Where your every desire is catered for, and you never have to go without. If there’s another place on earth with so many flashy lights, then I’ve certainly never heard about it!

Still, When I saw that this year Blackhat had gone to 11 tracks, I couldn’t help but think they’d were going a little bit too far, even for Vegas!

There’s a fine line between offering good content and swamping visitors with just too much choice…  and no matter how much I try, I just can’t help but get the feeling that Blackhat Las Vegas just jumped the shark!

I go to more than my fair share of conferences, and one thing that connects them all for me is the excitement and anticipation I get when looking over the list of speakers and talks. Picking out the ones I really want to see, the people I want to meet and the things I want to learn about, are one of the highlights of a conference for me. The build-up is almost as important as the event after all. When I saw the schedule for this years Blackhat however, I didn’t feel excited. It wasn’t because there were no good talks, because there were a lot of great talks and great speakers. It was just too much. In my mind Blackhat had hit that point where it just didn’t matter what talks people went to anymore. It was just too big, too complex, and too confusing to me. I couldn’t help but get the feeling that no matter what talk I saw, I’d always be thinking about the other 10 tracks and what I was missing out on!

Maybe it’s just me, maybe everybody else thinks this was the best Blackhat ever. Everybody has his/her own opinion, and mine is that Blackhat (at least in Vegas) is dead to me. I doubt I’ll be attending next year for the new improved 12 track program (they have to make it more impressive next year after all… there’s no backing down now!). If you want to find me, I’ll be sitting by the pool at BSides talking to people who do this for the love of it, and not the money.

SHODAN for Penetration Testers – Michael “theprez98″ Schearer

What is SHODAN

SHODAN is a search engine designed to crawl server and gathering banner information from specific ports.

A search engine of banners instead of content.

We can use this information to fingerprint the type and/or version of system

Basic Operations

Accessible through the website –> www.shodanhq.com

There are also a number of browser add-ons that allow you to search directly from a browser without using the main interface.

The search engine supports standard things such as boolean operators, as you’d expect

Login –> Either a free access search (a few features restricted) or create an account for full access.

Filters

Typing “CISCO” into SHODAN will come up with a lot of results. To filter this, you can use specific filtering values.

• after/before
  • Limit results by date
• country
  • 2 letter country code
• hostname
  • Filters by text in the hostname or domain
• net
  • Specific IP range or subnet
• os
• port
• SSL

Filters can be specified through the interface using the map/checkboxes. Alternatively, you can directly enter the filter text into the search box.

The map is also interactive, showing the number of scanned hosts when you mouseover a country.

example: apache country:CH –> search for all systems in CH with the match on apache

Knowing what the banner returns is very helpful for finding systems you want to locate.

Other Examples :

• apache hostname:.nist.gov
• iss-5.0 hostname:.edu

Port filtering

• FTP 21
• SSH 22
• Telnet 23
• HTTP 80
• SNMP 161
• HTTPS 443 –> Requires an SSL add-on

The SSL/HTTPS searches requires an add-on. More information on the SHODAN homepage.

Search history is optional and disabled by default

By creating an account you can have personal history and save searches that you wish to repeat.

Export

Can export up to 1,000 results in XML format

Requires an account, and add-on

New section called Network Radar that shows newly added data.

Extended searches available with add-ons

Penetration Testing

Originally a marketing and research tool. However things have changed.

Basic knowledge of banners and status codes is important to be able to make sense of results and configure filters.

When searching for web-servers or domains, a 200 OK message is the best result as no further authentication is required to access the page.

CASE Studies

• CISCO Devices
  • By searching for CISCO with a 200 OK, you will find devices without authentication
  • Some of these are probably test labs….. but not ALL of them!
  • 5-6,000 of such systems on the internet
• Default Passwords
  • Search for the words “default password”
  • Find… a printer accessible from the web using the default password as displayed in the headers
• HAUWEI
  • Exclusion of all 4XX codes –> We just want 200 OK
  • Most responses where all in the same Subnet
  • Lots and lots of VoIP phones public facing
  • However…. they needed a password. Most hauwei have easy to guess default passwords
  • Able to reconfigure the device…. even change the URL for software updates (want to load new firmware?)
• Infrastructure Exploitation… or “How to pwn an ISP”
  • A number of CISCO devices discovered in the earlier section
  • Allow LEVEL 15 access (full admin)
  • Included 2x CISCO 3750 and direct access to a Cisco 7606 router!
  • ISP located in the US (small regional)
  • VLAN IDs for internal networks, hotels, apartments, convention center, public backbone, etc…
  • SNMP server IP address and community strings

Other interesting info

• Some IIS searches
  • iis/5 –> 362695
  • iis/4 –> 9977
  • iis/3 –> 381
  • iis/2 –> 42
  • iis/1 –> 152
• Wireless network cameras… with movement features
  • In Firefox you can do snapshots..
  • In IE you get an extra feature –> CONFIG!

