Monday 15 October 2012

Rebuild MiniPwner

Hi,

I just wanted to use my MiniPwner again after some months where it was just placed on my desk and unfortunately I forget the password and I also didn't wrote it in my KeePass File.

So I had to reinstall it. Luckily there is a rebuilding instruction of the MiniPwner in case there went something wrong with your MiniPwner (or you just forget about the password ;-) ).

In the rebuilding instructions it is mentioned to get the "squash-sysupgrade.bin". I couldn't get it on this URL as the folder is empty. So I used the latest firmware "openwrt-ar71xx-generic-tl-wr703n-v1-squashfs-factory" for the TP-Link router from this directory on openwrt. The MD5Sum I got was:


root@Pulse:/tmp# md5sum owrt.bin
5d7bac7b467c42e215c60fcd0a00cc01
The image is available again.

On your Client where you've placed your openwrt image, you just start your netcat server.

# nc -l -p 3333 < openwrt-ar71xx-generic-tl-wr703n-v1-squashfs-factory.bin

On your TP-Link now just get the image via netcat:

# nc 192.168.1.2 3333 > /tmp/owrt.bin

The file should be on your TP-Link within a few seconds so you can abort the netcat session on it. After that just install the firmware:

# mtd -r write 703.bin firmware

After the installation of the firmware is done, which shouldn't take longer than one or two minutes, you need to configure your interface of the client that is connected to TP-Link to DHCP. The IP of TP-Link should be 192.168.1.1. You can now telnet to this IP:


$ telnet 192.168.1.1
Trying 192.168.1.1...
Connected to 192.168.1.1.
Escape character is '^]'.
 === IMPORTANT ============================
  Use 'passwd' to set your login password
  this will disable telnet and enable SSH
 ------------------------------------------

BusyBox v1.19.4 (2012-08-26 12:49:54 UTC) built-in shell (ash)
Enter 'help' for a list of built-in commands.
  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 ATTITUDE ADJUSTMENT (12.09-beta, r33312)
 -----------------------------------------------------
  * 1/4 oz Vodka      Pour all ingredients into mixing
  * 1/4 oz Gin        tin with ice, strain into glass.
  * 1/4 oz Amaretto
  * 1/4 oz Triple sec
  * 1/4 oz Peach schnapps
  * 1/4 oz Sour mix
  * 1 splash Cranberry juice
 -----------------------------------------------------
root@OpenWrt:/# 
You should now change your root password so that you can login via ssh in the future. Then you can ssh to your TP-Link and can continue the installation instructions on minipwner.org at step 12.

You can also navigate now to the Webgui under http://192.168.1.1/cgi-bin/luci.

IMPORTANT:


Right now it is not possible to execute "opkg update" as all the files in http://downloads.openwrt.org/snapshots/trunk/ are missing. There are several tickets about this issue, here and here.

But they are both almost 2 weeks old and it's not clear when the files are coming back. So here is what I did (thanks to flyingstar16, who posted this hint in one of the tickets):

1. Comment out the lines in /etc/opkg/xwrt.conf

root@Pulse:/etc# vim opkg/xwrt.conf
#src/gz X-Wrt http://downloads.x-wrt.org/xwrt/snapshots/trunk/ar71xx/packages

2. Comment out the line to http://downloads.openwrt.org/snapshots/trunk/ar71xx/packages as it is not working and add the line "src/gz attitude_adjustment http://downloads.openwrt.org/attitude_adjustment/12.09-beta/ar71xx/generic/packages"

root@Pulse:/etc# vim opkg.conf


src/gz attitude_adjustment http://downloads.openwrt.org/attitude_adjustment/12.09-beta/ar71xx/generic/packages
#src/gz snapshots http://downloads.openwrt.org/snapshots/trunk/ar71xx/packages
dest root /
dest ram /tmp
lists_dir ext /var/opkg-lists
option overlay_root /overlay

3. Now you can execute opkg update.


Some other hints:

When copying all the files in Step 19 in /etc/ to make a backup of them, I hadn't a firewall config and fstab. See my output:


root@OpenWrt:/usr/share# cp -f /etc/config/network /etc/config/network.orig
root@OpenWrt:/usr/share# cp -f /etc/config/wireless /etc/config/wireless.orig
root@OpenWrt:/usr/share# cp -f /etc/config/firewall /etc/config/firewall.orig
root@OpenWrt:/usr/share# cp -f /etc/profile /etc/profile.orig
root@OpenWrt:/usr/share# cp -f /etc/config/fstab /etc/config/fstab.orig
cp: can't stat '/etc/config/fstab': No such file or directory
root@OpenWrt:/usr/share# cp -f /etc/opkg.conf /etc/opkg.conf.orig
root@OpenWrt:/usr/share# cp -f /etc/config/system /etc/config/system.orig
root@OpenWrt:/usr/share# cp -f /etc/config/dhcp /etc/config/dhcp.orig
root@OpenWrt:/usr/share# cp -f ./network.1 /etc/config/network
cp: can't stat './network.1': No such file or directory
root@OpenWrt:/usr/share# cp -f ./wireless.1 /etc/config/wireless
cp: can't stat './wireless.1': No such file or directory
root@OpenWrt:/usr/share# cp -f firewall.1 /etc/config/firewall
cp: can't stat 'firewall.1': No such file or directory


But everything worked fine. I also skipped step 20 and 21 as the right MAC-Address for WiFi was already in the config. 

