When you’ve only got a limited amount of time during a penetration test you want to get the best bang for your buck so I created a python script that will go and check for default usernames and passwords on certain models of printers. Below is the python script.

Usage:  at the command line type the following

So this script takes two arguments, 1) A list of IP’s you’ll want to test against, 2) Name of an output file where successful attempts are logged. If you’re having troubles running the script read my other post about running a python script. The output.txt will contain a list of IP’s that the script was able to log into. There are three variables that you’ll have to modify for your particular printer model that you are trying to scan for on your network, they are listed below.

Username and password variables should be obvious, simply put in the default username and password of the printer on your network. The only thing you’ll have to change in ‘theurl’ variable is the last quoted string. In my case it was ‘/index.html’, in your case it could be ‘/auth/login.html’. Variable ‘theurl’ builds the http request used to log into your printer’s web interface. A full example is below.

This script is doing nothing more than trying to log into the web interface of a printer, that’s it. So the script is not limited to printers, it can be used against any web application that takes a username and password. Although this script can be used against any web application there is a limitation.  This script authenticates to the printer using Basic Access Authentication. There are three main ways to authenticate to a web application.

1. HTTP Basic Access Authentication
2. HTTP Digest Access Authentication
3. HTML Form-based Authentication

So this script will not work if your web application (printer in this case) is using the second or third option. How would you know which one your printer or web application is using? Turns out OWASP has a nice write up on how to test which type of authentication your web application is using. Turns out that no one really uses one and two because they are not as secure as HTML Form-based Authentication wrapped inside SSL. Of course some printers use Basic Authentication because they are poorly built. Basic Authentication actually passes your username and password essentially in plaintext, the only way it tries to hide your username and password is by base64 encoding them which is easily transformed back into plaintext. I don’t want to get lost in the weeds to much but just knowing that your printer is using Basic Authentication is bad enough. Even if you set a strong username and password anyone sniffing network traffic would be able to determine your credentials.

I kicked this script over to Dave Huggins who has tons of experience developing Python applications and he quickly improved upon it by adding the functionality of IP ranges instead of a file. His enhancements can be seen below.

Happy printer hunting.

Below are what the options mean.

Let’s walk through an example using the zipped up malware located here (password is “malware”). For the inexperienced keep in mind you’ll need to run this malware in a virtual machine environment that is not connected to a network. Now that you’ve downloaded the malware open up two command prompts in windows (Start > Programs > Accessories > Command prompt). In the first command prompt you’ll need to start up Capture-Bat with the command above. Once you run this command you should see the following.

My output is going to c:\temp, you may have to create this directory before running the command. It looks like Capture-Bat is just sitting there but it’s actually monitoring changes to your system. It’s important to only run the malware while Capture-Bat is monitoring your system, if you launch another application it will muddy your output and you may not be able to tell it’s the malware making changes to your system or a benign application. Now that Capture-Bat is monitoring let’s go ahead run our malware. I’m a fan of running exe’s from the command line because you may get a more verbose output, so execute the command below to launch the malware.

After you execute the malware let Capture-Bat sit there and monitor events for about 30 seconds to one minute, after that time period simply go into the command prompt running Capture-Bat and type “control + c” to kill the Capture-Bat process. Next step is to open up our output.txt to see what the malware has done to the system, my output is below.

The first line is simply us executing the malware. Lines 2 – 4 is where the malware creates a file, an exe in this case, named spoolsvc.exe. Spoolsvc.exe doesn’t already exist on windows systems but spoolsv.exe does so the malware author is trying to be tricky in creating an exe that is very similar to what already exists on the system. It’s very important to note that spoolsvc.exe is not executed here but simply created, had it been executed you would have seen “process”,”created” as is seen in line one. Spoolsvc.exe is eventually executed on line 15. Line five is where a “.bat” file is created, for those that don’t know “.bat” files are windows batch scripts which contain a series of commands to be executed. Capture-Bat ends of saving this batch script which we will take a look at later. Lines 6 – 13 is where the malware is setting registry values. It appears that lines 6 – 11 are ensuring the “Local Intranet” has certain settings (see IE setting screen shot below) in internet explorer, this will allow internal connections to have a lower security setting than external connections.