Conclusions

Aggregates a lot of information not already available

Allows for some passive vulnerability analysis –> based on banner version information

Not going to take over the world, but a good tool for penetration testers

Links:

• Twitter –> @theprez98
• Theprez98 slides –> LINK
• SHODAN –> LINK

You Spent All That Money And You Still Got Owned… – Joe McCray

You often run up against all sorts of defensive measures when penetration testing (Firewalls, IDs/IPS, WAF, …) and the testers still get in!

Often you get in, only to find that the company is already owned (enter Incident Handling mode)

More and more security measures are being implemented on company networks.

• Firewalls are commonplace (perimeter and host based)
• Anti-virus is smarter
• Intrusion Detection / Prevention systems are hard to detect, let alone bypass
• NAC Solutions are making their way into networks
• IT Hardware / Software vendors are integrating security into their SDLC

Still. Companies get owned.

Comments like “We can’t patch those! Those are our development servers” don’t help.

“Always go for the quick shell” –> Google dork search for anything that hints at SQL Injection, remote/local file includes.

Identify Load-Balancers

Figure out if it’s load balanced

DNS or IP load balanced –> it makes a difference

Check the returned headers to see if things are different

• Server Header
• Time/Date
• …

Use DNS queries and Netcraft.com

Tools to do this

• Load Balancer Detection – lbd.sh
• Halberd

Identifying Intrusion Prevention Systems

Most are still in detection only mode

See if it’s blocking…. break out CURL and try ../../../../winnt/system32/cmd.exe?d

Did you get blocked, is your IP banned –> If so it’s an IPS in blocking mode

Look for RST and other hints

Does the IPS monitor SSL traffic –> Many don’t

Attacking through TOR

Push attacks through TOR to help with IP-Banning

Clients should be blocking TOR proxies

Identifying WAFs

Due to PCI, there are a lot of WAFs being implemented

Send almost any special character it will respond

Often easy to identify

Check in return headers for hints and information.

Tools like wafwoof can also be used –> waffun is a project being worked on currently

Examine / Request all possible std return codes (200, 404, 301, ..) and then see what gets returned if you try an XSS attack… are they identical?

Encoding is sometimes dealt with by a WAF… double encoding not so often.

Example:

DotDefender WAF –> Simple unencoded SQLi gets through. Blacklist on specific words and commands

Blocking the word SELECT –> Easy to bypass using UNICODE

FIXED by the vendor –> Only blocks unicode –> FAIL

SQL Injection to Metasploit

SQLNinja

• Written in Perl, but still good.
• Great from going from SQLi to shell

SQLMAP

• Written in Python
• Allows you to drop to a shell

Filter Evasion

Client-Side filtering == BAD

Do not use JavaScript that does filtering without server-side checks

“You’re going to put all the security on the hackers laptop!”

Restrictive Blacklist

Blocking things like = sign doesn’t stop SQLi

Encoding things bypasses these blacklists

Rules in IDS/IPS are sometimes looking for specifics like 1=1

Wait… doesn’t 2=2 as well!

Blacklist rule-sets are a loosing proposition as encoding can bypass the rules

Practice your kung-fu

PHPIDS

• Smoketest
  • check your encoding and bypass techniques
  • find something that will bypass a lot of the rules

MOD_Security

• Also now offers a smoketest
• Implements core ruleset, PHPIDS and Snort

Lots of companies have IDS… how many actually look at it though?

Getting in via the Client-Side

Email a client-side exploit exported from Metasploit

Use reverse HTTPS to bypass some detections

SET (Social Engineering Toolkit)

“Real hackers aren’t scanning your network anymore”

Pivoting into the LAN

Metasploit offers a pivot

Compile programs so they don’t need an install, upload to remote system and run

Common LAN Security Solutions

No DHCP

• Use Static

DHCP MAC Address REservations

• Find a system, steal MAC

Port Security

• Find a printer….

