nullsploit

Filed under Tools

nullsploit is a work-in-progress exploitation framework. Currently only a couple of exploits are included, but the foundations are being built to allow rapid exploit development.

Features currently available include choosing which payload (shellcode) an exploit uses, a custom encoder that avoids bad characters within the payload, and a shell handler for the exploit.

A short demo of the WorldMail IMAP exploitation module is included below:

The project is available on github at the following link: https://github.com/TheNullSecXero/nullsploit

TFTP Fuzzer

Filed under Tools

This has been used to fuzz and discover a number of previously undisclosed bugs in TFTP and other simple UDP-based protocols.

The project is hosted on GitHub and can be found at the link below:
https://github.com/nullsecuritynet/tools/blob/master/fuzzer/tftp-fuzz/release/tftp-fuzz.py

FTP Fuzzer

Filed under Tools

This has been used to fuzz and discover a number of previously undisclosed bugs in FTP and other plain-text protocols.

The project is hosted on GitHub and can be found at the link below:
https://github.com/nullsecuritynet/tools/blob/master/fuzzer/ftp-fuzz/release/ftp-fuzz.py

Breaking Hidden Networks

Filed under WiFu

In this demonstration, I attempt to break into a hidden network. These networks cannot be joined like an ordinary network because you cannot see them: the access point does not broadcast its SSID.

First, after enabling monitor mode on my Alfa AWUS036H adapter, I started airodump-ng on channel 6 and listened for any networks.

After noticing the hidden network, I stopped airodump-ng and started it again on channel 6, this time saving the captured data to a file called hidden.

Noticing there was an already authenticated client, I started up aireplay-ng and de-authenticated it, forcing it to re-authenticate with the network; the frames a client sends when rejoining carry the SSID in the clear, revealing that the hidden SSID was in fact Cisco.

Once the SSID was known, I authenticated with the network Cisco and started the ARP request replay attack to increase the rate at which new IVs were generated, then cracked the WEP key for the network.

ARP Amplification

Filed under WiFu

Using ARP to our advantage can greatly increase our IV generation rate. ARP amplification is a fairly advanced topic and should not be attempted by newcomers.

In this demonstration, I first performed a standard 1-to-1 attack (one injected ARP request yielding one new IV) by creating a generic ARP broadcast request; our injection rate was around 400, which is considered pretty good.

While attacking a network it is possible to find out the address ranges in use, and even an associated client's IP, using attacks like the KoreK chopchop attack. With this information you can more than double your IV generation rate by sending an ARP request to an existing WiFi client, which yields a 1-to-3 IV generation rate.

Bypassing Shared Key Authentication

Filed under WiFu

When attacking a WEP-encrypted WiFi network you can come across two different authentication methods, Open and Shared Key. In the previous video we attacked an Open WEP network, so this time we are going to attack a Shared Key Authentication (SKA) WEP network.

In this video, I started aireplay-ng and tried to authenticate, but quickly realised it was not an open network and aireplay-ng switched to Shared Key authentication.

Next I started up airodump-ng on channel 6, saving the captured data to a file called 'linksys', and then attempted to de-authenticate an associated client, meaning it would have to complete a new SKA exchange, which we would capture.

Once captured, we could use this SKA exchange when trying to associate, which worked fine for us: we successfully authenticated with the target network.

As in the previous video, we then captured the PRGA so that we could craft our own packets for the network, created broadcast ARP request packets in the hope that the Access Point would respond with new IVs, and finally cracked the WEP key for the network using aircrack-ng.

Cracking Clientless WEP

Filed under WiFu

In this video, I demonstrate how to authenticate with a clientless Open WEP network and break the WEP key in a relatively short amount of time using various aircrack-ng tools.

I was using Back|Track 4 R1 in this video, but the default driver did not work too well with my AWUS036H USB WiFi card, so I removed the new drivers and loaded the older Back|Track 3 drivers.

The next step was to enable monitor mode on my wireless card using airmon-ng and start airodump-ng on channel 6 to see what was around.

After I identified the target network, I started up screen and ran airodump-ng again on channel 6, writing the captured data to a file called 'linksys'.

I then performed a fake authentication with the target network using aireplay-ng and started listening for a data packet from the clientless network (which can take up to 5 minutes), so that I could obtain a PRGA for the network that would allow me to create my own packets for later injection.

Once obtained, I used packetforge-ng to create a generic ARP request packet addressed to the broadcast address 255.255.255.255, as most wireless Access Points respond to these and would hopefully generate new IVs for the target network.

Using the newly crafted packet, I ran aireplay-ng again to inject it, which caused the Access Point to produce new IVs.

Once enough IVs were captured, I used aircrack-ng to recover the network's WEP key in hex.

Cracking WPA PSK

Filed under WiFu

In this video, I demonstrate how simple it is to crack a WPA PSK password using the tools freely available in the aircrack-ng suite.

I first put my Alfa AWUS036H USB WiFi card into monitor mode, listened for WiFi traffic on channel 6 and noted down the relevant information.

I needed airodump-ng running during the next stages, so I ran screen and started airodump-ng again to continue my attack.

Once I had found an associated client, I created another session and used aireplay-ng to send a de-authentication packet to that client, in the hope that it would re-authenticate with the target network.

Once I had captured the PSK handshake, I stopped airodump-ng and cracked the PSK by brute-forcing it with aircrack-ng against the example dictionary that ships with the aircrack-ng suite.
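The de-authentication step used in the hidden-network, Shared Key and WPA posts above is something a defender can see from the air: a burst of deauthentication frames from a single transmitter. The detector below is an added example, not code from these posts; it assumes raw 802.11 frames without a radiotap header, builds its own constructed sample frames, and flags any transmitter that sends more than DEAUTH_THRESHOLD deauth frames in one capture.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define DEAUTH_THRESHOLD 5   /* deauth frames from one transmitter before we flag it */
#define MAX_SOURCES 16       /* distinct transmitters tracked per capture */
/* 802.11 management header (no radiotap prefix): frame control (2), duration (2),
 * addr1 = receiver at offset 4, addr2 = transmitter at 10, addr3 = BSSID at 16. */
#define HDR_LEN 24
#define ADDR2_OFF 10
/* Deauthentication = management type 0, subtype 12, so the first frame-control
 * byte is exactly 0xC0; a 2-byte reason code follows the header. */
int is_deauth(const uint8_t *frame, size_t len) {
    return len >= HDR_LEN + 2 && frame[0] == 0xC0;
}
/* Build a sample deauth frame (constructed data, not from a real capture). */
size_t make_deauth(uint8_t *buf, const uint8_t *src, const uint8_t *dst, const uint8_t *bssid) {
    memset(buf, 0, HDR_LEN + 2);
    buf[0] = 0xC0;
    memcpy(buf + 4, dst, 6);
    memcpy(buf + ADDR2_OFF, src, 6);
    memcpy(buf + 16, bssid, 6);
    buf[HDR_LEN] = 7;                       /* reason 7: class 3 frame from non-associated station */
    return HDR_LEN + 2;
}
/* Tally deauth frames per transmitter over a capture and return how many transmitters
 * exceed DEAUTH_THRESHOLD; the first offender's MAC is copied to `offender` if non-NULL. */
int count_deauth_floods(const uint8_t *const *frames, const size_t *lens, size_t n, uint8_t offender[6]) {
    struct { uint8_t mac[6]; int count; } table[MAX_SOURCES];
    size_t used = 0;
    for (size_t i = 0; i < n; i++) {
        if (!is_deauth(frames[i], lens[i])) continue;
        const uint8_t *src = frames[i] + ADDR2_OFF;
        size_t j = 0;
        while (j < used && memcmp(table[j].mac, src, 6) != 0) j++;
        if (j == used) {                    /* first deauth seen from this transmitter */
            if (used == MAX_SOURCES) continue;
            memcpy(table[used].mac, src, 6);
            table[used++].count = 0;
        }
        table[j].count++;
    }
    int flagged = 0;
    for (size_t j = 0; j < used; j++) {
        if (table[j].count <= DEAUTH_THRESHOLD) continue;
        if (flagged == 0 && offender) memcpy(offender, table[j].mac, 6);
        flagged++;
    }
    return flagged;
}
```

A legitimate AP does send the occasional deauth, so the threshold is per capture window; feed it frames from a monitor-mode capture of the channel being watched.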

Abusing the Stack

Filed under Exploit Development

Once you have successfully developed a working exploit, you will soon realise that it is a lot simpler, and less of a black art, than people think.

To start with, a stack-based buffer overflow typically crashes the target application by overwriting the saved return address, which is loaded into EIP (the Extended Instruction Pointer), the register that points to the next instruction.

We first load up a simple Python-based fuzzer script and fuzz a free FTP server called FreeFloat FTP Server, hosted on a lab machine with the IP 192.168.72.129.

The program stops responding to our FTP requests once roughly 300 A's are sent as the argument to the USER command.

We then load the program into Immunity Debugger and replicate the crash, hoping it will tell us a little more about what happened. In this case the target application crashed because EIP had been completely overwritten with 41414141, which is four letter A's in hex (0x41 is ASCII 'A').

For simplicity's sake we export the target IP address and port as environment variables, so that the chance of entering the wrong target address is minimised.

We then use Metasploit's Pattern Create tool (pattern_create.rb), which generates a non-repeating string; sending it in place of the A's lets us identify the exact offset at which EIP is overwritten, which turns out to be 230.

We then modify our buffer to 230 A's followed by DEADBEEF as the value that overwrites EIP; the rest of the buffer lands on the stack where ESP now points. This means that if we instead overwrite EIP with the address of a JMP ESP instruction, execution will hopefully jump to ESP and run whatever we place there next.

We then send every remaining byte value (minus 00, as it would kill our TCP connection to the FTP server) and check which arrive intact, to identify any bad characters that must be kept out of our shellcode later on.

Metasploit is then opened with the console interface and we generate test shellcode that runs the Windows calculator, excluding the bad characters identified previously. As the payload is encoded, we had to add 8 NOPs to our buffer so that there was sufficient room for the payload to decode itself.

Once the test shellcode is added we run our exploit, which should crash the application once again but this time execute our code and open the Windows calculator; it worked as planned.

We go back to Metasploit and create a Windows reverse shell payload, again excluding the bad characters found, and write all the hex bytes to a file called shellcode, which we then open with gedit.

We then replace the test calculator payload with the first stage of our newly created staged Windows reverse shell payload to complete our exploit.

Then we set up a Metasploit handler listening on port 4444 for a staged Windows reverse shell and ran our exploit, which resulted in the target machine connecting back to our machine. As we chose a staged payload, our handler delivered stage 2, giving us a full reverse Windows command prompt and from then on full control over that session.
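The post does not show the server's source, so the following is an added illustration rather than FreeFloat FTP Server's code: a hypothetical USER-command handler with the unbounded stack copy that produces the 0x41414141 crash described above, next to the bounds-checked form that closes it. USER_MAX and build_probe are constructed for the example.

```c
#include <stddef.h>
#include <string.h>

#define USER_MAX 64   /* constructed buffer size; the post does not give the real server's */

/* Vulnerable pattern: the USER argument is copied into a fixed-size stack buffer
 * with no length check. Anything longer than USER_MAX runs past the buffer into
 * the saved frame pointer and return address, so a long run of 'A's leaves
 * 0x41414141 in EIP when the function returns, which is the crash the post sees
 * in Immunity Debugger. Kept for contrast; never call it with untrusted input. */
int handle_user_vulnerable(const char *arg) {
    char user[USER_MAX];
    strcpy(user, arg);                  /* unbounded copy: this is the overflow */
    return (int)strlen(user);           /* a real server would look the user up here */
}

/* Hardened form: measure first, reject what does not fit, then copy with an
 * explicit bound. The input can no longer reach the saved return address. */
int handle_user_fixed(const char *arg) {
    char user[USER_MAX];
    size_t n = strlen(arg);
    if (n == 0 || n >= USER_MAX) {
        return -1;                      /* answer "501 Syntax error" instead of copying */
    }
    memcpy(user, arg, n + 1);           /* n + 1 includes the terminating NUL */
    return (int)strlen(user);
}

/* Reproduce the post's fuzzer probe: a USER argument of `count` A's (constructed). */
size_t build_probe(char *buf, size_t buflen, size_t count) {
    if (count >= buflen) count = buflen - 1;
    memset(buf, 'A', count);
    buf[count] = '\0';
    return count;
}
```

The hardened handler turns the 300-byte probe into a rejected command instead of a crash; the vulnerable one is only ever called here with a short, well-formed name.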