Identify the affected vendor for each generated proof-of-concept and ask them nicely to fix their application. Send them the calc.exe-launching PoC if necessary.

Thanks again to everyone who provided feedback (positive or negative) on the original tool, especially Rob Fuller, who let me forkbomb his system in the process of testing the new kit.

 

Full posting on the Metasploit blog

A new GUI for Metasploit has been added by ScriptJunkie to the Metasploit SVN Repository. This new GUI is multi-platform and it is based on Java!

Over to you Carlos for a full rundown!! – http://pauldotcom.com/2010/07/metasploit-new-gui.html

So I got a new HTC phone with Android – Awesome! Well .. yes and no

I went to set the email component up for Exchange 2010 ActiveSync and it all fell apart on me. I’ve spent the last 3 days bashing my head against a wall until all of 5 minutes ago. Everytime I set the account up it would authorise and then turn around and give me an error of “Failed to create the account. Please try again later”. LAME!!

So after a lot of googling I came up with nothing .. talk of SSL certificates and so on .. I bought an SSL cert, installed it .. nothing

Then I decided to think straight .. I looked at the Windows Event logs and saw a bunch of errors – the one in particular that cracked this case for me was the event id 1053 for MSExchange Activesync. It basically said that the account didnt have permission. What?? The account is a Domain Admin!! BZZZT!!! That’s the problem!! STUPID!! Apparently that is an AD Protected Group and it will never work.

So enough blabbering already .. How did I fix it!

There is an awesome post at http://blog.nick.mackechnie.co.nz/post/2009/11/20/Exchange-2010-Active-Sync-Issue.aspx which explains this all very well! The basics are though

1. Log onto Domain Controller
2. Start AD Users and Computers
3. Click on View – Advanced Features
4. Double-click on the user who’s account wont work with ActiveSync
5. Go to the security tab and then select the advanced button
6. Select Exchange Servers, and tick the Include inheritable permissions toggle then Apply and OK.
7. Reconfigure your phone and walk away happy

Anyway .. this isn’t really a security thing .. but I think if it’s annoyed other people as much as it’s annoyed me .. people may want to know how to fix it.

Good luck

Yet another awesome email that I received this morning (what a great day it’s been for email – haha)

The guys at Offensive Security have put together a short presentation on a real-world penetration test. The video is super edited to show you just the important bits, but you get the picture of what they’re showing you.

You can see the full blog posting at http://www.offensive-security.com/videos/penetration-testing-in-the-real-world/

I personally have to say that the Offensive Security – Pentesting with Backtrack course was THE best course I have done to date! It was so intense and had an awesome lab to refine your skills in. I have gone from strength to strength since doing this course. I am in the process of rebuilding my testing lab at home so that I can continue to push my newly learnt skills and build upon what these guys have taught me. If there is any thought in your head about this particular course, all I can say is, DO IT! You will not regret it!

By no means is this information useful to many people at all! This is the insane ramblings going through my head that I want to keep handy for when I get a rush of blood and start going totally off course. There are probably a few mistakes in some of the stuff here (it was written in haste) – but I’m sure if you’re interested, or know about what is written here, then you’ll know the correct syntax for the commands (or be able to work it out).

If you do find some of this information of any use to you … AWESOME!! Otherwise, move along, there’s nothing to see here.

These notes are just brain jerkers for my OFFSEC101 / OSCP exam that I will be taking on Monday the 21st December. It’s a 24hr lab challenge where you are meant to be hack 5 separate machines and gain root/admin/system access. All in all I feel ok about it .. I’m more worried about the unknown factor in these types of exams (it’s not a learn and repeat type thing) where you’re thinking outside of your normal boundaries, there’s also the fact that it goes for 24hrs and fatigue can make people do silly things!

I’ll let you all know how I go after the event! Now, back to the notes …

Notes

Use Leo and make a new child entry for each IP. Keep ALL information related to testing of that machine in that child entry. Create child entries within the IP entry for each type of scan/information gathering. Create a totally separate child entry for username/password combinations, general notes etc. Leo/good record keeping is what will win the game.

Scan network for live hosts

(nmap/zenmap)

For NMAP –

nmap -vv -sP 192.168.0.1-254 -oG hosts_up.txt

cat hosts_up.txt | grep -i “up”

nmap -PN 192.168.9.200-254

(this will also show open ports for each host)

Identify OS

(nmap/zenmap)

For NMAP –

nmap -O 192.168.0.100 (just OS fingerprint)

nmap -A 192.168.9.201 (runs an “aggressive” scan – scan,OS fingerprint, version scan, scripts and traeroute)

Check hosts for services

(nmap/zenmap)

For NMAP

- nmap -sS 192.168.9.254 (TCP)

- nmap -sU 192.168.9.254 (UDP)

(Could be better to do this in zenmap and group servers by services)

FOR SNMP

-  snmpwalk -c public -v1 192.168.9.254 1 |grep hrSWRunName|cut -d” ” -f

For a known port

- nmap – p 139 192.168.9.254

DNS Lookups/Hostnames

host -l <domain> <dns server>

e.g. host -l acme.local 192.168.0.220

Banner grab/Version services

(nmap/zenmap/SNMP)

Check versions of software/services against milw0rm and security focus)

For NMAP

- nmap -sV 192.168.9.254

For SNMP

snmpenum -t 192.168.0.100 (displays all snmp informations for that server)

For SMTP

nc -v <mailserver> 25

- Will give mailserver version. Can also VRFY to find valid usernames/email accounts