NAC Solutions

• Find a non-NAC supported system

See a pattern here

Tools like VOIPhopper are perfect for going from one VLAN to another.

Looking around the network for a user

• net commands on Windows are great for finding network information
• Script output and find the Administrators
• Escalate to SYSTEM/Administrator
• Run commands using psexec, pskill, …
• Kill protections, stop services

Certain AV/HIDS have blacklist filenames that aren’t checked… not hashes… filenames!

Use the new getsystem in Metasploit

Owning the Domain

Use token stealing (in Metasploit / Incognito)

Find an admin, steal the token, win!

Links:

• Twitter –> @j0emccray
• Talk Information –> LINK
• Learn Security Online –> LINK

Hacking Oracle From Web Apps – Sumit Siddharth

Exploitation techniques for exploit SQL Injection attacks on Web Applications with Oracle databases

Because it’s Defcon… and we love SQL Injection!

No free tools for hacking Oracle Databases from the web

• Even commercial tools like Pangolin have outdated techniques

Oracle Privileges

Oracle comes with a number of default packages. This has reduced a lot with the latest 11g release

By default these packages run with the privileges of the definer

This can be changed to the caller of the function, but must be set in the function/procedure (AUTHID CURRENT_USER)

Owning from the network is easy

• Enumerate SID
• Enumerate common users
• Connect to the Oracle DB
• Exploit SQL Injection in a procedure owned by SYS
• Become DBS
• Execute OS Code

Demonstrated by Chris Gates last year using a number of Metasploit plugins

In Oracle there are 2 classes of Injection

• PL/SQL
• SQL
  • Limited
  • Doesn’t allow chained statements

OS Code execution is also not as simple as it is in Microsoft SQL Server

PL/SQL Injection

• Injection in Anonymous PL/SQL Block
• No Restriction
• Execute DDL/DML

SQL

• Common SQL Injection
• Limited capabilities
• No chained statements

eExploitating PL/SQL Injection

Using David Litchfield’s exploit from Blackhat DC 2010 –> Enable JAVA IO Permissions

OS Command Injection can then be obtained by calling a JAVA function (DBMS_JAVA_TEST) and calling a command on the local system

Exploiting SQL Injection

This could mean many thing… do you want data from the DB or a shell –> depends on the goals of a test/attacker

Extraction of Data

• Error Messages Enabled
• Error Messages Disabled
  • Union Query
  • Blind injection
  • Time delay / Heavy queries
  • Out-of-band channels
• Privilege escalation
• OS Command Execution

Is your SQL Injection Privileged or unprivileged?

Are you executing with DBA privileges or something else

• Privileged SQL Injection
  • Happens more often when the application connects to a database with DBA privs
  • SQL Injection is in a procedure owned by the DBA (regardless of the connection string)
• Unprivileged SQL Injection

To exploit the Os we need Functions executable by public and vulnerable to :

• PL/SQL Injection
• Allows PL/SQL execution as a feature
• Buffer overflow

There are a few functions known but the exploit is not publicly available

e.g. DBMS_JAVA_TEST (10g) buffer overflow

Of those known the following are popular:

• DBMS_EXPORT_EXTENSION
• GET_DOMAIN_INDEX_TABLES()
  • Function vulnerable to PL/SQL Injection
  • Runs with definer (SYS) privileges
  • Allows privilege escalation
  • OS Command Execution

Privileges needed to execute code on the OS

• DBA Privileges
• JAVA IO Privileges

Versions prior to CPU April 2006 there are a number of exploits in Pangolin and CoreImpact

Functions to execute code on the OS

• DBMS_JAVA.RUNJAVA()
• DBMS_JAVA_TEST.FUNCALL()

These take an Oracle class as input and cannot be executed without JAVA IO Privileges.

DBA can grant himself the required privileges, however even without he can use the SYS.KUPP$PROC.CREATE.MASTER_PROCESS() function on 10g/11g to execute code on the remote OS.

Bsqlbf 2.6

Supports these new attack types and can be downloaded from Google Code.

Includes the ability to upload and execute a Metasploit payload through these vulnerabilities

Supports JAVA IO and DBA execution as required

Has a cleanup mode for nice penetration testers

Non-interactive second order injections

Even if a field is not injectable it could be that the code is executed if for example, an administrator views the injected code through a second vulnerable application (for example a logging tool, or administration screen).

