Since everyone else is doing it...
Top 10 posts of of the year 12/26/2008 - 12/26/2009 - blogspot
Adding your own exploits and modules in Metasploit
http://carnal0wnage.blogspot.com/2008/07/adding-your-own-exploits-in-metasploit.html
Gray Hat Python: Python Programming for Hackers and Reverse Engineers Book Review
http://carnal0wnage.blogspot.com/2009/05/gray-hat-python-python-programming-for.html
Dumping Memory to Extract Password Hashes
http://carnal0wnage.blogspot.com/2009/03/dumping-memory-to-extract-password.html
Using the Metasploit SMB Sniffer Module
http://carnal0wnage.blogspot.com/2009/04/using-metasploit-smb-sniffer-module.html
Metasploit and WMAP
http://carnal0wnage.blogspot.com/2008/11/metasploit-and-wmap_24.html
Metasploit + Karma=Karmetasploit Part 1
http://carnal0wnage.blogspot.com/2008/08/playing-with-karmasploit-part-1.html
Token Passing with Incognito
http://carnal0wnage.blogspot.com/2008/05/token-passing-with-incognito.html
Metasploit + Karma=Karmetasploit Part 2
http://carnal0wnage.blogspot.com/2008/08/metasploit-karmakarmasploit-part-2.html
Getting your smartcard to work with Ubuntu
http://carnal0wnage.blogspot.com/2008/11/getting-your-smartcard-to-work-with.html
msvctl -- pass the hash action
http://carnal0wnage.blogspot.com/2008/03/msvctl-pass-hash-action.html
Top 10 posts of of the year 12/26/2008 - 12/26/2009 -- AttackResearch
Release of the TOR Backdoor
http://carnal0wnage.attackresearch.com/node/376
Coming soon to a pentest near you... (assagi teaser)
http://carnal0wnage.attackresearch.com/node/366
Microsoft DirectShow MPEG2TuneRequest Stack Overflow P0C
http://carnal0wnage.attackresearch.com/node/370
Why I hate web app pentesting...
http://carnal0wnage.attackresearch.com/node/383
PDF Defiling Intro
http://carnal0wnage.attackresearch.com/node/362
Past, Present, and Future of Security and the Security Community
http://carnal0wnage.attackresearch.com/node/395
Failing the Test of Trust (guest post By Timelord)
http://carnal0wnage.attackresearch.com/node/386
More On Metasploit Meterpreter & Timestomp
http://carnal0wnage.attackresearch.com/node/390
Security Conferences, pen tests and incident response
http://carnal0wnage.attackresearch.com/node/361
Metasploit JSP Shells
http://carnal0wnage.attackresearch.com/node/389
Top 10 Keywords that brought people to the blog -blogspot
carnal0wnage
gsecdump
karmetasploit
carnal ownage
msvctl
metasploit oracle
metasploit
carnalownage
scapy
c:\windows\system32\2.exe
Top 10 Keywords that brought people to the blog - AttackResearch
metasploit oracle
client-side penetration testing notacon edition slides
node/24
carnal0wnage
ping sweep
tor backdoor
attack research
msvctl
phishing framework
maltego download
Top 10 Referring Sites - blogspot
ethicalhacker.net
metasploit.com
google.com
twitter.com
forums.remote-exploit.org
blogger.com
learnsecurityonline.com
carnal0wnage.com
penetrationtests.com
synjunkie.blogspot.com
Top 10 Referring Sites - AttackResearch
carnal0wnage.blogspot.com
ethicalhacker.net
blog.attackresearch.com
google.com
twitter.com
blog.metasploit.com
attackresearch.com
pentoo.ch
learnsecurityonline.com
pauldotcom.com
Top 10 Countries - blogspot
United States
United Kingdom
France
Germany
India
Canada
Italy
Spain
Australia
Brazil
Top 10 Countries - AttackResearch
United States
United Kingdom
France
India
Canada
Germany
Indonesia
Spain
Italy
Australia
Sunday, December 27, 2009
Friday, December 18, 2009
File Upload, Anti-Virus, UPX Packer, Mubix's article and a partridge in a pear tree.