My virtual machine is setup in a default and vulnerable setup, my registry values for lines 6 – 11 didn’t change after the malware was executed. Also I intentionally changed these settings before the malware executed but the malware failed to modify the registry so go figure. McAfee states that these settings are used to bypass firewalls? More information about internet explorer security settings and registry values can be found here. Also good information here about IE security zones. Lines 12 and 13 are modifying where temporary internet files and cookies are stored, in my case I didn’t notice a difference between before and after. Also I modified the default location where temporary internet files are located, the malware failed to change this location after execution so go figure once again. I haven’t contacted the developers of Capture-Bat but “SetValueKey” could also be used to query the registry? Either way the values stayed the same for me, it could have been that the malware authors wanted the registry settings for cache and cookies in a default state? Lines 14 – 15 are having cmd.exe execute the malware spoolsvc.exe. Lines 16 – 18 are setting a value in the registry. Once again these values did not change for me after the malware was executed and it appears that the value for BaseClass the value of “Driver” is default? I haven’t yet figured out why this piece of malware sets the value of BaseClass to driver but I have seen other malware perform these same actions. In lines 19 – 30 the malware and Capture-Bat delete and create certain files and processes so hopefully that output is clear to you. It gets interesting again on line 31. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ is the location of exe’s set to run when a user logs into the system. It is very common to see malware modify these registry values to have itself execute once the user logs into the system. In this case it only modified the Spooler SubSystem App value but it’s common to see it modify other values in that location. The last two lines of the output are Capture-Bat saving deleted files. So that’s a basic analysis of this malware. I only let the malware run for about 30 seconds so it may actually perform more actions than my output.

You may be wondering why the funny name for this particular piece of malware, 40033d8063564d1b3e4b41f1d5c9a31f.exe. The experienced will recognize the name as a MD5 hash, MD5 hashing is commonly used to uniquely identify malware or any exe for that matter. I will also google search the MD5 hash of the malware to see if anyone else has run across it. Turns out others have and Anubis has a good analysis of this malware as well. Anubis reports some of the same activities as we see in our output. You can also perform a hash search over at virus total, looks like other anti-virus vendors have signatures for this malware. For the uninformed virus total will query about 40 anti-virus vendors to see which ones have seen it before. I love malware analysis sites like Anubis and Virus Total but nothing beats performing analysis on a local system. For example we were able to capture the deleted batch script that the malware executed, below is the output of that batch script.

Granted the batch script is lame, it’s a very basic script that deletes the malware and deletes itself but the batch script could have contained a lot of useful information. All deleted or modified files that Capture-Bat sees are located in the following directory.

Below is a screen shot of my deleted files for this malware.

Don’t forget that Capture-Bat collects pcap’s during the analysis under the same directory as the deleted malware, see screen shot below.

From a quick google search it doesn’t look like that memehehz.info has a great reputation. It could be that memehehz.info is a malware site or it could be that memehehz.info got infected with malware itself. The malware analyzed here isn’t the most recent malware I simply wanted to walk you through an example and how Capture-Bat can help you in the analysis of what the malware is trying to do. When it comes to analyzing malware I wouldn’t say only the tip of the iceberg has been analyzed but there is definitely more to cover. My main goal was to get others familiar with good malware analysis tools such as Capture-Bat so that they may be better able to react and respond to malicious activity on their own networks. Hopefully this helped and as always if you have any feedback I’d love to hear it.

If you’re familiar with programming and Python in particular then you could just grab the code and roll but I really wanted to discuss the usefulness of an application like this.  First I will discuss the basics of how to get this program up and running but will eventually jump into other implications such as time, storage, and usefulness of a password dictionary.