Here is a good explanation how to configure WiFi in OpenWRT.

Have fun.

Sunday 23 September 2012

Setup a Mailserver

Hy,

this post is not about pentesting, but this weekend I had to move a domain of a friend of mine to my Debian server. After moving the domain I needed also to setup a (IMAP-) mail server. I'm not so good into configuring a whole mailserver system, but I found this really great tutorial:

http://workaround.org/ispmail/squeeze/

It worked just like a charme. And even if you have a problem just look in the comments, there is for sure someone that already had the same problem. If not, look in /var/log/mail.log ;-)

Cheers.

Thursday 6 September 2012

Perl and https requests

Hi there,

today I was in the mood in writing some little perl script that I need for a project. To get the perl script running it was needed to execute some https requests.

First I was installing LWP::UserAgent and HTTP::Request via cpanm. Then I was writing a basis script that was executing a http request. I'm only interested in the header, so I don't want to print out the body content (I've found this litte code snippet here).

 #!/usr/bin/perl  
 use LWP::UserAgent; 
 use HTTP::Request;  

 my $URL = 'http://www.example.com/';  
 my $agent = LWP::UserAgent->new(env_proxy => 1,keep_alive => 1, timeout => 30);  
 my $header = HTTP::Request->new(GET => $URL);  
 my $request = HTTP::Request->new('GET', $URL, $header);  
 my $response = $agent->request($request);  

 if ($response->is_success){  
     print "URL:$URL\nHeaders:\n";  
     print $response->headers_as_string;  
 }elsif ($response->is_error){  
     print "Error:$URL\n";  
     print $response->error_as_HTML;  
 }  

This worked for me very well, but I needed to create a https request. When I was executing the same script with https instead of http I was getting the following error:

 Error:https://www.example.com/  
 <html>  
 <head><title>An Error Occurred</title></head>  
 <body>  
 <h1>An Error Occurred</h1>  
 <p>501 Protocol scheme 'https' is not supported (LWP::Protocol::https not installed)</p>  
 </body>  
 </html>  

So, I need to install LWP:Protocol:https, but this wasn't working:

 $ sudo cpanm LWP::Protocol::https  
 --> Working on LWP::Protocol::https  
 Fetching http://www.cpan.org/authors/id/G/GA/GAAS/LWP-Protocol-https-6.03.tar.gz ... OK  
 Configuring LWP-Protocol-https-6.03 ... OK  
 ==> Found dependencies: IO::Socket::SSL  
 --> Working on IO::Socket::SSL  
 Fetching http://www.cpan.org/authors/id/S/SU/SULLR/IO-Socket-SSL-1.76.tar.gz ... OK  
 Configuring IO-Socket-SSL-1.76 ... OK  
 ==> Found dependencies: Net::SSLeay  
 --> Working on Net::SSLeay  
 Fetching http://www.cpan.org/authors/id/M/MI/MIKEM/Net-SSLeay-1.48.tar.gz ... OK  
 Configuring Net-SSLeay-1.48 ... OK  
 Building and testing Net-SSLeay-1.48 ... FAIL  
 ! Installing Net::SSLeay failed. See /root/.cpanm/build.log for details.  
 ! Bailing out the installation for IO-Socket-SSL-1.76. Retry with --prompt or --force.  
 ! Bailing out the installation for LWP-Protocol-https-6.03. Retry with --prompt or --force.  

Openssl was installed, but I needed to install "build-essential libssl-dev" to get the installation of LWP:Protocol_https working:

 $ sudo apt-get install build-essential libssl-dev  

Now https requests can be made with perl:

 #!/usr/bin/perl  
   
 use LWP::UserAgent;  
 use HTTP::Request;  
   
 my $URL = 'https://www.twitter.com/';  
   
 my $ua = LWP::UserAgent->new(ssl_opts => { verify_hostname => 1 });  
 my $header = HTTP::Request->new(GET => $URL);  
 my $request = HTTP::Request->new('GET', $URL, $header);  
 my $response = $ua->request($request);  
   
 if ($response->is_success){  
     print "URL:$URL\nHeaders:\n";  
     print $response->headers_as_string;  
 }elsif ($response->is_error){  
     print "Error:$URL\n";  
     print $response->error_as_HTML;  
 }  
   

Response of twitter.com on port 443:

   
 $ ./hsts.pl   
 URL:https://www.twitter.com/  
 Headers:  
 Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0  
 Date: Thu, 06 Sep 2012 21:22:33 GMT  
 Pragma: no-cache  
 ETag: "f7a8e95e2978ac6f73209336152b9495"  
 Server: tfe  
 Vary: Accept-Encoding  
 Content-Length: 47126  
 Content-Type: text/html; charset=utf-8  
 Expires: Tue, 31 Mar 1981 05:00:00 GMT  
 Last-Modified: Thu, 06 Sep 2012 21:22:33 GMT  
 Client-Date: Thu, 06 Sep 2012 21:22:33 GMT  
 Client-Peer: 199.59.148.10:80  
 Client-Response-Num: 1  
 Content-Base: http://twitter.com/  
 Link: <http://a0.twimg.com>; rel="dns-prefetch"  
 Link: <http://api.twitter.com>; rel="dns-prefetch"  
 Link: </favicons/favicon.ico>; rel="shortcut icon"; type="image/x-icon"  
 Link: <http://a0.twimg.com/a/1346884958/t1/css/t1_core_logged_out.bundle.css>; media="screen"; rel="stylesheet"; type="text/css"  
 Link: <https://twitter.com/>; rel="canonical"  
 Link: <http://a0.twimg.com/a/1346884958/t1/css/t1_more.bundle.css>; media="screen"; rel="stylesheet"; type="text/css"  
 Refresh: 0; URL=/?_twitter_noscript=1  
 Set-Cookie: k=10.36.21.101.1346966553057924; path=/; expires=Thu, 13-Sep-12 21:22:33 GMT; domain=.twitter.com  
 Set-Cookie: guest_id=v1%3A134696655306150737; domain=.twitter.com; path=/; expires=Sun, 07-Sep-2014 09:22:33 GMT  
 Set-Cookie: _twitter_sess=BAh7CSIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoPY3JlYXRlZF9hdGwrCOaBdp05AToMY3NyZl9p%250AZCIlNThkNmZkYjY2ODJjNTc0MzY0YTY2Y2M0YjI0OGU2NWE6B2lkIiUwMmUz%250AZTJjY2VkMjFiYWNmZjQ5MmI2MjQyNWU5ZTJiMw%253D%253D--7d08430b6a85e0006ac4c062a4218d5cf841f564; domain=.twitter.com; path=/; HttpOnly  
 Status: 200 OK  
 Title: Twitter  
 X-Frame-Options: SAMEORIGIN  
 X-Meta-Charset: utf-8  
 X-Meta-Description: Verbinde Dich sofort mit den Dingen, die für Dich am wichtigsten sind. Folge Freunden, Experten, Lieblingsstars und aktuellen Nachrichten.  
 X-MID: e88c4d8fc53fc1466f24f3cbc905d24fd89af901  
 X-Runtime: 0.07026  
 X-Transaction: 4998cc5789e9b2c0  
 X-UA-Compatible: IE=edge  
 X-XSS-Protection: 1; mode=block  
   


First step is done :-)

Sunday 2 September 2012

Vulnerable Web Applications

Hey there,

really a long time without a new post, but hopefully this will change in the future.

In this post I was listing some vulnerable VMs that can be used for pentesting at home. There are also several vulnerable Web Applications available, that can be used for pentesting. I've found a really great overview of vulnerable Web Applications.

I will use for local testing now Damn vulnerable Web Application (DVWA)

Here is a short description about DVWA copied from the DVWA website:
Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a class room environment.
So the only thing you will need, after downloading DVWA is Apache/PHP/MySQL environment. This      can be easily realized with XAMPP, as it is a full package containing Apache Webserver with PHP and a MySQL Database and is available for a lot of plattforms (Mac OS X/ Windows / Linux / Solaris).

Hopefully I will have some time to execute a pentest against DVWA and to post some findings about it :-)


Tuesday 13 March 2012

MiniPwner

Hey folks,

after waiting for two months my TP-Link Router has finally arrived yesterday. I'm not quite happy how the order was processed by volumerates.com. I ordered the TP-Link on 16th of January and volumerates gave an information in the automated E-Mail (after buying the router) that customers should write an E-Mail to them if they didn't get any response by volumerates.com within one week.
I didn't get any response within one week so I decided to write an E-Mail to them. => No Answer.
After another 4 weeks (I was in vacation abroad) still no answer. So I wrote another E-Mail => No Answer.
Then I openend a ticket on http://www.volumerates.com/. => No Answer.
I had no information at all for two months and there were also no E-Mails in my Spam Folder. Just one respond to my E-Mail that it will take one or two months would have been very good. I already thought my money is lost...

The happy part though is that it finally arrived and the installation instruction on MiniPwner.com worked as a charm.

Now I've got a fully working pentesting device with a RJ45 port, Wi-Fi and one USB-Port running OpenWRT. The USB-Port is already used by a 8 GB USB Flash-Drive.

Here a short overview of the installed tools so far:

root@OpenWrt:~# opkg list
aircrack-ng - 1.1-3
base-files - 104-r30857
base-files-network - 3
blkid - 1.42-1
block-mount - 0.2.0-7
busybox - 1.19.3-10
bzip2 - 1.0.6-1
crda - 1.1.1-1
dnsmasq - 2.59-2
dropbear - 2011.54-2
dsniff - 2.4b1-2
elinks - 0.11.7-1
firewall - 2-47
hotplug2 - 1.0-beta-4
iptables - 1.4.10-4
iw - 3.3-1
kernel - 3.2.9-1-7ca3c65ac3709dabad42d460596851da
kismet-client - 2010-07-R1-1
kismet-server - 2010-07-R1-1
kmod-ath - 3.2.9+2012-02-27-1
kmod-ath9k - 3.2.9+2012-02-27-1
kmod-ath9k-common - 3.2.9+2012-02-27-1
kmod-cfg80211 - 3.2.9+2012-02-27-1
kmod-crypto-aes - 3.2.9-1
kmod-crypto-arc4 - 3.2.9-1
kmod-crypto-core - 3.2.9-1
kmod-fs-ext4 - 3.2.9-1
kmod-gpio-button-hotplug - 3.2.9-1
kmod-ipt-conntrack - 3.2.9-1
kmod-ipt-core - 3.2.9-1
kmod-ipt-nat - 3.2.9-1
kmod-ipt-nathelper - 3.2.9-1
kmod-leds-gpio - 3.2.9-1
kmod-ledtrig-usbdev - 3.2.9-1
kmod-lib-crc-ccitt - 3.2.9-1
kmod-lib-crc16 - 3.2.9-1
kmod-mac80211 - 3.2.9+2012-02-27-1
kmod-nls-base - 3.2.9-1
kmod-ppp - 3.2.9-1
kmod-pppoe - 3.2.9-1
kmod-scsi-core - 3.2.9-1
kmod-tun - 3.2.9-1
kmod-usb-core - 3.2.9-1
kmod-usb-ohci - 3.2.9-1
kmod-usb-storage - 3.2.9-1
kmod-usb2 - 3.2.9-1
kmod-wdt-ath79 - 3.2.9-1
libblkid - 1.42-1
libbz2 - 1.0.6-1
libc - 0.9.33-104
libcom_err - 1.42-1
libext2fs - 1.42-1
libgcc - 4.6-linaro-104
libgdbm - 1.9.1-2
libip4tc - 1.4.10-4
liblzo - 2.05-1
libncurses - 5.7-5
libnet0 - 1.0.2a-8
libnids - 1.18-1
libnl-tiny - 0.1-2
libopenssl - 1.0.0g-1
libpcap - 1.1.1-1
libpcre - 8.11-2
libpthread - 0.9.33-104
libreadline - 5.2-2
librpc - 0.9.32-rc2-0a2179bbc0844928f2a0ec01dba93d9b5d6d41a7
libstdcpp - 4.6-linaro-104
libuci - 2012-02-24.1-1
libuuid - 1.42-1
libxtables - 1.4.10-4
mtd - 17
nbtscan - 1.5.1
netcat - 0.7.1-2
nmap - 5.51-3
openssh-sftp-client - 5.9p1-4
openvpn - 2.2.1-5
opkg - 618-2
perl - 5.10.0-7
ppp - 2.4.5-4
ppp-mod-pppoe - 2.4.5-4
samba2-client - 2.0.10-8
samba2-common - 2.0.10-8
snort - 2.8.4.1-3
swap-utils - 2.13.0.1-4
swconfig - 10
tar - 1.23-1
tcpdump - 4.2.1-1
terminfo - 5.7-5
uboot-envtools - 2011.06-4
uci - 2012-02-24.1-1
uclibcxx - 0.2.2-3
wireless-tools - 29-4
wpad-mini - 20111103-3
yafc - 1.1.1-2
zlib - 1.2.5-1

Tuesday 17 January 2012

Pentesting Devices / Gadgets

There are three devices I have found, that can be very useful if you're executing a (physical) security pentest:
All of these devices are just as big as a cigarette packet and to make a long story short they can be described like this:

They are designed as a small, simple but powerful device that can be inconspicuously plugged into a network and provide the penetration tester remote access to that network.
(Quote from "What is the Mini Pwner")


The great thing about the Mini Pwner is, that you can easily build one on your own. I just purchased yesterday the TP-Link TL-WR703N router and hopefully I will get it next week. When I have time, I will build it in the next week and post about it here in my blog.

An comparision between Pwnie Express and Mini Pwner can be found here.

Monday 16 January 2012

Increasing virtual disk in ESX 3.5

My installation of BackTrack has only a 10 GB virtual disk, because I was using the default settings when I installed it. Now I want to increase it to 25 GB.

This can be done through opening the VMware Infrastructure-Client (only available for Windows). After it has started, you have to right-click on the virtual machine that needs a bigger virtual disk and choose "Edit Settings" in the context menu. Then you have to select "Virtual Disk" Now you can increase the size of the disk and confirm the new size with "Ok".


All the steps I just described can also be done, when the VM is still running. As a next step we need to increase the partition, so that the VM will recognize the new space and that the disk size has changed. For this task we will use GParted. We just need to download the GParted ISO and upload it to the ESX server so that we can select it in the VM settings as "Datastore ISO File". With this settings the VM will boot up GParted when the VM is starting:


If GParted won't boot (in my case I had this problem), you have to force the VM to go into the BIOS settings and change the boot order (CD-Rom should be first, at least before HD ;-)



After a new try to boot GParted, we can see now that GParted is actually booting :-)


After selecting the key-map I couldn't just start X. I had to configure it through the wizard first, otherwise I was getting this error (see also screenshot):

Virtual width (1184) is too large for the hardware (max 1180)
Screen(s) found, but none have a usable configuration.


You have to select "Run Forcevideo to config X manually" and click through the wizard. You should take a resolution of 800x600.



Now GParted should have started and you just have to make a right-click on the unused space and create a new partition with an ext4 filesystem.


After the changes have been applied, there is a new partition with 15 GB.


After a reboot we just need to modify /etc/fstab. With fdisk -l we can see all harddisks and partitions:


/dev/sda3 is my new partition with almost 15GB and will now be added to /etc/fstab as new partition for /root. We just need to find out the UUID to insert it into fstab:




That's it :-)


URL
VMware Increasing virtual disk size

Sunday 15 January 2012

Information Gathering of Apache on Metasploitable

After bruteforcing Postgresql and MySQL, it's now time to prepare an attack to the Apache Webserver. I will try to get as much information about the webserver as possible to prepare an attack. The IP of my Metasploitable VM is 192.168.178.65.

First we're starting the burp interception proxy. You can find burpsuite in the Backtrack Applications directory:


The version of burp used within BackTrack is of course only the "Free Edition" and not the "Professional Edition". Here you can get a comparison of both versions. In the future I will use the ZAP proxy provided by OWASP, but for this phase the capabilities of the burp "Free Edition" is sufficient.

To use burp as an interception proxy you just need to configure your browser to use the burpsuite as a proxy server.


When you're browsing now to the IP of Metasploitable, you will see the HTML request under the proxy Tab "intercept" in burp. This HTML requests can now be modified, forwarded or dropped.

As we already know from our successful MySQL Brute Force attack, there should be a tikiwiki installation available. And we already know the login credentials (admin:admin). So let's just give it a try:

http://192.168.178.65/tikiwiki

And there is an installation of tikiwiki available :-) Now you just need to login via the  login form in the tikiwiki with the credentials admin:admin. After the successfull authentication we have to change the password, and we are already admin in the tikiwiki:


It is version 1.9.5 of TikiWiki



Now we should spider the directory of tikiwiki, to see what files and directories are available. This can be done when clicking on the "target" tab in burp. There you will see all the files and directories you just have been browsed manually. By clicking the right mouse button, a context menu will appear:


When you click on "spider this branch" burp will run through all links he can find in this branch and will create an index with all available directories and files he is finding. Through this commando you can get an overview of the web application and know what frameworks and programm languages and so an are used.

Another good method to get information about the installed webserver and modules or programming languages that are used, is to force an error. By just requesting a website that is not available, the default error pages are generating very informative error messages:


Know we know that Apache version 2.2.8 with PHP version 5.2.4 is used and that the OS is very likely an Ubuntu installation.

Nmap did also find another webserver on Port 8180:



A default installation of Tomcat version 5.5 is also available by Metasploitable. I can login via tomcat default credentials (tomcat:tomcat) to Status,  Tomcat Administration and Tomcat Manager.

So let's just sum up what we have found till now:

SoftwareVersion
Apache2.2.8
PHP5.2.4
TikiWiki1.9.5
Apache Tomcat5.5

With this information, we should be able to find some vulnerabilities for this pretty old software in known ressources and of course some public available exploits :-)

Brute Forcing Postgres

After brute forcing MySQL I wanted to brute force the next service, this time PostgreSQL. Again the output of the nmap scan against Metasploitable:

PORT STATE SERVICE VERSION

21/tcp open ftp ProFTPD 1.3.1

22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp open telnet Linux telnetd
25/tcp open smtp Postfix smtpd
53/tcp open domain
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch)

139/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
3306/tcp open mysql MySQL 5.0.51a-3ubuntu5
5432/tcp open postgresql PostgreSQL DB 8.3.0 - 8.3.7
8009/tcp open ajp13?
8180/tcp open http Apache Tomcat/Coyote JSP engine 1.1



This time, I'm just using Metasploit to brute force:

#msfconsole
#search postgresql
#use auxiliary/scanner/postgres/postgres_login
#show options
#set RHOSTS <Target IP>
#set VERBOSE false
#exploit

Metasploit ships already with a default user and password list for brute forcing, so we don't have to specify other lists. If you wan't to use another user- and password lists, see my post about MySQL Brute Forcing. There I'm explaining where to get and how to use user- and password lists within Metasploit and THC Hydra.


There is no postgresql-client available in BackTrack, so we have to install it to check the finding:

#apt-get install postgresql-client

Then psql can be started:


Seems like a default postgres installation with no data inside. 

Brute Forcing MySQL

I just did my first nmap scan against the Metasploitable Virtual Machine. There are several open ports and a lot of services running on the VM. Here is a listing of the services found by nmap:



PORT STATE SERVICE VERSION

21/tcp open ftp ProFTPD 1.3.1

22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp open telnet Linux telnetd
25/tcp open smtp Postfix smtpd
53/tcp open domain
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch)

139/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
3306/tcp open mysql MySQL 5.0.51a-3ubuntu5
5432/tcp open postgresql PostgreSQL DB 8.3.0 - 8.3.7
8009/tcp open ajp13?
8180/tcp open http Apache Tomcat/Coyote JSP engine 1.1



First I wanted to execute some brute-force attacks against the MySQL database that is running in Metasploitable. There are different ways of brute-forcing it, but your scanner is just as good as you're wordlist or wordcombination files for usernames and passwords are (here are username and password lists for a first shot).

As password list, I'm using elitehacker.txt.bz2 provided by skullsecurity.org and I defined six different users:


root@bt:~/test_environment/brute_force# cat username.txt 
admin
root
mysql
db
test
user


I inserted also all of these six users and a blank line into the elitehackers.txt password file.


1. Using Metasploit

#msfconsole
#search mysql
#use auxiliary/scanner/mysql/mysql_login
#show options
#set RHOSTS <Target IP>
#set USER_FILE /root/<your_username_file>
#set PASS_FILE /root/<your_password_file>
#exploit


The verbose mode is set by default to true, so you can see all login attempts. This is not very convenient, because of two reasons:

a) If the brute force attempt is successful you have to scroll back the whole list of attempts to find the login as there is no summary after finishing the mysql_login module (can be very nasty).
b) The actual scan time is decreasing dramatically. When I was scanning with verbose set to true, it took me 5 Minutes and 5 Seconds. After deactivating verbose mode, the scan was done in 2 Minutes and 5 Seconds.

Conclusion => #set VERBOSE false



2. Using THC Hydra

#hydra -L /root/<your_username_file> -P /root/<your_password_file> <IP> mysql



3. Result

So here is an overview of the results (all scans were executed with the same user- and passwordfile).

mysql_login (verbose mode activated)5 Minutes 5 Seconds
mysql_login (verbose mode deactivated)2 Minutes 5 Seconds
THC Hydra4 Minutes 8 Seconds

It was just a very small brute-forcing attack (5.412 username/password combinations), but Metasploit took almost 25% more time than Hydra with the same wordlists when verbose mode is activated in mysql_login.

If verbose mode is deactivated it is by far the most effective way to brute force mysql.

I don't know if this will scale in the same manner if the brute force attack will have more combinations, but the mysql_login module of Metasploit seems more efficient for mysql brute forcing than THC Hydra.

So let's check this finding manually:


So now we have another login, for a new attack :-)

tcpdump and Wireshark and permission to test

When executing a pentest, it is necessary to document every step that is made during the pentest. This doesn't just mean to make screenshots of every step, input, output and results during the pentest but also to start tcpdump or Wireshark in the background to log every of your steps when executing attacks especially when you're executing exploits or an automated scan (nmap or nessus for example).

This has two reasons:

1. When executing a pentest you just have a short timeframe agreed between you and your customer, and sometimes you don't have time to execute an attack a second time. When you have a dump of the network traffic during pentesting you may be able to get the information you're looking for even after the agreed time frame. If you just have a screenhost you may have the result, but can't describe and understand in detail what has happened. To understand what has happened, is very important to define countermeasures to close the findings.

2. An agreement or permission memo that allows pentesting should always be made and signed BEFORE pentesting (you can find a template here). But even with this agreement, you are much more safer when you have a dump of you activity. Especially when a server or web application of the customer is having problems and the customer is blaming you. It's much better to show the customer your activities afterwards if problems occur, as when you got no evidence at all and can't prove that you were not the trigger for certain problems.

Also the output by burp, ZAP or whatever interception proxy you are using, should always be saved completely afterwards.

Saturday 14 January 2012

Update BackTrack Installation

Before you execute a pentest, you should always update your BackTrack installation. It's pretty easy to update it, as it can be done via apt-get.

#apt-get update
#apt-get upgrade

This will install the latest applications and changes to BackTrack.