Netbios/SMB

- smb4k (graphical interface – lists shares)

- smbserverscan

- metasploit auxiliary scanner

./msfconsole

show

use scanner/smb/version

set RHOSTS 192.168.0.1-192.168.0.254

run

Enumerate Usernames

(SNMP/SMTP/SMB[NETBIOS]/Add others here)

For SMB

- nmap -sT -p 445 192.168.9.200-254 -oG smb_results.txt (then grep open sessions)

(on my machine /root/offsec) ./samrdump.py 192.168.9.201 (results from above)

For SNMP

- nmap -sT -p 161 192.168.9.200/254 -oG snmp_results.txt (then grep)

- snmpwalk public -v1 192.168.9.201 1 |grep 77.1.2.25 |cut -d” “ -f4

For SMTP – (/pentest/enumeration/vrfy)

- ./smtp_VRFY.py <mailserver IP>

** NEED TO MAKE THREADED – VERY SLOW **

SAMRDUMP.PY – (/pentest/python/impacket-examples/samrdump.py)

- ./samrdump.py SNMP server

*** NAMES.TXT – /pentest/enumeration/vrfy/names.txt ***

*** OR /pentest/web/wfuzz/wordlists/others/names.txt ***

Crack Passwords

(hydra/THC bruter)

(need mil-dict.txt from Milw0rm – cracked hashs)

FTP – hydra -l <username> -P mil-dic.txt -f <FTP SERVER> ftp -V

POP3 – hydra -l <username> -P mil-dict.txt -f <MAIL SERVER> pop3 -V (may need to use -t 15 to limit concurrent connections)

SNMP – hydra -P mil-dict.txt -f <SNMP SERVER> -V

MS VPN – dos2unix words (whatever word list)

cat words | thc-pptp-bruter VPN server

Look for known vulnerable services

(refer nmap/zenmap output)

Check versions of software (by either snmp enumeration or nmap/zenmap) against http://www.milw0rm.com/search.php or http://www.securityfocus.com/vulnerabilities or http://www.exploit-db.com

Compile exploit code if possible

(milw0rm archive)

cd /pentest/exploits/milw0rm

cat sploitlist.txt | grep -i [exploit]

Some exploits may be written for compilation under Windows, while others for Linux.

You can identify the environment by inspecting the headers.

cat exploit | grep “#include”

Windows:  process.h, string.h, winbase.h, windows.h, winsock2.h

Linux:   arpa/inet.h, fcntl.h, netdb.h, netinet/in.h, sys/sockt.h, sys/types.h, unistd.h

Grep out Windows headers, to leave only Linux based exploits:

cat sploitlist.txt | grep -i exploit | cut -d ” ” -f1 | xargs grep sys | cut -d “:” -f1 | sort -u

LINUX

So firstly, let me just say that this is by no means a “How To” post on SQL Injection. This is more of a very basic primer, or an introduction to SQL Injection. Secondly, I would like to thank the guys at Offensive Security for the following information (I hope this isn’t stepping on anyone’s toes – this is my take on the whole concept), it’s a topic covered in the Pentesting with BackTrack course they have on offer. Finally, please don’t try this on anyone’s systems!! If you want to learn more about this please get something like webgoat or configure your own server to practice this on!! One last thing, I will not go into detail here with how/why some of these things work, wikipedia and a host of other sites can explain this all a lot better then me (i’m no SQL injection expert) and there are many many books (big scary books) that will walk you through this concept. With that out of the road .. let’s move on

continue reading…

So, I guess this isn’t really a security related post … but someone will find it useful I hope! Earlier today I wanted to upgrade my little notebook to the latest version of Windows 7 .. but of course most netbooks don’t have a DVD drive so you need to boot it off a USB stick.

You will need the following to create this bootable USB stick

• USB stick (4GB will do just fine)
• Vista or Windows 7 installation
• Windows 7 media (can be used with Vista as well)

So first of all we need to format the USB stick .. Insert the usual rubbish about it wiping everything on the drive and to back it all up etc etc (LAME). You do this by doing the following

1. Plug in your USB Flash Drive
2. Open a command prompt as administrator (Right click on Start > All Programs > Accessories > Command Prompt and select “Run as administrator”
3. Find the drive number of your USB Drive by typing the following into the Command Prompt window:
   diskpart
   list disk
   The number of your USB drive will listed. You’ll need this for the next step.  I’ll assume that the USB flash drive is disk 1.
4. Format the drive by typing the next instructions into the same window. Replace the number “1” with the number of your disk below.
   select disk 1
   clean
   create partition primary
   select partition 1
   active
   format fs=NTFS
   assign
   exit
   

When that is done you’ll have a formatted USB flash drive ready to be made bootable.

OK .. next we need to make the drive bootable .. this is pretty easy!

1. 1. go to your Windows 7 install directory (on the DVD).
   2. Change directory to the DVD’s boot directory where bootsect lives:
      d:
      cd d:\boot
   3. Use bootsect to set the USB as a bootable NTFS drive prepared for a Vista/7 image. I’m assuming that your USB flash drive has been labeled disk G:\ by the computer:
      bootsect /nt60 g:
   4. We’re done for this part

The final step (apart from actually runing the install) is to copy the contents of the Windows 7 DVD to the USB stick. You can use Windows explorer for this .. too easy huh?

Shove that USB stick into a netbook, power it up, make it boot from the USB stick and watch the magic of Windows 7 begin!!

That’s the basics .. if you have trouble with that you should see if there’s some video tutorials on youtube or something. Good luck team!