Monday, November 30, 2009

Hacking Unprotected JBOSS JMX Console Installations

Nothing new, notes for later, actually got most of the info from:

http://www.notsosecure.com/folder2/2009/10/27/hacking-jboss-with-jmx-console/

http://goohackle.com/jboss-security-vulnerability-jmx-management-console/
http://www.nruns.com/_downloads/Whitepaper-Hacking-jBoss-using-a-Browser.pdf

The pdf (last link) actually details all the steps to get it done.

Google Dorks

intitle:”jboss management console” “application server” version inurl:”web-console”

intitle:”JBoss Management Console – Server Information” “application server” inurl:”web-console” OR inurl:”jmx-console”

Those searches will lead you to

http://somecrappysite.com/web-console/ServerInfo.jsp

will all kinds of fun information like below:


switch the URL to

http://somecrappysite.com/jmx-console/

and you'll either be greeted with a password prompt box (good) or the JMX Console page (not good--least for them)

Good

Bad

Very Bad

From there, just add the link to your cmd shell wrapped up in a war file. (check pdf for screenshot)

need to turn your .jsp into a .war?

jar -cf meh.war meh.jsp

From there enjoy access to your jsp shell.

Todo: Kick the shell to an msf instance via the msf jsp reverse shell

Tuesday, November 24, 2009

Past, Present, and Future of Security and the Security Community

So just wanted to paste a few links to various views on the security community I have a come across lately.

The Extinction of Hackers by FX
http://www.phenoelit.net/extinction.html

The established community and its rules have the effect of distracting young hackers from their own, personal goals. You are not accepted as a hacker if you run Windows (there are very few exceptions). If you are not an established and respected person, you must run at least Linux, but never one of the large distributions like RedHat or Suse, even if your goal is hacking in the Microsoft .NET environment.

There is no doubt that working with Linux, FreeBSD, OpenBSD and MacOS X will teach you a lot. But if that's not what you are interested in, why bother? It just wastes a lot of valuable time, during which you could have read another book or two about the Windows architecture.
...

The community, the industry and the society as a whole needs smart, aggressive, young blood taking over the hacker's banner. It's time the role models realise what their task and their responsibility is, namely to encourage young hackers to do their own thing and stop to tell them how something should be done. This is not science; this is hacking, where reinventing the wheel is not necessarily a bad thing. The task is to help (re)inventing, not to show them your wheel from five years ago, it's rotten anyway.


Not Kind, Not Gentle. The turn of the decade in security. by Greg Hoglund
http://fasthorizon.blogspot.com/2009/11/not-kind-not-gentle-turn-of-decade-in.html

The decade in review: The most painful thing we learned is that computer security hasn’t worked. We are, at this very moment, MORE insecure than we were in the year 2000. Billions of dollars were wasted on security technology that isn't working. In the last ten years, true cybercrime was born. Maybe we were just naïve about the coming storm. At the turn of the century, it was hard to get past the romantic idea of a university student hacker who prowled systems harmlessly for fun. Blocking ports and preventing network based buffer overflow attacks seemed so important. None of this technology prevented true criminals from pulling off the biggest heist in computer history – the massive theft of identity and subsequent banking fraud of the last few years. The traditional hacker is dead. Hackers are now called terrorists. The Russian mafia pays developers six figure salaries to write rootkits and malware. Independent researchers can and will sell a reliable working exploit of Internet Explorer for more than $50,000 USD. It began to hurt so bad that even Microsoft had to jump on the secure coding bandwagon, declaring a massive effort to make their code more secure. But this isn’t working either. You see, we are adopting technology at a rate far faster than we can secure it. By the time we have secured something, the landscape has changed and the attackers have moved on. In fact, that is why desktop exploitation has become the dominant attack vector. Over the last few years, malicious documents and media, especially “rich content” that contains embedded logic, parse-able metacode or script, and other logical constructs that can be malformed, emerged as the dominant method of exploitation. The API’s, COM objects, and other hoo-hah piled sky high on your windows workstation is a garden of carnal delights to a skilled attacker. Exploits of this nature have been mostly delivered via Internet Explorer and email. In fact, Internet Explorer is quite possibly the largest software disaster ever. As a software program, it has probably caused over a hundred billion dollars in damages since its release. This isn't about blame - if IE wasn't there, someone else's browser would have been the target. The browser is the portal into the Enterprise, so it's going to be where the bad guys focus. Finally, even before all this was going on, every nation state on the planet was standing in the shadows scared out of their britches. Smart people in high (low?) places could see the writing on the wall. It is TRULY AMAZING that a terrorist hasn’t hacked into the SCADA systems of a municipal power utility, started a cascade failure, and shut down half a state in the dead of winter. It’s because of this that I think [most of] those so-called terrorists aren’t very bright. As we close out the first decade, we must realize we have just entered one of the biggest arms races in the history of warfare. In fact, one can easily say that true cyber warfare was birthed in the last ten years.