How to install and use the program

1. You must have Python installed.  If you’re running Linux (you should be) then it’s probably already installed.  If you’re running then Windows then you will have to download Python.
2. Now that you have Python installed simply copy and paste the code above into a text file and name it passwordDictionaryGenerator.py.  The .py extension is needed because that’s how Python recognizes code that it’s suppose to execute.
3. Modify appropriate variables within the program.  The only variables you may want to modify are numb, cap, and low.  These variables contain the ASCII equivalent ranges for the letters and numbers you will be using to generate your dictionary.  You may want to modify these variables so that your dictionary does not contain a-z but only a-k, I’ll leave that up to you.
4. Now to run the program simply type
   python passwordDictionaryGenerator.py

   You will have to answer the questions about which character set you want to use and how long / short your password dictionary is going to be.  Once you answer the questions it may seem like the program isn’t doing anything but it is, it will spit you back to the command line once the program has completed.  The output will be a file called wordlist.

So now you have this cool program that can generate a password dictionary for you, how big (size MB, GB, TB, etc) will this dictionary be?  How long will it take to generate this dictionary?  Let’s tackle the size question first as it will help us calculate the time as well.  The key to calculating the size is a math term called permutations.  Permutations is a simple equation to determine the number of words for that particular character set and length of word.  The basic equation is below.

n^r

n = total character set (e.g.  a-z + A-Z + 0-9 = 62)

r = length of the word

Now you’ll have to calculate n^r for each length to get every possible combination.  So for a 6 digit long password your equation will look like the following.

n⁶ + n⁵ + n⁴ + n³ + n² + n¹ = every possible combination

Let’s try an example where our character set is a-z (n = 26) and our password is no longer than 6 (r = 1-6) digits, how many words will be in our dictionary?

26⁶ + 26⁵ + 26⁴ + 26³ + 26² + 26¹ = 321,272,406 = total # of words

So now we understand how to calculate the total number of words in our dictionary.  How does that relate to the size?  Well for the most part if the length of the password is x then the size in bytes will be x + 1 for that particular line.  Then all we have to do is multiply each n^r times the size of that particular line to get the size for that particular length.  That may have just sound really confusing so hopefully the following graph clears that up some.

I went ahead and generated this dictionary, it took about 30 minutes.  Turns out the size matched my calculations.

So now you have the basic formula for calculating the size of your desired dictionary.  Let’s take a look at a larger example just to cure our curiosity.  Let’s assume the following parameters.

• character set = a-z, A-Z, & 0-9
• password length = 1-8
• n = 62
• r = 1 – 8

With these parameters the size of our dictionary jumps to 1,800 terabytes or 1.8 petabytes. Take a look at the chart below.

You can see how quickly the size jumps up. I don’t know about you but I don’t have a two petabyte drive lying around. Generating this dictionary is just infeasible. I did calculate the time it would probably take to generate this dictionary, it came out to be about 11 days. So the time to create such a dictionary is nothing compared to the storage required to house it. Not only that I don’t know to many applications that can handle a large dictionary as input, so that’s another factor you’ll have to keep in mind when generating your dictionary.

Calculating the time it takes to generate these dictionaries I’ll leave up to you.  The basic idea is that you can run the python program for a particular length password for a set amount of time and then extrapolate form there.  For the most part time isn’t really a factor but storage is. The concepts I’ve talked about here are nothing new. The idea of generating a password came to me and my coworkers as we were thinking of ways to test a WPA wireless infrastructure. Attacking WPA can be done offline so we were thinking of generating a dictionary to accomplish this. Hours later we soon realized the difficulty with generating such a large dictionary. This was actually good news because it meant that an attacker would have an extremely difficult time attacking a WPA access point with a complex password. Renderman and the Church of Wifi have thought about this problem way before I did and came up with some rainbow tables to help test the strength of your WPA access point. You can’t really create a dictionary with every single combination for a lengthy password, your best bet is to create a dictionary with the most “common” passwords, which is no easy task either.