Today I was asked to give a proof-of-concept as a fun way of entering the holiday season. The idea was to prove why file upload (without extension / file type checking) can be dangerous. The target client and web server were both using A/V. We already knew it was possible to upload whatever type of file you chose. The question was, as the administrators demanded would be the case, would the A/V stop such an attack.
The answer?
Using solely the technique gained Here , which is @Mubix's site......sadly......the answer is NO. Now a week ago this would have worked. Recent A/V updates have changed that. So how to get around it?
Note: I've been warned by @carnal0wnage
that this technique will most likely flag on some products because of the UPX packing.
That being said, it worked great against the A/V and it turned out to be a fun day.
Instructions:
Create and encode the meterpreter payload as instructed on Mubix's site (link above).
Download the UPX packer Here. I chose the upx-3.04-i386_linux.tar.bz2 for BT4.
Now simply bunzip2 & tar -xvf the file and cd into the upx directory. Perform a ./upx and consider the file packed.
Happy Hacking!
The answer?
Using solely the technique gained Here , which is @Mubix's site......sadly......the answer is NO. Now a week ago this would have worked. Recent A/V updates have changed that. So how to get around it?
Note: I've been warned by @carnal0wnage
that this technique will most likely flag on some products because of the UPX packing.
That being said, it worked great against the A/V and it turned out to be a fun day.
Instructions:
Create and encode the meterpreter payload as instructed on Mubix's site (link above).
Download the UPX packer Here. I chose the upx-3.04-i386_linux.tar.bz2 for BT4.
Now simply bunzip2 & tar -xvf the file and cd into the upx directory. Perform a ./upx
Happy Hacking!
Beating Up On Oracle Book List
Need some last minute books to beat up on Oracle? Here's a list.
(you'll have to go to the rampant press site http://www.rampant-books.com/book_0701_oracle_forensics.htm)
(you'll have to go to the rampant press site http://www.rampant-books.com/book_0701_oracle_forensics.htm)
Friday, December 11, 2009
Hackers -- Net Cafe Series Video circa 1996
From the old skool files...
This is the very first episode of the Net Cafe series. It was shot on location at a cybercafe in San Francisco called CoffeeNet. It looks at the hacker culture and their influence on the early growth of the internet. Guests include Dan Farmer, author of SATAN and COPS; Elias Levi (aka Aleph 1), webmaster of underground.org and Bugtraq; also "Reid Fleming" and "White Knight" from Cult of the Dead Cow. Originally broadcast in 1996.
BToD Testing an Intranet site / 'do WWW Authentication'
I'm sure most folks have already used this feature but for those that haven't, I came across a situation recently where I was asked to test an Intranet application and found the 'do WWW Authentication' piece of functionality made life much easier for me.
So as you may know from my earlier post regarding extracting HTML comments using DirChex, Burp Suite and a Burp Suite Plugin this process is very quick and very simple.
DirChex is basically a dumb application. It is fed a list of URIs like so:
http://www.example.com/index.html
http://www.example.com/protected/shouldn't_be_available.html
http://www.example.com/hidden/mydatabasedump.txt
http://www.example.com/protected/TheMetsSuck.html
(That last line was for you Jack)
and it blindly requests each URI thru the proxy of your choice. The whole idea is to view the request/response as an unauthenticated user. I provide no options for setting a cookie/sessionID/login creds.
Here is the problem I ran into. I'm testing an Intranet application, the application uses NTLM which is tied to your Windows Domain account to receive access to the main page of the application. Only after you've first authenticated via your domain account will you have access to the actual application (which has a login form, technically your half authenticated?). So to test the "unauthenticated" portion you technically have to be authenticated :-)
This is where you can save your self some time. If you utilize the 'do WWW Authentication' option every request that is sent via Burp will automatically have the NTLM/Basic/Digest credentials included.
Navigate to the 'Comms' tab ('Options' tab in later version) and fill in the following:
Hope this helps someone.