ZFO5
http://seclists.org/dailydave/2009/q3/47

The security scene is fucked. You have Dan Kaminsky lecturing you on how DNS poisoning will destroy life as we know it. You have Matasano harvesting talent and critiquing everyone, and then Ptacek can only announce the release of....a graphical firewall management client. There's kingcope killing bugs and dropping weaponized exploits while making no other contribution except putting a smile on the face of kiddies. There's iDefense and their competitors selling exploits and only doing research in how to make more exploits. There's Jeff Moss running a conference under the hideous misnomer "Blackhat Briefings" where the same researchers search for glory and present the same shit year after year. There are people who just live press release by press release. And on top of it all, somehow you STILL have not got rid of Kevin Mitnick. The industry cares about virtualization one year and iPhones the next, every year forgetting the lessons it should have picked up in the last.

If you are just someone looking to pay a fair price to not get owned, you find out quickly that none of these people exist to help you. Very few people in this industry have their income model based around actually making you more secure. At best, some of them have it based around convincing you that you are better off.

The very concept of "penetration testing" is fundamentally flawed. The problem with it is that the penetration tester has a limited set of targets they're allowed to attack, while a real attacker can attack anything in order to gain access to the site/box. So if a site on a shared host is being tested, just because site1.com is "secure" that does NOT in anyway mean that the server is secure, because site2.com could easily be vulnerable to all sorts of simple attacks. The time constraint is another problem. A professional pentester with a week or two to spend on a client's network may or may not get into everything. A real dedicated hacker making the slog who spends a month ofeight hour days WILL get into anything they target. You're lucky if it even
takes him that long, really.

Those things should all be very obvious, but whitehats still make the mistake of discounting them. Look at Mitnick. Every time he gets owned he blames his host or his DNS provider. If he's getting owned through them, that's still his fault. Choosing a host is a security decision, it's just like choosing a password. If you choose a weak one you expose yourself. It's still your fault.

It's the same with outsourcing the development of your security-critical code. Mitnick could get someone else to make him a flashy website, and then blame them when it is full of file include vulnerabilities. People do this all the time, indirectly, by using ridiculous CMS or blog software. As an easy example, look at Wordpress. Even easier, look at Wordpress in 2007. Horrid. When considering Wordpress, a blackhat starts reading the PHP, shudders and giggles, and then laughs at the idea of ever using it on one of their servers. A whitehat never gets that far apparently, they just install it and get owned. I simply fail to see how leading security researchers run all kinds of code that is blatantly dangerous. Are they really that bad at reading code? Or do they just not care much if their passwords end up on Full Disclosure? If it's the second option, why is that? Why can these people make a living selling security when they make such bad choices? How do they maintain legitimacy? They take less responsibility for getting owned than do the people who they sell services to.

There's a popular term for people who don't read code. We call them script kiddies.