The malicious user will never see the response however, as the secondary user is running the injection. This means any output will be returned to the secondary user and not the malicious user.

Another possible scenario is a trigger or automated nightly process that acts on the injected code when run.

So how can we make these non-interactive attack vectors interactive ?

Encode and upload a binary (Metasploit payload) to the remote server and wait for the secondary user/process to trigger the exploit –> Shell –> WIN

webraider tool implements this style of attack to upload a Metasploit module

You’ve been hacked… so what?

PCI compliance mandates the card data must be stored encrypted –> So the output is encrypted

PCI doesn’t specific if the encryption happens at the DB or App level

If it’s at the DB level, then the App decrypts the data when requesting –> Passing the encryption key means an attacker could extract them

• v$sql table logs statistics on shared SQL area
• Typically stores last 500 queries –> including the encryption details

Links:

• Blog –> LINK
• Twitter –> @notsosecure
• bsqlbf –> LINK
• webraider –> LINK

Exploiting WebSphere Application Server’s JSP Engine – Ed Schaller

Note: Apologies for the notes…. Ed talks REALLY fast!

WebSphere Application Server

IBM’s JEE Application Server

One of the top 3

Not cheap –> free trial available

Common Network Architecture

Client Browser –> Web Servers –> WebSphere AS

Web server plugin –> Extension module for common HTTP servers (IIS, Apache, etc…)

• Communicates with WAS via HTTP
• Load Balancing
• Fail over
• Not Security!

Plugin URL Handling

Not all requests get forwarded back to the WAS.

• Based on URL mappings in web.xml and ibm-web-ext.xmi (simple file globs)

If a match occurs the request is forwarded, if not its handled by the local HTTP Server

JSP & NUL

Strings

• OS under Java is written in C
  • NUL terminates strings
  • Cannot contain NUL
• Java
  • Counted
  • NUL Allowed

What about the JSP engine inside WAS. How does it handle NULs

1. Locate and read file
2. Translate .jsp to .java
3. Compile
4. Run as servlet

This means you can reading (some) specific files through the JSP engine. As long as it’s a valid JSP

What’s a valid JSP?

• Anything starting with <%
• HTML
• XML
• Most Text files
• ….

What about directories… well you can read them to?

• /root/dir/%00.jsp
• /root/dir/.%00.jsp
  • Sometimes you need “..”

Web Server Plugin & NUL

Although not intended for security, it can get in the way of insecurity!

%00 works great on WAS, but getting it through the C compiled plugin isn’t

The next challenge is how to get %00 past the plugin

Character Encodings

UTF-8 is how Java reads strings natively

• Multi-byte character encoding
• Single byte values can be encoded as multiple bytes
• Explicitly forbidden in the spec
  • Nobody follows the spec!

A fix for this issue was implemented… but the fix didn’t work!

It is however fixed in the latest JVM release (no direct patch from IBM as yet)

Encoding to bypass the plugin and get a NUL to the WAS –> %C0%80.jsp instead of %00.jsp

Web-INF & META-INF

Servlet specification says Return 404

Checked many places in WAS… but the missed one!

Fixed by IBM… but badly.

To bypass…

• /ctxroot/%C0%AE/WEB-INF/web.xml

This also works for META-INF

The Whole Truth

JSP Strikes back

1. Locate and read file
2. Translate .JSP to .JAVA
3. Compile
4. Run

Doesn’t this mean we can get remote code-exec?

SOAP With attachments lets us read a file that we what to compile and execute

Anything over 32KB gets cached to a location readable….

Not many SOAP services however, handle attachments!

This makes it a lot less useable

SOAP Encoding

This allows you to reference attachments through the href in a SOAP message

When used with AXIS 1, it parses the attachment and caches the larger ones to the disk

AXIS 1 provides an interesting feature, A client can send a fault to the server as the first request… which is parsed

Faults use SOAP encoding and can therefore can be used to send an attachment

Putting it all together

Attachment filenames are random.

To bypass this .:

1. Get the directory listing first
2. Uploads the JSP
3. Get another directory listing to find the filename
4. …

This process however is pretty noisy and can cause a large amount of logs.