Metasploit will not be updated via apt-get, but you can update Metasploit nowadays via a simple msfupdate in BackTrack. Quite easy :-)

Searching for reported vulnerabilities

During the information gathering phase of a pentest, it is very important to check for already reported vulnerabilities. If you know the exact version of the application, operating system, framework, $foo after the usage of different tools (like nmap for example), this version string should be checked on different public available ressources:


Exploit-db.com (is using the exploit archive of milw0rm.com, that was shout down in late 2009)


You can search all of these sites after a vendor or product and you've got a free search. 

Also a good ressource for researching public available exploits is securitytube.net. You can find a lot of different attacks and their descriptions to exploit known vulnerabilities, presented in a video.

There are also some mailing-liste available that can be searched through:

Full Disclosure (very good source for the latest vulnerabilities)

Security Focus (BugTraq archive, not possible to search mail archive)


The search engine at nist.gov is quite useful if you are looking for a certain CVE number. You will get all the information associated with this vulnerability. 

cvedetails.com is also a great ressource if you're looking for a particular CVE number. You will get even more information as on nist.gov and also a link to an exploit, if available. The most important thing for me is, that you can execute a search of a specific product version. 

For example let's say you discover an apache webserver during information gathering phase, that is also supporting PHP in version 5.3.5. Now you want to know what vulnerabilities are known for this PHP version. Just click on "Version Search" and enter the data. 


As a result you will get a listing of all CVE results that are related to PHP 5.3.5 (21 vulnerabilities right now). In this view you can also see if there is an exploit available (marked with a red circle).



But there is more to discover. If you click on PHP (red circle in screenshot above) you will get a lot of statistics about all the vulnerabilities in PHP. When we click on "Browse all versions", the next view will list a table with all versions of PHP that are known for vulnerabilities. 





If you know more public available resources, leave a comment. Thx.

Monday 9 January 2012

Useful Chrome Extensions regarding Pentesting

There are really a lot of different and useful Extensions for Google Chrome that can be used when executing a Pentest. Right now there are more pentesting Add-Ons available for Firefox, but the pentesting Extensions are growing pretty fast. So here is a short overview:

A good starting point is the project KromCAT (Google Chrome Catalog of Auditing exTensions). KromCAT is providing a Mindmap that is categorizing security and audit Extensions regarding Google  Chrome. You can download this catalogue in HTML, the actual Mindmap or a JPG of it. The result of the KromCAT project is also the basis for Mantra on Chrome. Mantra is a special Chrome version that has been adapted for students, penetration testers, web application developers, security professionals etc. and contains almost all Extensions of the KromCAT Mindmap.

As there is already a catalogue of Extensions maintained by KromCAT I don't want to start my own list here. I just want to point out some Extensions that are quite useful for me. I'm not using Extensions for XSS scanning or tampering HTTP data (especially because Extensions like XSS Rays never worked for me). There are better tools like burp that can do this kind of things. All of these Extensions are still working with the latest version of Google Chrome and are making my life easier when testing a web application:

Session Manager
This Extension is quite useful to save all your open tabs in one session to open it later in the same alignment.

Firebug Lite
Firebug for Google Chrome

Web Developer
A web developer Toolbar

IP Address and Domain Information
Quite useful Extension in information gathering phase to discover a big amount of information by one click about a certain IP or Domain.

Awesome Screenshot
Great Extension to take and modify a screenshot.

Proxy Switchy!
Proxy Switchy! is an advanced proxy manager for Google Chrome, it allows users to manage and switch between multiple proxy profiles quickly and easily.

With this ext, you can make notes on any web page, any position. when you open that page again, the notes get loaded automaticly.    

Saturday 7 January 2012

Useful Firefox Add-ons regarding Pentesting

There are really a lot of different and useful Add-ons for Firefox that can be used when executing a Pentest. 

A good starting point is the project FireCAT (Firefox Catalog of Auditing exTensions). FireCAT is providing a Mindmap that is categorizing security and audit Add-ons regarding Firefox. You can download this catalogue in HTML or the actual Mindmap. The result of the FireCAT project is also the basis for  Mantra. Mantra is a special Firefox version that has been adapted for students, penetration testers, web application developers, security professionals etc. and contains almost all Add-ons of the FireCAT Mindmap.

As there is already a catalogue of Add-ons maintained by FireCAT I don't want to start my own list here. I just want to point out some Add-ons that are quite useful for me. I'm not using Add-ons for XSS or SQL Injection scanning or tampering HTTP data (especially because Add-ons like XSS Me or SQL Inject Me never worked for me). There are better tools like burp that can do this kind of things. All of these Add-ons are still working with Firefox 9.0.1 and make my life easier when testing a web application:

HackBar
This toolbar will help you in testing sql injections, XSS holes and site security. It is NOT a tool for executing standard exploits and it will NOT teach you how to hack a site. Its main purpose is to help a developer do security audits on his code. If you know what your doing, this toolbar will help you do it faster. If you want to learn to find security holes, you can also use this toolbar, but you will probably also need a book, a lot of Google and a brain.