You cannot outsource blame. You HAVE to take responsibility for your mistakes, whether they are mistakes in your code, mistakes in code you are using, mistakes by your host, or mistakes in who you trust. These are all security choices. Learn to control this shit. Learn how to read code. A lot of the time it only takes a very shallow audit to realise that the code is crap and is bound to have bugs. In a smarter world, security professionals get paid to stop people from getting owned. End of. These is no limit to the scope of an audit.

Are you professional types really this out of touch? I see all these papers about how to protect yourself from these super-fucking-advanced techniques and exploits that very few people can actually develop, and most hackers will NEVER USE. It's the simple stuff that works now, and will continue to work years into the future. Not only is it way easier to dev for simple mistakes, but they are easier to find and are more plentiful.

The whole concept of full-disclosure has backfired. It will never work. It's some slashdot hippie pipe dream. Even you dumbass corporate types should recognize this. If you're constantly giving away all the vulnerabilities you find, for *FREE* mind you (and what other industry does that?), and the vulnerabilities get harder and harder to find and exploit, it will get harder and harder for you all to do your "job". Frankly, I'm surprised that the non-disclosure movement didn't start in the security industry in the first place. In a way it did, by default. With full-disclosure, the security industry is all about show and gloat, it is not about fixing anything. A lot of bugs have been fixed from it, but it comes with the price of an industry that likes to cripple itself. Projects run by teams of trained monkeys are always eager to add more bugs to replace those that have been fixed.

We hate the industry because it is full of shit. There are so many trolls like Kaminsky who just desperately search for anything new, to get attention. So many talentless buffoons trying to scam the planet. A lot of the actual talent out there is severely misapplied. It's an industry tied to news and not results, because very few of you can even attain results. When you can't, who's the wiser? Your customers can hardly tell if you have really made them more secure or not. Sometimes there are superficial benefits, sometimes there aren't. How do you convince the customer that they are more ZF0-safe than before, if they were never targeted and probably never will be? And you all lack the legitimacy to really do the job you should anyways. We can only expose so many frauds, the rest of you can pretend you have changed something.

Very few whitehats actually go out there and provide a service where they make people more secure. Not just for a day or a month. Are you genuinely fixing the underlying design and logic flaws that generate security problems for your clients or customers? If you actually clean up every exposed security flaw they have, will they still be "secure" in six months or a year?

We could go on. Just in general, the industry is failing. Flat out failing.

You cannot even protect yourselves.

Powerful things to think about as we move forward into 2010. Thoughts?

Tuesday, November 17, 2009

Customizing Your Metasploit Banner

Hey I'm as vain as the next security dude in the community so let's see how I can stroke my own ego with metasploit!!

Metasploit has awesome banners. Once you load it up you'll get your random banner or you can just keep typing banner to randomly get one. If you don't like hdm's banner hotness, you can always roll your own. And thanks to msf in color its never been easier to sexy up your ascii art.

I wanted to see carnal0wnage when I started it up.

Step one. Find and open banner.rb in your favorite editor. banner.rb is located in %msfdir%/lib/msf/ui (do I need to tell you to make a backup of the orig?)

Step two. Go to ascii art generator of choice and pick a few pimp ass ascii logos for whatever you want (even though metasploit is pretty damn cool as it is)

**keep in mind ticks (') and underscore (_) mean things in ruby so you probably cant use any ascii art that includes those.

***bonus credit for editing banner.rb to only have the cowsays and bet john strand you can ALWAYS get the cow on command.

Step three. Paste those into banner.rb with ticks and commas separating each banner.

Step four. Start metasploit and hope it doesn't blow up because you didn't read the note in step 2.

Step five. Cycle through you new pimp banners.









Monday, November 16, 2009

Decompiling Flash Files with SWFScan

Inspired by Rafal Los' talk at AppSec DC I started taking a look at SWFScan.

