Address Space Layout Randomization

Filed under White papers

A previously unpublished paper that I wrote for the Infosec Institute about ASLR.

Bypassing Address Space Layout Randomization

Ftools TFTP

Filed under Tools

A beta version of my TFTP fuzzing script can now be downloaded from www.thexero.co.uk/downloads/ftools/tftp.zip. Any recommendations you may have for improvements would be appreciated.

Regards

Ftools FTP

Filed under Tools

The final version of my FTP fuzzing script can now be downloaded from www.thexero.co.uk/downloads/ftools/ftp.zip. Any recommendations you may have for improvements would be appreciated.

Regards

Abusing the Stack

Filed under Exploit Development

Once you have successfully developed a working exploit, you will soon realize that it’s a lot simpler and less of a black art than people think.

To start with, a stack-based buffer overflow condition generally causes the target application to crash by overwriting the pointer to the next instruction, the EIP (Extended Instruction Pointer) register.

We first load up a simple Python-based fuzzer script and attempt to fuzz a free FTP server called FreeFloat FTP Server, which is hosted on a machine in the lab with the IP address 192.168.72.129.

The program stops responding to our FTP requests once about 300 A’s have been sent after the USER command.

We then load the program into Immunity Debugger and replicate the crash once again, hoping that the debugger will tell us a little bit more about it. In this case the target application crashed because EIP has been completely overwritten with 41414141, which is the hex equivalent of four letter A’s.

For simplicity’s sake we export the target IP address and port to our local environment variables so that the chance of entering the wrong target address is minimized.

We then use Metasploit’s Pattern Create tool, which generates a unique, non-repeating string that we use in place of the buffer to identify the exact position at which the EIP overwrite occurs, which turns out to be 230.

We then modify our buffer to include 230 A’s followed by DEADBEEF as the value that overwrites EIP; the rest of our buffer overflows into the stack area that the ESP register points to. This means that if we overwrite EIP with the address of a memory location holding the assembly instruction JMP ESP, we can jump to ESP and execute the instructions that follow.

We then send all hex bytes (minus 00, as it would kill our TCP connection to the FTP server) and attempt to identify any bad characters that would corrupt our shellcode later on.

Metasploit is then opened with the console interface and we create test shellcode that will run the Windows calculator application, excluding the bad characters identified previously from the payload. As the payload is encoded we had to add 8 NOPs to our buffer so that there was sufficient room for the payload to decode itself.

Once the test shellcode is added we run our exploit, which should crash the application once again but at the same time execute our code and open the Windows calculator; this worked as planned.

We go back to Metasploit and create a Windows reverse shell payload, again excluding the bad characters found, and write all the hex bytes to a file called shellcode, which we then open with gedit.

We then replace the test Windows calculator payload with the first stage of our newly created staged Windows reverse shell payload to complete our exploit.

Then we set up a Metasploit listener on port 4444 for a staged Windows reverse shell and executed our exploit, which resulted in the target machine connecting back to our machine. As we chose a staged payload, our machine delivered stage 2 of the payload, creating a full reverse Windows command prompt on our machine, and from then on we had full control over that session.
Exploit Files
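The offset-finding step above (Pattern Create, offset 230) and the bad-character comparison, as an added example that is not the post's own script: a Python re-implementation of the cyclic pattern using the same "Aa0Aa1..." alphabet as Metasploit's pattern_create/pattern_offset, plus a helper that compares the bytes sent with what the debugger shows in memory. All sample values are constructed.

```python
"""Cyclic-pattern helpers for locating a register overwrite, plus a
bad-character check.  Added example; not the original post's code."""
import string

MAX_PATTERN_LEN = 26 * 26 * 10 * 3  # longest unique pattern: "Aa0Aa1 ... Zz9"


def pattern_create(length):
    """Return a non-repeating pattern of `length` chars ("Aa0Aa1Aa2...")."""
    chunks = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                chunks.append(upper + lower + digit)
                if len(chunks) * 3 >= length:
                    return "".join(chunks)[:length]
    return "".join(chunks)[:length]


def pattern_offset(value, length=MAX_PATTERN_LEN):
    """Locate `value` in the pattern and return its offset (None if absent).

    `value` is either the 4 ASCII chars found in a register, or the
    8-hex-digit value a debugger shows for EIP (e.g. "41414141", "0x41414141").
    The hex form is byte-reversed because x86 stores the value little-endian.
    """
    hexval = value[2:] if value.lower().startswith("0x") else value
    needle = value
    if len(hexval) == 8 and all(c in string.hexdigits for c in hexval):
        needle = bytes.fromhex(hexval)[::-1].decode("ascii", errors="replace")
    idx = pattern_create(length).find(needle)
    return idx if idx != -1 else None


def find_bad_chars(sent, observed):
    """Compare the byte sequence sent to the target with the bytes the
    debugger shows in memory; return the first byte that was mangled or
    truncated, or None if everything arrived intact."""
    for i, byte in enumerate(sent):
        if i >= len(observed) or observed[i] != byte:
            return byte
    return None


if __name__ == "__main__":
    # Constructed values: a crash showing EIP = 37684136 maps to offset 230,
    # the same offset the post found for the FreeFloat FTP USER command.
    print(pattern_offset("37684136"))
    all_bytes = bytes(range(1, 256))  # 0x00 is left out, as in the post
    print(find_bad_chars(all_bytes, all_bytes[:9] + all_bytes[10:]))
```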

Penetrating secure networks

Filed under Penetration

In this video we attempt to break into a secure network behind a basic Windows 2003 firewall and AD infrastructure in a Network Address Translation environment.

After we have completed our Passive Information Gathering we begin Active Information Gathering; a quick nmap scan of our target shows no open ports, with every port either closed or filtered.

Usually in these circumstances we’d perform further enumeration on the target; however, we quickly realize that attacks aimed directly at the server are not likely to work, so we decide to attack a client within the NAT environment using the Internet Explorer Aurora exploit available in the Metasploit framework.

During Passive Information Gathering we are likely to come across several email addresses used by employees, which we can use in our next PenTest efforts to help with client-side attacks.

We start up the Aurora exploit and send an email to the client. When the client clicks on the email link and opens the web page his browser crashes and sends us a remote Meterpreter shell on his machine using his limited credentials.

The first thing we do is elevate our privileges to local system, which should give us unrestricted access to the machine. Once we acquire system access we dump the local hashes and copy the Administrator hash to our clipboard, hoping that they are, unfortunately, using the same Administrator credentials on other parts of the network.

Considering the netmask and IP range of the network we can safely assume that the domain controller is located at 192.168.0.1, so we decide to use the client as a pivot point, meaning that we can continue our attacks using the client as a proxy.

We choose to load the psexec exploit module and set the remote host to 192.168.0.1, which is the default gateway for the network and the domain controller. Note that this attack travels through the host we have already compromised on the network, so it would appear that the client is doing the attacking, not an outsider.

As we don’t know the password for the administrator account we use the admin hash we already obtained and perform a Pass-the-Hash attack. Rather than hashing a password to send to the remote machine, this simply passes the already-hashed credential to the target machine.

We get another Meterpreter session, this time from the domain controller, and again we elevate our privileges to local system. We also dump the Active Directory hashes and crack them using the Ophcrack rainbow table cracking software, successfully cracking all hashes in under 10 minutes.

We then create a new user called thexero and add him to the Administrators and Remote Desktop Users groups. Once completed we enable Remote Desktop, assuming that it had been disabled for security reasons, and log in with the credentials we had just created, using the IP address we scanned earlier.

WiFu – Hacking Invisible Networks

Filed under WiFu

In this demonstration, we attempt to break into a hidden network. You cannot connect to these networks like a usual WiFi network, because you cannot see them: they do not broadcast their SSID.

Firstly, after activating monitor mode on my Alfa AWUS036H adapter, we start airodump-ng on channel 6 and listen for any networks.

After noticing the hidden network we stop airodump-ng and start it again on channel 6, this time saving the captured data to a file called hidden.

Noticing that there was an already-authenticated client, we start up aireplay-ng and de-authenticate the client, forcing it to re-authenticate with the network and thereby revealing the hidden SSID, which in this case was Cisco.

After discovering the SSID we authenticate with the network Cisco and start the ARP Request Replay attack to increase the rate at which new IVs are generated, then crack the WEP key for the network.

WiFu – ARP amplification

Filed under WiFu

Using ARP to our advantage we can greatly increase our IV generation rates. ARP amplification is a very advanced topic and should not be attempted by newcomers.

In this demonstration, we first perform a standard 1 – 1 attack by creating a generic ARP broadcast request; our injection rate is around 400, which is considered pretty good.

While attacking a network it is possible to find out the address ranges in use, and even the IP addresses of associated clients, using attacks like the Korek Chop Chop. With this information you can potentially more than double your IV generation rate by sending an ARP request to an existing WiFi client, which yields a 1 – 3 IV generation rate.

WiFu – Bypassing Shared Key Authentication

Filed under WiFu

When attacking a WEP encrypted WiFi network, you can come across two different authentication methods, Open and Shared Key. In the previous video we attacked a WEP network with Open Authentication, so this time we are going to attack a WEP network using Shared Key Authentication.

In this video, we start aireplay-ng and try to authenticate, but quickly realize it’s not Open Authentication, so aireplay-ng switches to Shared Key Authentication mode.

Next we start up airodump-ng on channel 6, saving the captured data to a file called ‘linksys,’ and then de-authenticate an associated client, meaning that it has to complete a new association request, which we capture and save to disk.

Once captured, we are able to replay this captured shared key authentication (SKA) exchange when we try to associate, which works fine for us, and we successfully authenticate with the target network.

As in the previous video, we proceed to capture the PRGA so that we can craft our own packets for the network and create broadcast ARP request packets, in the hope that the Access Point will respond with a new IV.

Once enough Initialization Vectors are captured we can crack the WEP encryption key for the network using aircrack-ng.

WiFu – Cracking clientless WEP networks

Filed under WiFu

In this video, we demonstrate how to authenticate with a clientless WEP Open network and crack the WEP key in a relatively short amount of time using various tools in the aircrack-ng suite.

We are using BackTrack 4 R1 in this video; the default drivers don’t work too well with the AWUS036H USB WiFi card, so we removed the default drivers and loaded the older BackTrack 3 driver.

The next step was to enable monitor mode on the wireless card using airmon-ng and start airodump-ng on channel 6 to see what networks are within range.

After identifying the target network, we start up screen and run airodump-ng again on channel 6, outputting the captured data to a file called ‘linksys.’

We then perform a fake authentication attack against the target network using aireplay-ng and start listening for data packets from the clientless network, which are sent out automatically every few minutes.

Once we obtain a data packet, we can use packetforge-ng to create a generic ARP Request packet addressed to the broadcast address 255.255.255.255, as most wireless Access Points respond to these and will hopefully generate new IVs for the target network.

Using the newly crafted packet, we use aireplay-ng again to inject it back towards the Access Point in the hope that it will produce new Initialization Vectors.

Once we obtain enough IVs we are able to use aircrack-ng to crack the WEP encryption key for the network.

WiFu – Cracking WPA Pre Shared Key

Filed under WiFu

In this video, we demonstrate the simplicity of cracking a password for a WPA encrypted wireless network using tools freely available within the aircrack-ng suite of tools.

We first put our Alfa AWUS036H USB WiFi card into monitor mode and proceed to listen for WiFi traffic on channel 6, noting down any information we receive.

We need to keep airodump-ng running, so we run the screen program and start airodump-ng again to continue our attack.

Once we find an associated client, we create another screen session and use aireplay-ng to send a de-authentication packet to the client, hoping that the client will automatically re-authenticate with the target network.

Once the client successfully re-authenticates we capture the four-way handshake. We then stop airodump-ng and proceed to crack the PSK using an example dictionary that comes with the aircrack-ng tool. We discover that the password for the WPA protected network is in fact ‘password’, and as this was an off-line attack, even with MAC address lockouts we should be able to connect ok.