Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

Tag Archives: defcon

My picks for BSidesLV and DefCon 2011

Now that I have confirmed 100% I’ll be in Las Vegas (family stuff…) here are some of my picks for the top talks I’m looking forward to seeing this year.

To be honest if I get to even half these I’ll be happy! This time of year is more about the hallway track and meeting new and old friends… Still, here’s my top picks for BSidesLV and DefCon / DC SkytTalks this year!

BSidesLasVegas Top Picks

  • Siemens / SCADA 0day – Dilion
  • Hacking webapps is more fun when the end result is a shell! – Joshua Abraham
  • Something Awesome(TM) – HD Moore

DefCon Top Picks

  • Hacking your victims over power lines – Dave Kennedy
  • Don’t drop the SOAP – Tom Eston, Joshua Abraham, Kevin Johnson
  • Metasploit vSploit modules – Marcus J. Carey, David Rude, Will Vandevanter

DefCon Skytalks top Picks

  • Hacking with QR Codes – Pyr0, Tuna
  • Walking the Green Mile: How to Get Fired After a Security Incident – Brian Baskin
  • Planes Keep Falling On My Head – Chris Roberts

Well, there you have it. I tried to keep it to 3 picks per “con”. Realistically I know I’m never gonna see all of them, but it’s nice to dream!. See you in Vegas!

As always, I’ll be the ugly British guy with no hair and orange glasses ;)

Links :

[Defcon] SHODAN for Penetration Testers

SHODAN for Penetration Testers – Michael “theprez98″ Schearer

What is SHODAN

SHODAN is a search engine designed to crawl server and gathering banner information from specific ports.

A search engine of banners instead of content.

We can use this information to fingerprint the type and/or version of system

Basic Operations

Accessible through the website –> http://www.shodanhq.com

There are also a number of browser add-ons that allow you to search directly from a browser without using the main interface.

The search engine supports standard things such as boolean operators, as you’d expect

Login –> Either a free access search (a few features restricted) or create an account for full access.

Filters

Typing “CISCO” into SHODAN will come up with a lot of results. To filter this, you can use specific filtering values.

  • after/before
    • Limit results by date
  • country
    • 2 letter country code
  • hostname
    • Filters by text in the hostname or domain
  • net
    • Specific IP range or subnet
  • os
  • port
  • SSL

Filters can be specified through the interface using the map/checkboxes. Alternatively, you can directly enter the filter text into the search box.

The map is also interactive, showing the number of scanned hosts when you mouseover a country.

example: apache country:CH –> search for all systems in CH with the match on apache

Knowing what the banner returns is very helpful for finding systems you want to locate.

Other Examples :

  • apache hostname:.nist.gov
  • iss-5.0 hostname:.edu

Port filtering

  • FTP 21
  • SSH 22
  • Telnet 23
  • HTTP 80
  • SNMP 161
  • HTTPS 443 –> Requires an SSL add-on

The SSL/HTTPS searches requires an add-on. More information on the SHODAN homepage.

Search history is optional and disabled by default

By creating an account you can have personal history and save searches that you wish to repeat.

Export

Can export up to 1,000 results in XML format

Requires an account, and add-on

New section called Network Radar that shows newly added data.

Extended searches available with add-ons

Penetration Testing

Originally a marketing and research tool. However things have changed.

Basic knowledge of banners and status codes is important to be able to make sense of results and configure filters.

When searching for web-servers or domains, a 200 OK message is the best result as no further authentication is required to access the page.

CASE Studies

  • CISCO Devices
    • By searching for CISCO with a 200 OK, you will find devices without authentication
    • Some of these are probably test labs….. but not ALL of them!
    • 5-6,000 of such systems on the internet
  • Default Passwords
    • Search for the words “default password”
    • Find… a printer accessible from the web using the default password as displayed in the headers
  • HAUWEI
    • Exclusion of all 4XX codes –> We just want 200 OK
    • Most responses where all in the same Subnet
    • Lots and lots of VoIP phones public facing
    • However…. they needed a password. Most hauwei have easy to guess default passwords
    • Able to reconfigure the device…. even change the URL for software updates (want to load new firmware?)
  • Infrastructure Exploitation… or “How to pwn an ISP”
    • A number of CISCO devices discovered in the earlier section
    • Allow LEVEL 15 access (full admin)
    • Included 2x CISCO 3750 and direct access to a Cisco 7606 router!
    • ISP located in the US (small regional)
    • VLAN IDs for internal networks, hotels, apartments, convention center, public backbone, etc…
    • SNMP server IP address and community strings

Other interesting info

  • Some IIS searches
    • iis/5 –> 362695
    • iis/4 –> 9977
    • iis/3 –> 381
    • iis/2 –> 42
    • iis/1 –> 152
  • Wireless network cameras… with movement features
    • In Firefox you can do snapshots..
    • In IE you get an extra feature –> CONFIG!