Happy Hacking!
So as you may know from my earlier post regarding extracting HTML comments using DirChex, Burp Suite and a Burp Suite Plugin this process is very quick and very simple.
DirChex is basically a dumb application. It is fed a list of URIs like so:
http://www.example.com/index.html
http://www.example.com/protected/shouldn't_be_available.html
http://www.example.com/hidden/mydatabasedump.txt
http://www.example.com/protected/TheMetsSuck.html
(That last line was for you Jack)
and it blindly requests each URI thru the proxy of your choice. The whole idea is to view the request/response as an unauthenticated user. I provide no options for setting a cookie/sessionID/login creds.
Here is the problem I ran into. I'm testing an Intranet application, the application uses NTLM which is tied to your Windows Domain account to receive access to the main page of the application. Only after you've first authenticated via your domain account will you have access to the actual application (which has a login form, technically your half authenticated?). So to test the "unauthenticated" portion you technically have to be authenticated :-)
This is where you can save your self some time. If you utilize the 'do WWW Authentication' option every request that is sent via Burp will automatically have the NTLM/Basic/Digest credentials included.
Navigate to the 'Comms' tab ('Options' tab in later version) and fill in the following:
Hope this helps someone.
Happy Hacking!
Wednesday, December 9, 2009
DirChex Help / BT4 version
Hey folks,
Just as an update, if you downloaded the Backtrack 4 DirChex_v1.1 tool and are having issues with the install relating to the apt-get install libXXXX portion, ensure you enter "apt-get update" FIRST so that the newest packages and their corresponding locations are up to date.
Happy Hacking!
Just as an update, if you downloaded the Backtrack 4 DirChex_v1.1 tool and are having issues with the install relating to the apt-get install libXXXX portion, ensure you enter "apt-get update" FIRST so that the newest packages and their corresponding locations are up to date.
Happy Hacking!
Friday, December 4, 2009
Digging into SSL Cipher Checking
On a recent pentest one of the findings that came up (actually it seems like this finding is on every pentest) is the web server allowing SSLv2.
In the course of doing the report I of course wanted to point to a good reason why this was the case. It was actually difficult to find a CVE/CVSS/etc to say why its bad, in fact I never did. Kind of the same with allowing VRFY on your SMTP server. We all know its bad, but where is the proof.
Nevertheless, here are some links that were useful in understanding the problem.
http://www.foundstone.com/us/resources/whitepapers/wp_ssldigger.pdf
http://www.gnu.org/software/gnutls/manual/html_node/On-SSL-2-and-older-protocols.html
http://osvdb.org/show/osvdb/56387
http://www.schneier.com/paper-ssl.pdf
http://en.wikipedia.org/wiki/Secure_Sockets_Layer#Security
http://clearskies.net/blog/2009/03/01/insecure-ssl-and-how-pci-nearly-gets-it-right/
OSVDB updated their entry for SSLv2
http://osvdb.org/56387
Also a couple of tools to do some checking for you:
Foundstone's SSLDigger
http://www.foundstone.com/us/resources/proddesc/ssldigger.htm
nmap will do this for you with -A with port 443 open or with the sslv2 script
http://nmap.org/nsedoc/scripts/sslv2.html
ssl-cipher-check.pl from http://www.unspecific.com/ssl/
Example output from the tool site:
Links that go with the above tools
ssl-cipher-check author's talk slides
http://dc214.org/.go/presentations#mar2009
Disabling SSLv2 on a variety of services:
http://blog.zenone.org/2009/03/pci-compliance-disable-sslv2-and-weak.html
http://adamyoung.net/Disable-SSLv2-System-Wide
In the course of doing the report I of course wanted to point to a good reason why this was the case. It was actually difficult to find a CVE/CVSS/etc to say why its bad, in fact I never did. Kind of the same with allowing VRFY on your SMTP server. We all know its bad, but where is the proof.