The moral of the story is to use lengthy complex passwords with a high character set, but you knew that already. So I just suggested that this program is somewhat useless, well it is but it isn’t. You can use this program to generate a small dictionary but a large dictionary (greater than a couple of terabytes) is probably out of the question. So use this program and let me know what your results are, I’m always interested in your feedback. Happy cracking.

or

Determine version remotely

or

With netcat you may see weird output, example is below

In this case the version is 4.1.20, so you’ll have to read through the mess that is netcat output.

The basic goal of this article is to explain to others how to tunnel an application in a SOCKS proxy that doesn’t support SOCKS proxies. A SOCKS proxy is another network protocol but what’s special about SOCKS is that it doesn’t rely on the underlying packet to do it’s routing. SOCKS handles the routing and basically just creates an envelope for whatever it’s “wrapping up”. SOCKS can work with lots of protocols (HTTP, FTP, SMTP, etc) and lots of applications (Firefox, Internet Explorer, OpenSSH, etc). One useful example of using a SOCKS proxy is tunneling HTTP traffic through an SSH tunnel. This can be accomplished because both Firefox and SSH have support for SOCKS proxies. Refer to my earlier article concerning tunneling HTTP over SSH. One application / protocol that SOCKS does not work with is SVN, so then how can you tunnel SVN. Proxychains to the rescue.

Proxychains is the coolest thing since sliced bread. If an application doesn’t support SOCKS then Proxychains will make it support SOCKS. Proxychains basically SOCKSifies applications. The main reason to SOCKSify an application is so that you can tunnel it through SSH because SSH supports SOCKS. So how do you download Metasploit through restrictive firewalls? The answer is ProxyChains + SVN + SSH = latest Metasploit. So enough with the yip yapping how does all this work, below are instructions.

Requirements

1. Internet facing listening SSH server
2. Linux client (client being your laptop or desktop) with SSH
3. Proxychains on client
4. SVN on client

You may could perform all of these steps in Windoze but why would you? Besides all of my instructions will be Linux based. Once you’ve got Proxychains installed (see proxychains INSTALL file) the next thing to do is edit it’s config file proxychains.conf. In my situation all I had to modify were two lines. I first commented out the line that says dynamic_chain as seen below.

Next we’ll tell proxychains to use our localhost as the proxy and which port to connect to. At the very bottom of your conf file you’ll need to add the following.

I randomly chose port 4545. I usually choose a port higher than 1024 because you don’t need root privileges to use higher ports. Now your proxychains config file is set. Now let’s create the ssh tunnel.

In my case it would be

The -D flag tells ssh to listen on your localhost (127.0.0.1) and forward that connection to your remote host, in my case 74.208.13.81. Now that you’ve got proxychains configured and your ssh tunnel is up and running you’re ready to go. We don’t need to configure SVN we just need to have the client installed. So now that you’ve got everything up and running simply issue the command below to download the latest Metasploit.

What this final command will do is use proxychains to wrap the SVN protocol into your ssh tunnel thus allowing you to download the latest version of Metasploit behind a restrictive firewall, pretty nifty huh.

Keep in mind this will download metasploit into whatever directory you happen to be in. If for example you wanted to download metasploit into your home directory (e.g /home/travis) then issue the following command.

Also keep in mind that in the above examples proxychains is assumed to be a recognized command and is set in your path. I installed proxychains in my /opt directory so I had to issue the proxychains command below.

Happy sploiting and downloading, hope this explanation helps.

[See post to watch Flash video]

I teach network secuirty at ECPI College of Technology. At the end of every class students present their projects for the course. One group put together a video of their project and I figured it would be a good idea to post it. It’s about 27 minutes and goes over a hand full of things, one of the neatest being the part using Nessus and Metasploit’s autopwnage. I also think the video has some great funny moments as well, especially the Star Wars CVE effect. Either way let me know if you find it helpful or not. I don’t have the greatest bandwidth so be patient with the player as it may take a while to load. It’s also a large video, high resolution that is, so don’t forget to click the fullscreen icon on the bottom right of the player. The audio capture is low so you will probably need to jack up the volume.