Conclusions

Aggregates a lot of information not already available

Allows for some passive vulnerability analysis –> based on banner version information

Not going to take over the world, but a good tool for penetration testers

Links:

[Defcon] You Spent All That Money And You Still Got Owned…

You Spent All That Money And You Still Got Owned… – Joe McCray

You often run up against all sorts of defensive measures when penetration testing (Firewalls, IDs/IPS, WAF, …) and the testers still get in!

Often you get in, only to find that the company is already owned (enter Incident Handling mode)

More and more security measures are being implemented on company networks.

  • Firewalls are commonplace (perimeter and host based)
  • Anti-virus is smarter
  • Intrusion Detection / Prevention systems are hard to detect, let alone bypass
  • NAC Solutions are making their way into networks
  • IT Hardware / Software vendors are integrating security into their SDLC

Still. Companies get owned.

Comments like “We can’t patch those! Those are our development servers” don’t help.

“Always go for the quick shell” –> Google dork search for anything that hints at SQL Injection, remote/local file includes.

Identify Load-Balancers

Figure out if it’s load balanced

DNS or IP load balanced –> it makes a difference

Check the returned headers to see if things are different

  • Server Header
  • Time/Date

Use DNS queries and Netcraft.com

Tools to do this

  • Load Balancer Detection – lbd.sh
  • Halberd

Identifying Intrusion Prevention Systems

Most are still in detection only mode

See if it’s blocking…. break out CURL and try ../../../../winnt/system32/cmd.exe?d

Did you get blocked, is your IP banned –> If so it’s an IPS in blocking mode

Look for RST and other hints

Does the IPS monitor SSL traffic –> Many don’t

Attacking through TOR

Push attacks through TOR to help with IP-Banning

Clients should be blocking TOR proxies

Identifying WAFs

Due to PCI, there are a lot of WAFs being implemented

Send almost any special character it will respond

Often easy to identify

Check in return headers for hints and information.

Tools like wafwoof can also be used –> waffun is a project being worked on currently

Examine / Request all possible std return codes (200, 404, 301, ..) and then see what gets returned if you try an XSS attack… are they identical?

Encoding is sometimes dealt with by a WAF… double encoding not so often.

Example:

DotDefender WAF –> Simple unencoded SQLi gets through. Blacklist on specific words and commands

Blocking the word SELECT –> Easy to bypass using UNICODE

FIXED by the vendor –> Only blocks unicode –> FAIL

SQL Injection to Metasploit

SQLNinja

  • Written in Perl, but still good.
  • Great from going from SQLi to shell

SQLMAP

  • Written in Python
  • Allows you to drop to a shell

Filter Evasion

Client-Side filtering == BAD

Do not use JavaScript that does filtering without server-side checks

“You’re going to put all the security on the hackers laptop!”

Restrictive Blacklist

Blocking things like = sign doesn’t stop SQLi

Encoding things bypasses these blacklists

Rules in IDS/IPS are sometimes looking for specifics like 1=1

Wait… doesn’t 2=2 as well!

Blacklist rule-sets are a loosing proposition as encoding can bypass the rules

Practice your kung-fu

PHPIDS

  • Smoketest
    • check your encoding and bypass techniques
    • find something that will bypass a lot of the rules

MOD_Security

  • Also now offers a smoketest
  • Implements core ruleset, PHPIDS and Snort

Lots of companies have IDS… how many actually look at it though?

Getting in via the Client-Side

Email a client-side exploit exported from Metasploit

Use reverse HTTPS to bypass some detections

SET (Social Engineering Toolkit)

“Real hackers aren’t scanning your network anymore”

Pivoting into the LAN

Metasploit offers a pivot

Compile programs so they don’t need an install, upload to remote system and run

Common LAN Security Solutions

No DHCP

  • Use Static

DHCP MAC Address REservations

  • Find a system, steal MAC

Port Security

  • Find a printer….

NAC Solutions

  • Find a non-NAC supported system

See a pattern here

Tools like VOIPhopper are perfect for going from one VLAN to another.

Looking around the network for a user

  • net commands on Windows are great for finding network information
  • Script output and find the Administrators
  • Escalate to SYSTEM/Administrator
  • Run commands using psexec, pskill, …
  • Kill protections, stop services

Certain AV/HIDS have blacklist filenames that aren’t checked… not hashes… filenames!

Use the new getsystem in Metasploit

Owning the Domain

Use token stealing (in Metasploit / Incognito)

Find an admin, steal the token, win!

