<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss2full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:wfw="http://wellformedweb.org/CommentAPI/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:sy="http://purl.org/rss/1.0/modules/syndication/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" version="2.0">

<channel>
	<title>NetSPI Blog » NetsPWN: Assessment Services</title>
	
	<link>http://www.netspi.com/blog</link>
	<description>Information security consulting</description>
	<lastBuildDate>Wed, 22 May 2013 13:00:11 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.5.1</generator>
		<atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" type="application/rss+xml" href="http://feeds.feedburner.com/NetspiBlog/application-security" /><feedburner:info uri="netspiblog/application-security" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com/" /><item>
		<title>Breaking Out! of Applications Deployed via Terminal Services, Citrix, and Kiosks</title>
		<link>http://feedproxy.google.com/~r/NetspiBlog/application-security/~3/4FbjGaxQ5fY/</link>
		<comments>http://www.netspi.com/blog/2013/05/22/breaking-out-of-applications-deployed-via-terminal-services-citrix-and-kiosks/#comments</comments>
		<pubDate>Wed, 22 May 2013 13:00:11 +0000</pubDate>
		<dc:creator>Scott Sutherland</dc:creator>
				<category><![CDATA[NetsPWN: Assessment Services]]></category>
		<category><![CDATA[bypass controls]]></category>
		<category><![CDATA[Escalation]]></category>
		<category><![CDATA[group policy bypass]]></category>
		<category><![CDATA[hacking]]></category>
		<category><![CDATA[hacking citrix]]></category>
		<category><![CDATA[hacking terminal services]]></category>
		<category><![CDATA[ikat]]></category>
		<category><![CDATA[kiosk breakout]]></category>
		<category><![CDATA[Penetration Test]]></category>
		<category><![CDATA[windows breakout]]></category>

		<guid isPermaLink="false">http://www.netspi.com/blog/?p=3423</guid>
		<description><![CDATA[The goal of this blog is to provide a simple process for testing common breakout scenarios related to applications published via Kiosks, Terminal Services, and Citrix using manual techniques and free tool kits.  This should be useful to penetration testers and system administrators alike. <br /><a class="readmore" href="http://www.netspi.com/blog/2013/05/22/breaking-out-of-applications-deployed-via-terminal-services-citrix-and-kiosks/">READ POST</a>]]></description>
				<content:encoded><![CDATA[<p>In order to meet business requirements and client demand for remote access, many companies choose to deploy applications using  Terminal Services, Citrix, and kiosk platforms.  These platforms are commonly deployed in both internal networks as well as internet facing environments.  In my experience, such application deployments are rarely locked down enough to prevent an attacker from breaking out to the underlying operating system. As a result, these systems can often be used as an entry point into the network and have the potential to provide attackers with unauthorized access to systems, applications, and sensitive data.  The goal of this blog is to provide a simple process for testing common breakout scenarios using manual techniques and free tool kits.  This should be useful to penetration testers and system administrators alike.</p>
<p>Below is an overview of the high-level process and topics that will be covered:</p>
<ul>
<li><a href="#obtainwindows">Obtain a common dialog box</a></li>
<li><a href="#folderpathrestrictions">Bypass folder path restrictions</a></li>
<li><a href="#filerestrictions">Bypass file type restrictions</a></li>
<li><a href="#fileexecutionrestrictions">Bypass file execution restrictions</a></li>
<li><a href="#filelists">Bypass file black/white lists</a></li>
<li><a href="#interactiveshells">Obtain access to native interactive shells</a></li>
<li><a href="#managementconsoles">Obtain access to native management consoles</a></li>
<li><a href="#downloadingthirdpartyapps">Downloading third party applications</a></li>
<li><a href="#usefullthirdpartyapps">Useful third party applications</a></li>
</ul>
<h2><a id="obtainwindows"></a>Obtain a Common Dialog Box</h2>
<p>The first step towards breaking out of applications deployed via Terminal Services, Citrix, or a kiosk platform is often obtaining a Windows common dialog box.  This is usually possible via keyboard shortcuts and application functionality that interacts with the file system.  Windows XP dialog boxes look something like the screenshot below.</p>
<p><a href="http://www.netspi.com/blog/wp-content/uploads/2013/05/Scott_BreakingOut_Img_1.png"><img class="alignleft size-full wp-image-3424" alt="Scott_BreakingOut_Img_1" src="http://www.netspi.com/blog/wp-content/uploads/2013/05/Scott_BreakingOut_Img_1.png" width="566" height="456" /></a></p>
<p>Windows Vista and above have additional built-in functionality for these dialogs such as Windows Search.  However, a lot of those functions can be limited or removed via group policy settings.  Regardless, there are a few ways that attackers and users are able to obtain a Windows dialog box.</p>
<h4>Intended Application Functionality</h4>
<p>Many desktop applications deployed via Citrix and Terminal Services support functionality that allows them to interact with files on the operating system. Functions that allow users <em>to save, save as, open, load, browse, import, export, help, search, scan, and print </em>will usually be able to provide an attacker with a Windows dialog box.  Below is a basic example using notepad.exe.</p>
<p><a href="http://www.netspi.com/blog/wp-content/uploads/2013/05/Scott_BreakingOut_Img_2.png"><img class="alignleft size-full wp-image-3425" alt="Scott_BreakingOut_Img_2" src="http://www.netspi.com/blog/wp-content/uploads/2013/05/Scott_BreakingOut_Img_2.png" width="564" height="359" /></a></p>
<h4>Shortcut Keys: Windows</h4>
<p>A lot of applications are deployed to environments that do not suppress default Windows shortcut keys via group policy or other means.  As a result, attackers can often gain unauthorized access to other applications, menus, and dialog boxes.  I have had a lot of luck with the accessibility option shortcut keys, but a larger list of default Windows shortcut keys can be found at <a href="http://support.microsoft.com/kb/126449">http://support.microsoft.com/kb/126449</a>.  Also, the terminal services hardening guide (from Microsoft) can be found at <a href="http://technet.microsoft.com/en-us/library/cc264467.aspx">http://technet.microsoft.com/en-us/library/cc264467.aspx</a>.  It provides some guidance for disabling most of the shortcut keys.  Below is a basic example showing how to obtain an explorer dialog box using the “Sticky Keys” accessibility option shortcut keys.</p>
<ol>
<li>Hit shift 5 times to obtain the Sticky Keys popup.
<p>&nbsp;<a href="http://www.netspi.com/blog/wp-content/uploads/2013/05/Scott_BreakingOut_Img_3.png"><img class="alignleft size-full wp-image-3426" alt="Scott_BreakingOut_Img_3" src="http://www.netspi.com/blog/wp-content/uploads/2013/05/Scott_BreakingOut_Img_3.png" width="514" height="213" /></a></li>
<li>Click the link to open the explorer dialog box. In this instance, the explorer functionality can be accessed via the address bar.
<p><img class="alignleft size-full wp-image-3427" alt="Scott_BreakingOut_Img_4" src="http://www.netspi.com/blog/wp-content/uploads/2013/05/Scott_BreakingOut_Img_4.png" width="655" height="567" /></li>
</ol>
<h4>Shortcut Keys: Citrix ICA Hotkeys</h4>
<p>Citrix implementations have their own set of shortcuts or “hotkeys” that can lead to unauthorized system access.  In some cases, custom hotkeys can be set in the ICA configuration file.  Below are a few links that cover the default hotkeys, how to configure custom hotkeys, and how both can be disabled.</p>
<ul>
<li><a href="http://support.citrix.com/article/CTX140219">http://support.citrix.com/article/CTX140219</a></li>
<li><a href="http://support.citrix.com/proddocs/topic/receivers-java-101/java-client-hotkeys.html">http://support.citrix.com/proddocs/topic/receivers-java-101/java-client-hotkeys.html</a></li>
</ul>
<h4>Internet Explorer Breakouts: Download and Run/Open</h4>
<p>Most browsers support the execution of downloaded files from the browser.  They also support opening downloaded files with their default program.  So for example, a .txt file downloaded from a malicious web server would most likely open in notepad by default.   Interactive Kiosk Attack Tool (iKAT) Desktop is a free Kiosk hacking framework that has some nice support for quite a few breakout scenarios.  However, in this instance the “File Handlers” and “iKat Tools” menus are particularly useful.  It can be downloaded from <a href="http://ikat.ha.cked.net/Windows/index.html">http://ikat.ha.cked.net/Windows/index.html</a>.</p>
<h4>Internet Explorer Breakouts: Menus</h4>
<p>A lot of web applications are deployed via Terminal Services, Citrix, and Kiosk platforms.  Most of them are made accessible via Internet Explorer.  As it turns out, Internet Explorer is very tightly integrated with the Windows operating system.  As a result, it can be used to navigate to folders, execute programs, and download content via native functionality.   Common areas that can be used to break out of Internet Explorer include, but are not limited to:</p>
<ul>
<li>The address bar</li>
<li>Search menus</li>
<li>Help menus</li>
<li>Print menus</li>
<li>All other menus that provide dialog boxes</li>
<li>Right-click menus that support things like:
<ul>
<li>Goto/search copied address functionality</li>
<li>View source functionality</li>
<li>Third party plug-ins</li>
</ul>
</ul>
<p>Below is a basic screen shot of Internet Explorer.  I’ve outlined a few of the common functions/menus that can be used to break out to other applications or obtain a dialog box.</p>
<p><a href="http://www.netspi.com/blog/wp-content/uploads/2013/05/Scott_BreakingOut_Img_5.png"><img class="alignleft size-full wp-image-3428" alt="Scott_BreakingOut_Img_5" src="http://www.netspi.com/blog/wp-content/uploads/2013/05/Scott_BreakingOut_Img_5.png" width="707" height="569" /></a></p>
<h4>Internet Explorer Breakouts: Menu Links</h4>
<p>In Internet Explorer you can also access common dialog boxes via HTML hyperlinks.  iKat Desktop includes a module to launch dialog boxes through such links.  In order to leverage the module, simply start iKat, navigate to the iKat web server via the target application, and click on the links in the “Common Dialogs” menu.  Below is a sample screen shot.</p>
<p><a href="http://www.netspi.com/blog/wp-content/uploads/2013/05/Scott_BreakingOut_Img_6.png"><img class="alignleft size-full wp-image-3429" alt="Scott_BreakingOut_Img_6" src="http://www.netspi.com/blog/wp-content/uploads/2013/05/Scott_BreakingOut_Img_6.png" width="868" height="488" /></a></p>
<p>To be fair, I’ve also provided a few links related to locking down Internet Explorer and placing it into “kiosk mode” to help prevent attackers from using it to break out to the local operating system.</p>
<ul>
<li><a href="http://technet.microsoft.com/en-us/library/cc775996%28v=ws.10%29.aspx">http://technet.microsoft.com/en-us/library/cc775996%28v=ws.10%29.aspx</a></li>
<li><a href="http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/207ef293-2a5c-461a-aafb-630caacd3d56/">http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/207ef293-2a5c-461a-aafb-630caacd3d56/</a></li>
</ul>
<h2><a id="folderpathrestrictions"></a>Bypass Folder Path Restrictions</h2>
<p>After obtaining a Windows dialog box, the next step is often to navigate to a folder path that houses native executables that can provide an interactive console, registry access, etc.  Usually you can simply type the folder path into the file name field, but sometimes you will have to use alternative options.  Below are some options that typically work in both explorer and Internet Explorer.  Most of them can be prevented via group policy or registry modifications.</p>
<h4>Standard Folder Paths</h4>
<p>A standard file path looks like “C:\Windows\System32\” and can be entered into the file name field in order to navigate to the desired folder.  Below is a basic screen shot example from Windows XP.</p>
<p><a href="http://www.netspi.com/blog/wp-content/uploads/2013/05/Scott_BreakingOut_Img_7.png"><img class="alignleft size-full wp-image-3430" alt="Scott_BreakingOut_Img_7" src="http://www.netspi.com/blog/wp-content/uploads/2013/05/Scott_BreakingOut_Img_7.png" width="566" height="455" /></a></p>
<h4>Folder Paths in Shortcut Links</h4>
<p>In a handful of instances I’ve found it useful to modify existing Windows shortcuts to gain unauthorized access to folder paths.  Below are the basic steps.</p>
<ul>
<li>Right-click the shortcut</li>
<li>Choose properties</li>
<li>In the “Target” field change the path to the folder you wish to access.</li>
</ul>
<p>Below is a sample screen shot of what the shortcut properties window should look like for an application named “MyApplication”.</p>
<p><a href="http://www.netspi.com/blog/wp-content/uploads/2013/05/Scott_BreakingOut_Img_8.png"><img class="alignleft size-full wp-image-3431" alt="Scott_BreakingOut_Img_8" src="http://www.netspi.com/blog/wp-content/uploads/2013/05/Scott_BreakingOut_Img_8.png" width="370" height="510" /></a></p>
<h4>Folder Path Alternatives: Environment Variables</h4>
<p>By default, Windows sets a number of environment variables that can be used almost anywhere in Windows (including file dialog boxes).  To view the standard environment variables you can type “set” in a command console.  In most cases you should be able to type the variable into the file name field and gain some access to the corresponding directory.  Below are some default variables to get you started.</p>
<ul>
<li>%USERPROFILE%</li>
<li>%PROGRAMDATA%</li>
<li>%PUBLIC%</li>
<li>%TMP%</li>
<li>%WINDIR%</li>
<li>%SYSTEMDRIVE%</li>
<li>%SYSTEMROOT%</li>
</ul>
<p>Below is a basic screen shot example.</p>
<p><a href="http://www.netspi.com/blog/wp-content/uploads/2013/05/Scott_BreakingOut_Img_9.png"><img class="alignleft size-full wp-image-3432" alt="Scott_BreakingOut_Img_9" src="http://www.netspi.com/blog/wp-content/uploads/2013/05/Scott_BreakingOut_Img_9.png" width="564" height="457" /></a></p>
<h4>Folder Path Alternatives: Shell URI Handlers</h4>
<p>There are a lot of folder locations that can be accessed via shell command shortcuts.  Many of them allow you to execute programs and provide some level of write access, which will come in handy later on.  I have not been able to find any solid Microsoft documentation on this, but there are quite a few sites online with good command lists. One of them is <a href="http://docs.rainmeter.net/tips/launching-windows-special-folders">http://docs.rainmeter.net/tips/launching-windows-special-folders</a>.  Below are a few shell command examples.  They can be executed from the run menu, taskmgr, command console, or the file name/path fields in a Windows dialog box.</p>
<ul>
<li>shell:DocumentsLibrary</li>
<li>shell:Libraries</li>
<li>shell:UserProfiles</li>
<li>shell:Personal</li>
<li>shell:SearchHomeFolder</li>
<li>shell:System</li>
<li>shell:NetworkPlacesFolder</li>
<li>shell:SendTo</li>
<li>shell:Common Administrative Tools</li>
<li>shell:MyComputerFolder</li>
<li>shell:InternetFolder</li>
</ul>
<p>Below is a basic screen shot example showing how the “shell:Common Administrative Tools” command can be issued in the file name field to access a folder containing shortcuts to administrative tools.</p>
<p><a href="http://www.netspi.com/blog/wp-content/uploads/2013/05/Scott_BreakingOut_Img_10.png"><img class="alignleft size-full wp-image-3433" alt="Scott_BreakingOut_Img_10" src="http://www.netspi.com/blog/wp-content/uploads/2013/05/Scott_BreakingOut_Img_10.png" width="585" height="473" /></a></p>
<p>It’s worth noting that the common shell handler commands can be found in the iKat Desktop “File System Links” menu.</p>
<h4>Folder Path Alternatives: File Protocol Handler</h4>
<p>Below is an example of how to use the file protocol handler to access a folder path.  Enter the path into the file name field and press enter to change the directory.  A file handler folder path looks like “../../../Windows/System32/”.</p>
<p><a href="http://www.netspi.com/blog/wp-content/uploads/2013/05/Scott_BreakingOut_Img_11.png"><img class="alignleft size-full wp-image-3434" alt="Scott_BreakingOut_Img_11" src="http://www.netspi.com/blog/wp-content/uploads/2013/05/Scott_BreakingOut_Img_11.png" width="565" height="455" /></a></p>
<p>There are a number of other native protocol handlers that can be targeted as well. iKat has a menu that contains a list of the common ones, but I’ve provided a short list of them below to give you an idea of the potential.</p>
<ul>
<li>data:</li>
<li>res:</li>
<li>about:</li>
<li>mailto:</li>
<li>ftp:</li>
<li>news:</li>
<li>telnet:</li>
<li>view-source:</li>
</ul>
<h4>Folder Path Alternatives: UNC Path</h4>
<p>In many cases UNC paths can be used to bypass group policy restrictions preventing you from accessing all of your favorite file paths.  Below is a basic screen shot showing how a UNC path can be used to navigate to the “c:\windows\system32\” directory of a Windows 7 system via the address field.  It should be noted that you can use the file protocol handler and UNC paths together.</p>
<p><a href="http://www.netspi.com/blog/wp-content/uploads/2013/05/Scott_BreakingOut_Img_12.png"><img class="alignleft size-full wp-image-3435" alt="Scott_BreakingOut_Img_12" src="http://www.netspi.com/blog/wp-content/uploads/2013/05/Scott_BreakingOut_Img_12.png" width="656" height="404" /></a></p>
<h4>Windows Search</h4>
<p>The native search functionality in Windows can often be used to navigate the operating system even with restrictive policies in place.  For example, performing a search and then clicking the “custom” menu will at a minimum provide a full list of the folders on the operating system, even if file restrictions have been put into place by GPO.  In some cases you may even be able to break out to your personal directories.  This can be accomplished using the steps below:</p>
<ol>
<li>Obtain a dialog box
<p>	<a href="http://www.netspi.com/blog/wp-content/uploads/2013/05/Scott_BreakingOut_Img_13.png"><img class="alignleft  wp-image-3436" style="margin-bottom: 10px;" alt="Scott_BreakingOut_Img_13" src="http://www.netspi.com/blog/wp-content/uploads/2013/05/Scott_BreakingOut_Img_13.png" width="627" height="433" /></a></li>
<li>Search for any string
<p>	<a href="http://www.netspi.com/blog/wp-content/uploads/2013/05/Scott_BreakingOut_Img_14.png"><img class="alignleft  wp-image-3437" style="margin-bottom: 10px;" alt="Scott_BreakingOut_Img_14" src="http://www.netspi.com/blog/wp-content/uploads/2013/05/Scott_BreakingOut_Img_14.png" width="628" height="435" /></a></li>
<li>Click &#8220;Custom&#8230;&#8221;
<p><a href="http://www.netspi.com/blog/wp-content/uploads/2013/05/Scott_BreakingOut_Img_15.png"><img class="alignleft  wp-image-3438" style="margin-bottom: 10px;" alt="Scott_BreakingOut_Img_15" src="http://www.netspi.com/blog/wp-content/uploads/2013/05/Scott_BreakingOut_Img_15.png" width="622" height="434" /></a></li>
<li>Add a custom search path for &#8220;c:\&#8221;
<p><a href="http://www.netspi.com/blog/wp-content/uploads/2013/05/Scott_BreakingOut_Img_16.png"><img class="alignleft size-full wp-image-3439" style="margin-bottom: 10px;" alt="Scott_BreakingOut_Img_16" src="http://www.netspi.com/blog/wp-content/uploads/2013/05/Scott_BreakingOut_Img_16.png" width="415" height="492" /></a></li>
<li>Expand the “c:\” and right-click the sub directory that you would like to access.  Then choose “Include in library-&gt;Create new library”.
<p><a href="http://www.netspi.com/blog/wp-content/uploads/2013/05/Scott_BreakingOut_Img_17.png"><img class="alignleft  wp-image-3440" style="margin-bottom: 10px;" alt="Scott_BreakingOut_Img_17" src="http://www.netspi.com/blog/wp-content/uploads/2013/05/Scott_BreakingOut_Img_17.png" width="567" height="500" /></a></li>
<li>A soft link to the location will be created in your personal libraries folder, and the folder will be opened automatically. In some cases this will allow you to access folders and files that you shouldn’t have access to.
<p><a href="http://www.netspi.com/blog/wp-content/uploads/2013/05/Scott_BreakingOut_Img_18.png"><img class="alignleft  wp-image-3441" style="margin-bottom: 10px;" alt="Scott_BreakingOut_Img_18" src="http://www.netspi.com/blog/wp-content/uploads/2013/05/Scott_BreakingOut_Img_18.png" width="675" height="550" /></a> </li>
</ol>
<p>The sites listed below also cover some more advanced search commands that can help you refine searches for key files during your breakouts.</p>
<ul>
<li><a href="https://windowssecrets.com/top-story/getting-the-most-from-windows-search-part-2/">https://windowssecrets.com/top-story/getting-the-most-from-windows-search-part-2/</a></li>
<li><a href="http://windows.microsoft.com/en-us/windows7/advanced-tips-for-searching-in-windows">http://windows.microsoft.com/en-us/windows7/advanced-tips-for-searching-in-windows</a></li>
</ul>
<h2><a id="filerestrictions"></a>Bypass File Type Restrictions</h2>
<p>Sometimes dialog boxes will be deployed so that only certain file types or folders can be viewed.  Most of the time this can be bypassed by entering wildcard characters into the file name field and pressing enter.  I provided some basic examples below, but didn’t feel this one really warranted a screen shot.</p>
<ul>
<li>*.exe</li>
<li>*</li>
<li>*.*</li>
</ul>
<h4>Bypass File Read Restrictions</h4>
<p>In some cases you may not have the ability to launch applications to read files on the operating system.  However, in many cases you can upload files to a web server you control via an upload form in your web browser, and read them back from there.  iKat Desktop actually has a module called “File Reflection” in the “Reconnaissance” menu to serve that purpose.  Below is a screen shot example showing the upload and viewing of a file called “helloworld.txt” that contains the string “Hello World!”.</p>
<p><a href="http://www.netspi.com/blog/wp-content/uploads/2013/05/Scott_BreakingOut_Img_19.png"><img class="alignleft size-full wp-image-3442" alt="Scott_BreakingOut_Img_19" src="http://www.netspi.com/blog/wp-content/uploads/2013/05/Scott_BreakingOut_Img_19.png" width="871" height="490" /></a></p>
<h2><a id="fileexecutionrestrictions"></a>Bypass File Execution Restrictions</h2>
<p>The fantastic thing about Windows is that there is always more than one way to do everything. Naturally this makes Windows easier for users, but it also makes it harder to lock down.  Below are a few different options for executing files when standard execution isn’t possible.</p>
<h4>Right-Click and Open</h4>
<p>The classics never die.  If accessing right-click menus is possible, then simply right-click the file you wish to execute and choose open from the Windows file dialog box.  Below is a basic example showing how to run cmd.exe.</p>
<p><a href="http://www.netspi.com/blog/wp-content/uploads/2013/05/Scott_BreakingOut_Img_20.png"><img class="alignleft size-full wp-image-3443" alt="Scott_BreakingOut_Img_20" src="http://www.netspi.com/blog/wp-content/uploads/2013/05/Scott_BreakingOut_Img_20.png" width="623" height="501" /></a></p>
<h4>File Protocol Handler</h4>
<p>In most scenarios this works well in the address bar for both Internet Explorer and Windows Explorer.  To execute a file with this method, type “../../../Windows/System32/cmd.exe” into the address bar.  Below are a few screen shots to illustrate the process.  Once again, this can also be done using iKat by clicking on a preconfigured hyperlink.</p>
<p><a href="http://www.netspi.com/blog/wp-content/uploads/2013/05/Scott_BreakingOut_Img_21.png"><img class="alignleft size-full wp-image-3444" alt="Scott_BreakingOut_Img_21" src="http://www.netspi.com/blog/wp-content/uploads/2013/05/Scott_BreakingOut_Img_21.png" width="626" height="432" /></a></p>
<p><a href="http://www.netspi.com/blog/wp-content/uploads/2013/05/Scott_BreakingOut_Img_22.png"><img class="alignleft size-full wp-image-3445" alt="Scott_BreakingOut_Img_22" src="http://www.netspi.com/blog/wp-content/uploads/2013/05/Scott_BreakingOut_Img_22.png" width="706" height="436" /></a></p>
<h4>File Shortcuts</h4>
<p>Some “restricted” desktops and dialog boxes may allow you to modify or create shortcuts to the files for execution.   After the shortcut is modified/created, a simple double-click should do the trick.</p>
<ul>
<li>Right-click the shortcut</li>
<li>Choose properties</li>
<li>In the “Target” field change the path to the executable you wish to run.</li>
</ul>
<p>Below is a basic example screen shot.</p>
<p><a href="http://www.netspi.com/blog/wp-content/uploads/2013/05/Scott_BreakingOut_Img_23.png"><img class="alignleft size-full wp-image-3446" alt="Scott_BreakingOut_Img_23" src="http://www.netspi.com/blog/wp-content/uploads/2013/05/Scott_BreakingOut_Img_23.png" width="385" height="531" /></a></p>
<h4>Drag and Drop Execution</h4>
<p>Windows also allows for drag and drop execution.  For example, if right-click or file handler options are unavailable, you can simply drag any file onto cmd.exe in order to open a console window.  This can be done within a single dialog or between multiple dialogs, as shown in the basic example below.</p>
<p><a href="http://www.netspi.com/blog/wp-content/uploads/2013/05/Scott_BreakingOut_Img_24.png"><img class="alignleft size-full wp-image-3447" alt="Scott_BreakingOut_Img_24" src="http://www.netspi.com/blog/wp-content/uploads/2013/05/Scott_BreakingOut_Img_24.png" width="625" height="433" /></a></p>
<h4>Browser Add-ons</h4>
<p>If you’re testing a web application, in most cases you’ll have the ability to navigate to a web server via the address bar in Internet Explorer or Windows Explorer.  By starting up your own web server on a remote host you should be able to access add-on applications that have the ability to pass commands to the operating system.  For example, you can use a Java applet that passes commands through cmd.exe and displays the results on the page.  Common technologies that can be used for this include Java applets, ClickOnce, and ActiveX.  If you don’t feel like writing your own wrappers, iKat supports a number of different “Browser Addons” based on each of them.</p>
<h4>Browser Based Exploits</h4>
<p>Many browsers and browser add-ons suffer from vulnerabilities that allow the execution of arbitrary code on the system.  One way to leverage those kinds of issues while trying to break out of an application deployed via Terminal Services, Citrix, or a Kiosk platform is to simply visit a web page hosting the exploit.  You can configure and deploy your own malicious web pages with Metasploit manually or through iKat.  However, Metasploit provides the flexibility to test one module at a time or test many at once with the “<a href="http://www.metasploit.com/modules/auxiliary/server/browser_autopwn">browser_autopwn</a>” module.  I would provide instructions, but the usage has been documented a million times.  Feel free to Google it.</p>
<h4>Office File Macros</h4>
<p>Office and Adobe PDF documents can contain macros that will execute arbitrary code on the system.  Simply create an Office file that will run the operating system command of your choice via a macro, host it on your malicious web server, and open it from the application’s browser or Internet Explorer.  Surprise! iKat supports this as well.</p>
<h4>Native Application Functionality</h4>
<p>A surprising number of applications have command execution functionality built in on purpose.  So make sure that you walk through the entire application looking for command execution, scheduled task, and database query options.  Many thick-client applications also provide users with the ability to execute arbitrary queries on backend databases.  In many cases that functionality can be used to execute operating system commands through existing database functions on the database server, such as xp_cmdshell.</p>
<h2><a id="filelists"></a>Bypass File Execution Black/White Lists</h2>
<p>Administrators can configure group policy to prevent or allow applications to be run by name.  However, attackers have a few workarounds available to them which can be hard to prevent with group policy on its own.  Below are a few examples.</p>
<h4>Rename files</h4>
<p>Simply renaming files will typically allow you to bypass group policy enforced black and white lists.  In most cases you can rename your files to anything that isn’t on the blacklist, but I have had the most success when naming files after required or running processes like svchost.exe, conhost, explorer.exe, iexplore.exe, etc.</p>
<h4>Change Directories</h4>
<p>Although the default folders used by the application may not allow files to execute, your user’s personal directories usually do.  Navigating to %userprofile% or shell:Personal will often give you the write/execute access you’ll need to break out of the application and execute commands on the operating system.</p>
<h2><a id="interactiveshells"></a>Obtain Access to Native Interactive Shells</h2>
<p>There are lots of native applications that will provide an interactive shell.  I’ve listed a few of the common ones below:</p>
<h4>CMD.exe</h4>
<p>Cmd.exe is the native console for Windows.  I think most people are more comfortable with it than the alternatives just because it’s familiar.  However, use what you like.  Below is a basic screen shot example.</p>
<p><a href="http://www.netspi.com/blog/wp-content/uploads/2013/05/Scott_BreakingOut_Img_25.png"><img class="alignleft size-full wp-image-3448" alt="Scott_BreakingOut_Img_25" src="http://www.netspi.com/blog/wp-content/uploads/2013/05/Scott_BreakingOut_Img_25.png" width="659" height="246" /></a></p>
<p>It’s worth noting that there are two versions of cmd.exe on 64-bit Windows systems.  They are located at C:\Windows\System32\cmd.exe and C:\Windows\SysWOW64\cmd.exe.</p>
<h4>COMMAND.com</h4>
<p>Everyone goes straight for cmd.exe, but don’t forget about command.com.  It’s still on older Windows systems and when everything else is locked down it can come in handy.  Below is a basic example screen shot.</p>
<p><a href="http://www.netspi.com/blog/wp-content/uploads/2013/05/Scott_BreakingOut_Img_26.png"><img class="alignleft size-full wp-image-3449" alt="Scott_BreakingOut_Img_26" src="http://www.netspi.com/blog/wp-content/uploads/2013/05/Scott_BreakingOut_Img_26.png" width="670" height="336" /></a></p>
<h4>FTP.exe</h4>
<p>A lot of people forget that the native ftp.exe client in Windows has a command that allows users to execute local operating system commands without direct access to cmd.exe.  This usually comes in handy when there are a lot of restrictions around cmd.exe and you don’t have change or write access to the file system.  Below is a basic overview of how to use the FTP client to obtain a directory listing.</p>
<ol>
<li>Double-click ftp.exe; the console will launch</li>
<li>Type “!dir” to get a directory listing</li>
</ol>
<p>Below is a basic screen shot example.</p>
<p><a href="http://www.netspi.com/blog/wp-content/uploads/2013/05/Scott_BreakingOut_Img_27.png"><img class="alignleft size-full wp-image-3450" alt="Scott_BreakingOut_Img_27" src="http://www.netspi.com/blog/wp-content/uploads/2013/05/Scott_BreakingOut_Img_27.png" width="674" height="339" /></a></p>
<h4>POWERSHELL.exe</h4>
<p>PowerShell provides its own console with a bunch of cmd.exe aliases so that (for the most part) you can interact with it as though you were using cmd.exe.  It also supports all the .net magic, which means you can basically run any command  or call any API method that you have the privileges to.  This is my preferred shell for that reason, but of course PowerShell must already be installed on the system.  Below is a basic screen shot example.</p>
<p><a href="http://www.netspi.com/blog/wp-content/uploads/2013/05/Scott_BreakingOut_Img_28.png"><img class="alignleft size-full wp-image-3451" alt="Scott_BreakingOut_Img_28" src="http://www.netspi.com/blog/wp-content/uploads/2013/05/Scott_BreakingOut_Img_28.png" width="672" height="341" /></a></p>
<h4>Scripts of All Kinds</h4>
<p>If script extensions such as .bat, .vbs, or .ps1 are configured to automatically execute their code via their intended interpreter, then in some cases it may be possible to drop a script that acts as an interactive console or downloads/launches your favorite third-party applications.</p>
<h2><a id="managementconsoles"></a>Obtain Access to Native Management Consoles</h2>
<p>It’s pretty well known that most kiosk systems are configured to run with local administrative privileges.  So the native applications below should give you the means to access a full remote desktop or disable group policies that are making your life difficult.  They can also come in handy when attacking Terminal Service and Citrix applications.</p>
<h4>MMC.exe</h4>
<p>MMC.exe allows users to build custom management control panels.  It can be very handy for disabling restrictions on files, and other local configurations.</p>
<p><a href="http://www.netspi.com/blog/wp-content/uploads/2013/05/Scott_BreakingOut_Img_29.png"><img class="alignleft size-full wp-image-3452" alt="Scott_BreakingOut_Img_29" src="http://www.netspi.com/blog/wp-content/uploads/2013/05/Scott_BreakingOut_Img_29.png" width="614" height="332" /></a></p>
<h4>CONTROL.exe</h4>
<p>Control.exe actually launches the control panel.  Depending on the group policy this may or may not give you access to what you’re looking for.</p>
<p><a href="http://www.netspi.com/blog/wp-content/uploads/2013/05/Scott_BreakingOut_Img_30.png"><img class="alignleft size-full wp-image-3453" alt="Scott_BreakingOut_Img_30" src="http://www.netspi.com/blog/wp-content/uploads/2013/05/Scott_BreakingOut_Img_30.png" width="613" height="329" /></a></p>
<h4>RUNDLL32.exe</h4>
<p>Rundll32.exe can be used to execute DLL functions from the command line.  This includes the native API calls to launch management consoles.  Below are a few examples that can be useful.</p>
<ul>
<li>Add/Remove Programs: RunDll32.exe shell32.dll,Control_RunDLL appwiz.cpl,,0</li>
<li>Content Advisor</li>
<li>Control Panel: RunDll32.exe shell32.dll,Control_RunDLL</li>
<li>Device Manager: RunDll32.exe devmgr.dll,DeviceManager_Execute</li>
<li>Folder Options – General: RunDll32.exe shell32.dll,Options_RunDLL 0</li>
<li>Folder Options – Search: RunDll32.exe shell32.dll,Options_RunDLL 2</li>
<li>Forgotten Password Wizard:  RunDll32.exe keymgr.dll,PRShowSaveWizardExW</li>
<li>System Properties: Advanced: RunDll32.exe shell32.dll,Control_RunDLL sysdm.cpl,,4</li>
<li>Taskbar Properties: RunDll32.exe shell32.dll,Options_RunDLL 1</li>
<li>User Accounts: RunDll32.exe shell32.dll,Control_RunDLL nusrmgr.cpl</li>
<li>Windows Firewall: RunDll32.exe shell32.dll,Control_RunDLL firewall.cpl</li>
</ul>
<p>Below is an example screen shot.</p>
<p><a href="http://www.netspi.com/blog/wp-content/uploads/2013/05/Scott_BreakingOut_Img_31.png"><img class="alignleft size-full wp-image-3454" alt="Scott_BreakingOut_Img_31" src="http://www.netspi.com/blog/wp-content/uploads/2013/05/Scott_BreakingOut_Img_31.png" width="616" height="331" /></a></p>
<h4>TASKMGR.exe</h4>
<p>If you’re looking for something a little more intuitive than rundll32.exe, then taskmgr.exe may be for you.  It will let you view all of the running processes and logged-in users, and File &gt; New Task (Run...) gives you an easy way to launch commands.  Below is a basic screen shot.</p>
<p><a href="http://www.netspi.com/blog/wp-content/uploads/2013/05/Scott_BreakingOut_Img_32.png"><img class="alignleft size-full wp-image-3455" alt="Scott_BreakingOut_Img_32" src="http://www.netspi.com/blog/wp-content/uploads/2013/05/Scott_BreakingOut_Img_32.png" width="614" height="329" /></a></p>
<h4>MSTSC.exe</h4>
<p>Mstsc.exe is the Remote Desktop client.  By opening a Remote Desktop session to the Terminal Services or Citrix server you are already on, you may be able to obtain a full desktop without the original restrictions, since a lockdown that comes from publishing a single application does not necessarily carry over to a full desktop session.  It can make life easier if you’re trying to escalate privileges.  Below is a basic screen shot.</p>
<p><a href="http://www.netspi.com/blog/wp-content/uploads/2013/05/Scott_BreakingOut_Img_33.png"><img class="alignleft size-full wp-image-3456" alt="Scott_BreakingOut_Img_33" src="http://www.netspi.com/blog/wp-content/uploads/2013/05/Scott_BreakingOut_Img_33.png" width="611" height="330" /></a></p>
<h2><a id="downloadingthirdpartyapps"></a>Download Third Party Applications</h2>
<p>In many cases leveraging native executables will be enough, but sometimes you may want to download your own tools to the target system.  There are a ton of ways to accomplish this goal.  However, I’m lazy so I’ve only included three common methods.</p>
<h4>Terminal Services and Citrix clipboards</h4>
<p>Based on my experience, Terminal Services and Citrix clipboards are left enabled to meet business requirements most of the time.  That means that as an attacker you can simply copy and paste your tools to the remote server.</p>
<h4>Web Server</h4>
<p>Don’t forget that you can simply startup your own web server and download tools via the web browser.  A lot of people like <a href="http://www.lamphowto.com/">LAMP</a> and <a href="http://www.wampserver.com/en/">WAMP</a> for the sake of simplicity, but use what you like.  Also, (as mentioned) iKat Desktop has some useful tools.</p>
<h4>FTP Server</h4>
<p>Similar to web servers, it’s easy to start up your own FTP server.  As we have already seen, Windows has an FTP client installed by default that can be used to pull down tools to the target system.  Keep in mind that ftp.exe only does active-mode transfers, so the data connection comes back from your server to the target and has to be allowed through whatever firewall sits in between.  Also, don’t forget that Internet Explorer can be used as an FTP client with the “ftp://” protocol handler.</p>
<h2><a id="usefullthirdpartyapps"></a>Useful Third Party Applications</h2>
<p>There are a number of third party tools that can come in handy when breaking out of applications.  If policies and privileges are very restrictive it may be easier to simply upload your own application to do simple things like manage the registry, navigate the file system, and obtain an interactive console.  So below I’ve provided a few tools that I’ve had success with.  Also, iKat has a lot of fun options.</p>
<h4>Alterative Registry Editors</h4>
<p>Oh registry how I love thee.  If you’re looking for a few registry editors that won’t be blocked by the standard group policy then look no further.  Simpleregedit and Uberregedit are GUI tools that can be used to edit the Windows registry.  Below is a basic screen shot.</p>
<p><a href="http://www.netspi.com/blog/wp-content/uploads/2013/05/Scott_BreakingOut_Img_34.png"><img class="alignleft size-full wp-image-3457" alt="Scott_BreakingOut_Img_34" src="http://www.netspi.com/blog/wp-content/uploads/2013/05/Scott_BreakingOut_Img_34.png" width="628" height="390" /></a></p>
<p>They can be downloaded from the links below.</p>
<ul>
<li><a href="http://sourceforge.net/projects/simpregedit/?source=recommended">http://sourceforge.net/projects/simpregedit/?source=recommended</a></li>
<li><a href="http://sourceforge.net/projects/uberregedit/">http://sourceforge.net/projects/uberregedit/</a></li>
</ul>
<h4>Alternative File System Editor</h4>
<p>I like this little single-executable file explorer.  It’s fast and easy to use.  Best of all it ignores the folder and drive restrictions applied by group policy, since those are enforced by explorer.exe rather than by the file system (NTFS permissions still apply).  Below is a basic screen shot.</p>
<p><a href="http://www.netspi.com/blog/wp-content/uploads/2013/05/Scott_BreakingOut_Img_35.png"><img class="alignleft size-full wp-image-3458" alt="Scott_BreakingOut_Img_35" src="http://www.netspi.com/blog/wp-content/uploads/2013/05/Scott_BreakingOut_Img_35.png" width="632" height="383" /></a></p>
<p>Explorer++.exe can be downloaded from the link below.  However, be aware that there are separate executables for x64 and x86 architectures.</p>
<ul>
<li><a href="http://sourceforge.net/projects/explorerplus/files/Explorer%2B%2B/">http://sourceforge.net/projects/explorerplus/files/Explorer%2B%2B/</a></li>
</ul>
<h4>Alternative Interactive Console</h4>
<p>Console.exe may sound generic, but it gets the job done when harsh group policy restrictions are in place.  It does consist of four files, but does not need to be “installed” so it’s still very portable.   Below is a basic screen shot.</p>
<p><a href="http://www.netspi.com/blog/wp-content/uploads/2013/05/Scott_BreakingOut_Img_36.png"><img class="alignleft size-full wp-image-3459" alt="Scott_BreakingOut_Img_36" src="http://www.netspi.com/blog/wp-content/uploads/2013/05/Scott_BreakingOut_Img_36.png" width="605" height="369" /></a></p>
<p>Console.exe can be downloaded from the link below.</p>
<ul>
<li><a href="http://sourceforge.net/projects/console/">http://sourceforge.net/projects/console/</a></li>
</ul>
<h2>Wrap Up</h2>
<p>This blog has provided some insight into common break out methods that can be used for Terminal Services, Citrix, and kiosk applications.   As with any game &#8211; your offense is usually better when you have a solid understanding of your opponent’s defensive strategy.  So I highly recommend looking at the hardening guides provided below by Microsoft and Citrix to get an understanding of what administrators are/should be doing. Hopefully using the blog and guides together will help you identify common security weaknesses before the bad guys do. Good luck and hack responsibly.</p>
<h2>References and Links</h2>
<ul>
<li><a href="http://www.virtualizationadmin.com/articles-tutorials/terminal-services/security/locking-down-windows-terminal-services.html">http://www.virtualizationadmin.com/articles-tutorials/terminal-services/security/locking-down-windows-terminal-services.html</a></li>
<li><a href="http://technet.microsoft.com/en-us/library/cc264467.aspx">http://technet.microsoft.com/en-us/library/cc264467.aspx</a></li>
<li><a href="http://technet.microsoft.com/en-us/library/cc758409(v=ws.10).aspx">http://technet.microsoft.com/en-us/library/cc758409(v=ws.10).aspx</a></li>
<li><a href="http://msdn.microsoft.com/en-us/library/aa767740(v=VS.85).aspx">http://msdn.microsoft.com/en-us/library/aa767740(v=VS.85).aspx</a></li>
<li><a href="http://msdn.microsoft.com/en-us/library/aa767731(v=VS.85).aspx">http://msdn.microsoft.com/en-us/library/aa767731(v=VS.85).aspx</a></li>
<li><a href="http://msdn.microsoft.com/en-us/library/cc848897(v=vs.85).aspx">http://msdn.microsoft.com/en-us/library/cc848897(v=vs.85).aspx</a></li>
<li><a href="http://ha.cked.net/Windows/index.html">http://ha.cked.net/Windows/index.html</a></li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://www.netspi.com/blog/2013/05/22/breaking-out-of-applications-deployed-via-terminal-services-citrix-and-kiosks/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://www.netspi.com/blog/2013/05/22/breaking-out-of-applications-deployed-via-terminal-services-citrix-and-kiosks/</feedburner:origLink></item>
		<item>
		<title>Patching Java Executables – The Easy Way</title>
		<link>http://feedproxy.google.com/~r/NetspiBlog/application-security/~3/VQuQCf3lu78/</link>
		<comments>http://www.netspi.com/blog/2013/05/16/patching-java-executable-the-easy-way/#comments</comments>
		<pubDate>Thu, 16 May 2013 13:00:42 +0000</pubDate>
		<dc:creator>Khai Tran</dc:creator>
				<category><![CDATA[NetsPWN: Assessment Services]]></category>

		<guid isPermaLink="false">http://www.netspi.com/blog/?p=3409</guid>
		<description><![CDATA[&#160; &#160; &#160; The process of patching a Java executable (.jar files) without the original source code has been known for a while. As I know of, currently there are two ways of doing it: Decompile the executable &#62; Import &#8230; <br /><a class="readmore" href="http://www.netspi.com/blog/2013/05/16/patching-java-executable-the-easy-way/">READ POST</a>]]></description>
				<content:encoded><![CDATA[
<p>The process of patching a Java executable (.jar files) without the original source code has been known for a while. As far as I know, there are currently two ways of doing it:</p>
<ol>
<li>Decompile the executable &gt; Import decompiled classes to an IDE (Eclipse, NetBeans, etc.) &gt; Modify source code &gt; Recompile &gt; Repack</li>
<li>Extract Java classes from executable &gt; Modify Java Bytecode &gt; Verify &gt; Repack</li>
</ol>
<p>Method (1) has a big advantage if you are already familiar with Java or similar OO-style languages. However, in practice it has two main drawbacks:</p>
<ul>
<li>Typically, the targeted jar file has dependencies on other libraries. You need to link those dependencies into your project before anything will compile</li>
<li>Decompilation is not an exact science, so expect to fix syntax errors before the code recompiles</li>
</ul>
<p>On one project, after importing a decompiled jar file into Eclipse there were nearly 1000 syntax errors. Going through and fixing all of them would be a pain, especially when all you want to do is edit a few lines of code.</p>
<p>In this blog post, I want to introduce method (2) of patching Java. It is faster, less error-prone and quite simple to execute. I hope it will be useful for developers who need to patch Java. Some potential use cases are:</p>
<ul>
<li>Bypass software restrictions (license, signature, hash, etc.)</li>
<li>Patch security issues without original source code</li>
<li>Inject custom code to application</li>
</ul>
<p>In the example below, I will show you how to patch the JBoss encryption library to use a custom secret key to encrypt data source strings.</p>
<h2>Background</h2>
<p>JBoss has a <strong>SecureIdentityLoginModule</strong> utility to encrypt data source passwords in XML configuration files. More info can be found at the <a href="https://community.JBoss.org/wiki/EncryptingDataSourcePasswords" target="_blank">JBoss Community Site</a>. In JBoss 7, the module is located in <strong>picketbox-4.0.7.Final.jar</strong>.</p>
<p>The actual command to encrypt the password is:</p>
<p><i>java -cp modules\org\JBoss\logging\main\JBoss-logging-3.1.0.GA.jar;modules\org\picketbox\main\picketbox-4.0.7.Final.jar  org.picketbox.datasource.security.SecureIdentityLoginModule password<br />
</i><i>Encoded password: 5dfc52b51bd35553df8592078de921bc</i></p>
<h2>Problem</h2>
<p>If you peek into the source code, the utility uses the Blowfish algorithm with a hard-coded key: “jaas is the way”.  Because the key ships inside the jar, the “encrypted” password is really only obfuscated, and there is already a tool to decrypt it at <a href="http://usefulfor.com/security/2009/09/24/beware-of-jboss-secureidentityloginmodule/" target="_blank">http://usefulfor.com/security/2009/09/24/beware-of-jboss-secureidentityloginmodule/</a>.</p>
<h2>Objective</h2>
<p>The objective is to change the default key. The new key still sits in the jar file, and anyone who has the jar can call its decode() method to decrypt the passwords anyway, so this only raises the bar slightly. Hence for a production system I would recommend switching to the keystore-based JaasSecurityDomainIdentityLoginModule instead. More information can be found at <a href="https://community.JBoss.org/wiki/EncryptingDataSourcePasswords" target="_blank">https://community.JBoss.org/wiki/EncryptingDataSourcePasswords</a>.</p>
<h2>High-level steps:</h2>
<ol>
<li>Setup the environment</li>
<li>Use JD-GUI to peek into the jar file</li>
<li>Unpack the jar file</li>
<li>Modify the .class file with a Java Bytecode Editor</li>
<li>Repack the modified classes into new archive file</li>
<li>Verify it with JD-GUI</li>
</ol>
<h2>Step 1: Setup the Java environment</h2>
<p>Most computers should have a JRE installed already. For this tutorial, you will need to download and install a JDK (the jar tool used below ships with the JDK, not with the JRE). For this example, I am using JDK 6 update 35.</p>
<p>You may also need to add the JDK bin folder to your PATH environment variable. Upon completion, open up a command line console and type:</p>
<p><i>java -version</i></p>
<p>The result should look something like this:</p>
<p><i>java version &#8220;1.6.0_35&#8221;<br />
</i><i>Java(TM) SE Runtime Environment (build 1.6.0_35-b10)<br />
</i><i>Java HotSpot(TM) 64-Bit Server VM (build 20.10-b01, mixed mode)</i></p>
<h2>Step 2: Use JD-GUI to peek into the jar file</h2>
<p>Bytecode editors typically do not support decompiling Java executables. For that reason, I prefer to use a standalone decompiler to quickly browse decompiled classes and identify potential classes/methods. My favorite tool for this task is <a href="http://java.decompiler.free.fr/?q=jdgui" target="_blank">JD-GUI</a> (we also need it later on to verify the modified bytecode):</p>
<p><img class="alignleft  wp-image-3410" alt="KTran_Patching_Java_Img_1" src="http://www.netspi.com/blog/wp-content/uploads/2013/05/KTran_Patching_Java_Img_1-1024x382.png" width="1024" height="382" /></p>
<p>As shown in the picture above, browsing to <strong>SecureIdentityLoginModule</strong> reveals the default secret key used to encrypt strings.</p>
<h2>Step 3: Unpack the jar file</h2>
<p>The commands below create a new directory, copy the jar file into it, and extract all the classes (note that on Windows you can use 7zip to extract them as well):</p>
<p style="padding-left: 30px;"><i>cd &lt;JBOSS_HOME&gt;\modules\org\picketbox\main<br />
</i><i>mkdir picketbox<br />
</i><i>cp picketbox-4.0.7.Final.jar picketbox<br />
</i><i>cd picketbox<br />
</i><i>jar -xf picketbox-4.0.7.Final.jar</i></p>
<h2>Step 4: Modify the .class file with a Java Bytecode Editor</h2>
<p>Download and run <a href="http://set.ee/jbe/">Java Bytecode Editor (JBE)</a></p>
<p>In this example we need to modify two methods of the <strong>SecureIdentityLoginModule</strong> class: <strong>encode()</strong> and <strong>decode()</strong>. Note that the original encryption/decryption methods are written around a key of this length, so to keep it simple I will change the default key <b>“jaas is the way”</b> to <b>“java is the way”</b>, which keeps the length intact.</p>
<p><a href="http://www.netspi.com/blog/wp-content/uploads/2013/05/KTran_Patching_Java_Img_2.png"><img class="alignleft size-large wp-image-3411" alt="KTran_Patching_Java_Img_2" src="http://www.netspi.com/blog/wp-content/uploads/2013/05/KTran_Patching_Java_Img_2-1024x430.png" width="584" height="245" /></a></p>
<h2>Step 5: Repack the jar file</h2>
<p>Take the changed class file and repack the jar file. Move the original picketbox-4.0.7.Final.jar out of the working directory first, otherwise <i>*.*</i> packs the old jar into the new one:</p>
<p style="padding-left: 30px;"><i>cd picketbox<br />
</i><i>jar -cvf picketbox.jar *.*</i></p>
<h2>Step 6: Verify the changes with JD-GUI</h2>
<p>The JBE tool has a Code Verification feature, but in practice I found it complains too much. Hence, I use JD-GUI again to verify the correctness of the modified jar file.</p>
<p>If there’s any error in the modified class file, JD-GUI will not be able to render the new jar file. If things go well, you should see your changes reflected in the patched jar file:</p>
<p><a href="http://www.netspi.com/blog/wp-content/uploads/2013/05/KTran_Patching_Java_Img_3.png"><img class="alignleft size-full wp-image-3412" alt="KTran_Patching_Java_Img_3" src="http://www.netspi.com/blog/wp-content/uploads/2013/05/KTran_Patching_Java_Img_3.png" width="1008" height="459" /></a></p>
<h2>Final test:</h2>
<p><i>java -cp modules\org\JBoss\logging\main\JBoss-logging-3.1.0.GA.jar;modules\org\picketbox\main\picketbox.jar  org.picketbox.datasource.security.SecureIdentityLoginModule password<br />
</i><i>Encoded password: 3f8c894b05a5462a4a06c734ae626874</i></p>
<p>The last step is to overwrite the original jar with the patched one (keep the original file name so the module descriptor still finds it). Any passwords already encoded with the old key have to be re-encoded, since decode() will now use the new key.</p>
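<p>The same six steps carried out in code instead of with JBE, as an added example that is not part of the original post and not JBoss/picketbox code: it walks the class file constant pool, rewrites the CONSTANT_Utf8 entry holding the key, and repacks the jar. The minimal class file and jar it operates on are constructed here for the demonstration (only the entry path borrows the real SecureIdentityLoginModule class name; the bytes are not the real class), and <i>utf8_constants()</i> takes the place of the JD-GUI check in step 6.</p>

```python
"""Patch a string constant in .class files / a .jar by rewriting the CONSTANT_Utf8
pool entry that holds it (JVM spec ch. 4.4). Added example: the class file and
jar built below are constructed for it, not picketbox's real bytes."""
import io
import struct
import zipfile

_MAGIC, CONSTANT_UTF8 = b"\xca\xfe\xba\xbe", 1
# Payload size (after the 1-byte tag) of every non-Utf8 constant pool entry.
_FIXED_SIZE = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
               12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}
_TWO_SLOT = {5, 6}  # Long and Double occupy two pool indices


def _constant_pool(data):
    """Return ([(offset, tag, size), ...], end_offset) for the constant pool."""
    if data[:4] != _MAGIC:
        raise ValueError("not a class file")
    count = struct.unpack_from(">H", data, 8)[0]  # follows magic, minor, major
    entries, pos, idx = [], 10, 1
    while idx < count:
        tag = data[pos]
        if tag == CONSTANT_UTF8:
            size = 3 + struct.unpack_from(">H", data, pos + 1)[0]
        elif tag in _FIXED_SIZE:
            size = 1 + _FIXED_SIZE[tag]
        else:
            raise ValueError("unknown constant pool tag %d at %d" % (tag, pos))
        entries.append((pos, tag, size))
        pos += size
        idx += 2 if tag in _TWO_SLOT else 1
    return entries, pos


def utf8_constants(data):
    """All CONSTANT_Utf8 values in pool order (a JD-GUI-free way to check a patch)."""
    entries, _ = _constant_pool(data)
    return [data[off + 3:off + size].decode("utf-8")
            for off, tag, size in entries if tag == CONSTANT_UTF8]


def patch_class(data, old, new):
    """Rewrite every Utf8 entry equal to `old` as `new`; the rest of the file is
    copied verbatim. Pool entries are referenced by index, not byte offset, so
    `new` may differ in length. Returns (patched_bytes, replacements)."""
    entries, end = _constant_pool(data)
    old_b, new_b = old.encode("utf-8"), new.encode("utf-8")
    out, hits = bytearray(data[:10]), 0
    for off, tag, size in entries:
        chunk = data[off:off + size]
        if tag == CONSTANT_UTF8 and chunk[3:] == old_b:
            chunk = bytes([CONSTANT_UTF8]) + struct.pack(">H", len(new_b)) + new_b
            hits += 1
        out += chunk
    out += data[end:]  # access flags, fields, methods, attributes: unchanged
    return bytes(out), hits


def patch_jar(jar_bytes, old, new):
    """patch_class every .class entry of an in-memory jar; other entries are
    copied unchanged. Returns (new_jar_bytes, replacements)."""
    src, buf, total = zipfile.ZipFile(io.BytesIO(jar_bytes)), io.BytesIO(), 0
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            blob = src.read(info)
            if info.filename.endswith(".class"):
                blob, hits = patch_class(blob, old, new)
                total += hits
            dst.writestr(info, blob)
    return buf.getvalue(), total


def jar_utf8_constants(jar_bytes):
    """{entry name: [Utf8 constants]} for every class in a jar."""
    src = zipfile.ZipFile(io.BytesIO(jar_bytes))
    return {n: utf8_constants(src.read(n)) for n in src.namelist() if n.endswith(".class")}


def build_sample_class(secret):
    """Constructed minimal class: pool = Utf8 secret, String->#1, Utf8 "Foo",
    Class->#3, one Long (two slots); then an empty class body. Not loadable."""
    s = secret.encode("utf-8")
    pool = (bytes([1]) + struct.pack(">H", len(s)) + s
            + bytes([8]) + struct.pack(">H", 1)
            + bytes([1]) + struct.pack(">H", 3) + b"Foo"
            + bytes([7]) + struct.pack(">H", 3)
            + bytes([5]) + struct.pack(">q", 1234567890123))
    header = _MAGIC + struct.pack(">HHH", 0, 50, 7)  # minor, major, pool count
    body = struct.pack(">HHHHHHH", 0x0021, 4, 0, 0, 0, 0, 0)
    return header + pool + body


def build_sample_jar(secret):
    """Constructed jar: a manifest plus the sample class under picketbox's package path."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        z.writestr("org/picketbox/datasource/security/SecureIdentityLoginModule.class",
                   build_sample_class(secret))
    return buf.getvalue()


if __name__ == "__main__":
    jar, n = patch_jar(build_sample_jar("jaas is the way"), "jaas is the way", "java is the way")
    print(n, "replacement(s):", jar_utf8_constants(jar))
```

<p>Because pool entries are addressed by index, the Utf8 length field is rewritten and the replacement does not have to keep the original length at the file-format level; whether encode()/decode() accept a different key length is a separate question, which is why the same-length key is the safe choice. If the jar were signed, the digests in META-INF/*.SF would no longer match the patched class and the signature files would have to be removed.</p>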
<p>I hope you had fun. Thanks Steve for helping me proofread this and happy hacking!</p>
<h3>References:</h3>
<p><a href="http://set.ee/jbe/">http://set.ee/jbe/</a></p>
<p><a href="http://java.decompiler.free.fr/?q=jdgui">http://java.decompiler.free.fr/?q=jdgui</a></p>
<p><a href="http://www.oracle.com/technetwork/java/javase/downloads/jdk6u35-downloads-1836443.html">http://www.oracle.com/technetwork/java/javase/downloads/jdk6u35-downloads-1836443.html</a></p>
<p><a href="https://community.jboss.org/wiki/EncryptingDataSourcePasswords">https://community.JBoss.org/wiki/EncryptingDataSourcePasswords</a></p>
<p><a href="http://usefulfor.com/security/2009/09/24/beware-of-jboss-secureidentityloginmodule/">http://usefulfor.com/security/2009/09/24/beware-of-JBoss-secureidentityloginmodule/</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.netspi.com/blog/2013/05/16/patching-java-executable-the-easy-way/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		<feedburner:origLink>http://www.netspi.com/blog/2013/05/16/patching-java-executable-the-easy-way/</feedburner:origLink></item>
		<item>
		<title>Adding PowerShell to Web Shells to get Database Access</title>
		<link>http://feedproxy.google.com/~r/NetspiBlog/application-security/~3/rZb1WCPEHBk/</link>
		<comments>http://www.netspi.com/blog/2013/04/22/adding-powershell-to-web-shells-to-get-database-access/#comments</comments>
		<pubDate>Mon, 22 Apr 2013 13:00:09 +0000</pubDate>
		<dc:creator>Antti Rantasaari</dc:creator>
				<category><![CDATA[NetsPWN: Assessment Services]]></category>
		<category><![CDATA[Database Security]]></category>

		<guid isPermaLink="false">http://www.netspi.com/blog/?p=3381</guid>
		<description><![CDATA[File upload vulnerabilities and web shells are not a novelty when talking about web application security. It’s not rare to see a web shell result in a full compromise of the web server. For example, Metasploit can generate uploadable web &#8230; <br /><a class="readmore" href="http://www.netspi.com/blog/2013/04/22/adding-powershell-to-web-shells-to-get-database-access/">READ POST</a>]]></description>
				<content:encoded><![CDATA[<p>File upload vulnerabilities and web shells are not a novelty when talking about web application security. It’s not rare to see a web shell result in a full compromise of the web server. For example, Metasploit can generate uploadable web payloads that can initiate Metasploit shells. It’s also not that rare that the same web server hosts multiple web applications, all with their own back-end database connectivity.</p>
<p>I thought it would be nice to know how much data we can gain access to by simply uploading a web shell to a web server if we decided to take a step back and chose not to completely compromise it. This really becomes more practical when you’re testing an application in a QA environment and you want to show the client that access to a random QA application may grant you direct access to databases used by other applications, even critical production databases.</p>
<p>To simplify the process I rewrote an existing .aspx web shell and included PowerShell functionality to allow for database connectivity to create a new CmdSql.aspx web shell. Keep in mind that the shell only works on IIS servers that allow .aspx execution, PowerShell has to be available on the web server, and the current PowerShell code only allows connectivity to MSSQL servers. Not perfect, but nice enough for me.</p>
<p>It’s worth noting that the CmdSql shell can help in escalating an attack in tightly configured environments. If ingress and egress filtering are properly configured, normal Metasploit bind or reverse shells may not work. And if ingress filtering from the web server limits traffic to database communication, attacking databases may provide the means to escalate the attack into the internal network.</p>
<h3>CmdSQL.aspx Script Overview</h3>
<p>The CmdSql.aspx web shell supports three different functions: OS command execution, web.config parsing, and SQL query execution. Below is an overview of the functionality and a basic screen shot.</p>
<p><a href="http://www.netspi.com/blog/wp-content/uploads/2013/04/Antti_Powershell_OS_Command_Execution.png"><img class="alignleft size-medium wp-image-3382" alt="Antti_Powershell_OS_Command_Execution" src="http://www.netspi.com/blog/wp-content/uploads/2013/04/Antti_Powershell_OS_Command_Execution-300x195.png" width="300" height="195" /></a></p>
<h3>OS Command Execution</h3>
<p>This is really the core definition of a web shell I guess. Apart from the obvious, the command execution can be used to locate the web directories (such as C:\inetpub) and thus make locating web.configs faster for the next step. Below is a basic example screen shot.</p>
<p><img class="alignleft size-full wp-image-3385" alt="Antti_Powershell_Web_Config_Parsing" src="http://www.netspi.com/blog/wp-content/uploads/2013/04/Antti_Powershell_Web_Config_Parsing.png" width="559" height="488" /></p>
<h3>Web.config Parsing</h3>
<p>For the sake of CmdSql.aspx, the main function of web.config is to store the database connection strings. There can be multiple connection strings for an application, and there can be multiple web.configs per server. The connection strings can be either clear text or they can be encrypted. Nevertheless, they are needed for arbitrary SQL query execution.</p>
<p>CmdSql.aspx looks for all web.config files in the provided directory and extracts all the connection strings. If the connection string section is encrypted, aspnet_regiis is first used to decrypt the configuration file (in a temp folder). Aspnet_regiis is a .NET tool that is typically used to encrypt web.configs; CmdSql attempts to find the newest version of the tool to decrypt the web.config. No key or any other decryption information has to be provided to aspnet_regiis, just the file location: the protection providers keep their key material on the machine (DPAPI) or in an RSA key container that the account the application runs as must already be able to read, because the application itself decrypts the section at runtime. I haven’t done comprehensive testing / research to determine what permissions are needed to run the program, but it seems to always work on my test systems. I decided to use aspnet_regiis even though the WebAdministration snap-in could probably be used and it would be “cleaner”; I just wasn&#8217;t sure if it’s installed with IIS by default or if it’s otherwise common. Below is a basic example screenshot.</p>
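<p>The web.config parsing step described above, as an added Python example (CmdSql.aspx does this in PowerShell; this is not its code): it walks a web root, pulls every connection string out of each web.config, normalizes the server/database/user fields across the usual key aliases, and flags a section that carries a <i>configProtectionProvider</i> attribute as encrypted instead of parsing it, which is the point where the real shell hands the file to aspnet_regiis. The two sample configs at the bottom are constructed for the example.</p>

```python
"""Find ASP.NET connection strings in web.config files and flag sections that
aspnet_regiis has encrypted. Added example (CmdSql.aspx does this in
PowerShell); the two sample configs at the bottom are constructed."""
import os
import xml.etree.ElementTree as ET

SECRET_KEYS = ("password", "pwd")


def parse_connection_string(cs):
    """'Server=x; User ID=y' -> {'server': 'x', 'user id': 'y'} (keys lowercased).
    Quoted values that themselves contain ';' are not handled."""
    fields = {}
    for part in cs.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip().lower()] = value.strip()
    return fields


def summarize(name, cs):
    """Pull out where to connect and as whom, folding the usual key aliases
    (Server / Data Source, Database / Initial Catalog, User ID / UID)."""
    f = parse_connection_string(cs)
    return {
        "encrypted": False,
        "name": name,
        "server": f.get("server") or f.get("data source") or f.get("addr"),
        "database": f.get("database") or f.get("initial catalog"),
        "user": f.get("user id") or f.get("uid"),
        "integrated": f.get("integrated security", "").lower() in ("true", "sspi", "yes"),
        "has_password": any(k in f for k in SECRET_KEYS),
        "raw": cs,
    }


def extract_connection_strings(xml_text):
    """One dict per <add> under <connectionStrings>. A section that carries
    configProtectionProvider holds <EncryptedData> instead of <add> elements;
    it is reported with its provider name (DPAPI or RSA) rather than parsed."""
    root = ET.fromstring(xml_text)
    section = root.find("connectionStrings")
    if section is None:
        return []
    provider = section.get("configProtectionProvider")
    if provider:
        return [{"encrypted": True, "provider": provider, "name": None}]
    return [summarize(add.get("name"), add.get("connectionString", ""))
            for add in section.findall("add")]


def scan(root_dir):
    """Walk a web root (e.g. C:\\inetpub) and map each web.config to its
    connection strings; files that fail to parse are recorded, not fatal."""
    found = {}
    for dirpath, _dirs, files in os.walk(root_dir):
        for fname in files:
            if fname.lower() == "web.config":
                path = os.path.join(dirpath, fname)
                try:
                    with open(path, encoding="utf-8-sig") as fh:
                        found[path] = extract_connection_strings(fh.read())
                except (OSError, ET.ParseError) as exc:
                    found[path] = [{"error": str(exc)}]
    return found


# Constructed samples: a clear-text config and one whose section was encrypted
# with the RSA provider (the cipher value is a placeholder, not real ciphertext).
CLEAR_SAMPLE = """<configuration>
  <connectionStrings>
    <add name="AppDb" providerName="System.Data.SqlClient"
         connectionString="Server=sql01;Database=Orders;User ID=app_user;Password=P@ss;" />
    <add name="ReportDb"
         connectionString="Data Source=sql02\\REPORTS;Initial Catalog=Reports;Integrated Security=SSPI;" />
  </connectionStrings>
</configuration>"""

ENCRYPTED_SAMPLE = """<configuration>
  <connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
    <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
                   xmlns="http://www.w3.org/2001/04/xmlenc#">
      <CipherData><CipherValue>placeholder-base64</CipherValue></CipherData>
    </EncryptedData>
  </connectionStrings>
</configuration>"""

if __name__ == "__main__":
    for row in extract_connection_strings(CLEAR_SAMPLE) + extract_connection_strings(ENCRYPTED_SAMPLE):
        print(row)
```

<p>Run <i>scan(r"C:\inetpub")</i> on the server to get the per-file results; an entry marked <i>encrypted</i> is the one to pass to aspnet_regiis before parsing it again, and the <i>integrated</i> flag tells you whether the connection rides on the application pool identity rather than a SQL login.</p>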
<p><a href="http://www.netspi.com/blog/wp-content/uploads/2013/04/Antti_Powershell_SQL_Query_Execution.png"><img class="alignleft size-full wp-image-3383" alt="Antti_Powershell_SQL_Query_Execution" src="http://www.netspi.com/blog/wp-content/uploads/2013/04/Antti_Powershell_SQL_Query_Execution.png" width="627" height="509" /></a></p>
<h3><b>SQL Query Execution</b></h3>
<p>Now that web.configs are successfully parsed (hopefully), and the connection strings are extracted, they can be popped into a text box in the web shell and arbitrary SQL queries can be executed on the targeted database server. Below is a basic screen shot example.</p>
<p><a href="http://www.netspi.com/blog/wp-content/uploads/2013/04/Antti_Powershell_The_Code.png"><img class="alignleft size-full wp-image-3384" alt="Antti_Powershell_The_Code" src="http://www.netspi.com/blog/wp-content/uploads/2013/04/Antti_Powershell_The_Code.png" width="639" height="517" /></a></p>
<h3>The Code</h3>
<p>Feel free to <a href="https://github.com/NetSPI/cmdsql" target="_blank">download the CmdSql.aspx web shell and give it a shot</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.netspi.com/blog/2013/04/22/adding-powershell-to-web-shells-to-get-database-access/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		<feedburner:origLink>http://www.netspi.com/blog/2013/04/22/adding-powershell-to-web-shells-to-get-database-access/</feedburner:origLink></item>
		<item>
		<title>GPU Cracking: Setting up a Server</title>
		<link>http://feedproxy.google.com/~r/NetspiBlog/application-security/~3/WICoxNb4DsA/</link>
		<comments>http://www.netspi.com/blog/2013/04/15/gpu-cracking-setting-up-a-server/#comments</comments>
		<pubDate>Mon, 15 Apr 2013 15:18:48 +0000</pubDate>
		<dc:creator>Eric Gruber</dc:creator>
				<category><![CDATA[NetsPWN: Assessment Services]]></category>
		<category><![CDATA[GPU Cracking]]></category>

		<guid isPermaLink="false">http://www.netspi.com/blog/?p=3266</guid>
		<description><![CDATA[Last week Karl Fosaaen described the various trials and tribulations we went through at a hardware level in building a dedicated GPU cracking server. This week I will be doing a complete walkthrough for installing all the software that we use on our box. This includes installing the operating system , AMD drivers, oclHashcat-plus, and John the Ripper with OpenCL support. <br /><a class="readmore" href="http://www.netspi.com/blog/2013/04/15/gpu-cracking-setting-up-a-server/">READ POST</a>]]></description>
				<content:encoded><![CDATA[<p>Last week <a href="http://www.netspi.com/blog/author/kfosaaen/" target="_blank">Karl Fosaaen</a> described in his <a title="blog" href="http://www.netspi.com/blog/2013/04/07/gpu-cracking-building-the-box/">blog</a> the various trials and tribulations we went through at a hardware level in building a dedicated GPU cracking server. This week I will be doing a complete walkthrough for installing all the software that we use on our box. This includes the operating system, video drivers, oclHashcat-plus, and John the Ripper. Because we have AMD video cards, the driver installation and compiling John the Ripper sections will be tailored for AMD, sorry Nvidia users.</p>
<h2>Installing the OS:</h2>
<p>For an operating system, both Linux and Windows will work. For a headless server, however, Linux is the best way to go. The only downside with Linux is that video card driver support, especially for AMD, lags its Windows counterpart. The good news is that both AMD and Nvidia have been increasing their Linux driver support in recent years.</p>
<p>Any Linux distribution will do, but for our server, we opted for Ubuntu 12.10 64-Bit server edition for the most minimal setup. Much of the information for the next few sections is from the <a href="http://hashcat.net/wiki/doku.php?id=linux_server_howto" target="_blank">hashcat wiki</a>.</p>
<p>To start off, download the Ubuntu 12.10 server edition ISO from <a href="http://www.ubuntu.com/download/server" target="_blank">Ubuntu</a>. We don’t have a CD drive on our server, so we had to copy the ISO to a flash drive. <a href="http://www.pendrivelinux.com/yumi-multiboot-usb-creator/" target="_blank">YUMI</a> and <a href="http://unetbootin.sourceforge.net/" target="_blank">UNetbootin</a> make this process painless on Windows and Linux, respectively. Otherwise, the ISO can be burned to a disc.</p>
<p>Boot up the Ubuntu image, choose your language, and select Install Ubuntu Server.</p>
<p><a href="http://www.netspi.com/blog/wp-content/uploads/2013/04/EricG_GPU_Server_Set_Up_Ubuntu_1.png"><img class="alignnone size-full wp-image-3267" alt="EricG_GPU_Server_Set_Up_Ubuntu_1" src="http://www.netspi.com/blog/wp-content/uploads/2013/04/EricG_GPU_Server_Set_Up_Ubuntu_1.png" width="644" height="484" /></a></p>
<p>Navigate through the installation options and select your preferences. For most people, the defaults should be sufficient. Then create your user when the dialog comes up. When the installation reaches the “Partition Disks” section, either manually set them up (if you know what you’re doing) or just use the “Guided – use entire disk” option. We chose not to use LVM on our box, but the option is up to you.</p>
<p><a href="http://www.netspi.com/blog/wp-content/uploads/2013/04/EricG_GPU_Server_Set_Up_Ubuntu_2.png"><img class="alignnone size-full wp-image-3268" alt="EricG_GPU_Server_Set_Up_Ubuntu_2" src="http://www.netspi.com/blog/wp-content/uploads/2013/04/EricG_GPU_Server_Set_Up_Ubuntu_2.png" width="803" height="595" /></a></p>
<p>After you are done partitioning your hard drive, write the changes to disk. If you have an HTTP proxy, enter the information when the dialog appears. If not, just continue. Next, choose whether you would like automatic updates enabled. We opted not to, but it&#8217;s entirely up to you. When the software selection appears, select OpenSSH server by navigating to it with the arrow keys and pressing the spacebar to select the option.</p>
<p><a href="http://www.netspi.com/blog/wp-content/uploads/2013/04/EricG_GPU_Server_Set_Up_Ubuntu_7.png"><img class="alignnone size-full wp-image-3355" alt="EricG_GPU_Server_Set_Up_Ubuntu_7" src="http://www.netspi.com/blog/wp-content/uploads/2013/04/EricG_GPU_Server_Set_Up_Ubuntu_7.png" width="791" height="592" /></a></p>
<p>None of the other packages are required unless you need them. Press enter to install the software. When the installation is finished, install GRUB to the master boot record and reboot. You should now be booted into your new Ubuntu server!</p>
<h2>Setting Up Ubuntu:</h2>
<p>Before we install the video drivers, we have to set up our Ubuntu server with X11. This is because the AMD drivers require X11 to interact with the video cards to obtain fan speeds and GPU temperatures, which are very important to know when cracking away.</p>
<p>To begin, ssh into your server and update Ubuntu with the following command:</p>
<p><code><strong>sudo apt-get update &amp;&amp; sudo apt-get upgrade</strong></code></p>
<p>After Ubuntu has updated, we will need to install a minimal X11 environment that our user can automatically login to when the server is rebooted. This is to ensure that the xserver will always be running and in turn allow continuous cracking without any hiccups.</p>
<p>To keep it simple, a lightweight window manager is recommended. Openbox, fluxbox, and blackbox are three simple lightweight window managers that we can use. You are by no means restricted to a window manager: if you want GNOME, Xfce, or KDE, those can be installed too. For this installation, we will install fluxbox with lightdm as the display manager. To install these, run the following command:</p>
<p><code><strong>sudo apt-get install fluxbox lightdm-gtk-greeter x11-utils</strong></code></p>
<p>This should install all the necessary packages for an X11 environment to run. Now that we have an X11 environment installed, we need to let applications from the console know which display we are using. To do this, we set the DISPLAY variable to our current display. The format for the DISPLAY variable is hostname:display. For a local instance, the hostname can be omitted. The default display is usually going to be 0. Run the command below to set your current display to 0.</p>
<p><code><strong>export DISPLAY=:0</strong></code></p>
<p>Add the above command to your ~/.bashrc to make it persistent whenever your user logs in. I have run into many issues because I did not have this set, so make sure your ~/.bashrc is set up with your correct display location.</p>
<p>Now that our X11 environment is set up, we can install the AMD drivers.</p>
<h2>Installing AMD Drivers:</h2>
<p>To begin installing the AMD drivers, we need to install some prerequisites. First, install unzip with the following command:</p>
<p><code><strong>sudo apt-get install unzip</strong></code></p>
<p>Next, we need to install the dependencies for fglrx, which is the proprietary AMD Linux driver packaged in Ubuntu&#8217;s repositories. The only difference between fglrx and AMD&#8217;s Catalyst driver is that the latter is newer; both require the same dependencies. Run the following command to install the fglrx dependencies:</p>
<p><code><strong>sudo apt-get build-dep fglrx</strong></code></p>
<p>If the fglrx dependencies are not installed, the AMD driver installation will fail with this fglrx error:</p>
<p><a href="http://www.netspi.com/blog/wp-content/uploads/2013/04/EricG_GPU_Server_Set_Up_Ubuntu_3.png"><img class="alignnone size-full wp-image-3347" alt="EricG_GPU_Server_Set_Up_Ubuntu_3" src="http://www.netspi.com/blog/wp-content/uploads/2013/04/EricG_GPU_Server_Set_Up_Ubuntu_3.png" width="1012" height="628" /></a></p>
<p>Now we can grab the latest version of the AMD Catalyst drivers from the <a href="http://support.amd.com/us/gpudownload/linux/Pages/radeon_linux.aspx" target="_blank">AMD Catalyst™ Proprietary Display Driver page</a>.</p>
<p>The latest version at this time is 13.1. It should also be noted that oclHashcat-plus requires a specific version of Catalyst to be installed, which at this point is 13.1, so we’re good there.</p>
<p>Fetch the AMD driver with wget and then unzip it:</p>
<p><code><strong>wget http://www2.ati.com/drivers/linux/amd-driver-installer-catalyst-13.1-linux-x86.x86_64.zip</strong></code></p>
<p><code><strong>unzip amd-driver-installer-catalyst-13.1-linux-x86.x86_64.zip</strong></code></p>
<p>There should now be a .run file in the directory. Execute the file while running as root.</p>
<p><code><strong>sudo sh amd-driver-installer-catalyst-13.1-linux-x86.x86_64.run</strong></code></p>
<p>Select the default options on all the dialog boxes and let the driver install.</p>
<p>After it is done, create a new xorg.conf by running:</p>
<p><code><strong>sudo amdconfig --adapter=all --initial -f</strong></code></p>
<p>Next, we are going to set up our user to automatically log in to fluxbox when the server boots up.</p>
<p>Open the lightdm.conf file in /etc/lightdm/ as root and add the following lines:</p>
<p><code>[SeatDefaults]<br />
greeter-session=lightdm-gtk-greeter<br />
user-session=fluxbox<br />
autologin-user=USER<br />
autologin-user-timeout=0</code></p>
<p>Reboot the server and your user should be automatically logged into fluxbox.</p>
<p>When the server boots up run <code><strong>amdconfig --list-adapters</strong></code> and <code><strong>amdconfig --adapter=all --odgt</strong></code> to verify that all your cards and their temperatures can be seen.</p>
<p><a href="http://www.netspi.com/blog/wp-content/uploads/2013/04/EricG_GPU_Server_Set_Up_Ubuntu_9.png"><img class="alignnone size-full wp-image-3363" alt="EricG_GPU_Server_Set_Up_Ubuntu_9" src="http://www.netspi.com/blog/wp-content/uploads/2013/04/EricG_GPU_Server_Set_Up_Ubuntu_9.png" width="433" height="355" /></a></p>
<p>Now that the AMD drivers are installed, we can install our cracking software.</p>
<h2>Installing oclHashcat-plus</h2>
<p><a href="http://hashcat.net/oclhashcat-plus/" target="_blank">Download the latest oclHashcat-plus</a>. We will just wget the latest version to our box.</p>
<p><code><strong>wget http://hashcat.net/files/oclHashcat-plus-0.14.7z</strong></code></p>
<p>oclHashcat-plus comes in a 7z format. So we need to install p7zip to extract it.</p>
<p><code><strong>sudo apt-get install p7zip</strong></code></p>
<p>Run p7zip with the <code><strong>-d</strong></code> flag to extract a 7z file.</p>
<p><code><strong>p7zip -d oclHashcat-plus-0.14.7z</strong></code></p>
<p>Navigate to the newly extracted oclHashcat-plus directory and run one of the example .sh scripts to test the cracking process.</p>
<p><a href="http://www.netspi.com/blog/wp-content/uploads/2013/04/EricG_GPU_Server_Set_Up_Ubuntu_5.png"><img class="alignnone size-full wp-image-3349" alt="EricG_GPU_Server_Set_Up_Ubuntu_5" src="http://www.netspi.com/blog/wp-content/uploads/2013/04/EricG_GPU_Server_Set_Up_Ubuntu_5.png" width="737" height="716" /></a></p>
<p>If all goes well you should see your cards loading up and the hash getting cracked! If you do not see all your cards being recognized, make sure that your xorg.conf was created properly. Try running the amdconfig command above again to regenerate an xorg.conf.</p>
<p>Next, we will install John the Ripper with OpenCL support.</p>
<h2>Installing John the Ripper</h2>
<p>Like oclHashcat-plus, John also supports cracking hashes on GPUs, but it must be compiled with the options to do so. Much of the information here is taken from the john GPU wiki (http://openwall.info/wiki/john/GPU).</p>
<p>First, <a href="http://developer.amd.com/tools/heterogeneous-computing/amd-accelerated-parallel-processing-app-sdk/downloads/" target="_blank">download the Accelerated Parallel Processing (APP) SDK from AMD</a>. Both 32-bit and 64-bit versions are available, so make sure you download the correct one for your architecture.</p>
<p>Copy the file to your server with scp or if you&#8217;re on Windows, WinSCP.</p>
<p>Next, extract the APP SDK file.</p>
<p><code><strong>tar xvf AMD-APP-SDK-v2.8-lnx64.tgz</strong></code></p>
<p>Then run the <strong>Install-AMD-APP.sh</strong> as root.</p>
<p><code><strong>sudo ./Install-AMD-APP.sh</strong></code></p>
<p>Reboot the server.</p>
<p>After the APP SDK has been installed, <a href="http://www.openwall.com/john/" target="_blank">download the latest version of John</a>. We will be using the jumbo version.</p>
<p><code><strong>wget http://www.openwall.com/john/g/john-1.7.9-jumbo-7.tar.gz</strong></code></p>
<p>Extract john with the following command:</p>
<p><code><strong>tar xvf john-1.7.9-jumbo-7.tar.gz</strong></code></p>
<p>Next, install the libssl-dev package from apt-get so that John compiles correctly.</p>
<p><code><strong>sudo apt-get install libssl-dev</strong></code></p>
<p>Navigate to the john src directory. Compile john with OpenCL support for 32-bit or 64-bit with <code><strong>make linux-x86-opencl</strong></code> or <code><strong>make linux-x86-64-opencl</strong></code>, respectively. John can also be compiled with CUDA support if you have Nvidia cards; the information on how to do that is on their wiki.</p>
<p>If compilation fails because the OpenSSL headers are not found, the libssl-dev package is missing; install it as described above.</p>
<p>Navigate back to the run directory and your newly compiled john binary should be there. You can test that John can use your GPUs by running a test command.</p>
<p><a href="http://www.netspi.com/blog/wp-content/uploads/2013/04/EricG_GPU_Server_Set_Up_Ubuntu_6.png"><img class="alignnone size-full wp-image-3350" alt="EricG_GPU_Server_Set_Up_Ubuntu_6" src="http://www.netspi.com/blog/wp-content/uploads/2013/04/EricG_GPU_Server_Set_Up_Ubuntu_6.png" width="659" height="176" /></a></p>
<h2>Conclusion</h2>
<p>This guide details one of many possible setups for a GPU cracking server. When all is done, our cracking server built with these specifications works very well. Next week we will be benchmarking, extracting, and providing strategies for cracking several different types of hashes.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.netspi.com/blog/2013/04/15/gpu-cracking-setting-up-a-server/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		<feedburner:origLink>http://www.netspi.com/blog/2013/04/15/gpu-cracking-setting-up-a-server/</feedburner:origLink></item>
		<item>
		<title>GPU Cracking: Building the Box</title>
		<link>http://feedproxy.google.com/~r/NetspiBlog/application-security/~3/qvhZpKR6jvk/</link>
		<comments>http://www.netspi.com/blog/2013/04/07/gpu-cracking-building-the-box/#comments</comments>
		<pubDate>Sun, 07 Apr 2013 12:00:20 +0000</pubDate>
		<dc:creator>Karl Fosaaen</dc:creator>
				<category><![CDATA[NetsPWN: Assessment Services]]></category>
		<category><![CDATA[GPU Cracker]]></category>

		<guid isPermaLink="false">http://www.netspi.com/blog/?p=3246</guid>
		<description><![CDATA[This winter, we decided to create our own dedicated GPU cracking solution to use for our assessments. It was quite the process, but we now have a fully functional hash cracking machine that tears through NTLMs at roughly 25 billion hashes per second (See below). While attempting to build this, we learned a lot about pushing the limits of consumer-grade hardware. <br /><a class="readmore" href="http://www.netspi.com/blog/2013/04/07/gpu-cracking-building-the-box/">READ POST</a>]]></description>
				<content:encoded><![CDATA[<h2>Intro</h2>
<p>This winter, we decided to create our own dedicated GPU cracking solution to use for our assessments. It was quite the process, but we now have a fully functional hash cracking machine that tears through NTLMs at roughly 25 billion hashes per second (See below). While attempting to build this, we learned a lot about pushing the limits of consumer-grade hardware.</p>
<h2>Goals</h2>
<p>We set out to build a cracking rig with four high end video cards (AMD Radeon HD 7950) to run <a href="http://hashcat.net/oclhashcat-plus/" target="_blank">oclHashcat</a>. We also wanted this solution to be rack mountable, so that it would be easy to store in our data center. As it turns out, there are not a ton of video card friendly server cases. We were only able to find a few GPU cracking friendly cases, but most of them cost more than the rest of our cracking hardware combined. If you have the money to spend, we would recommend going with the special case to save yourself from other issues, but this isn&#8217;t really an option for everyone. The reason why we recommend this is that the cards themselves do not take well to being lined up all together on a standard ATX motherboard. The fans tend to stick out further than they should and end up hitting the next card in the row. On top of that, the cramped conditions lead to overheating cards and cracking jobs stopping. The specialized cases have enough space to avoid these issues, making it easier to set up a box.</p>
<p>We opted for an “open air” configuration for our cracking box. This was primarily driven by trying to mimic the setups of bitcoin mining rigs that we had seen online. I will say that this is not the prettiest option for housing all of these cards. However, it is one of the most efficient ways to space the cards out for cooling. With the “open air” setup, we’re able to connect riser cables to two of the cards and keep the other two cards down on the board. These riser cables can have their own problems. We ended up opting for one (16x to 1x) riser cable and a different (16x to 16x) riser cable that has some modifications for voltage. The 16x to 16x cable has a 12 volt molex adapter soldered to the 12 volt pins on the riser slot.</p>
<p><a href="http://www.netspi.com/blog/wp-content/uploads/2013/03/GPU_Cracker_Blog_1_A.png"><img class="alignleft size-full wp-image-3247" alt="GPU_Cracker_Blog_1_A" src="http://www.netspi.com/blog/wp-content/uploads/2013/03/GPU_Cracker_Blog_1_A.png" width="416" height="521" /></a></p>
<p>While this looks a little hackish, it actually works quite well. We had to do this to supplement the voltage from the motherboard, as it was unable to pull proper voltage for all four cards (with two riser cables). I should also mention that there is some crafty engineering taking place to suspend the two cards above the board. This was accomplished with several zip ties and a modified piece of wire-mesh shelving.</p>
<p><a href="http://www.netspi.com/blog/wp-content/uploads/2013/03/GPU_Cracker_Blog_1_B-e1364585100361.png"><img class="alignleft size-full wp-image-3248" alt="GPU_Cracker_Blog_1_B" src="http://www.netspi.com/blog/wp-content/uploads/2013/03/GPU_Cracker_Blog_1_B-e1364585100361.png" width="506" height="379" /></a></p>
<p>I should also note that this whole rig is tied down (with stand-offs) to an old rack mount shelf. All in all, this setup works quite well. We can have all four cards running at full speed and the hottest card will top out at 85° Celsius. We’re very aware of the fact that this looks insane. It’s hopefully a temporary solution. Eventually, we’re looking at securing a single rail to the rack to screw the cards into.</p>
<p>As for performance, here’s our current averages for hash cracking (OCL in Brute-Force mode):</p>
<p style="padding-left: 30px;">MD5 &#8211; ~16000.0 M/s<br />
NTLM &#8211; ~25500.0 M/s<br />
SHA1 &#8211; ~7900.0 M/s</p>
<p> <a href="http://www.netspi.com/blog/wp-content/uploads/2013/03/GPU_Cracker_Blog_1_C.png"><img class="alignleft size-full wp-image-3249" alt="GPU_Cracker_Blog_1_C" src="http://www.netspi.com/blog/wp-content/uploads/2013/03/GPU_Cracker_Blog_1_C.png" width="738" height="483" /></a></p>
<h2>5 Tips for Building Your Own</h2>
<p>So if you’re planning on putting together your own GPU cracking rig, here are some steps that you may want to take to make it easier.</p>
<ol>
<li>Look into a nice GPU server case and motherboard combo like this one <a href="http://www.newegg.com/Product/Product.aspx?Item=N82E16816152125" target="_blank">http://www.newegg.com/Product/Product.aspx?Item=N82E16816152125</a>
<ol>
<li>These will be spendy (~$3,500+ for the combo, cards not included) but they are meant for this kind of setup.</li>
</ol>
</li>
<li>Look at what the bitcoin miners are doing.
<ol>
<li>Our “open-air” setup is actually pretty similar to most mining rigs that I can find.</li>
<li>Replicate their parts list for your setup; if it works for them, it “should” work for you.</li>
</ol>
</li>
<li>Plan everything out as best you can.
<ol>
<li>From components and case layout to power and cooling requirements.</li>
<li>Measure twice and cut once to avoid returns, repairs, and rebuying parts.</li>
</ol>
</li>
<li>Devote a resource to the project.
<ol>
<li>Intern not busy enough? Have them build the cracking machine.</li>
<li>Find the person that plays more PC games than you.
<ol>
<li>They may know more about the cards and multi-GPU setups.</li>
</ol>
</li>
</ol>
</li>
<li>Don’t get discouraged if your setup isn’t working.
<ol>
<li>We didn’t get it right on the first try, but we eventually got there.</li>
</ol>
</li>
</ol>
<p>Check out <a title="GPU Cracking: Setting up a Server" href="http://www.netspi.com/blog/2013/04/15/gpu-cracking-setting-up-a-server/">GPU Cracking: Setting up the Server</a> by Eric Gruber on how to configure your cracking box to see all of the cards and run the cracking software.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.netspi.com/blog/2013/04/07/gpu-cracking-building-the-box/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		<feedburner:origLink>http://www.netspi.com/blog/2013/04/07/gpu-cracking-building-the-box/</feedburner:origLink></item>
		<item>
		<title>Certificate Pinning in a Mobile Application</title>
		<link>http://feedproxy.google.com/~r/NetspiBlog/application-security/~3/IpaWOzK3dgw/</link>
		<comments>http://www.netspi.com/blog/2013/04/01/certificate-pinning-in-a-mobile-application/#comments</comments>
		<pubDate>Mon, 01 Apr 2013 12:00:14 +0000</pubDate>
		<dc:creator>Steve Kerns</dc:creator>
				<category><![CDATA[NetsPWN: Assessment Services]]></category>
		<category><![CDATA[Certificate Pinning]]></category>
		<category><![CDATA[Man in the Middle]]></category>
		<category><![CDATA[Mobile Applications]]></category>

		<guid isPermaLink="false">http://www.netspi.com/blog/?p=3226</guid>
		<description><![CDATA[Many times during our mobile application penetration testing, we are finding the applications are vulnerable to man-in-the-middle attacks (MITM). Certificate pinning is one part of the answer to MITM attacks in a mobile application. For those who do not know &#8230; <br /><a class="readmore" href="http://www.netspi.com/blog/2013/04/01/certificate-pinning-in-a-mobile-application/">READ POST</a>]]></description>
				<content:encoded><![CDATA[<p>Many times during our mobile application penetration testing, we are finding the applications are vulnerable to <a href="http://en.wikipedia.org/wiki/Man-in-the-middle_attack" target="_blank">man-in-the-middle attacks</a> (MITM). Certificate pinning is one part of the answer to MITM attacks in a mobile application. For those who do not know about certificate pinning, this is not pinning your CISSP certificate to the wall.</p>
<p><strong>What is it?</strong></p>
<p>Certificate pinning is hardcoding or storing the information for digital certificates/public keys in a mobile application. Since only the predefined certificates are accepted for secure communication, all others will fail, even if the user has trusted other certificates.</p>
<p>In a mobile application, the application knows which servers it will connect to, so it can check for those specific certificates. A browser cannot implement certificate pinning in the same way, since it is designed for general-purpose communication.</p>
<p><strong>What happens during an SSL Connection?</strong></p>
<p>When an application sees an SSL certificate from a server, it should verify two things:</p>
<ol>
<li>The certificate is signed by a root certificate authority (CA)</li>
<li>The server&#8217;s name (via DNS) matches the Common Name (CN) presented in the SSL certificate</li>
</ol>
<p>When either check fails, the application (or browser) throws up a warning and lets the user decide what to do. In many cases, the general user population will not understand the warning and will just accept the invalid certificate.</p>
<p><strong>What are we trying to do by certificate pinning?</strong></p>
<p>The idea is to prevent a man-in-the-middle attack, which lets an attacker get in the middle of the conversation between a client and server. They could be just eavesdropping on the conversation or could be changing the data as it moves to the client or server.</p>
<p>An attacker who gains control of a user’s operating system can install trusted root Certificate Authorities.  These root CAs will be able to sign new certificates, which will satisfy SSL validation procedures.  Certificate pinning prevents this by ensuring a specific server public key is used to initiate secured traffic.</p>
<p><strong>How do we implement certificate pinning?</strong></p>
<p>Distribute the server’s public key with the application. Any time the application begins an SSL exchange with the server, validate that the certificate the server presents carries the same public key as the one shipped with the app. This takes the CA system out of the equation, and, assuming it is the correct certificate, the names do match.</p>
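<p>As an added example (not code from the original post), the following shell script shows what "validate the key" means concretely: derive an SPKI pin from the server certificate and compare it with the pin of whatever certificate is presented at connection time. It assumes only the openssl command-line tool; the certificates, the hostname api.example.com and the function names are constructed for the demo.</p>

```shell
#!/bin/sh
# Added example, not code from the original post: public-key pinning done with
# the openssl CLI. The app ships the SPKI pin of its server's key; at connect
# time it recomputes the pin from the certificate the server presents and
# refuses anything else, regardless of which CA signed it or what the CN says.
# Assumption: the openssl command-line tool is installed. All certificates are
# self-signed and generated locally, so nothing here touches the network.

# spki_pin CERT.pem
# Prints base64(SHA-256(DER-encoded SubjectPublicKeyInfo)) of the certificate:
# the value you would hard-code into the application.
spki_pin() {
  openssl x509 -in "$1" -noout -pubkey \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 -binary \
    | openssl base64 -A
}

# check_pin PRESENTED.pem EXPECTED_PIN
# Returns 0 only when the presented certificate carries the pinned key.
# An unreadable or malformed certificate yields an empty pin and fails closed.
check_pin() {
  presented=$(spki_pin "$1")
  [ -n "$presented" ] && [ "$presented" = "$2" ]
}

# make_cert OUT.pem CN
# Self-signed certificate with a freshly generated key (constructed test data).
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "${1%.pem}.key" -out "$1" >/dev/null 2>&1
}

# Demo: the real server certificate and an impostor with the same CN but its
# own key, which is what a MITM proxy with an injected root CA would present.
# Plain CA and CN checks would pass the impostor; the pin check does not.
demo() {
  dir=$(mktemp -d)
  make_cert "$dir/server.pem" "api.example.com"
  make_cert "$dir/impostor.pem" "api.example.com"
  pin=$(spki_pin "$dir/server.pem")
  echo "pinned SPKI sha256: $pin"
  if check_pin "$dir/server.pem" "$pin"; then echo "server: pin OK"; fi
  if ! check_pin "$dir/impostor.pem" "$pin"; then echo "impostor: pin MISMATCH, refuse"; fi
  rm -rf "$dir"
}

demo
```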
<p><strong>Is there a way to break certificate pinning?</strong></p>
<p>An attacker would have to decompile the application, change the code, rebuild it and redeploy the application. Another option would be to run the application in a debugger.</p>
<p>For Android, you can obfuscate your code. You can also check to see if the application is running in a debugger.  Code signing will also make it more difficult for an attacker to create an unauthorized patch for your application.</p>
<p>For iOS, see <a href="http://developer.apple.com/library/mac/#qa/qa1361/_index.html" target="_blank">Detecting the Debugger</a></p>
<p>For Android, see <a href="http://android-developers.blogspot.com/2010/09/securing-android-lvl-applications.html" target="_blank">Securing Android LVL Applications</a></p>
<p>Neither of the above options is perfect, but they do help. Both of these methods make the attacker&#8217;s job harder, but not impossible.</p>
<p><strong>Where else can I find information on this?</strong></p>
<p>OWASP provides some information and sample code:<br />
<a href="https://www.owasp.org/index.php/User_Privacy_Protection_Cheat_Sheet" target="_blank">User Privacy Protection Cheat Sheet</a>  and <a href="https://www.owasp.org/index.php/Pinning_Cheat_Sheet" target="_blank">Pinning Cheat Sheet</a></p>
<p>Moxie Marlinspike provides good information for Android on his blog:<br />
<a href="http://www.thoughtcrime.org/blog/authenticity-is-broken-in-ssl-but-your-app-ha/" target="_blank">Your app shouldn&#8217;t suffer SSL&#8217;s problems </a></p>
<p>iSecPartners provides other information for iOS:<br />
<a href="https://www.isecpartners.com/news-events/news/2013/february/ssl-pinning.aspx" target="_blank">SSL Pinning on iOS</a></p>
<p>&#8212;&#8212;</p>
<p><span style="color: #b50937;"><strong>Be sure to check out author Steve Kerns&#8217; webinar on <a href="http://youtu.be/bH7D7hEuIQE" target="_blank"><span style="color: #b50937;">Securing Your Mobile Applications</span></a></strong></span></p>
]]></content:encoded>
			<wfw:commentRss>http://www.netspi.com/blog/2013/04/01/certificate-pinning-in-a-mobile-application/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://www.netspi.com/blog/2013/04/01/certificate-pinning-in-a-mobile-application/</feedburner:origLink></item>
		<item>
		<title>Attacking Restricted Linux Shells</title>
		<link>http://feedproxy.google.com/~r/NetspiBlog/application-security/~3/53I5z923U2Q/</link>
		<comments>http://www.netspi.com/blog/2013/03/25/attacking-restricted-linux-shells/#comments</comments>
		<pubDate>Mon, 25 Mar 2013 12:00:05 +0000</pubDate>
		<dc:creator>Michael Anderson</dc:creator>
				<category><![CDATA[NetsPWN: Assessment Services]]></category>
		<category><![CDATA[breakout]]></category>
		<category><![CDATA[chroot jail]]></category>
		<category><![CDATA[Linux]]></category>

		<guid isPermaLink="false">http://www.netspi.com/blog/?p=3213</guid>
		<description><![CDATA[Lately, I&#8217;ve been working with some older technologies, and I&#8217;ve gotten to play with some of the restricted access shells that used to be popular. Many older appliances used to include an sshd that allowed users into a chroot jail &#8230; <br /><a class="readmore" href="http://www.netspi.com/blog/2013/03/25/attacking-restricted-linux-shells/">READ POST</a>]]></description>
				<content:encoded><![CDATA[<p>Lately, I&#8217;ve been working with some older technologies, and I&#8217;ve gotten to play with some of the restricted access shells that used to be popular. Many older appliances used to include an sshd that allowed users into a chroot jail with restricted access to binaries. This was done in an attempt to allow the user to access the appliance’s functionality without exposing the internal workings of the application. Fortunately, many chroot jails fail to properly set some essential security bits, assuming that restricting binaries is enough to keep users out of the real filesystem, while also giving users root access to their chroot jail. With just these three things, you can break out of any chroot jail:</p>
<ol>
<li>Root access – you’ll need root access *inside* your chroot jail to execute a breakout. This is the weakest link here, but many chroot jails have been improperly configured, as root privileges are used to access the application functionality that the shell is supposed to expose.</li>
<li>The echo utility – this is built into several shells, so you can rely on it in many situations.</li>
<li>A file that you have both write and execute privileges on – if the chroot jail has been properly secured you won’t have access to chmod, but check the filesystem for these privileges. This will allow you to get your breakout onto the filesystem and execute it.</li>
</ol>
<p>Now for the juicy bit. To break out of your jail, the basic steps are pretty simple. Determine if you have chmod available inside your chroot jail. If you don’t, search for a file with both write and execute privileges. You can use <code>find / -writable -executable</code> or <code>ls -lR / | grep wx</code> to search entire partitions for these files. This might be difficult if you don’t have find or grep, but you can check common locations for executables like /bin/. Remember the path of this file, as you’ll have to overwrite it later.</p>
<p>Spin up a VM with the same kernel as the machine hosting the chroot jail you’re targeting. Grab chroot breakout code (<a href="http://www.bpfh.net/simes/computing/chroot-break.html" target="_blank">there are examples all over the internet</a>). For the purposes of this demonstration, I’ve put my code into breakout.c. All this code does is create a file descriptor for the current directory and then make a new chroot jail in a subdirectory. Since the program has saved a file descriptor to a directory outside this new sub-chroot jail, it uses fchdir to hop back out of the new chroot jail and onto the main directory structure. Then it cd’s all the way back up to the real root, where it execs a new shell. Use gcc to compile the code into a binary on your VM. Then use hexdump with the command below to dump the binary into the format you’ll need; the hexdump format string works just like a C printf statement:</p>
<p style="padding-left: 30px;"><code>hexdump -ve '"\\\x" 1/1 "%02x"' bin.o &gt; echo_this</code></p>
<p>Copy the contents of the file echo_this, and paste them into an echo command inside the chroot jail:</p>
<p style="padding-left: 30px;"><code>echo -ne '\x7f\x45\x4c\x46…' &gt; name_of_file_from_first_step</code> (e.g. /bin/writeableBinary)</p>
<p>Finally, you can just execute the file you&#8217;ve just overwritten to escape the jail. This will provide you with a root shell on the complete file system of the machine you were jailed in earlier.</p>
<p>Preventing this is actually pretty simple, and just relies on some Linux security basics that sometimes get neglected in these chroot jails. Don’t let the user run as root if you can avoid it. If a user has to run as root, restrict access to binaries, and make sure there aren&#8217;t any files that they have both write and execute permissions on.</p>
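<p>To turn that last piece of advice into something an administrator can check from outside the jail, here is an added example (not part of the original post) that audits a chroot tree for files that are both writable and executable. It assumes GNU find, and the function names and the throwaway test tree it builds are constructed for the demo.</p>

```shell
#!/bin/sh
# Added example, not code from the original post: a defender-side audit of a
# chroot tree for the precondition the breakout above needs, a file the jailed
# user can both overwrite and execute. The post's own check uses find's
# -writable/-executable, which ask the kernel about the *current* user (and so
# report every file when run as root); this script tests the mode bits instead,
# so an administrator can run it from outside the jail and get the same answer
# regardless of who runs it. If the jailed account itself is root, mode bits
# cannot protect anything; that is the post's first point, not an audit issue.
# Assumption: GNU find (for the -perm /mode "any of these bits" syntax).

# rwx_files ROOT
# Regular files under ROOT (staying on one filesystem) that are world-writable
# AND have at least one execute bit set. Symlinks are not followed.
rwx_files() {
  find "$1" -xdev -type f -perm -0002 -perm /0111 2>/dev/null | sort
}

# audit_jail ROOT
# Returns 0 when the tree is clean, 1 when offending files exist (listing them
# on stderr so the output can go straight into a ticket or a cron mail).
audit_jail() {
  found=$(rwx_files "$1")
  if [ -n "$found" ]; then
    printf 'writable+executable files under %s:\n%s\n' "$1" "$found" >&2
    return 1
  fi
  return 0
}

# make_demo_jail
# Constructed test tree; prints its path. Only bin/weak should be reported:
#   bin/safe   r-xr-xr-x  executable but not writable
#   bin/weak   rwxrwxrwx  writable and executable (the breakout target)
#   tmp/notes  rw-rw-rw-  writable but not executable
make_demo_jail() {
  jail=$(mktemp -d)
  mkdir -p "$jail/bin" "$jail/tmp"
  printf '#!/bin/sh\necho ok\n' > "$jail/bin/safe"
  chmod 0555 "$jail/bin/safe"
  printf '#!/bin/sh\necho ok\n' > "$jail/bin/weak"
  chmod 0777 "$jail/bin/weak"
  printf 'scratch\n' > "$jail/tmp/notes"
  chmod 0666 "$jail/tmp/notes"
  printf '%s\n' "$jail"
}

# Stand-alone run: build the demo tree, audit it (expected to fail on
# bin/weak), fix the permission, audit again (expected to pass), clean up.
jail=$(make_demo_jail)
audit_jail "$jail" || echo "first audit: problems found, as expected"
chmod 0555 "$jail/bin/weak"
audit_jail "$jail" && echo "second audit: clean"
rm -rf "$jail"
```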
]]></content:encoded>
			<wfw:commentRss>http://www.netspi.com/blog/2013/03/25/attacking-restricted-linux-shells/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://www.netspi.com/blog/2013/03/25/attacking-restricted-linux-shells/</feedburner:origLink></item>
		<item>
		<title>Hacking High Scores in iOS GameCenter</title>
		<link>http://feedproxy.google.com/~r/NetspiBlog/application-security/~3/KNbJqVU97_k/</link>
		<comments>http://www.netspi.com/blog/2013/03/18/hacking-high-scores-in-ios-gamecenter/#comments</comments>
		<pubDate>Mon, 18 Mar 2013 12:00:27 +0000</pubDate>
		<dc:creator>Karl Fosaaen</dc:creator>
				<category><![CDATA[NetsPWN: Assessment Services]]></category>
		<category><![CDATA[Burp]]></category>
		<category><![CDATA[GameCenter]]></category>
		<category><![CDATA[hacking]]></category>
		<category><![CDATA[hacking gamecenter scores]]></category>
		<category><![CDATA[iOS]]></category>
		<category><![CDATA[iOS traffic interception]]></category>

		<guid isPermaLink="false">http://www.netspi.com/blog/?p=3173</guid>
		<description><![CDATA[I recently wrote a blog post about cracking email hashes from the iOS GameCenter application. During my research on the issue, I noticed that there were a number of games where users had insanely high scores. Lots of the users also had the exact same score (9,223,372,036,844,775,807) for each of the games that they played. Coincidentally this number is the largest possible signed integer value that you can have. It turns out that getting these high scores isn't that hard to do. <br /><a class="readmore" href="http://www.netspi.com/blog/2013/03/18/hacking-high-scores-in-ios-gamecenter/">READ POST</a>]]></description>
				<content:encoded><![CDATA[<p>I recently wrote a blog post about <a href="http://www.netspi.com/blog/2013/02/11/know-your-opponent-an-inference-attack-against-ios-game-center/" target="_blank">cracking email hashes from the iOS GameCenter</a> application. During my research on the issue, I noticed that there were a number of games where users had insanely high scores. Lots of the users also had the exact same score (9,223,372,036,844,775,807) for each of the games that they played. Coincidentally this number is the largest possible signed integer value that you can have. It turns out that getting these high scores isn&#8217;t that hard to do.</p>
<h2><b>Setup</b></h2>
<p>In order to modify our scores, we will need to <a href="http://portswigger.net/burp/proxy.html" target="_blank">proxy our iOS traffic through Burp</a>. In order to properly intercept the encrypted iOS traffic, you will also need to <a href="http://portswigger.net/burp/help/proxy_options_installingCAcert.html#iphone" target="_blank">install the Portswigger certificate on your iOS device</a>.</p>
<p>At this point, you will want your Burp listener to be on the same wireless network as your iOS device. You also need to have your Burp listener set to listen on all interfaces to allow your iOS device to proxy through it.</p>
<p>The iOS proxy settings are fairly easy to set up. Just enter your Wi-Fi settings, tap on the blue and white arrow-in-a-circle (to the right of your SSID), and scroll down to your HTTP Proxy settings. Set the server IP to your Burp listener and set your port to the Burp listener port. Visit an https website on your iOS device to see if the Portswigger certificate is properly installed. If you don’t have any issues (or SSL warnings), you should be ready to go.</p>
<h2><b>Modifying Scores</b></h2>
<p>Once your iOS device is properly proxying traffic through your Burp listener, you will want to generate a score to post to GameCenter. For most games, this is not very hard to do. We will be using “<a href="https://itunes.apple.com/us/app/cut-the-rope/id380293530?mt=8" target="_blank">Cut the Rope</a>” as our example. Open up the first level, set Burp to intercept traffic, and complete the level (you cut one rope, it’s really easy). At this point you will see the “Level Complete” screen on your iOS device and the following request will come through Burp.</p>
<blockquote><p>POST /WebObjects/GKGameStatsService.woa/wa/submitScores HTTP/1.1<br />
Host: service.gc.apple.com<br />
User-Agent: gamed/4.10.17.1.6.13.5.2.1 (iPhone4,1; 6.1.2; 10B146; GameKit-781.18)<br />
Accept-Language: en-us<br />
Accept-Encoding: gzip, deflate<br />
Accept: */*<br />
Some-Cookies: have been removed to make this shorter<br />
Content-Type: application/x-apple-plist<br />
Connection: keep-alive<br />
Proxy-Connection: keep-alive<br />
x-gk-bundle-version: 2.1<br />
Content-Length: 473<br />
x-gk-bundle-id: com.chillingo.cuttherope</p>
<p>&lt;?xml version="1.0" encoding="UTF-8"?&gt;<br />
&lt;!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"&gt;<br />
&lt;plist version="1.0"&gt;<br />
&lt;dict&gt;</p>
<p style="padding-left: 30px;">&lt;key&gt;scores&lt;/key&gt;<br />
&lt;array&gt;<br />
&lt;dict&gt;<br />
&lt;key&gt;category&lt;/key&gt;<br />
&lt;string&gt;1432673794&lt;/string&gt;<br />
&lt;key&gt;context&lt;/key&gt;<br />
&lt;integer&gt;0&lt;/integer&gt;<br />
&lt;key&gt;score-value&lt;/key&gt;<br />
<b>&lt;integer&gt;12345&lt;/integer&gt;</b><br />
&lt;key&gt;timestamp&lt;/key&gt;<br />
&lt;integer&gt;1361998342937&lt;/integer&gt;<br />
&lt;/dict&gt;<br />
&lt;/array&gt;</p>
<p>&lt;/dict&gt;<br />
&lt;/plist&gt;</p></blockquote>
<p>If you are seeing other requests come through, just forward them and keep your eye out for the request for the “submitScores” page.</p>
<p>Before forwarding the score on to Apple, you will want to modify the score. The highest possible value that you can submit is 9,223,372,036,844,775,807. Replace the “score-value” stored in the &lt;integer&gt; tags (bolded in the example) with 9223372036844775807 and forward the request. You should receive a “status 0” response from Apple and your score will be updated in GameCenter.</p>
<p><a href="http://www.netspi.com/blog/wp-content/uploads/2013/03/GameCenter-Blog-Cut-The-Rope.png"><img class="alignleft size-full wp-image-3176" alt="GameCenter Blog Cut The Rope" src="http://www.netspi.com/blog/wp-content/uploads/2013/03/GameCenter-Blog-Cut-The-Rope.png" width="617" height="461" /></a></p>
<h2 style="text-align: left;" align="center"><b>Conclusion</b></h2>
<p>I don’t intend on modifying my high scores for each of my GameCenter games. I really don’t care that much about the scores, but some people do. Given Apple’s current model for GameCenter leaderboards, this may not be an easy fix. At a minimum, Apple may want to do some checking on these high scores to weed out any of the users that are maxing out their top scores. For now, I’m going to put the iPhone down and get some work done.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.netspi.com/blog/2013/03/18/hacking-high-scores-in-ios-gamecenter/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		<feedburner:origLink>http://www.netspi.com/blog/2013/03/18/hacking-high-scores-in-ios-gamecenter/</feedburner:origLink></item>
		<item>
		<title>Resources for Aspiring Penetration Testers</title>
		<link>http://feedproxy.google.com/~r/NetspiBlog/application-security/~3/1kX8O7wqSus/</link>
		<comments>http://www.netspi.com/blog/2013/03/11/resources-for-aspiring-penetration-testers/#comments</comments>
		<pubDate>Mon, 11 Mar 2013 12:00:19 +0000</pubDate>
		<dc:creator>Scott Sutherland</dc:creator>
				<category><![CDATA[NetsPWN: Assessment Services]]></category>
		<category><![CDATA[penetration testing]]></category>

		<guid isPermaLink="false">http://www.netspi.com/blog/?p=3183</guid>
		<description><![CDATA[At some point, all penetration testers get asked, “Where did you learn all this stuff?” In my experience, the question often comes from clients and students interested in pen testing. Usually, they’re asking because they aren’t sure where to start. There are a number of two- and four-year college programs that can provide a nice structured approach, but generally I think penetration testing is like any other skillset; if you find the right resources, a good direction, and study hard, you’ll acquire the skills you’re looking for. However, I will say that it does help to already have a strong IT background. <br /><a class="readmore" href="http://www.netspi.com/blog/2013/03/11/resources-for-aspiring-penetration-testers/">READ POST</a>]]></description>
				<content:encoded><![CDATA[<p>At some point, all penetration testers get asked, “Where did you learn all this stuff?” In my experience, the question often comes from clients and students interested in pen testing. Usually, they’re asking because they aren’t sure where to start. There are a number of two- and four-year college programs that can provide a nice structured approach, but generally I think penetration testing is like any other skillset; if you find the right resources, a good direction, and study hard, you’ll acquire the skills you’re looking for. However, I will say that it does help to already have a strong IT background.</p>
<p>Regardless of the path taken, it’s nice to have some decent resources along the way. In this blog, I’ve put together a list of books and online training resources that cover topics and skills that I’ve found useful as a penetration tester. Hopefully the list is also useful to those of you interested in getting your feet wet. Have fun and Hack Responsibly!</p>
<h2><b>Recommended Books</b></h2>
<p>Read, read, and read some more. Recommending that people “<i>Read the F***ing Manual</i>” (RTMF) is just as important today as it was 20 years ago. The list below is really directed at specific tasks that most penetration testers have to perform. I’m aware that there are some obvious gaps in the list, but I haven’t found any books that I really love related to privilege escalation, network attacks, AV evasion, or penetration testing as a profession. Regardless, I hope you enjoy the books as much as I have.</p>
<ol>
<li><b><b><a href="http://www.amazon.com/The-Web-Application-Hackers-Handbook/dp/1118026470/ref=sr_1_1?ie=UTF8&amp;qid=1360960238&amp;sr=8-1" target="_blank">Web Application Hacker’s Handbook 2nd Edition</a></b></b>
<p>Every penetration tester should have a copy of this book. It has good coverage on a lot of web application attack methods with an emphasis on Burp Suite, which is a very robust local HTTP proxy.</p></li>
<li><b style="color: #333333; font-style: normal;"><b style="color: #333333; font-style: normal;"><a href="http://www.amazon.com/Injection-Attacks-Defense-Second-Edition/dp/1597499633/ref=sr_1_sc_1?s=books&amp;ie=UTF8&amp;qid=1360960340&amp;sr=1-1-spell" target="_blank">SQL Injection Attack and Defense</a></b></b>
<p>This book is very complementary to the Web Application Hacker’s Handbook. It provides a pretty straightforward approach for identifying and exploiting SQL injection flaws on common database platforms. As a side note, I also recommend playing with Burp Suite and SQLMap while learning how to perform SQL injection attacks.</p></li>
<li><b><b><a href="http://www.amazon.com/Web-Application-Obfuscation-WAFs-Evasion-Filters-alert/dp/1597496049/ref=sr_1_sc_1?s=books&amp;ie=UTF8&amp;qid=1361561286&amp;sr=1-1-spell&amp;keywords=web+applicatoin+obfscation" target="_blank">Web Application Obfuscation</a></b></b>
<p>This book is also complementary to the Web Application Hacker’s Handbook and SQL Injection Attack and Defense. It provides a decent overview of techniques that can be used to essentially hide your attacks from web application firewalls, intrusion prevention systems, and web application input filters.</p></li>
<li><b><b><a href="http://www.amazon.com/Database-Hackers-Handbook-Defending-Servers/dp/0764578014/ref=sr_1_1?s=books&amp;ie=UTF8&amp;qid=1360960321&amp;sr=1-1&amp;keywords=Database+hackers+handbook" target="_blank">Database Hacker’s Handbook</a></b></b>
<p>This is an oldie but a goody. It provides some great coverage on how to attack the common database platforms. This can come in handy if you’re hoping to escalate your privileges on the database level after finding an SQL injection issue.</li>
<li><b><b><a href="http://www.amazon.com/Managed-Code-Rootkits-Hooking-Environments/dp/1597495743/ref=sr_1_1?s=books&amp;ie=UTF8&amp;qid=1360960293&amp;sr=1-1&amp;keywords=Managed+Code+Rootkits" target="_blank">Managed Code Rootkits</a></b></b>
<p>This book provides manual and automated methods for reverse engineering managed code applications and frameworks. It covers the .NET framework, Java RTE, and Dalvik applications. I thought it was interesting because it has a large focus on actually poisoning the frameworks instead of the application directly. However, it should be noted that this book does not focus on advanced debugging techniques like most reversing books.</p></li>
<li><b><b><a href="http://www.amazon.com/Guide-Kernel-Exploitation-Attacking-Core/dp/1597494860/ref=sr_1_1?ie=UTF8&amp;qid=1361561143&amp;sr=8-1&amp;keywords=guide+to+kernel+exploitation" target="_blank">A Guide to Kernel Exploitation: Attacking the Core</a></b></b>
<p>Not all penetration testers spend their days developing kernel exploits, but it’s still good to know the basics. This book has a focus on understanding kernel exploits and how they actually expose operating system vulnerabilities. So far, it’s been a good read, but I haven’t finished it yet. Someone also recently recommended The Shellcoder’s Handbook to me. So consider that as well.</li>
<li><b><b><a href="http://www.amazon.com/Practical-Malware-Analysis-Dissecting-Malicious/dp/1593272901/ref=sr_1_1?ie=UTF8&amp;qid=1361560983&amp;sr=8-1&amp;keywords=malware" target="_blank">Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software</a></b></b>
<p>I liked this one a lot. It provides a good assembly primer which can come in handy in a lot of ways during a penetration test. It also provides decent coverage in areas that you would expect like static and dynamic malware analysis, file structures, test handlers, packers, and debugging. I’ve also heard that the IDA PRO Book is great if you want to become the reversing master of the universe. However, I don’t actually own it at the moment.</li>
<li><b><b><a href="http://www.amazon.com/Gray-Hat-Python-Programming-Engineers/dp/1593271921/ref=sr_1_2?s=books&amp;ie=UTF8&amp;qid=1361987503&amp;sr=1-2" target="_blank">Gray Hat Python</a></b></b>
<p>I really like this book as well. It’s a quick read and it does a good job of describing different debugging, injection, and fuzzing techniques. It also provides a lot of sample code that can be used to perform tasks like hooking and DLL/code injection. I’ve found both techniques to be quite handy for avoiding anti-virus solutions and stealing data protected with encryption.</li>
<li><b><b><a href="http://www.amazon.com/Windows%C2%AE-Internals-Part-Covering-Windows/dp/0735648735/ref=sr_1_1?s=books&amp;ie=UTF8&amp;qid=1361987683&amp;sr=1-1" target="_blank">Windows® Internals, Part 1</a> / <a href="http://www.amazon.com/Windows%C2%AE-Internals-Part-Covering-Windows/dp/0735665877/ref=pd_sim_b_1" target="_blank">Part 2: Covering Windows Server® 2008 R2 and Windows 7</a></b></b>
<p>I will most likely never finish either of these books in their entirety. However, they do make great references. If you ever need to know anything about how any part of Windows works, these are the go-to books.</li>
<li><b><b><a href="http://www.amazon.com/Nmap-exploration-security-auditing-Cookbook/dp/1849517487/ref=sr_1_3?s=books&amp;ie=UTF8&amp;qid=1361562568&amp;sr=1-3&amp;keywords=nmap#_" target="_blank">Network exploration and security auditing cookbook</a></b></b>
<p>Nmap has become one of the fundamental “tools of the trade” over the past decade or so. In my opinion, it’s as valuable to administrators as it is to attackers. I think that every IT professional should know what Nmap is and how to use it. This book is a great start for someone who has not been exposed to it in the past. It covers everything from basic system discovery to writing your own plugins to scan for vulnerabilities.</li>
<li><b><b><a href="http://www.amazon.com/Metasploit-Penetration-Testers-David-Kennedy/dp/159327288X/ref=sr_1_3?s=books&amp;ie=UTF8&amp;qid=1361561703&amp;sr=1-3&amp;keywords=penetration+testing" target="_blank">MetaSploit: A Penetration Tester’s Guide</a></b></b>
<p>MetaSploit has also become one of the fundamental “tools of the trade” in recent years. There is a lot of community involvement and I think this is a good book for beginners who want to learn more about MetaSploit and some practical use cases.</li>
</ol>
<h2><b>Free Online Training and Vulnerable VMs</b></h2>
<p>Obviously, there are a ton of great blogs, training sites, and vulnerable VMs/applications out there. I will not be covering all of them. However, I’ve tried to include online resources that are valuable for beginners and veterans alike.</p>
<p><a href="http://www.securitytube.net/" target="_blank"><b>SecurityTube</b></a></p>
<p>SecurityTube is like YouTube, but the videos are dedicated to teaching penetration testing skills. Our intern actually recommended this site to me before I knew what it was. Since that time, I’ve been checking it every time I start learning a new topic just to see if they have already covered it. I feel the quality of the tutorials is great and obviously recommend it.</p>
<p><a href="http://www.irongeek.com/" target="_blank"><b>Irongeek</b></a></p>
<p>It’s not a pretty site, but it provides a lot of good content. It is also known for releasing video presentations from security conferences in record time.</p>
<p><a href="http://www.offensive-security.com/metasploit-unleashed/Main_Page" target="_blank"><b>MetaSploit Unleashed</b></a></p>
<p>This web site provides a free online course all about MetaSploit. They do ask for donations to fund Hackers for Charity which raises funds for underprivileged children in East Africa. It’s a great site with a great cause – I recommend checking it out.</p>
<p><a href="http://vulnhub.com/" target="_blank"><b>VulnHub</b></a></p>
<p>Reading only gets you so far. Most people in IT are hands-on learners, so, in order to get your hands dirty, I recommend checking out VulnHub. This is a relatively new site that supplies virtual machines that are designed to be vulnerable. For those of you looking for a quick way to set up a testing lab at home, this may be the most cost/time effective solution.</p>
<p><a href="http://blog.bugcrowd.com/list-of-active-bug-bounty-programs/" target="_blank"><b>Bug bounties</b></a></p>
<p>If you feel you have the skills that can now pay the bills, there are lots of companies willing to pay real money if you find a big issue in their product. The site linked above is dedicated to consolidating a list of the companies currently paying “bug bounties”.</p>
<h2><b>Good Google Searches</b></h2>
<p>As I mentioned earlier, I haven’t been able to find books that cover everything I’d like them to. Where books fail, Google usually succeeds. I suggest using it to find good archived presentations from security conferences such as Defcon, Blackhat, DerbyCon, etc. Below I’ve also provided some topics that you might find interesting.</p>
<p><b>Windows Penetration and Escalation</b></p>
<p>In my experience, 90% of enterprise environments run Windows-based operating systems that centralize access control around Active Directory Services. Therefore, it’s good to have an understanding of the tools and techniques used to escalate privileges in those environments. Unfortunately, I have yet to find a single book that covers this well; below are some basic keywords, vulnerability categories, and tools to get you started.</p>
<ul>
<li>Default passwords</li>
<li>Clear text passwords</li>
<li>Excessive privileges: Users, services, gui, files, registry, memory</li>
<li>Insecure local and remote services</li>
<li>Insecure scheduled tasks</li>
<li>Local and remote exploits</li>
<li>Password guessing: medusa, hydra, bruter, and MetaSploit</li>
<li>Password and hash dumping: Cain, lsa secrets, credential manager, fgdump, mimikatz, MetaSploit post modules</li>
<li>Password hash cracking: john the ripper, hashcat, lophtcrack, masking, Cain</li>
<li>Impersonating users: incognito, mimikatz, pass the hash, MetaSploit psexec, shared accounts, smbexec</li>
</ul>
<p><b>Linux Penetration and Escalation</b></p>
<p>Even though Linux and UNIX systems aren’t in the majority on most networks, they still have a role to play and so, naturally, it’s good to understand their soft spots as well. For the most part, Linux has many of the same basic keywords and vulnerability categories as Windows:</p>
<ul>
<li>Default passwords</li>
<li>Clear text passwords</li>
<li>Excessive privileges: Users, services, gui, files, memory, setuid, orphan files, world writable files, sudoers configurations</li>
<li>Insecure local and remote services</li>
<li>Insecure scheduled tasks</li>
<li>Local and remote exploits</li>
<li>Password guessing: medusa, hydra, bruter, and MetaSploit</li>
<li>Password and hash dumping</li>
<li>Password hash cracking: john the ripper, hashcat, masking</li>
</ul>
<p><b>Man in the Middle (MITM) Attacks</b></p>
<p>For some of you, MITM attacks may be a new concept, so here is a brief description. If a workstation is communicating with a server, and you are routing traffic between them, then you are the MITM. It’s a great position to be in for monitoring and manipulating traffic. There are lots of ways to acquire a MITM position using a range of protocol attacks. To get you started, I’ve provided a list of 10 protocols and tools for attacking systems on a LAN.</p>
<ul>
<li>Address Resolution Protocol (ARP): Cain, ettercap, Intercepter-NG, Subterfuge, easycreds</li>
<li>NetBIOS Name Service (NBNS): MetaSploit and responder</li>
<li>Link-local Multicast Name Resolution (LLMNR): MetaSploit and responder</li>
<li>Pre-Execution Environment (PXE): MetaSploit</li>
<li>Dynamic Trunking Protocol (DTP): Yersinia</li>
<li>Spanning-Tree Protocol (STP): Yersinia, ettercap (lamia plugin)</li>
<li>Hot Standby Router Protocol (HSRP): Yersinia</li>
<li>Dynamic Host Configuration Protocol (DHCP): Intercepter-NG, MetaSploit, manual setup</li>
<li>Domain Name Services (DNS): MetaSploit, ettercap, dsniff, zodiac, ADMIdPack</li>
<li>VLAN Tunneling Protocol (VTP): Yersinia, voiphopper, or modprobe+ifconfig</li>
</ul>
<p><b>Anti-Virus Evasion</b></p>
<p>Anti-virus evasion is often a requirement during penetration testing. I personally break down AV evasion approaches into the four buckets below. I provided a list of keywords for each category to get your searches started. I’m also planning to release a few blogs down the line that will provide more options and actual examples.</p>
<ul>
<li>Bypass Weak AV Configurations
<ul>
<li>Uninstall anti-virus, disable services, terminate processes, disable it via the GUI, create an exception policy for all .exe files, or execute from external media.</li>
</ul>
</li>
<li>Source Code Manipulation
<ul>
<li>Remove comments, randomize function and variable names, encode or encrypt content, delay execution of malicious code, use alternative functions, or insert superfluous functions that change execution flow.</li>
</ul>
</li>
<li>Binary Manipulation
<ul>
<li>Bind with whitelisted applications, pack or compress, modify strings, modify resources, modify the imports table, or modify the assembly to do the things mentioned under source code manipulation. Common packers: upx, iexpress, and mpress.</li>
</ul>
</li>
<li>Process Manipulation
<ul>
<li>Inject malicious code or DLLs into a local or remote process. Native languages can do it directly or through a managed code framework like .NET. PowerShell is a popular example that the MetaSploit team (amongst others) has been using a lot lately. Also, process manipulation is commonly done with Python code that is converted to a portable executable.</li>
</ul>
</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://www.netspi.com/blog/2013/03/11/resources-for-aspiring-penetration-testers/feed/</wfw:commentRss>
		<slash:comments>15</slash:comments>
		<feedburner:origLink>http://www.netspi.com/blog/2013/03/11/resources-for-aspiring-penetration-testers/</feedburner:origLink></item>
		<item>
		<title>Hacking Web Services with Burp</title>
		<link>http://feedproxy.google.com/~r/NetspiBlog/application-security/~3/rrojUn1ktPU/</link>
		<comments>http://www.netspi.com/blog/2013/03/05/hacking-web-services-with-burp/#comments</comments>
		<pubDate>Tue, 05 Mar 2013 12:00:48 +0000</pubDate>
		<dc:creator>Eric Gruber</dc:creator>
				<category><![CDATA[NetsPWN: Assessment Services]]></category>
		<category><![CDATA[Burp]]></category>
		<category><![CDATA[hacking]]></category>
		<category><![CDATA[REST]]></category>
		<category><![CDATA[SOAP]]></category>
		<category><![CDATA[WSDL]]></category>
		<category><![CDATA[Wsdler]]></category>

		<guid isPermaLink="false">http://www.netspi.com/blog/?p=3131</guid>
		<description><![CDATA[I’ve written a plugin for Burp that takes a WSDL request and parses out the operations that are associated with the targeted web service and creates SOAP requests which can then be sent to a web service. This plugin builds upon the work done by Tom Bujok and his soap-ws project which is essentially the WSDL parsing portion of Soap-UI without the UI. <br /><a class="readmore" href="http://www.netspi.com/blog/2013/03/05/hacking-web-services-with-burp/">READ POST</a>]]></description>
				<content:encoded><![CDATA[<p>WSDL (Web Services Description Language) files are XML formatted descriptions about the operations of web services between clients and servers. They contain possible requests along with the parameters an application uses to communicate with a web service. This is great for penetration testers because we can test and manipulate web services all we want using the information from WSDL files.</p>
<p>One of the best tools to use for working with HTTP requests and responses for applications is Burp. The only downside with Burp is that it does not natively support parsing of WSDL files into requests that can be sent to a web service. A common workaround has been to use a tool such as Soap-UI and proxy the requests to Burp for further manipulation. I’ve written a plugin for Burp that takes a WSDL request, parses out the operations that are associated with the targeted web service, and creates SOAP requests which can then be sent to a web service. This plugin builds upon the work done by <a href="https://github.com/reficio/soap-ws" target="_blank">Tom Bujok and his soap-ws project</a>, which is essentially the WSDL parsing portion of Soap-UI without the UI.</p>
<p>The Wsdler plugin along with all the source is located at the Github repository here: <a href="https://github.com/NetSPI/Wsdler" target="_blank">https://github.com/NetSPI/Wsdler</a>.</p>
<h3>Wsdler Requirements</h3>
<ol>
<li>Burp 1.5.01 or later</li>
<li>Must be run from the command line</li>
</ol>
<h3>Starting Wsdler</h3>
<p>The command to start Burp with the Wsdler plugin is as follows:</p>
<p><strong>java -classpath Wsdler.jar;burp.jar burp.StartBurp</strong></p>
<h3>Sample Usage</h3>
<p>Here we will intercept the request for a WSDL file belonging to an online store in Burp.</p>
<p><a href="http://www.netspi.com/blog/wp-content/uploads/2013/03/Burp-Blog-1-EG0304131.png"><img class="alignleft size-full wp-image-3136" title="Burp Blog 1 EG030413" src="http://www.netspi.com/blog/wp-content/uploads/2013/03/Burp-Blog-1-EG0304131.png" alt="Burp WSDL intercept request" width="640" height="289" /></a></p>
<p>After the request for the WSDL has been intercepted, right click on the request and select Parse WSDL.</p>
<p><a href="http://www.netspi.com/blog/wp-content/uploads/2013/03/Burp-Blog-2-EG0304131.png"><img class="alignleft size-full wp-image-3137" title="Burp Blog 2 EG030413" src="http://www.netspi.com/blog/wp-content/uploads/2013/03/Burp-Blog-2-EG0304131.png" alt="Burp WSDL Parse" width="640" height="467" /></a></p>
<p>A new Wsdler tab will open with the parsed operations for the WSDL, along with the bindings and ports for each of the operations. Operations are synonymous with the requests that the application supports. There are two operations in this WSDL file, OrderItem and CheckStatus. Each of these operations has two bindings; for simplicity’s sake, think of a binding as describing the message format and protocol for an operation. The bindings for both of the operations are InstantOrderSoap and InstantOrderSoap12. There are two bindings for each of the operations because the WSDL file supports the creation of both SOAP 1.1 and SOAP 1.2 requests. Finally, the “Port” for each of the operations is essentially just the URL the request will be sent to. The full specification for each of the objects in WSDL files can be read here: <a href="http://www.w3.org/TR/wsdl" target="_blank">http://www.w3.org/TR/wsdl</a>.</p>
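<p>A minimal version of the parsing step described above, written in Python as an added example that is not Wsdler's own code: it reads a WSDL 1.1 document, lists each operation with its binding, SOAP version and port address, and builds the matching SOAP 1.1 or 1.2 request. The abbreviated WSDL document, its namespace and the store URL are constructed for the example; it stops at the envelope and caller-supplied parameters and does not walk the schema types to fill in sample values the way the plugin does.</p>

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

WSDL_NS = "http://schemas.xmlsoap.org/wsdl/"
SOAP11_BIND_NS = "http://schemas.xmlsoap.org/wsdl/soap/"
SOAP12_BIND_NS = "http://schemas.xmlsoap.org/wsdl/soap12/"
SOAP11_ENV_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SOAP12_ENV_NS = "http://www.w3.org/2003/05/soap-envelope"

# Constructed, abbreviated WSDL 1.1 document (types and messages omitted): two
# operations, each offered over a SOAP 1.1 and a SOAP 1.2 binding, as in the post.
SAMPLE_WSDL = """<definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
  xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
  xmlns:soap12="http://schemas.xmlsoap.org/wsdl/soap12/"
  xmlns:tns="http://example.test/InstantOrder"
  targetNamespace="http://example.test/InstantOrder">
  <portType name="InstantOrderPortType">
    <operation name="OrderItem"/>
    <operation name="CheckStatus"/>
  </portType>
  <binding name="InstantOrderSoap" type="tns:InstantOrderPortType">
    <soap:binding transport="http://schemas.xmlsoap.org/soap/http"/>
    <operation name="OrderItem"><soap:operation soapAction="http://example.test/InstantOrder/OrderItem"/></operation>
    <operation name="CheckStatus"><soap:operation soapAction="http://example.test/InstantOrder/CheckStatus"/></operation>
  </binding>
  <binding name="InstantOrderSoap12" type="tns:InstantOrderPortType">
    <soap12:binding transport="http://schemas.xmlsoap.org/soap/http"/>
    <operation name="OrderItem"><soap12:operation soapAction="http://example.test/InstantOrder/OrderItem"/></operation>
    <operation name="CheckStatus"><soap12:operation soapAction="http://example.test/InstantOrder/CheckStatus"/></operation>
  </binding>
  <service name="InstantOrder">
    <port name="InstantOrderSoap" binding="tns:InstantOrderSoap"><soap:address location="http://store.example.test/InstantOrder.asmx"/></port>
    <port name="InstantOrderSoap12" binding="tns:InstantOrderSoap12"><soap12:address location="http://store.example.test/InstantOrder.asmx"/></port>
  </service>
</definitions>"""


def _soap_child(parent, name):
    """Find a soap: or soap12: extension element under parent -> (element, version)."""
    el = parent.find("{%s}%s" % (SOAP11_BIND_NS, name))
    if el is not None:
        return el, "1.1"
    el = parent.find("{%s}%s" % (SOAP12_BIND_NS, name))
    return el, ("1.2" if el is not None else None)


def parse_wsdl(text):
    """Return the targetNamespace and one entry per (operation, binding) pair."""
    root = ET.fromstring(text)
    w = "{%s}" % WSDL_NS
    # binding name -> (SOAP version, portType it implements, soapAction per operation)
    bindings = {}
    for b in root.findall(w + "binding"):
        _, version = _soap_child(b, "binding")
        if version is None:
            continue  # not a SOAP binding (e.g. plain HTTP GET/POST); skip it
        actions = {}
        for op in b.findall(w + "operation"):
            ext, _ = _soap_child(op, "operation")
            actions[op.get("name")] = ext.get("soapAction", "") if ext is not None else ""
        bindings[b.get("name")] = (version, b.get("type").split(":")[-1], actions)
    # binding name -> endpoint URL, taken from the service's ports
    ports = {}
    for port in root.iter(w + "port"):
        addr, _ = _soap_child(port, "address")
        if addr is not None:
            ports[port.get("binding").split(":")[-1]] = addr.get("location")
    entries = []
    for pt in root.findall(w + "portType"):
        for op in pt.findall(w + "operation"):
            for bname, (version, pt_name, actions) in bindings.items():
                if pt_name == pt.get("name") and op.get("name") in actions:
                    entries.append({"operation": op.get("name"), "binding": bname,
                                    "soap_version": version, "port": ports.get(bname),
                                    "soap_action": actions[op.get("name")]})
    return {"target_namespace": root.get("targetNamespace", ""), "operations": entries}


def build_soap_request(entry, tns, params):
    """Build (headers, body) for one parsed entry; parameter values are XML-escaped."""
    if entry["soap_version"] == "1.1":
        env_ns = SOAP11_ENV_NS
        headers = {"Content-Type": "text/xml; charset=utf-8",
                   "SOAPAction": '"%s"' % entry["soap_action"]}
    else:  # SOAP 1.2 carries the action in the Content-Type instead
        env_ns = SOAP12_ENV_NS
        headers = {"Content-Type": 'application/soap+xml; charset=utf-8; action="%s"'
                   % entry["soap_action"]}
    inner = "".join("<%s>%s</%s>" % (k, escape(str(v)), k) for k, v in params.items())
    body = ('<soap:Envelope xmlns:soap="%s"><soap:Body><%s xmlns="%s">%s</%s>'
            '</soap:Body></soap:Envelope>'
            % (env_ns, entry["operation"], tns, inner, entry["operation"]))
    return headers, body


if __name__ == "__main__":
    parsed = parse_wsdl(SAMPLE_WSDL)
    for e in parsed["operations"]:
        print(e["operation"], e["binding"], "SOAP", e["soap_version"], "->", e["port"])
    print(*build_soap_request(parsed["operations"][0], parsed["target_namespace"], {"itemId": 7}), sep="\n")
```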
<p><a href="http://www.netspi.com/blog/wp-content/uploads/2013/03/Burp-Blog-3-EG0304131.png"><img class="alignleft size-full wp-image-3138" title="Burp Blog 3 EG030413" src="http://www.netspi.com/blog/wp-content/uploads/2013/03/Burp-Blog-3-EG0304131.png" alt="Burp SOAP Operations Request" width="640" height="467" /></a></p>
<p>The SOAP requests for the operations will be in the lower part of the Burp window. The parsing functionality will also automatically fill in the data type for each of the parameters in the WSDL operation. In this example, strings are filled in with parts of the Aeneid and integers are filled in with numbers.</p>
<p>The request that Wsdler creates is a standard Burp request, so it can be sent to any other Burp function that accepts requests (intruder, repeater, etc.).</p>
<p><a href="http://www.netspi.com/blog/wp-content/uploads/2013/03/Burp-Blog-4-EG0304131.png"><img class="alignleft size-full wp-image-3139" title="Burp Blog 4 EG030413" src="http://www.netspi.com/blog/wp-content/uploads/2013/03/Burp-Blog-4-EG0304131.png" alt="Burp Intruder Request" width="640" height="467" /></a></p>
<p>Here the request is sent to intruder for further testing. Because the request is XML, Burp automatically identifies the parameters for intruder to use.</p>
<p><a href="http://www.netspi.com/blog/wp-content/uploads/2013/03/Burp-Blog-5-EG0304131.png"><img class="alignleft size-full wp-image-3140" title="Burp Blog 5 EG030413" src="http://www.netspi.com/blog/wp-content/uploads/2013/03/Burp-Blog-5-EG0304131.png" alt="Burp Payload Positioning" width="631" height="480" /></a></p>
<h3>Conclusion</h3>
<p>Currently, the plugin only supports WSDL specification 1.1, but there is work on supporting 1.2 / 2.0. Also, I will be adding the option to specify your own strings and integers when the plugin automatically fills in the appropriate data type for each of the parameters in the parsed operations. If there are any bugs or features that you would like to see added, send me an email or create a ticket on Github.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.netspi.com/blog/2013/03/05/hacking-web-services-with-burp/feed/</wfw:commentRss>
		<slash:comments>28</slash:comments>
		<feedburner:origLink>http://www.netspi.com/blog/2013/03/05/hacking-web-services-with-burp/</feedburner:origLink></item>
	</channel>
</rss>