In my scenario I had a range of IP’s that I needed to extract/exclude out of a list of IP’s. This task needed to be done on a Windoze machine, I do most of my scripting on a Linux box, so I was trying to rely on the findstr command. Trying to use the findstr command to search, extract, or manipulate a list of IP’s will make you crazy. Now I’m sure there’s way smarter people out there that can craft a simple one line findstr command to hack and slash on an IP list but I’m not one of those people. I also tried to utilize some regular expression magic to manipulate an IP range. Google has this regular expression generator specifically for IP ranges, which seems neat at first but I couldn’t get it to work within findstr.

After no luck with findstr I was gonna turn to my old friend grep. Now for those that don’t know grep is a pattern / regular expression matching command within Linux. Grep has the ability to search for patterns within directories and files for a specific string (e.g. IP addresses). There is a grep Windows executable with basically the same functionality but it couldn’t handle Google’s regular expression either. After burning through two different programs to perform this task I was almost at a lost. My coworker reminded me of awk, how could I forget. Awk is a native program within Linux but you can download an exe version of the program. There are different flavors of awk (gawk and mawk) and different programmers that try and port over awk. I tried some awk.exe’s and some gawk.exe’s but I had the best success with mawk.exe, you can grab mawk.exe here. So enough yip yapping let’s walk through the solution. Below is a sample list of IP’s that we’ll hack and slash on, let’s assume these IP’s are in a file called IPlist.txt.

So let’s say we wanted to extract or exclude the range 192.168.0.5-192.168.0.15, you would use the mawk command below.

Let me explain the command above. BEGIN simply processes the text before mawk starts munching. FS stands for field separator, here we are telling mawk that our filed separator is period (surrounded by single quotes). The $3 is basically a variable calling the 3rd field, in our case it’s the third number in our IP address. The || means “or”. The == is to determine is something is equivalent. The && is “and”. The $4 is the 4th number in our IP address because it’s the 4th field. So the command reads like this: separator is a period, we want the 3rd number to be less than zero or greater than zero or equal to 3 and we want the 4th number to be less than 5 or greater than 15. The $0 represents the entire line so the print statement is just printing out the entire line that matches our criteria. Let’s look at a similar example, say we want to extract 192.168.5.10-18.

I’m sure there are probably other ways to go about performing the same task but this one works for me. Now feel free to go ahead and mawk it out.

Now the Leaf framework is still in beta but this project is open source and Chris welcomes more input into the project. The framework only works on the x86 architecture but supports both 32 and 64 bit binaries. The title of this post refers to reverse engineering Linux but the Leaf framework works on both BSD and Solaris as well. Hopefully this framework will get good traction as Chris has built a nice foundation.

Output of this command can be seen below.

I use this command on a consistent basis because it lists ciphers from strongest to weakest. So when looking at output from the OpenSSL command you can refer to this list to see how strong or weak the cipher support may be. The “openssl ciphers -v” command has nothing to do with what cipher the web server you are trying to fingerprint supports, “openssl ciphers -v” simply lists the ciphers that OpenSSL can check. I repeat the “openssl ciphers -v” command has nothing to do with the web server you are fingerprinting. You can also check out the man page for additional options when it comes to listing ssl ciphers.

The command you’ll use the most is

but always with options. The “s_client” argument emulates a SSL client that can connect to a remote device running a SSL service. Another helpful option is “-connect“. You’ll need to supply a name/IP and a port (default port is 4433). Enough talking about the commands lets take a look at some examples.

The command above is the basic template you’ll use to fingerprint a web server that supports SSL. Instead of IP address you could also use the domain name (e.g. travisaltman.com). See the example below.

You’ll notice that an error message is generated in the example above, that’s because no SSL service is listening on port 80 at travisaltman.com. This is a typical error message you will see if openssl fails to connect with a SSL service. Now lets see what a successful connection would look like.