Links:

[Defcon] Hacking Oracle From Web Apps

Hacking Oracle From Web Apps – Sumit Siddharth

Exploitation techniques for exploit SQL Injection attacks on Web Applications with Oracle databases

Because it’s Defcon… and we love SQL Injection!

No free tools for hacking Oracle Databases from the web

  • Even commercial tools like Pangolin have outdated techniques

Oracle Privileges

Oracle comes with a number of default packages. This has reduced a lot with the latest 11g release

By default these packages run with the privileges of the definer

This can be changed to the caller of the function, but must be set in the function/procedure (AUTHID CURRENT_USER)

Owning from the network is easy

  • Enumerate SID
  • Enumerate common users
  • Connect to the Oracle DB
  • Exploit SQL Injection in a procedure owned by SYS
  • Become DBS
  • Execute OS Code

Demonstrated by Chris Gates last year using a number of Metasploit plugins

In Oracle there are 2 classes of Injection

  • PL/SQL
  • SQL
    • Limited
    • Doesn’t allow chained statements

OS Code execution is also not as simple as it is in Microsoft SQL Server

PL/SQL Injection

  • Injection in Anonymous PL/SQL Block
  • No Restriction
  • Execute DDL/DML

SQL

  • Common SQL Injection
  • Limited capabilities
  • No chained statements

eExploitating PL/SQL Injection

Using David Litchfield’s exploit from Blackhat DC 2010 –> Enable JAVA IO Permissions

OS Command Injection can then be obtained by calling a JAVA function (DBMS_JAVA_TEST) and calling a command on the local system

Exploiting SQL Injection

This could mean many thing… do you want data from the DB or a shell –> depends on the goals of a test/attacker

Extraction of Data

  • Error Messages Enabled
  • Error Messages Disabled
    • Union Query
    • Blind injection
    • Time delay / Heavy queries
    • Out-of-band channels
  • Privilege escalation
  • OS Command Execution

Is your SQL Injection Privileged or unprivileged?

Are you executing with DBA privileges or something else

  • Privileged SQL Injection
    • Happens more often when the application connects to a database with DBA privs
    • SQL Injection is in a procedure owned by the DBA (regardless of the connection string)
  • Unprivileged SQL Injection

To exploit the Os we need Functions executable by public and vulnerable to :

  • PL/SQL Injection
  • Allows PL/SQL execution as a feature
  • Buffer overflow

There are a few functions known but the exploit is not publicly available

e.g. DBMS_JAVA_TEST (10g) buffer overflow

Of those known the following are popular:

  • DBMS_EXPORT_EXTENSION
  • GET_DOMAIN_INDEX_TABLES()
    • Function vulnerable to PL/SQL Injection
    • Runs with definer (SYS) privileges
    • Allows privilege escalation
    • OS Command Execution

Privileges needed to execute code on the OS

  • DBA Privileges
  • JAVA IO Privileges

Versions prior to CPU April 2006 there are a number of exploits in Pangolin and CoreImpact

Functions to execute code on the OS

  • DBMS_JAVA.RUNJAVA()
  • DBMS_JAVA_TEST.FUNCALL()

These take an Oracle class as input and cannot be executed without JAVA IO Privileges.

DBA can grant himself the required privileges, however even without he can use the SYS.KUPP$PROC.CREATE.MASTER_PROCESS() function on 10g/11g to execute code on the remote OS.

Bsqlbf 2.6

Supports these new attack types and can be downloaded from Google Code.

Includes the ability to upload and execute a Metasploit payload through these vulnerabilities

Supports JAVA IO and DBA execution as required

Has a cleanup mode for nice penetration testers ;)

Non-interactive second order injections

Even if a field is not injectable it could be that the code is executed if for example, an administrator views the injected code through a second vulnerable application (for example a logging tool, or administration screen).

The malicious user will never see the response however, as the secondary user is running the injection. This means any output will be returned to the secondary user and not the malicious user.

Another possible scenario is a trigger or automated nightly process that acts on the injected code when run.

So how can we make these non-interactive attack vectors interactive ?

Encode and upload a binary (Metasploit payload) to the remote server and wait for the secondary user/process to trigger the exploit –> Shell –> WIN

webraider tool implements this style of attack to upload a Metasploit module

You’ve been hacked… so what?

PCI compliance mandates the card data must be stored encrypted –> So the output is encrypted

PCI doesn’t specific if the encryption happens at the DB or App level

If it’s at the DB level, then the App decrypts the data when requesting –> Passing the encryption key means an attacker could extract them

  • v$sql table logs statistics on shared SQL area
  • Typically stores last 500 queries –> including the encryption details


Links:

Follow

Get every new post delivered to your Inbox.

Join 129 other followers