An example exploit code that performs this will be made available

Affected platforms

• WAS runs on a lot of platforms
• AIX and Linux tested and vulnerable
• Case insensitive file systems are not vulnerable to %00.jsp –> e.g Windows
• …

Fixes

Fixes are out for 6.x, and 7.x

Took IBM 2 weeks to fix this flaw (16 different variants)

Providing security reports as a PMR works!

Fix from IBM is very elegant

• Double checks the file being opened to make sure it’s really the end file being opened
• WEB-INF doesn’t appear in the patch –> Not so elegant

Workarounds

• Disable runtime compilation and reloading of JSPs
  • disableJspRuntimeCompilation
• Block access to .jsp before WAS
  • Not always possible
  • JSP Extensions such as jsv, jsw, etc….

A Note on Browsers

• Browsers may normalize the characters
• Could cause issues with exploitation

Links:

• Talk Information –> LINK
• Slides –> LINK

It Melts In Your Hand: An Overview of Security (Failures) In Mobile Applications – Zach Lanier

Mobile Application Themes

Broad Observations

The web pushed content to the browser

• Centralization of apps and data
• Always a push for MORE (ActiveX, applets, …)

Now, everyone gets their own app!

• Code (not HTML) gets pushed to the endpoint
• App for things like XKCD

Authorization

Carriers only authenticate to the network. Once you’re on the carrier, it’s free access with almost no checks.

Third-party applications are sometimes better than carrier apps with support for better auth

Some stupid client-side auth issues (admin=1)

Many apps are syncing data between the device and cloud using simple HTTP

At that point it’s just like pentesting a webapp

Platform Security

Quick Overview of the common platforms

Many disparate platforms

• Android, iPhone Os, RIM, WinMo, Brew, ….

Different platforms handle security differently

Concerns

• Shared user accounts
• Native Code
  • Obj-C, JNI)
• Certificate Validation
  • SSL, Code Signing
• Support for Emerging Technologies
  • Flash, WebKit, HTML5

Testing Techniques

• Whitebox
  • Sometimes it’s trivial to get app source-code
• Blackbox
  • Acquiring application binaries
  • Reverse Engineering
    • Dissassembly
  • Network Analysis
    • Protocol Analysis
    • Fuzzing
    • MITM

Protocol analysis is often the easiest method. A lot of applications tunnel over HTTP and make it easier for testers.

Tools commonly used .:

• undx, coddec, JAD
  • decompilation
• Smali / baksmali
  • (dis)assembly, patching
• Native Code?
  • IDA with ARM support
  • Strings

adb –> Android Debugging Bridge

Not everybody can by a RE ninja.. sometimes the easiest way is to listen to it’s traffic

Become the MITM using tools like WAPT, WebScarab/Paros/Burp

Issues include things like requirement to be on the carrier connection and string SSL Certificate checks

Solutions including the use of mobile broadband cards and emulators to sit on the carrier network and still run the app

Wifi isn’t always an option as not all phones support it, applications may not connect over Wifi

Intrepidus have released a tool called mallory for MITM on TCP and UDP connections. This is useful for MITM mobile device testing

Case Studies

Foursquared

Application for 4square

Usage of Basic Auth instead of OAuth

• Cleartext transmission of username/password

4square are starting to enforce OAuth and SSL in the future

Why is this a problem –> Most applications prefer WIFI over carrier. Easy to sniff at your local Starbucks

A Storage Application

Multi-platform application

Developed by a third-party, branded for major carriers

Problem –> Simple crash in the storage quota viewer

Attacker needs to MITM and alter the server response –> Client crashes

Application has DRM, but allows you to share between friends.

Enforcement occurs on the client-side when viewing (XML response from the server detailing DRM info) –> FAIL

Embedded Device #1

Mix of HTTP and HTTPS content

MITM on HTTP traffic to enable hidden Admin content

Strict SSL Validation prevents SSL MITM

The big problem was command injection by injection of commands into the SSID –> SSID; <insert your command here>

Embedded Device #2

Typical XSS flaws in interface

Also command injection flaw allowing access

BREW Picture Upload

Designed to upload data from the phone to the cloud

BREW != Smart Phone

- No Wifi

Application Directed SMS

• SMS Client can parse messages and identify specific control messages for distinct applications
• Debug code: SMS instruction to change remote upload destination
• Traffic was plaintext HTTP/SOAP

Authentication uses a static token for the lifetime of the app on that device.

