Posts

Showing posts from April, 2015

Analysis of scans.io - Rapid7 UDP Scans - UPnP

I pulled from the scans.io "Internet-Wide Scan Data Repository" the dataset provided by Rapid7 about UPnP.  The download was 1GB in size and grew to 14GB when uncompressed.  My intent in analyzing this information is to identify the number of IP addresses that respond to the UPnP scan and then identify which internet service providers have the largest concentration of vulnerable devices.

Below is the first command that I used to parse out the IP Address of the responding device:

cat 20150420-upnp-1900.csv | awk -F "," '{print $2}' > ipAddr.raw

Then I found that some hosts responded multiple times to the UPnP request.  So I sorted the IP addresses and wrote only the unique addresses back to a file with the following command:

cat ipAddr.raw | sort | uniq > sorted_ipAddr.raw

With that file I derived the following number, which is how many IP addresses responded to the UPnP scan:

2,991,548

Wow! Then I took the list of IP Addresses …

Analysis of scans.io - University of Michigan · Full IPv4 FTP Banner Grab

For this post I downloaded from the "Internet-Wide Scan Data Repository" at scans.io the data set from 4/17/2015 for "Full IPv4 FTP Banner Grab".  My intent in analyzing this information is only to look at the banners (headers).  I am curious which headers are most common and what percentage of them have published exploits.

After downloading the file and extracting it (5GB uncompressed), I parsed it with the following command to grab only the FTP banner, and then trimmed each banner to its first line:

cat b70f5n9ffx49j6g8-zgrab-results-21-ftp-banner-full_ipv4-20150417T160718.json | sed 's/^.*response":"220//' | sed 's/"},"error.*$//' | grep -v "host" | sed 's/\\r\\n.*//' | sed 's/^$//' > ftp_banner_raw.txt

With the above information I counted the lines to identify the number of FTP servers in the dataset that either responded on port 21 or timed out trying …

0.7% or 311,026 IP Addresses found continue to be vulnerable to Heartbleed

As I was glancing through the logs of my honeypots I spent some time looking at the following entries, which in the past I had simply overlooked:

The URL in the "User Agent" field of the log turned out to be legitimate, so I went to the site "project25499.com".

I found two publications from Rapid7 to be of value: Legal Considerations for Widespread Scanning and ZMAP: Scanning Best Practices.

If you follow the link to the ZMap site, where the tool used for this sort of scanning can be obtained, it lists the following as best practices:

Looking further at the home page, you notice that the University of Michigan is involved in this research and in the maintenance of the tool.  From there you can find the site "https://scans.io".

This is an internet-wide scan data repository, where they publish the raw output of the scans they conduct.  The section that again caught my eye was "Heartbleed".  After clicking on the title I found a 1…

Send an Image in-line using Python

Referencing the following site, I created an HTML email with an inline image.
http://code.activestate.com/recipes/473810-send-an-html-email-with-embedded-image-and-plain-t/

Below is the source code from the above site:

# The email.mime.* module paths work on both Python 2.5+ and Python 3
# (the original recipe used the older email.MIMEMultipart style names).
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from email.mime.image import MIMEImage

strFrom = 'user@domain.com'
strTo = "user@domain.com"

# Root container: "related" lets the HTML part reference the image by Content-ID
msgRoot = MIMEMultipart('related')
msgRoot['Subject'] = 'Email'
msgRoot['From'] = strFrom
msgRoot['To'] = strTo
msgRoot.preamble = 'This is a multi-part message in MIME format.'

# "alternative" container holds the HTML body (a plain-text part could sit alongside it)
msgAlternative = MIMEMultipart('alternative')
msgRoot.attach(msgAlternative)

# The <img> tag references the image part by its Content-ID (cid:image1)
msgText = MIMEText('<html><body>&nbsp;&nbsp;Email Text<br /><br /><img src="cid:image1"><br /><br />Email Text</body></html>', 'html')
msgAlternative.attach(msgText)

# Read the image bytes and wrap them as a MIME image part
fp = open('pic.png', 'rb')
msgImage = MIMEImage(…

What's in the honeypot? Advanced Information Security Shellshock Scanner

In the honeypot I found over 276 requests for CGI files that could be used to exploit the Shellshock vulnerability, documented as CVE-2014-6271.


After using Google to identify some of the "cgi" files, I noticed the tool that had been used to scan the honeypot.  The tool is hosted on the Packet Storm site at the following location.

The tool is called the "Advanced Information Security Shellshock Scanner", or AIS.  It is a C program that can be compiled and then used to scan multiple computers by IP address.  The program was authored by "Nicholas Lemonias" and posted Oct. 3, 2014.

A little about "Nicholas Lemonias".  I was able to find his Google+ page, as shown below:

Viewing his author page at Packet Storm and many other pages, he has created quite the collection of exploits.

Back to my curiosity about the CGI files.  I wanted to go through some of them, search Google, and try to identify what software, hardware, or device each may…

OWASP Broken Web Apps - Broken Wordpress - Reset Password Flaw

I started examining the password reset function of the WordPress blog and found a flaw in how it derives the new password from an MD5 hash.

