Tuesday, August 14, 2012

Debut of Offensive Techniques:


We have completely overhauled our Tactical Exploitation class for Blackhat, and are now getting ready to debut a new course at Countermeasure 2012 (http://www.countermeasure2012.com/) titled Offensive Techniques (http://www.countermeasure2012.com/training-ot.html)

Offensive Techniques is designed to show students how to truly conduct offensive cyber operations on networks. In our current day of "APT" and targeted attacks, companies often don't understand how they are vulnerable to these types of attacks. Targeted attacks can be carried off by individuals as well as nation states and Offensive Techniques is designed to teach students how to really conduct these types of operations. We increasingly see many "pen-testing" shops disappoint a customer with a report about how many shells they got, but not how vulnerable their business is from someone actually coming after them in a targeted manner.The class is designed to work a student through compromising a fully operational enterprise Windows and Unix network with techniques perfected by Attack Research.
We will be releasing more courses in the near future ranging from secure system administration to offensive and defensive classes. If you are interested in Offensive Techniques or other courses drop us a line at training@attackresearch.com

Tuesday, August 7, 2012

Lotus Domino Scanner

occasionally I run into Lotus Domino stuff on tests.

William Dawson (@bill_e_ghote) did a talk at Bsides LV 2012 and skytalks on Lotus Domino hashes

Link --> http://youtu.be/vfUqZo1Hryg

its worth a listen if you need some background info.

in 2010 i dropped a lotus domino version module
http://carnal0wnage.attackresearch.com/2010/05/metasploit-lotus-domino-version-scanner.html

The module is in the trunk, you can read the post but in my experience newer version of Lotus Domino dont actually advertise that they are lotus domino in the banner, thus you need a way to identify these and once identified figure out current version so you can see if there are any exploits for it.

One of the other things Bill mentions is locating these vulnerable pages. He uses google dorks, which is useful as long as the site is indexed.  While not in the trunk, awhile back i had a bunch of domino servers on a pentest. I ended up taking all the domino scanners i could find and combing those wordlists into one wordlist and writing a metasploit module to search for those URLs.  The key was that we wanted to see which ones were open to the world and which  ones require authentication (correct behavior) and any the forwarded you to somewhere else (probably because you are on 80 and the site requires 443).

In my github repo is the module and wordlist

module is here:
https://github.com/carnal0wnage/Metasploit-Code/blob/master/modules/auxiliary/scanner/lotus_domino_scanner.rb

wordlist is here:
https://github.com/carnal0wnage/Metasploit-Code/blob/master/data/wordlists/lotus_domino_bases.txt

if i'm missing some urls please let me know so i can update the list.

looks like this when run



msf  auxiliary(lotus_domino_scanner) > run

[*] Scanning 192.168.1.4:443
[*] Bases with Anonymous Access:
download/filesets/l_LOTUS_SCRIPT.inf
download/filesets/l_SEARCH.inf
download/filesets/n_LOTUS_SCRIPT.inf
download/filesets/n_SEARCH.inf
events4.nsf
help/lsxlc.nsf
homepage.nsf
iNotes/Forms6.nsf
iNotes/Forms7.nsf
mtatbls.nsf


[*] Bases Requiring Authentication:
admin4.nsf
agentrunner.nsf
agentrunner.nsf
Bookmark.nsf
certlog.nsf
certsrv.nsf
certsrv.nsf
cldbdir.nsf
dbdirman.nsf
ddm.nsf
doladmin.nsf
domadmin.nsf
domcfg.nsf
domcfg.nsf/?open
log.nsf
log.nsf
mail1.box
mail2.box
names.nsf
names.nsf
names.nsf/$Users
schema.nsf
statrep.nsf
statrep.nsf
statrep.nsf?ReadEntries
webadmin.nsf
webadmin.nsf


[*] Forward:

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed