16 Jan 2012
I have wanted to use the Social Engineering Toolkit for quite a while but didn't want to setup Sendmail. I know you can use a gmail account but I wanted to spoof an address and Sendmail was the only option until now. I built a ruby script to implement an open relay that can be used with SET. I used code from here and here to get started.
To use SETmail you need to configure SET to use Sendmail. After that, run the SETmail script, which will start an SMTP server on port 25 on the localhost.
Next, go through the SET menu until you get to
[-] Sendmail is a Linux based SMTP Server, this can be used to spoof email addresses.
[-] Sendmail can take up to three minutes to start FYI.
[*] Sendmail is set to ON
set:phishing> Start Sendmail? [yes|no]:
Do not start Sendmail. Answer a few more questions and you will get here.
set:phishing> Send email to:stephen@averagesecurityguy.info
1. Use a gmail Account for your email attack.
2. Use your own server or open relay
set:phishing>2
set:phishing> From address (ex: moo@example.com):stephen@averagesecurityguy.net
set:phishing> Username for open-relay [blank]:
Password for open-relay [blank]:
set:phishing> SMTP email server address (ex. smtp.youremailserveryouown.com):127.0.0.1
set:phishing> Port number for the SMTP server [25]:
set:phishing> Flag this message/s as high priority? [yes|no]:no
After that your email will be sent.
If you want to bypass spam filters with your custom domain name, you will need to setup an MX and SPF record for your custom domain.
You can get SETmail here.
31 Dec 2011
Penetration testing is a lot like stealing jewelry. There are two basic options, either plan the heist carefully, cut the alarm, pick the lock, and blackout the security cameras or kick in the front door, bust open the jewelry cases, stuff your bags, and get out before the cops show up. Of course the best option is to take the time to plan the heist because if it's done correctly no one gets arrested and a lot of money is made. Sometimes though, the smash and grab is the only option available.
To perform a carefully planned penetration test, study the Penetration Testing Execution Standard (PTES) at pentest-standard.org. This is how every penetration test should be done but unfortunately, the sales guys and management haven't read the PTES and therefore don't allocate enough time or money to do a proper pentest. This is when the smash and grab becomes necessary.
Kick In the Front Door
Use the social engineer toolkit (SET) to get meterpreter or shell access to an internal box, which is easier than it should be. Other options include owning a ColdFusion server or finding a Tomcat Manager server or other admin console with weak or default credentials.
Bust Open the Jewelry Cases
After gaining administrative access to a machine, dump the password hashes and crack them; Ophcrack or rcracki_mt are particularly good at cracking LM hashes. Typically, the local administrator password is shared among machines throughout the internal network.
Another option is to migrate into a process that is running as a domain administrative user. There may be a service set to run under a domain admin account or the user on the box may have domain administrative privileges. If I get domain admin privileges this way I like to create my own domain admin account using net user username password /ADD /DOMAIN and net group "Domain Admins" username /ADD /DOMAIN. Make sure to remove the account when finished using net user username /DELETE /DOMAIN.
Stuff the Bags
After gaining administrative access to multiple machines, mount Windows shares on as many boxes as possible and look for sensitive data. Focus particularly on the data that makes the client money.
That is the basic smash and grab method I use on a regular basis. Feel free to share your smash and grab strategy as well.
20 Dec 2011
I'm going to push a few buttons with this post and I may even start a flame war, but here goes.
I don't think security auditors, security analyst, or penetration testers should define risk levels and severity ratings for a client's vulnerabilities. I think we should rely on systems like CVSS or CVSS2 instead of developing our own definitions.
A typical security company will have its own four or five tier rating system along with nifty definitions to explain why a vulnerability would be rated at that level. That system is fine until a client inevitably tries to talk you into lowering a severity rating. Then you have nothing to stand on but your opinion, which may be different from the opinion of the security company next door. If you use a standardized severity rating instead, then you stand on the collective opinion of many knowledgeable researchers.
I realize the CVSS and CVSS2 scoring system isn't perfect and mistakes are made when rating a vulnerability, but the system is better than having some average security guy make up his own standard.
10 Dec 2011
Back in November Chris Gates, @carnal0wnage, gave a talk called "From LOW to PWND" at BSides Atlanta. In the talk he discussed a ColdFusion directory traversal vulnerability that allows the admin password hash to be downloaded. More details can be found at GNUCitizen. Once the password is downloaded it can be cracked, it is a SHA1 hash, or it can be used to login to the server. The article on GNUCitizen includes step-by-step instructions for authenticating to the server using the hash.
On a recent job I came across a vulnerable ColdFusion server, downloaded the hash and followed the instructions for logging in with the hash. I was unsuccessful in my attempts to login because the server refreshed the page every 30 seconds and I couldn't go through all of the steps fast enough. So, I did what anyone in their right mind would do and wrote a script. The script uses the directory traversal flaw to download the password.properties file, extract the password, extract the "salt" on the login page, and login to the page with the salted admin hash. If all goes well, the authorization cookie will be set and printed to the screen. The cookie can be manually added to firefox using the Cookies Manager+ addon to gain administrative control of the ColdFusion server. From there a ColdFusion shell can be uploaded and commands can be run on the server with SYSTEM level privileges. The script is available on Github.
Another interesting file to download is the neo-datasource.xml file, which contains 3DES encrypted passwords for the backend database connections. The passwords can be easily decrypted because the encryption key is static and is used on all ColdFusion servers. The passwords are buried in the file and are a pain to locate manually. Again, I did what anyone else would do and wrote a script. The cfneo.rb script will download a neo-datasource.xml file from a vulnerable server, find all the encrypted passwords, and decrypt them. It uses the RexTable module to print the encrypted and decrypted passwords in a nice table. The cfneo.rb and rextable.rb scripts can be downloaded from Github.
The ColdFusion locale directory traversal flaw affects a number of pages and sometimes requires a different path. Some of the other affected pages and another possible path can be found in Chris Gates's POC python script on exploit-db.com. Details about decrypting the neo-datasource.xml file can be found at the HEXALE blog.
Update
When I was researching and writing this script I found this metasploit module, which is an auxiliary module that scans for vulnerable ColdFusion servers. I totally missed this metasploit module, which is an exploit module. I can't seem to find it in the latest version of metasploit, which must be why I missed it the first time.
Enjoy these tools and remember only use them for good.
02 Dec 2011
In a recent pentest I ran across the web interface for a Watchguard firewall and wanted to bruteforce the password. I couldn't find a tool to do the brute force so I wrote one. I ran the script against the firewall and received valid responses to my queries but I never guessed the correct password because I didn't receive the positive response I was expecting. I guess I should have tested the script on a firewall to which I knew the password but I didn't have one around at the time. If any of you would like to test this script for me I would greatly appreciate it. You can find the script here.