Quickly gathering logins/emails with theHarvester and Metasploit

Like GI Joe always said: Knowing is half the battle… And so it is the same with hacking.

One of the first parts of recon in a pentest is gathering valid login names and emails. We can use these to profile our target, bruteforce authentication systems, send client-side attacks (through phishing), look through social networks for juicy info on platforms and technologies, etc.

Where do we get this info? Well, without doing a full-blown Open Source Recon (OSINT) style assessment, we can use two simple scripts: Metasploit's search_email_collector.rb and Edge-Security's theHarvester.

theHarvester (luckily for us) just updated to v1.5 and has now fixed some of its previous bugs with searching Bing and LinkedIn. It supports searching Google, Bing, PGP servers, and LinkedIn. Metasploit's search_email_collector.rb, found under modules/auxiliary/gather, uses similar techniques against Google, Bing, and Yahoo.

A quick usage below identifies some users ;)

P.S. You can run search_email_collector as a one-liner in msfcli like so:

ruby /framework3/msfcli auxiliary/gather/search_email_collector DOMAIN=your_target_domain OUTFILE=output_file_you_want_results_in E

Check the last line for an example wrapper for these two tools.

Easy, breezy, beautiful, password attacking…

Bruting web forms is usually part of a web app assessment. We love to use Hydra, Medusa, or Wfuzz for this, but we recently stumbled across a tool that makes it much easier. It's called Fireforce. It's a Firefox extension that gives you point-and-click bruting.

We ran it in our labs with about a 74% success rate, meaning it mapped the parameters for web form logins correctly and gave us the correct password back (aka it didn't spaz out and kill our browser). So it isn't perfect, but we're willing to forgive that for its ease of use. It's dead simple. Give it a username, right click in the form's password field, give it the text the login form returns on an unsuccessful login, and a bruteforce list. Make sure to read the documentation, as you'll need to use a separate Firefox profile if you wish to browse while using the tool (it's a memory/CPU hog). *note* We haven't done a code analysis on the extension; use at your own risk in your lab.

Also, yesterday we tweeted about Ron Bowes of Skullsecurity.com's password analysis and password list collection, which are much win. Ron has done some data analysis on some of the leaked password lists of the last few years like RockYou, MySpace, and phpBB. He also stores the default password lists of many common industry tools, and even the passwords Conficker used to spread. I'd grab these lists if you don't already have them; who knows how long they will stay up. Ron has actually been on a hot streak lately, as he has released an awesome tool called dnscat. He also did some VMware guest-stealing NSE scripts which we will post on later ;)

Remember, password bruteforcing is great as long as you don't DoS the application/server. Also remember that just because it's a web form doesn't mean it's not tied to another backend system (LDAP, etc.), so be aware you could lock out users.
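The defender's side of the same signal Fireforce keys on (a failed login re-shows the form with its error text, a success redirects), as an added example that is not from the post or the Fireforce project: it reads web server access logs and flags sources with a burst of failed form posts. The log lines, the /login.php path and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" log format; only the fields the check needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m["ip"], datetime.strptime(m["ts"], TS_FMT), m["method"], m["path"], int(m["status"])

def find_bruteforcers(lines, login_path="/login.php", threshold=5, window=timedelta(minutes=1)):
    """Map source IP -> total failed logins, for IPs with >= threshold failures inside
    any sliding window. A failure is a POST to login_path answered with 200 (the form
    is re-shown with its error text); a 302 is the redirect a successful login gets."""
    failures = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if method == "POST" and path == login_path and status == 200:
            failures[ip].append(ts)
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged

# Constructed sample (assumed path /login.php): 203.0.113.7 hammers the form six
# times in ten seconds; 198.51.100.9 mistypes once, then logs in.
SAMPLE_LOG = [
    f'203.0.113.7 - - [20/Feb/2010:10:00:{s:02d} +0000] "POST /login.php HTTP/1.1" 200 1234'
    for s in range(0, 12, 2)
] + [
    '198.51.100.9 - - [20/Feb/2010:10:00:05 +0000] "POST /login.php HTTP/1.1" 200 1234',
    '198.51.100.9 - - [20/Feb/2010:10:00:30 +0000] "POST /login.php HTTP/1.1" 302 0',
]
```

Alerting on the source rather than locking the account sidesteps the lockout problem above; the threshold and window need tuning to the real form's traffic.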

Also you might wanna check out our writeup from a bit back on password attacks here.

Get Fireforce Here

Get Password Lists Here

Get DNScat Here

Catch Ron on twitter: @iagox86

Profit…

Exploit the User with SET – The Social Engineering Toolkit

I have to say… SET is just plain awesome. The Social Engineering Toolkit (SET) is a set of Python scripts created by David Kennedy (aka rel1k) to automate many client-side penetration testing vectors. In conjunction with Social-Engineer.org, which is also a top-notch resource, it provides some of the best extensibility in this type of testing. A couple of weekends ago Dave released 0.4 of SET at Shmoocon. I'll be honest, I hadn't used it much until now, but after a good bit of research I now appreciate its full glory.

SET's Python scripts allow you to easily create phishing email attacks, create clones of any URLs you provide it for a web-based attack, and then exploit the user's machine from that page using a Java applet or browser exploits. It can create malicious PDFs as well. 0.4 brings many improvements:

- An improved Java applet that is multi-platform and deals well with any permission type
- Metasploit browser exploits in addition to the Java applet
- Can launch "Aurora"-style attacks with Metasploit
- Improved cloned sites that redirect to the legitimate site
- Integrates with Backtrack's sendmail or Gmail addresses
- Improved spear phishing from input email lists

SET is closely tied to the Backtrack and Social-Engineer.org communities. Training authors and contributors to these sites are well-recognized penetration testers with a high level of interest in client-side and social engineering based attack vectors. You'll recognize names like Paul Hand, Chris Nickerson, Mati Aharoni, Chris Hadnagy, of course Dave Kennedy, etc., all working on these projects. In addition, a whole section of the free Metasploit Unleashed training is dedicated to SET, and they have an excellent setup and usage article here. Social-Engineer.org has an excellent writeup as well.

SET has a large fanbase with many useful videos on usage and customized scopes. The first video is actually the new SET 0.4 updates presentation and a recording of all the Firetalks (shorter than regular presentations) at Shmoocon, recorded by Adrian Crenshaw (Irongeek).

The Shmoocon Firetalks are very interesting as well. Adrian's presentation on trapping script kiddies, and BruCon organizer Benny's "Sleephacking 101 – How to Stay Awake for 20 Hours a Day without Turning into a Zombie", are both very interesting. In addition, it was good to hear more about the Pentoo penetration testing distribution.

Check it and some of the other vids below =)

Getsystem, Privilege Escalation via Metasploit

A few weeks ago Chris Gates (of Attack Research/Carnal Ownage) and Joshua Gauthier showed some quick snippets of Metasploit's Getsystem. Getsystem is meterpreter's new (Windows) privilege escalation command, loaded with the priv extension.

Getsystem uses several techniques for priv escalation:

  • Windows Impersonation Tokens (fixed by MS09-012)
  • Abusing LSASS via token passing (Pass-the-Hash) which requires Administrator anyway.
  • Exploiting weak permissions (read and write) in the services (most of them by default run as SYSTEM, if you are lucky they run as a domain administrator).
  • Improved KiTrap0D exploit released by Tavis Ormandy (MS10-015, patched as of now)

As more privilege escalation exploits appear this year they will no doubt be rolled into Getsystem, which I will be keeping a watchful eye on. Thanks to Stephen Fewer for adding the new functionality to Getsystem.

Also, check out Bernardo Damele's (author of sqlmap!) walkthrough on integrating Metasploit privilege escalation via sqlmap for post-database exploitation, here.

And below, a sample of the KiTrap0D exploit in MSF by Pieter Danhieux (not Getsystem, but the same functionality):

Kitrap0d in Metasploit 3.3.4-DEV

meterpreter > use priv
Loading extension priv...success.

meterpreter > getsystem -h
Usage: getsystem [options]
Attempt to elevate your privilege to that of local system.
OPTIONS:

-h Help Banner.
-t The technique to use. (Default to '0').
0 : All techniques available
1 : Service - Named Pipe Impersonation (In Memory/Admin)
2 : Service - Named Pipe Impersonation (Dropper/Admin)
3 : Service - Token Duplication (In Memory/Admin)
4 : Exploit - KiTrap0D (In Memory/User)

meterpreter > getsystem -t 1
...got system (via technique 1).

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

Medusa 2.0: She wears so many hats…

On the heels of us posting about Ncrack, Nmap's new password bruteforcer, the foofus group had to go and update Medusa!

Medusa, which has been our go-to tool for years, is now at 2.0! This is its first major release in two years, and it has a multitude of useful changes:

- Pool-based thread handling
- Modules now request the next credential set
- Secondary user credential queue added for missed login tests
- Host- and user-level resume
- Multiple module fixes

It's not like pentesters have never had multiple tools to do the same thing; in fact we like both Ncrack and Medusa (and at this time Medusa has far more supported protocols/services).

Check out the changes here

The usage here

and download it here

BeEF, Browser Rider, and XSSTunnel make friends…

About 7 days ago Wade Alcorn announced that Benjamin Mosse, developer of the other popular browser attack tool, Browser Rider, would be involved in an initiative to roll Browser Rider into BeEF.

This is big news.

BeEF and Browser Rider have long been somewhat rivals, and a joint effort by two brilliant devs on more browser hackery should just give you that warm fuzzy feeling, like when you watch A Charlie Brown Christmas.

If that wasn't enough, today Wade announced that Ferruh Mavituna would be joining the dev team. Is that the same Ferruh Mavituna who wrote one of the more popular SQL injection cheat sheets? The same guy we just interviewed about the new web-app scanner Netsparker (which we around the office affectionately refer to as "the sparkler")?

Indeed it is. He will be actively rolling XSSTunnel and XSSShell into BeEF.

Ferruh joins Wade, Benjamin, and more of our favorite BeEF Devs (Jabra and Ryan Linn) in making browser based attacks easy to perform, extensible, and just plain bad-ass.

Download BeEF Here

Check out John Strand’s Intro to BeEF Video Here and Here

And check out Ryan’s BeEF Exploitation Videos Here

And check out Jabra’s Metasploit and BeEF mashup videos Here

Don’t make the Cow angry…

Nsploit: Nmap grows some teeth

Ryan Linn has started a project to bridge Nmap scans all the way to exploitation using Metasploit.

Similar to the db_autopwn via Fast-Track script (available in Backtrack 4), Nsploit does even more granular service-level Nmap scanning to identify versions and matching exploits, then passes these off to Metasploit and launches the pain at your target box.

It uses Nmap NSE scripts to trigger Metasploit commands via XML-RPC. Anything we can identify with an Nmap script we can launch against and get a shell… hopefully a meterpreter shell ;)

Check out Ryan's blog http://blog.happypacket.net/ and learn more about Nsploit from the 2009 SecTor presentation Nsploit-(Popping-boxes-with-Nmap) hosted by securitytube.com.

PDF slides here

Download

Usage videos below:

Nsploit Multi-Host Ownage from Ryan Linn on Vimeo.

Nsploit Single Host Ownage from Ryan Linn on Vimeo.

More and More Webapp Labs!

So… since the writing of our webapp lab article, a lot of people have put together similar projects. We like ours, but we wouldn't be objective if we didn't report on some other options.

The big news is the OWASP Broken Web Applications Project. This project is a nice *tidy* little VM you can spin up to train yourself in web-app pentesting ninja-ry.

The owaspbwa project includes applications from various sources (listed in no particular order).

Intentionally Vulnerable Applications:

And old versions of real applications:

Web Security Dojo, the second project, is actually very similar. It features not only targets but also tools to test against the targets, all in a VM for easy deployment.

Targets include:

Tools:

Both further the goal of raising awareness of web app flaws and breeding well-trained security ninjas… we approve =)

Testing Flash Applications

SaaS penetration testing is a model I can't get behind, but that doesn't mean the people behind the product don't have good ideas. A few days ago this company provided a pretty decent guideline article on testing Flash applications called A Lazy Pen Tester's Guide to Testing Flash Applications.

It outlines the general categories of vulns we should be looking for in Flash apps:

* Cross Site Scripting
* Malicious Data Injection
* Insufficient Authorization Restrictions
* Secure Transmission
* SWF Information Leak
* Minimum Stage Size for Anti-ClickJacking
* SWF Control Permission
* Untrusted SWF in Same Domain
* Clickjacking
* Privilege Separation
* Cross Domain Policy Audit
* Uninitialized Variable Scanning
* Remote Method Enumeration
* Business Logic Testing
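One of the categories above, the cross domain policy audit, is mostly a matter of reading crossdomain.xml for over-broad trust. As an added example (not from the post or the guide it links), here is a small auditor for that file; the two sample policies are constructed, and the severity labels are an assumption.

```python
import xml.etree.ElementTree as ET

def audit_crossdomain(xml_text):
    """Return a list of (severity, message) findings for a crossdomain.xml policy."""
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        return [("high", "root element is not <cross-domain-policy>")]
    for el in root.findall("allow-access-from"):
        domain = el.get("domain", "")
        secure = el.get("secure", "true").lower()   # Flash treats a missing attribute as true
        if domain == "*":
            findings.append(("high", 'allow-access-from domain="*": any site\'s SWF can read '
                                     "responses sent with the victim's cookies"))
        elif domain.startswith("*."):
            findings.append(("medium", f"wildcard {domain}: every host under it is trusted"))
        if secure == "false":
            findings.append(("medium", f'secure="false" on {domain or "?"}: SWFs loaded over '
                                       "plain HTTP may reach this HTTPS site"))
    for el in root.findall("allow-http-request-headers-from"):
        if el.get("domain") == "*" and el.get("headers", "") == "*":
            findings.append(("high", "any origin may send arbitrary request headers"))
    meta = root.find("site-control")
    if meta is not None and meta.get("permitted-cross-domain-policies") == "all":
        findings.append(("low", 'permitted-cross-domain-policies="all": policy files anywhere '
                                "on the host are honoured, not just the master file"))
    return findings

# Constructed sample policies: one over-permissive, one tightly scoped.
PERMISSIVE = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all"/>
  <allow-access-from domain="*" secure="false"/>
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>"""

TIGHT = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="www.example.com"/>
</cross-domain-policy>"""
```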

I like it. Check it out.

For whom the Shell tolls…

Catchy title don’t you think? ;)

Web shells provide an excellent way to exploit misconfigured web servers, whether we get them in place through SQL injection, upload scripts, WebDAV, PUT methods, etc. We can all appreciate command line administration through the web browser! Even better, web shells often allow us to access parts of web servers that normally stay quarantined off even if we crack SSH, FTP, etc.

So, where's the good stuff, you ask?

We start by featuring Evil1’s paper on web shells. “The paper covers web shells in PHP, ASP, JSP, Coldfusion, and Perl as well as hacking techniques for auditing each language (brief, but to the point).”

Evil1's paper gives us some common blackhat shells to use. These are great and they have some magic built into them, but they don't always fit our scope.

If only we had a project that took all the great features of these shells and cleaned them up for pentesters… oh wait, we do!

Laudanum, a Kevin Johnson (of InGuardians) project, provides these shells for pentesters. They have most of the built-in privilege magic that the common c99 and r57 shells have, and some come with built-in authentication so malicious users just can't pop by and use our shells.

If you skip reading the paper by Evil1, which I don't suggest, know that he highlights the awesome pentestmonkey reverse PHP shell, which shoots out a shell egress that we can catch with netcat. Pure awesome.

PHP, JSP, CFM, ASP, Perl, etc.: between these two resources we can control most platforms in an easy and flexible way.
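The defender's counterpart to the shells discussed above, as an added example that is not from the post, Evil1's paper or Laudanum: a static triage of PHP files for the constructs web shells and reverse shells depend on (command execution, eval of a decoded payload, an outbound socket for the egress connection). The indicator list, the weights and the two sample files are constructed assumptions; built-in authentication on a shell does not change this footprint.

```python
import re

# (weight, regex, description): capabilities a legitimate page rarely needs together.
INDICATORS = [
    (3, re.compile(r"\beval\s*\(\s*base64_decode\s*\("), "eval of a base64-decoded payload"),
    (3, re.compile(r"\b(system|passthru|shell_exec|exec|popen|proc_open)\s*\("), "command execution"),
    (2, re.compile(r"\bfsockopen\s*\("), "outbound socket (reverse shell egress)"),
    (2, re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\s*\[[^\]]+\]\s*\)"), "request parameter passed straight into a call"),
    (1, re.compile(r"[A-Za-z0-9+/]{200,}={0,2}"), "long base64 blob"),
]

def scan_php(source):
    """Return (score, [descriptions of matched indicators]) for one PHP file's text.
    Benign files often trip one low-weight indicator, so a single hit is not a verdict."""
    hits = [(w, d) for w, rx, d in INDICATORS if rx.search(source)]
    return sum(w for w, _ in hits), [d for _, d in hits]

def triage(files, threshold=4):
    """files: {path: source}. Return the paths scoring at or above threshold, highest first."""
    scored = [(scan_php(src)[0], path) for path, src in files.items()]
    return [p for s, p in sorted(scored, reverse=True) if s >= threshold]

# Constructed samples: a harmless contact form, and a fragment carrying the classic
# backdoor constructs (the base64 is the string "PLACEHOLDER"; this is not a working shell).
SAMPLE_FILES = {
    "contact.php": '<?php $name = htmlspecialchars($_POST["name"]); mail("a@b", "hi", $name); ?>',
    "img.php": '<?php eval(base64_decode("UExBQ0VIT0xERVI=")); $s = fsockopen($h, 443); ?>',
}
```

Run it over a web root's .php files and review the flagged paths by hand, comparing against what the deployed application is known to ship.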

Greetz to all those at Shmoo! Get me a damn t-shirt will ya!
