Archive for category Tool Talk

Exploit the User with SET – The Social Engineering Toolkit

I have to say… SET is just plain awesome. The Social Engineering Toolkit (SET) is a set of Python scripts created by David Kennedy (aka rel1k) to automate many client-side penetration testing vectors. In conjunction with Social-Engineer.org, which is also a top-notch resource, it provides some of the best extensibility in this type of testing. A couple of weekends ago Dave released SET 0.4 at Shmoocon. I’ll be honest, I hadn’t used it much until now, but after a good bit of research I now appreciate its full glory.

SET’s Python scripts let you easily create phishing email attacks, clone any URL you provide in a web-based attack, and then use that page to exploit the user’s machine with a Java applet or browser exploits. It can create malicious PDFs as well. 0.4 brings many improvements:

- An improved Java applet that is multi-platform and deals well with any permission type
- Metasploit browser exploits in addition to the Java applet
- Can launch “Aurora”-style attacks with Metasploit
- Improved cloned sites and redirection to the legitimate site
- Integrates with Backtrack’s sendmail or Gmail addresses
- Improved spear phishing with input of email lists

SET is closely tied to the Backtrack and Social-Engineer.org communities. The training authors and contributors to these sites are well-recognized penetration testers with a strong interest in client-side and social engineering attack vectors. You’ll recognize names like Paul Hand, Chris Nickerson, Mati Aharoni, Chris Hadnagy and of course Dave Kennedy, all working on these projects. In addition, a whole section of the free Metasploit Unleashed training is dedicated to SET, with an excellent setup and usage article here. Social-Engineer.org has an excellent writeup as well.

SET has a large fanbase with many useful videos on usage and customized scopes. The first video is actually the new SET 0.4 updates presentation, plus a recording of all the Firetalks (shorter than regular presentations) at Shmoocon, recorded by Adrian Crenshaw (Irongeek).

The Shmoocon Firetalks are well worth watching too. Adrian’s presentation on trapping script kiddies, and BruCon organizer Benny’s “Sleephacking 101 – How to Stay Awake for 20 Hours a Day without Turning into a Zombie”, are both very interesting. It was also good to hear more about the Pentoo penetration testing distribution.

Check it out, along with some of the other videos, below =)

Nsploit: Nmap grows some teeth

Ryan Linn has started a project to bridge Nmap Scans all the way to exploitation using Metasploit.

Similar to db_autopwn via the Fast-Track script (available in Backtrack 4), Nsploit does even more granular service-level Nmap scanning to identify versions and matching exploits. It then passes these to Metasploit and launches the pain at your target box.

It uses Nmap NSE scripts to trigger Metasploit commands via XMLRPC. Anything we can identify with an Nmap script, we can launch an exploit against and get a shell… hopefully a meterpreter shell ;)

Check out Ryan’s blog http://blog.happypacket.net/ and learn more about Nsploit from the 2009 SecTor presentation “Nsploit – Popping boxes with Nmap”, hosted by securitytube.com.

PDF slides here

Download

Usage videos below:

Nsploit Multi-Host Ownage from Ryan Linn on Vimeo.

Nsploit Single Host Ownage from Ryan Linn on Vimeo.

More and More Webapp Labs!

So… since the writing of our webapp lab article, a lot of people have put together similar projects. We like ours, but we wouldn’t be objective if we didn’t report on some of the other options.

The big news is the OWASP Broken Web Applications Project. This project is a nice, *tidy* little VM you can spin up to train yourself in web-app pentesting ninja-ry.

The owaspbwa project includes applications from various sources (listed in no particular order).

Intentionally Vulnerable Applications:

And old Versions of Real Applications:

Web Security Dojo, the second project, is actually very similar. It features not only targets but also tools to test against the targets, all in a VM for easy deployment.

Targets include:

Tools:

Both further the goal of raising awareness of web app flaws and breeding well-trained security ninjas… we approve =)

For whom the Shell tolls…

Catchy title don’t you think? ;)

Web shells provide an excellent way to exploit misconfigured web servers: SQL injection, upload scripts, WebDAV, PUT methods, etc. We can all appreciate command-line administration through the web browser! Even better, web shells often give us access to parts of a web server that are normally quarantined off even if we crack SSH, FTP, etc.