Authentication token was an MD5 hash created server-side –> Able to recreate the data used to create the MD5 hash

Able to hijack other users accounts based on this information and creation of valid MD5s

POST-Mortem

• No SSL
• No Real Auth Scheme
  • Wh would you lie about your phone number
  • If they’re on our network they’re trusted
• No authorization controls on the server

RIM Picture Upload

Similar to the BREW upload

Extract binary using JavaLoader.exe and run it in an emulator

Main app in a COD file.. simple ZIP format produces files to be decompiled

Decompilation didn’t give a clean output.

What was visible was a hard-coded 3-DEs key in the Java Bytecode. All devices use the same key!

Every encrypted image sent out on the wire was prefixed with an auth header

The WebApp at the server-side was vulnerable to a number of flaws including injection, and information disclosure

LAX permissions: Allowed to do whatever it wanted on the device itself –> What ever happened to least privilege?

POST-Mortem

• Broken, Hard-coded crypto
• Lack of input validation
• LAX permissions and no defense in-depth

Links:

• Quine Twitter –> @quine
• Mallory –> LINK
• Mallory BH Talk –> LINK

Fun with VxWorks – HDM

VxWorks Basics

• Started off as a generic vulnerability analysis
• VxWorks –> embedded, real-time OS. Now owned by Intel
• Most widely deployed embedded OS (based on 2005 info)
• Supports various hardware platforms
• Each application run as kernel threads
• Little memory protection between applications
• Everything runs with the highest privileges…
  • not necessarily the highest priority

Used in systems from VoIP phones through to Fibre Channel switches. Lots of SCADA companies us this in monitoring systems.

Spacecraft and cars also run it!

There’s not many companies that don’t ship products with VxWorks

VxWorks Security

Only 12 CVEs mention VxWorks

Only 2 CVEs refer to flaws actually in the core of VxWorks

• CVE-2005-3715
• CVE-2005-3804

VxWorks debug server (default port 17185) Found to be running on a number of devices in production.

Mentioned in 2002, 2004, 2005.. but no info on how to abuse it

Basic API mentioned in the dev docs

VxWorks source-code is available by searching on Chinese wares-sites (use Google)

By looking at the source-code you can see the initial comments date back to 1995

Metasploit

Created WDBRPC Protocol library

Allows for scanning of a target

• use auxiliary/scanner/vxworks/wdbrpc_version

Allows for completing a FULL memory dump from the device

• use auxiliary/admin/vxworks/wdbrpc_memory_dump
• Progress meters incase you’re dumping from a system located in China

Performing strings on the full dump gives lots of great information

Debugger however lets you read and WRITE to memory –> direct memory write to goatse everybody

Identify affected devices

At least 5 vendors have flubbed this

Only way to deactivate fully is to reflash

This is 2010…. finding devices by scanning the web

• Just scan the whole internet
• use wdbrpc_bootline as a scanner
• use tcpdump to capture replies
• use a VPS with a nice provider
• scan… scan … scan
• parse

3.1 millions IPs…. 250,000 found vulnerable!

Rescanned those with SNMP –> active on 25% of devices

Checking score

Somebody must have done this before right!

Looking through DShield data

• Traffic back in 2006, somebody did a mass scan for this port
• Nothing major since then

So somebody already knew, they probably already had their fun!

The number of devices ave probably declined since then….

Exploiting the debug service

We can read/write memory, but how do we get a shell?

Just like hacking old games….

• Take a memory image before
• Make config changes to enable remote admin
• Take another snapshot
• Rollout changes to the remote devices

Memory Scraping

Locate sensitive information in memory

Write a scanner to find it

Have Fun !

Example: Pulling the Admin password out of the memory (Apple Airport used to suffer from this until it was patched)

Advisors for all vendors goes out on August 2nd… no specific exploits until September 2nd

<kill the cameras>

Note: In respect of the private nature of this section of the talk, I’ll leave it there. Sorry.. sometimes you’ve just gotta be there!

Links:

• HD Moore Twitter –> @hdmoore

Beyond r57 – Eygyp7

There are a thousand PHP shells on the web, either by design or simple stupidity.

• PHP Background
• PHP Payloads
• Meterpreter Background
• Difficulties

PHP Background

PHP is retarded. Objects are an afterthought (15 years later!)

Sometimes they return 1, sometimes they return true –> WTF!

PHP Payloads

r57 (PHP Shell)… is a clusterfuck of forms. Ugly as hell.