Starting on line 141, you can see the function that is executed to generate a new password for a user, as shown below:


Using the microtime, uniqid, and md5 functions together is a clever way of generating $new_pass, the new password.  However, observe that the value created is then truncated to 7 characters.

Truncating the password to 7 characters leads to 16^7 possible password combinations, which are then MD5 hashed.  This equates to less than 300,000 possibilities that the password could be.  Why are there only 16 possibilities per character?  An MD5 hash is written in hexadecimal, so each character is one of only 16 values: the digits 0-9 and the letters a-f.

A typical alphanumeric password that is 7 characters long, using upper-case letters, lower-case letters, and numbers, has 62^7 possibilities.  This is much s…

OWASP Broken Web Apps - GetBoo Walkthrough

Here is a quick walkthrough of GetBoo.  The first issue I found is that you can harvest the usernames of the registered users.  First, click the register link in the upper-right area of the screen:

Although the window pops up for only a few seconds, you can capture the URL in a proxy.  Clicking the availability link then produces the following URL:

http://172.16.102.135/getboo/checkUsername.php?usernameToCheck=test

A quick check with sqlmap, and placing a single apostrophe in the parameter, did not detect SQL injection, but it still could exist.  However, I noticed you can use OWASP ZAP to fuzz the username field.  After loading ZAP and accessing that URL you see the following:

Now you can highlight test on the first line, right-click, and select Fuzz.  If you have created a username list you can select it and begin fuzzing.  Looking at the results below we can derive a few things:

If you observe the size of the response from the webserver for the use…

OWASP Broken Web Apps - Broken Wordpress Walkthrough

I thought I would work through a few of the web applications provided by OWASP on their Broken Web Applications VM.

The first one I will walk through is the "Broken Wordpress" site.  To begin the analysis I gather information about the site using nikto and wpscan.  The commands executed and their results are below:

# nikto -h http://172.16.102.135/wordpress/
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          172.16.102.135
+ Target Hostname:    172.16.102.135
+ Target Port:        80
+ Start Time:         
---------------------------------------------------------------------------
...snip...
+ Apache/2.2.14 appears to be outdated (current is at least Apache/2.4.7). Apache 2.0.65 (final release) and 2.2.26 are also current.
...snip....
+ mod_ssl/2.2.14 OpenSSL/0.9.8k Phusion_Passenger/3.0.17 mod_perl/2.0.4 Perl/v5.10.1 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which …

peepdf - Quick Reference

Recently I had to pull apart a PDF to investigate whether it contained malware.  I wanted to record a few of the sites that I visited and gathered information from to accomplish the task.

The homepage and download location for the peepdf tool is, at the current time, here:
http://eternal-todo.com/tools/peepdf-pdf-analysis-tool#releases

Here is a walkthrough of some of the commands:
http://eternal-todo.com/tools/peepdf-pdf-analysis-tool#usage

This entry shows how to save JavaScript, shellcode, or other data from the PDF file to an external file:
http://eternal-todo.com/blog/extract-streams-shellcode-peepdf

Other resources that I happened upon:
https://zeltser.com/peepdf-malicious-pdf-analysis/
http://www.insinuator.net/2014/02/analyzing-a-cve-2013-3346cve-2013-5065-exploit-with-peepdf/

vulnhub - Pandora's Box by c0ne Level 1 - Following walkthrough by strata

I was looking through the boot2root vulnerable images on vulnhub.com and Pandora's Box caught my eye.  I wanted to follow and experiment with the timing attack described in the walkthrough done by strata, using code that resembles strata's.

To briefly describe how the first password is gathered: you can connect on port 54311 and are prompted for a password.  strata determined through testing that if you guessed a correct letter of the password, the service would respond more quickly than if you did not.  I wanted to see this for myself, so I created the following script:

#!/usr/bin/python
# Measures how long the service takes to answer a password guess, to
# observe the timing difference strata describes in the walkthrough.

import socket
import time
import sys

server = "172.16.102.137"   # Pandora's Box VM
dstPort = 54311             # port of the password prompt
chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"  # candidate characters
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((server, dstPort))

def returnDuration(sentStr):
    # Start the clock, then read from the socket until the prompt arrives
    p = time.time()
    while True:
        infoRecv = s.recv(1024)
        #print infoRecv
        if 'Passw…

What's in the honeypot? Frequency of SSH Login Attempts based on Country of Origin

Today, looking at the logs of the honeypots, I became curious which countries the IP addresses attempting to log in to SSH come from, based on whois:


Occurrences  Country
511          China
149          Australia
6            Vietnam
4            Russia
3            South Korea
3            Thailand

I noticed that most of the failed login attempts come from China; again, this is not attribution to China or any other country listed.

I was curious which of the IP addresses came from Russia:
31.184.194.115
78.109.142.184
122.225.38.23
195.94.234.86

The only IP with any history on virustotal.com is 195.94.234.86, but no association with malicious files has been recorded at this time.