SWFScan download

SWFScan FAQ

A good description here so I don't have to plagiarize

Did a quick search for login.swf and found one (actually lots). Let's fire up SWFScan and see what we can see.


Open it and decompile the .swf. We see a hardcoded password.


Just to be sure that it actually does any checking


Ok its working. They're not letting just anyone in there!


Because the code just jams the username and password box together we can just throw the whole thing in the username block or mix it up however you want.


weeeeeeeeeeeeee!



Just to make sure it wasnt beginner's luck...


Happy decompiling...

Additional Info can be found on the pdc #172 show notes:
http://pauldotcom.com/wiki/index.php/Episode172

Link to Blackhat talk
http://www.blackhat.com/presentations/bh-dc-09/Jagdale/BlackHat-DC-09-Jagdale-Blinded-by-Flash.pdf

Tuesday, November 10, 2009

Metasploit In Color!

Metasploit now has color in MSFConsole. weeeeeeeee!


Thursday, November 5, 2009

BToD Using Burp Extender & DirChex to extract all HTML comments

Today's Burp Suite Tip of the Day is a video showing quite a few things.

1) How to compile and package the Burp Extender utilizing BackTrack 4.

2) We build the plug-in coded by Daniele Costa (ref: portswigger.net )

3) How to install DirChex on BT4

4) How to utilize both DirChex and BurpSuite (along with plug-in) to extract all html comments from a web application.

You can download DirChex at DirChex Project Page

Enjoy & Happy Hacking!!

cktricky & BurpSuite Tip of the Day - Extracting HTML from cktricky on Vimeo.

Wednesday, November 4, 2009

BackTrack 4 version of DirChex now available

Hey folks,

As promised k3r0s1n3 has delivered! We now have a BT4 specific version of DirChex_v1.1 available. If you navigate to the DirChex Project Page you can download the zip file containing the program and the install script. Just unzip the file, 'cd DirChex_v1.1' and then 'bash install.sh'...........that is about it!

Then fire up the program 'ruby DirChex_v1.1.rb'

Okay folks so here is a screenshot:




k3r0s1n3 is the man for whipping this up in such short time. You can visit his blog Here .

Also SPECIAL thanks to @mubix for helping to troubleshoot various errors for the release. Without his help the program wouldn't be a fully functioning stand-alone windows executable.

Happy Hacking!

Tuesday, November 3, 2009

Side Note: DirSnatch_v2.0

So, in case you were annoyed by the .exe version of DirSnatch opening a console window along with the main program....you will be happy to know this has been removed. I've uploaded a recompiled version which does not require the console window pop-up.

It can be downloaded at the same location as always which is the DirSnatch Project Page.

Cheers,

cktricky

&

Happy Hacking!!!

Adding DLLs with OCRA

Hey folks, for those of you who create wxruby apps and package them with OCRA but customers receive an error (Windows) about MSVCR** or MCVCP** missing (or something along those lines) here is what you do.

Simply copy over your DLL files (the ones the app complains about) to \Ruby\bin\ then run OCRA like so:

C:\ruby\lib\ruby\gems\1.8\gems\ocra\bin\ocra --dll MSVCR**.dll --dll MSVCP**.dll

AND you will be in business.

Cheers,

cktricky

Monday, November 2, 2009

DirChex_v1.1 Release

As promised the follow-up program to DirSnatch ==> 'DirChex' has been released. You can download the tool Here The tool automates the task of requesting a list of URLs via an intercepting proxy with the User Agent of your choice.

Right now the layout suxx for BT4 so I wouldn't even bother trying BUT in case you wanted to the README offers up some instructions.

Lots of upgrades and different stuff to do so please let us know if you have problems, requests, etc. they are all welcomed.

By "us" I mean @k3r0s1n3 and I.

Here is a screenshot



One last thing, additional usage instructions for the tool are located on k3r0s1n3's blogs

Happy Hacking!