Firebug integrates with Firefox to put a wealth of development tools at your fingertips while you browse. You can edit, debug, and monitor CSS, HTML, and JavaScript live in any web page.

Web Developer
The Web Developer extension adds various web developer tools to a browser.

Session Manager saves and restores the state of all or some windows - either when you want it or automatically at startup, after crashes or periodically. It can also automatically save the state of open windows individually.

Persistent and private sticky notes for Firefox. This can be very useful as a reminder or just to take a note to a certain area of a website or input field.

Capture the whole page or any portion, annotate it with rectangles, circles, arrows, lines and text, blur sensitive info, one-click upload to share. During a pentest it's very important to document everything (like error messages for example)

WorldIP
A great Add-on for a first scan in the information gathering phase of a pentest to collect some information about an IP or domain.

FoxyProxy
FoxyProxy is a great tool to switch very convenient between different proxies and is replacing the proxy function provided by Firefox.

Friday 6 January 2012

Remote Administration of BackTrack

As a next step I wanted to install a remote adminstration software to BackTrack that is supporting a client running natively on Mac OS X. I don't want to start everytime my Windows VM to use Vsphere Client to connect to my ESXi and then jump to the console of BackTrack just to get the GUI of it. SSH is sufficient for most of the tasks in pentesting, but some tools as Burp or Nessus for example need a GUI so I had to choose a remote  administration software.

I did choose (Free-)NX as it is tunneled via ssh and available for a lot of operating systems and is providing a native client for Mac OS X. Another feature of NX are "seamless connections". This means you can reconnect to a previous connection you already closed.

First I installed the latest stable server, version 3.5 that can be downloaded on nomachine.com. I downloaded the client, the server and node packages for Debian and installed everything with dpkg on my BackTrack 5 R1 VM. My client is a MacBook with the latest Mac OS X Lion and after downloading the client (also version 3.5) and installing it, this message appeared:


So the Client didn't work, because nomachine.com is still compiling PPC binaries for Mac OS X m(. Fortunately there is a new version of NX-Server available, with a native Intel Client for Mac OS X that can be used with Lion.

Finally I deinstalled the whole NX-Server apps in my BackTrack VM with apt-get autoremove, and installed everything with the latest NX Virtual Desktop Workstation for Linux version 4.0.132-7 (still a preview).

root@bt:~# dpkg -i nxserver_vdw_4.0.132-7_i386.deb

After installation the nxserver service is already running and no update-rc.d has to be executed as this was already done during installation.

The new client is also working on my Intel-Mac. Now it just runs as a charme, and I'm on bleeding edge :-)


To activate sshd in Backtrack when booting up, that is mandatory when using NX, just do the following:

root@bt:~# update-rc.d -f ssh defaults

Before you can start ssh you should generate the dsa and rsa key:

root@bt:~# ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key
root@bt:~# ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key


To activate sshd immediately do the following:

root@bt:~# /etc/init.d/ssh start




Optional:

If you want to configure a secure login to NX via a authentication key instead of username and password you have to do the following steps:

1. Generate a new user in BackTrack (the same username as you are using on your client machine to log in):
#adduser <Username>

2. Create the .ssh directory and authorized_keys2 file in the home directory of the new user in BackTrack:
#su <Username>
#mkdir ~/.ssh
#touch ~/.ssh/authorized_keys2

3. Generate a key-pair on your client machine:
#ssh-keygen -t rsa

4. Copy the content of ~/.ssh/id_rsa.pub on your client machine to ~/.ssh/authorized_keys2 in the home directory in BackTrack
#cat ~/.ssh/id_rsa.pub | ssh root@xxx.xxx.xxx.xxx "cat - >> /home/<Username>/.ssh/authorized_keys2"

5. ssh to BackTrack. It should work now after entering your password for your key, or you just have been logged in if you have not provided a password for you key ;-)

If the authentication via your key is working you just have to place your private key in the NX Player on your client. This can be done when creating a new connection by clicking on the three dots after "Use the system login".


Then you just have to select the private key and the login should work. The private key should end with the file extension "key" otherwise you can't select it:

#mv ~/.ssh/id_rsa ~/.ssh/id_rsa.key

When you can't see ".ssh" directory you have to show hidden files.

If you don't mind about login as root via NX you just have to configure step 1 to 5 for the user root. Then you just have to change /usr/NX/etc/server.cfg in BackTrack and set "EnableAdministratorLogin" to 1 and restart nxserver with

#service nxserver restart

Then you are able to login as root via NX. Have fun :-)


URL:
Linux Server: NX Virtual Desktop Workstation for Linux (Version 4.0.132-7, 06-01-2012)
NX Player for Mac OS X