Nevertheless, here are some links that were useful in understanding the problem.
http://www.foundstone.com/us/resources/whitepapers/wp_ssldigger.pdf
http://www.gnu.org/software/gnutls/manual/html_node/On-SSL-2-and-older-protocols.html
http://osvdb.org/show/osvdb/56387
http://www.schneier.com/paper-ssl.pdf
http://en.wikipedia.org/wiki/Secure_Sockets_Layer#Security
http://clearskies.net/blog/2009/03/01/insecure-ssl-and-how-pci-nearly-gets-it-right/
OSVDB updated their entry for SSLv2
http://osvdb.org/56387
Also a couple of tools to do some checking for you:
Foundstone's SSLDigger
http://www.foundstone.com/us/resources/proddesc/ssldigger.htm
nmap will do this for you with -A with port 443 open or with the sslv2 script
http://nmap.org/nsedoc/scripts/sslv2.html
ssl-cipher-check.pl from http://www.unspecific.com/ssl/
Example output from the tool site:
Usage:
$ perl ./ssl-cipher-check.plDefault Output:
: SSL Cipher Check: 1.2
: written by Lee 'MadHat' Heath (at) Unspecific.com
Usage:
./ssl-cipher-check.pl [ -dvwas ][ ]
default port is 443
-d Add debug info (show it all, lots of stuff)
-v Verbose. Show more info about what is found
-w Show only weak ciphers enabled.
-a Show all ciphers, enabled or not
-s Show only the STRONG ciphers enabled.
$ perl ./ssl-cipher-check.pl mail.yahoo.com
Testing mail.yahoo.com:443
SSLv3:RC4-MD5 - ENABLED - STRONG 128 bits
SSLv3:DES-CBC3-SHA - ENABLED - STRONG 168 bits
SSLv3:RC4-SHA - ENABLED - STRONG 128 bits
** SSLv3:DES-CBC-SHA - ENABLED - WEAK 56 bits **
** SSLv3:EXP-RC4-MD5 - ENABLED - WEAK 40 bits **
** SSLv3:EXP-DES-CBC-SHA - ENABLED - WEAK 40 bits **
** SSLv3:EXP-RC2-CBC-MD5 - ENABLED - WEAK 40 bits **
SSLv3:AES128-SHA - ENABLED - STRONG 128 bits
SSLv3:AES256-SHA - ENABLED - STRONG 256 bits
TLSv1:RC4-MD5 - ENABLED - STRONG 128 bits
TLSv1:DES-CBC3-SHA - ENABLED - STRONG 168 bits
TLSv1:RC4-SHA - ENABLED - STRONG 128 bits
** TLSv1:DES-CBC-SHA - ENABLED - WEAK 56 bits **
** TLSv1:EXP-RC4-MD5 - ENABLED - WEAK 40 bits **
** TLSv1:EXP-DES-CBC-SHA - ENABLED - WEAK 40 bits **
** TLSv1:EXP-RC2-CBC-MD5 - ENABLED - WEAK 40 bits **
TLSv1:AES128-SHA - ENABLED - STRONG 128 bits
TLSv1:AES256-SHA - ENABLED - STRONG 256 bits
** SSLv2:RC4-MD5 - ENABLED - WEAK 128 bits **
** SSLv2:RC2-CBC-MD5 - ENABLED - WEAK 128 bits **
** SSLv2:DES-CBC-MD5 - ENABLED - WEAK 56 bits **
** SSLv2:EXP-RC4-MD5 - ENABLED - WEAK 40 bits **
** SSLv2:EXP-RC2-CBC-MD5 - ENABLED - WEAK 40 bits **
** SSLv2:DES-CBC3-MD5 - ENABLED - WEAK 168 bits **
*WARNING* 14 WEAK Ciphers Enabled.
Total Ciphers Enabled: 24
Links that go with the above tools
ssl-cipher-check author's talk slides
http://dc214.org/.go/presentations#mar2009
Disabling SSLv2 on a variety of services:
http://blog.zenone.org/2009/03/pci-compliance-disable-sslv2-and-weak.html
http://adamyoung.net/Disable-SSLv2-System-Wide