It’s intended to be used on a webserver only for access to the local site. There’s not much in r57 or other shells to go beyond the local and move on to connected systems.

A whole bunch of r57 shells on the web currently are backdoored –> base64 encoded section at the end sends a shell back to an IP in Russia.

c99 (PHP Shell)… pretty much the same as r57.

No methods to go beyond the local server.

Uploading a shell to a remote server leaves logs and files. If you’re not getting detected, then they’re not even trying!

Some of them even call home to the authors.

The essence of payloads is to create some form of communication

Simple PHP shells in Metasploit .:

• PHP/Exec
• PHP/DownloadExec

These do simple execution and nothing more

Something more useful would be a remote shell and in/out to and from the box.

• PHP/reverse_tcp
• PHP/bind_tcp

Most commands (except cd) don’t hold state between commands. It’s easier to deal with commands one at a time!

So it gets better

• PHP/meterpreter/reverse_tcp
• PHP/meterpreter/bind_tcp

More flexible, extensible and capable.

This doesn’t have to be on disk. Bypassing issues of traditional PHP shells uploading files and executing them.

Uses the same protocol as the traditional meterpreter. This means the same client-side connector can be used

Does as much as possible through PHP without calling a shell. Not everything is possible however (ps for example). Works in a chroot and doesn’t need /bin/sh

Anywhere PHP runs, PHP/meterpreter runs…. Windows, Linux, ….

In restrictive environments you can still use the meterpreter PHP shell… not limited to installed commands.

Programmatically automatable –> Scriptable and extensions to make things easier on the fly –> Use of existing scripts

Flexible extension system… loading external PHP (through eval)

Designed for modular extension.

The modular scripting capabilities including tcp, udp, process and file channels.

e.g. client.sys.config.sysinfo (not 100% the same format as std. Meterpreter)

Challenges of writing this in PHP

1. Magic Quotes
2. Size restrictions
3. Safe mode
4. Disable_functions setting in PHP.ini
5. PHP is stupid

Magic Quotes

• Base64 encode and decode! No need for quotes
• increases size 1/3

Size restrictions

• Limits (Apache 4000 bytes). Solution was to use a stager
• Stub to load further data
• Entire PHP meterpreter is around 8k

Safe Mode

• Restricts opening of files unless your UID owns that file
• No restrictions on sockets!
• Not a big issue

Disable_functions

• Can disable functions that we need
• Can try a bunch of possible workaround functions
  • There are 14 functions that can run a command!
  • shell_exec, passthru, system, popen, …
• Esser’s memory corruption

PHP is stupid

• Stream and socket resources
  • They don’t play well together….
• Difference in output for system commands
  • Each of the 14 ways to exec code return different output!
• Operator precedence
• Can’t assume anything newer than 4.3

What’s good in PHP

Don’t need /bin/sh –> chroot env still works

Running system commands through extensions –> perl for example

Win32std gives you direct access to Windows system calls

PHP Meterpreter – What Works

• Upload/Download
• Editing files
• Read files
• Process interaction (execute -i)
• Pivoting, tcp/udp, portfwd

PHP Meterpreter - Not working

• Screenshots
• UI Fiddling
• Incognito / token manipulation

PHP Meterpreter - Might work later

• Registry editing
• Log modification (Windows)

The Future

Java Meterpreter and JSPterpreter

• Already have working code…… should be integrated soon

ASPterpreter

• An unknown… need an SAP guru to take up the challenge

MACterpreter/POSIX Meterpreter

• Most code present, not yet usable
• Compiles!

Implement Esser memory corruption exploits for use with a getsystem command in PHP meterpreter

New features going into the regular meterpreter will also be implemented in the PHP version if they make sense (not everything does)

What should it be called?

• PHP Meterpreter / PHP-terpreter
• Meterphpter
• phpterpreter
• phpsucksmyballsterpreter

Links:

• Egypt Twitter –> @egyp7

Fierce v2 – Joshua “Jabra” Abraham

I’m Jabra… I do a lot of programming in Perl

What is Fierce?

Written by Robert “rsnake” Hansen, designed to do lots of DNS recon techniques

Since then, it’s been rewritten into a brand new tool, more options, better….

Version 2 – README .:

*******************

What is new in 2.0?
*******************
Fierce v2.0 is a complete rewrite of version 1.0. Fierce 1.0 was a combination
multiple network enumeration techniques in a single large Perl script. With
Fierce v2.0 the techniques have been abstracted from the main fierce script so
that it is easier to read, modify and maintain. This will enable faster
development and greater flexibility.