So, where’s the good stuff, you ask?

We start by featuring Evil1’s paper on web shells. “The paper covers web shells in PHP, ASP, JSP, ColdFusion, and Perl as well as hacking techniques for auditing each language (brief, but to the point).”

Evil1’s paper gives us some common blackhat shells to use. These are great, and they have some magic built into them, but they don’t always fit our scope.

If only we had a project that took all the great features of these shells and cleaned them up for pentesters… oh wait, we do!

Laudanum, a Kevin Johnson (of InGuardians) project, provides these shells for pentesters. They have most of the built-in privilege magic that the common c99 and r57 shells have, and some come with built-in authentication so malicious users can’t just pop by and use our shells.

If you skip reading the paper by Evil1 (which I don’t suggest), he highlights the awesome pentestmonkey reverse PHP shell, which sends a shell back out (egress) that we can catch with netcat. Pure awesome.

PHP, JSP, CFM, ASP, Perl, etc.: between these two resources we can control most platforms in an easy and flexible way.

Greetz to all those at Shmoo! Get me a damn t-shirt, will ya!

ClickJacking, on the cheap…

So, Clickjacking…

“The basic idea is that an attacker loads the content of an external site into the site you’re visiting, sets the external content to be invisible and then overlays the page you’re looking at. When you click any link you see on the current page, you are in fact clicking on the externally loaded invisible page and about to load pretty much whatever the attacker wants.”

This attack is currently prevalent in a lot of advertising, pay-per-click schemes, and malware drops. The Attack Research guys did a pretty good rundown of the types of attacks being used in the wild.

Just a few days ago Samy from samy.pl released a quick clickjacking code generator. Check it out:

http://samy.pl/quickjack/

Your Nikto’s on Fire…

Earlier this week (or rather the end of last week) Robert Hansen, aka RSnake, released a huge compiled list of parameters vulnerable to Remote File Include (RFI). To sweeten the deal, Rob Fuller (mubix) and a few others parsed the OSVDB CSV database and the milw0rm site for all the RFIs listed there.

What we’re left with is a gargantuan list of RFI vulnerabilities to search for.

The first thing that came to my mind when I saw that list was “hey, I’ll parse that into the Nikto database”, but alas, Sullo (Nikto’s author) moves quick! Sullo released a new version of Nikto like hotcakes.

In addition to the RFI goodness, 2.1.1 contains some bug fixes, etc.:

- New remote file inclusion (RFI) testing
- Over 2300 new RFI tests (courtesy of RSnake/OSVDB)
- Sending of each test ID in the User-Agent
- Libwhisker 2.5, which includes 2 new IDS evasion techniques
- Ability to run specific plugins
- XML report now includes SSL information

Check it out here =)

UDP Payload Scanning

** Note: We all love the Internet Storm Center. By far it’s one of the largest conglomerations of brilliant engineers I know. So it doesn’t really surprise me that when I was going to write a blog post on Nmap’s new UDP payload scanning yesterday, contributor Rob VandenBrink beat me to it. Here is mine anyway =P Rob’s goes into great detail, with some packet captures to show before and after.

UDP… UDP… UDP… oh how do I scan thee?

The issue with accurately scanning UDP ports is the nature of UDP programs themselves. Delivering anything other than a legitimate UDP payload to a service usually results in a dropped packet, and silence from an open port looks exactly like silence from a filtered one. This is bad news for pentesters, as we want a full and accurate scan of our targets.

UDP payload scanning is the solution (most of the time). Instead of scanning with an empty UDP packet, we send a legitimate payload that the service we are scanning understands. If we receive a response, it indicates an open port.

Before 5.21, Nmap did not support UDP payload scanning. Pentesters previously counted on free tools like UnicornScan, whose author Jack C. Louis passed away last year (rest in peace, Jack), or udp-proto-scanner by Portcullis Labs.

Although these tools are often stellar, they are sometimes buggy and lack the Nmap-type features we want in a port scanner.