The connection may seem to hang but you can kill it with a “Q” or “Cntrl C”, the connection will also eventually timeout. You’ll first notice how much information you get back from the server via the openssl command, initially it can be overwhelming. When it comes to fingerprinting I tend to focus on the “SSL-Session” section because it tells you what protocol and cipher is being used for the communication. In the “SSL-section” above you see that travisaltman.com supports the TLSv1 protocol and the cipher is DHE-RSA-AES256-SHA. This is great that it gives us this information but when it comes to fingerprinting we’ll want to know what other protocols and ciphers the web server supports. Let’s say we wanted to know if a web server supports SSLv2 instead of SSLv3 or TLSv1. The command below tells openssl to only connect using SSLv2, this is done with the “-ssl2″ option.

A truncated version of successful output from this command can be seen below.

So you see that my site supports both SSLv2 and SSLv3, in this case the default cipher for communicating over SSLv2 is the DES-CBC3-MD5 cipher. You’ll notice from the “openssl ciphers -v” command that this is the strongest SSLv2 cipher with a key size of 168. You may then be wondering if this SSL server would support weaker SSLv2 keys and also weaker SSLv3 keys. In order to get this granular you would have to specify within openssl which ciphers to check. This is the reason why I love fingerprinting with openssl as oppose to those tools I mentioned at the beginning of this article. So let’s say you wanted to know if a SSL server supported the weakest SSLv2 cipher, which according the output of “openssl ciphers -v” is EXP-RC4-MD5, you can issue the command below.

A truncated version of successful output from this command can be seen below.

So this proves that my SSL server supports the weakest SSL cipher (40 bit key) possible. Looking through the “openssl ciphers -v” output you’ll notice another SSLv2 cipher that supports 40 bit (EXP-RC2-CBC-MD5). If you wanted to figure out if the SSL server supports either one of these SSLv2 40 bit ciphers you could issue the command below.

The -cipher option behaves like an OR, meaning if any cipher in that colon separated list is found supported by the SSL server the command will execute successfully. Taking a look at an example may clear things up a bit. Let’s fingerprint our buddies over at thepiratebay.org and see what ciphers they support.

I won’t bore you with the output, thepiratebay.org does support this strong cipher, now let’s try the weakest cipher.

No dice, they do not support this weak encryption. Now if you combined these ciphers into one option (-cipher AES256-SHA:EXP-RC4-MD5) you would get successful output. So the point is to be careful when going through the fingerprinting process as you may think a SSL server supports a weak cipher when in fact they don’t. So after you have gone through this process and determined what ciphers and protocols the SSL sever supports what should you take away? This is a very good question and one that lots of people have opinions about. The real answer is it depends on what kind of risk you are willing to accept and how easily accessible you want your application to be. In most cases I would recommend only supporting a SSLv3/TLSv1 256 bit cipher because it’s so easy to implement. Only supporting 256 bit may mean limited access, especially to legacy applications but this is becoming less and less common. Most modern browsers and applications can now easily handle the higher key ciphers. I would also mention numerous vulnerabilites found within SSLv2 including the rollback vulnerability from three years ago. So applications that transmit sensitive information may not want to support SSLv2 at all. Keep in mind that most browsers will attempt to communicate with the highest possible cipher. So even if your SSL server supports SSLv2 for backwards compatibility odds are most users will communicate with the strongest SSLv3/TLSv1 cipher your server supports. You don’t have to solely rely on openssl, you could also test in Firefox if your SSL server allows communications on weaker ciphers. Simply type about:config in the address bar of Firefox, then in the filter type “security.ssl”. From there you can enable and disable various ciphers and see if your SSL sever allows the communication. A screen shot of this can be seen below.

That pretty much wraps up this tutorial on fingerprinting SSL. In my spare time I wrote a shell script that automated this process for me given a list of IP’s that were running a SSL sever. This shell script is not ready for prime time but I hope to release a “tools” section soon and place some of my other scripts in there as well. I’m no guru on this subject it’s just simply my experience. As always your feedback is welcome.

travis@hacktop:~$ more references

http://h71000.www7.hp.com/doc/83final/BA554_90007/rn01.html