Each technique has been coverted into a Perl module that they can be used used
by the main fierce script. There are also several new techniques that been
added with version 2.0, such as virtual host detection, extension bruteforcing
and subdomain bruteforcing. Version 2.0 also included the addition of
a template based output system. We have included stdout/text, html  and xml
formats. Leveraging the xml format is very easy, since we have even built an
xml parsing module that is available on CPAN.

http://search.cpan.org/~jabra/

(click on Fierce::Parser, this will bring you to the latest version of the
 Fierce::Parser module.)

Fierce Version 2 is a lot more complex than the simple brute-force that was used in the earlier versions.

Each technique is a module that’s included in the main script. This allows you to break out the functionality you require and develop modules without changing the core of the script.

Allows for prefixes to be passed through the command line… If none is passed, use default list

Support for top-level domain brute-forcing (i.e check .co.uk, .com, .xxx, …)

Ability to blacklist techniques that shouldn’t be run! Good to avoid triggering alarms on things like Zone Transfer attempts

New technique added to find virtual-hosts based on the IP search through MSN.com

FindNearbyHosts –> By putting in the domain and company name, you can identify PTR records that point back to the same domain

Code is much more readable that Fierce v1 –> Even I can read it…. and I don’t know Perl

Erin Lookups on company names to find possible domains

Modules that use threading are marked with a t at the start of the module name. This allows them to be easily identified.

Threading handled by setting a queue of tasks and iterate through them.

Note: This talk was 100% live demo… no slides. Much respect for that! Checkout the video for the true Fierce v2 Experience

Links:

• Joshua Abraham Twitter –> @jabra
• Blog –> LINK
• Fierce (CPAN) –> LINK
• Fierce v2 SVN –> http://svn.assembla.com/svn/fierce/fierce2/trunk/

Fuck Tools – frank^2

Doing stuff on your own makes you learn stuff.

Tools Rule

• They make things easier
• They make things faster
• They make it so that you don’t have to learn the deep details

but….

• They make it so you don’t know the deep details
• They also force you to think in a very controlled environment
• Tools are sometimes too focused

At the end you end up with a bunch of tools that don’t do quite what you need unless you string them all together

Why write your own tool? You could be smarter, you could be cleverer, or the tool might not exist.

So you could write your own tool…

But that could be SLOW, maybe you don’t have the experience either… do you have the right resources to accomplish this?

So what do you do?

By developing a tool you’re learning things. Some things stay in memory after all.

This means next time you’ll be better, quicker!

plus you get to learn how the program, flaw and tool really works. Knowledge is power.

Knowing the ins and outs of how to exploit something will always be better than knowing how to use a tool.

Why?

Because you want to learn

A toolkit cluster fuck is much less elegant than a custom coded script to do the job

Other tools are buggy

Why wait for another sucker to write your tool?

Why shouldn’t you?

Because sometime reinventing the wheel isn’t worth it?

How will your tool be better? Maybe it won’t!

Do It Yourself vs riding that tool

OllyDBG vs PyDBG

Stuck in the boundaries of what the coder wants, vs doing what you want!

PyDBG lets you control what you want and how you want to do it.

PyDBG simple presents you with the tools by which to perform debugging, then expects YOU to write what you want next!

You get to learn how programs really run

You open your mind!

Fuzzers vs Peach v You

If you download a fuzzer you’re doing it wrong!

If you run another persons fuzzer, you’re finding the same bugs he found

Peach however lets you tailor what you want to fuzz and how you want to do it.

But Peach is still a tool, doing its things, its way

There are all sorts of bugs that fuzzers won’t find… Maybe it’s best to write your own fuzzer?

Fuzzers: Great for low hanging fruit

Peach: When you’re looking for fuzzable bugs

You: When you want to be a ninja

Metasploit

How does point-click-own make you a better tester!

Metasploit gives you a lot of other features… use them

Great framework for creating shellcode and creating PoC

Metasploit can help you become a ninja

The Bottom Line

There’s a fine line between using a tool and writing your own

When there’s no time and resources to learn or there’s nothing to learn, then just use a tool

When you have the time, want to learn and be a ninja, write your own tool

If you learn how a task is solved, instead of learning how a tool works you’ll be better for it!