Nmap 5.21 fixes our dilemma by adding the following UDP fingerprints for scanning:

udp/7 echo
udp/53 domain
udp/111 rpcbind
udp/123 ntp
udp/137 netbios-ns
udp/161 SNMP
udp/177 xdmcp
udp/500 ISAKMP
udp/520 route
udp/1645 RADIUS
udp/1812 RADIUS
udp/2049 NFS
udp/5353 zeroconf
udp/10080 amanda

I know this has been a good number of months in development; thanks for all the good work, Fyodor and the Nmap dev community!

Ncrack – Network Password Cracker

The 2009 Summer of Code has a special present for us pentesters. Normally we use Hydra or Medusa to crack network service passwords (Telnet, FTP, SSH, etc.).

Ncrack changes the game a bit.

By bringing the Nmap dev team/community to the table, it shows promise to fix some current issues in brute-forcing network service passwords. This has already happened in one instance; read the openssh_library paper here. It also gives us the ability to brute-force multiple targets and takes the standard Nmap target syntax (hostnames, CIDR, ranges, and single IPs), which is very extensible and convenient for scripting.

Additionally, it can take input from all of Nmap’s output files, making certain portions of a pentest faster, meaner, and leaner. We can specify IPs not to brute-force, or pass it a whole list of IPs not to test. It’s multi-threaded and provides easy tuning options (not all have been activated yet). It also has a very simple syntax for bruting services on non-standard ports.

While it’s still relatively new and doesn’t have a GUI like Hydra, or as many modules as Medusa, it’s still an awesome addition to any pentester’s toolbelt.

Check out the man page here: http://nmap.org/ncrack/man.html

The latest version can be downloaded here: http://nmap.org/ncrack

Note: Ncrack is a new project started in the 2009 Summer of Code. While it is already useful for some purposes, it is still unfinished, alpha-quality software. You can help out by testing it and reporting any problems as described in the section called “Bugs”. Currently it only has modules for FTP, SSH, Telnet and HTTP(S).

Happy Cracking!

Hostmap – shared/virtual host enumeration

You either love or hate Sun Tzu quotes but, when they apply, I’m inclined to use them ;)

“It is said that if you know your enemies and know yourself, you will not be imperiled in a hundred battles; if you do not know your enemies but do know yourself, you will win one and lose one; if you do not know your enemies nor yourself, you will be imperiled in every single battle”

And so it is also with some web servers! Do you manage your own hosting? Or, like the million others out there, do you share one mega-server hosting hundreds of other sites as well?

Part of the recon stage of pentesting is checking for shared hosting. If there are other sites on your server, your security is only as strong as theirs. The web applications they deploy may not be as well thought out, secure, or even documented.

Long have I searched for ways to enumerate these virtual hosts, but each avenue was a semi-manual process. Now I have settled on a stellar tool by Alessandro `jekil` Tanasi called Hostmap. It uses a plethora of DNS and scraping tricks to accomplish this task for us. Check out the documentation =)

Interview: Ferruh Mavituna on Netsparker, the New Web 2.0 Application Scanner

Also featured on Ethicalhacker.net. Feel free to respond to this article or ask any and all questions of Ferruh at Ethicalhacker.net’s forums.

Today we showcase a new web application scanner called Netsparker, and believe us when we say that we put this app through the wringer.

There’s a big distinction between testing a tool against dummy apps in a lab and using it first-hand against a large environment. Luckily for us, we got to do both.

Over the course of a month we ran several engagements and specifically watched Netsparker’s performance compared to other tools we normally use in the assessment process (w3af, Grendel Scan, Nikto, Wikto, Websecurify, Paros, Burp, etc). We have to say, we are very impressed. Netsparker not only caught vulnerabilities that other scanners missed but also had excellent remediation and a documentation section for most of its findings.

For injection it does a full-scale attack, testing every parameter it can spider (which it also does very well), and although this lengthens the testing time, it also rewarded us with some valuable injection findings. Netsparker is developed by Mavituna Security, and more specifically by our guest, Ferruh Mavituna.

—–

Ferruh, thanks for joining us today.