Archive for January, 2011

 

script – alert(‘REDDIT’) – /script

Jan 04, 2011 in Security

There are a lot of sources to get exploit code, passwords, sensitive information, hacked sites, and etc.  I posted in the past about scraping pastebin.com [https://www.securepla.net/?p=173] to get valuable information… The downside is that pastebin now will block you if you make too many requests.  Luckily, http://pastebin.ca/ didn’t block the last time I checked (thank you Canadians).

While I was searching through reddit.com as I always do, I found a community called /r/xss.  It is the cross-site scripting community, where people just post their valid XSS findings.  I don’t really look for cross-site scripting anymore as it’s a boring finding that you pretty much find everywhere, but it does have potential to cause huge impacts.

Now a days, web developers are starting to get aware of XSS flaws and creating different mitigation, such as blacklisting certain characters that can be used in search fields.  So hackers have gone around and started encoding their XSS attacks.  Using everything from UTF-8, Long UTF-8, Hex, and so many more.  If you want to further your XSS needs, a great resource for XSS is from ha.ckers.org/xss.html. [http://ha.ckers.org/xss.html]

So now back to the scraping.  As I saw all the different real world XSS attacks listed under http://www.reddit.com/r/xss I was interested in looking at how other people were getting away with finding valid XSS.  So I quickly created a python script to grab the page and parse out the URLs including the XSS.  The only small issue I ran into was that trying to scrape the next 25 pages, because reddit used some sort of session type key.  I just created another regular expression to pull this data out and I was set.

In total, I was able to pull out about 500 XSS urls in about 1 minute.  This isn’t anything crazy, but it’s always good to see other encoded examples of XSS to put into your own toolkit.

I included the python script and you can use it at your will [reddit.py].  I have also included a small chunk of the XSS output right here [small_output.txt].  If you want the whole list, just run the script and you will have all 500+ XSS.

Special thanks goes out to reddit and if I took your XSS and want some karma, let me know.

-cheetz

Down the Rabbit Hole of IPv6

Jan 01, 2011 in Security

[SecurePlanet Wiki][SecurePlanet RSS Feed][SecurePlanet RSS Vulnerabilities]

IPv6 is nothing new, hell it has been around since 1998… but still it’s a mystery to many. So I started down the path of seeing the who, what, where, when and why of IPv6. We have the RFC located here: http://tools.ietf.org/html/rfc2460 but I wasn’t about to read the whole RFC just yet. So let us start with some of the basics and differences between IPv4 and IPv6.

IPv6 uses a 128-bit address, whereas IPv4 uses only 32 bits. The new address space supports 2^128 (about 3.4×10^38) addresses. This expansion provides considerable flexibility in allocating addresses and routing traffic. It also eliminates the primary need for network address translation (NAT), which gained widespread deployment as an effort to alleviate IPv4 address exhaustion. [http://en.wikipedia.org/wiki/IPv6]

On a 100 foot level, an IP for Google in IPv4 is 72.14.204.104 and in IPv6 it looks like 2001:4860:800f::63. The double colons represent consecutive zeros. From a packet header perspective, the differences between IPv4 and IPv6 header are quiet different. Differences include the fact that IPv6 contains it’s own version information, no header length (as it is fixed), no ID field, no checksum (accomplished in upper layers), no fragmentation layer, and no options (everything else is the same).

If you want to see a Wireshark output of IPv4: IPv4
If you want to see a Wireshark output of IPv6: IPv6

IPv6 also contains header extensions placed between the fixed header and the upper-layer protocol header:
Hop-by-Hop Options, Destination Options (before routing header), Routing, Fragment, Authentication Header (AH), Encapsulating Security Payload (ESP), Destination Options (before upper-layer header) [http://en.wikipedia.org/wiki/IPv6_packet].  Nevermind this for now.

After a quick walkthrough of IPv4/6, we can now try connecting through IPv6. There are a lot of different IPv4 to IPv6 tunnels and you can even get some of your ISPs to enable IPv6 for you. In this demonstration, we will be using Hurricane Electric’s IPv4/IPv6 tunnel. Goto: http://tunnelbroker.net/, create an account, put in your home IP and choose a tunnel. And now you’re in the IPv6 world.

Now in this case, my host system is Ubuntu, so I add my tunnel that I just created and create the interface to talk via IPv6:
$modprobe ipv6
$ip tunnel add he-ipv6 mode sit remote [tunnel IP] local [home ip] ttl 255
$ip link set he-ipv6 up
$ip addr add [ipv6 address] dev he-ipv6
$ip route add ::/0 dev he-ipv6
$ip -f inet6 addr

Once you have the tunnel setup, try going to: ipv6.google.com. If it works, you did it correctly!

If you want to find more IPv6 sites, you can go here: http://sixy.ch/ or http://www.sixxs.net/tools/gateway/

Now that your tunnel is setup, we can start doing a little testing. Here are some quick notes that I took while trying some basic IPv6 queries.

Ubuntu:
How to ping: #ping6 ipv6.google.com
How to do a lookup: #nslookup -type=AAAA ipv6.google.com
How to type a IPv6 IP address into a browser: http://[2001:4860:800f::67]/ (you have to keep the ‘[‘ and ‘]’ brackets)

Now getting into some fun stuff. Nmap [http://nmap.org/] has support for IPv6 using the “-6” switch. For example, this will run a scan of ports 1 through 10000, not ping the device, via IPv6 : nmap -PN -6 -p1-10000 ipv6.google.com

I started comparing results from different sites and noticed that the results were vastly different. Here are two examples from a little testing that I did. What this tells us is that there are potentially different/more services running on IPv6 than IPv4. A misconfigured network could allow potential for attack.

In terms of tools available other than nmap, THC (The Hacker’s Choice) has created a set of tools a few years ago for IPv6. Recently there have been a slew of updates and more supposedly to come: http://freeworld.thc.org/thc-ipv6/. For example, any windows box running IPv6 service can be crashed using the flood_router6 tool even if the host has the windows firewall enabled. OoOoO. Here is a lot of the tools provided with the IPv6 kit. At this point THC’s tools only run on 32bit architectures.

-parasite6: icmp neighbor solitication/advertisement spoofer, puts you as man-in-the-middle, same as ARP mitm (and parasite)
-alive6: an effective alive scanng, which will detect all systems listening to this address
-dnsdict6: parallized dns ipv6 dictionary bruteforcer
-fake_router6: announce yourself as a router on the network, with the highest priority
-redir6: redirect traffic to you intelligently (man-in-the-middle) with a clever icmp6 redirect spoofer
-toobig6: mtu decreaser with the same intelligence as redir6
-detect-new-ip6: detect new ip6 devices which join the network, you can run a script to automatically scan these systems etc.
-dos-new-ip6: detect new ip6 devices and tell them that their chosen IP collides on the network (DOS).
-trace6: very fast traceroute6 with supports ICMP6 echo request and TCP-SYN
-flood_router6: flood a target with random router advertisements
-flood_advertise6: flood a target with random neighbor advertisements
-exploit6: known ipv6 vulnerabilities to test against a target
-denial6: a collection of denial-of-service tests againsts a target
-fuzz_ip6: fuzzer for ipv6
-implementation6: performs various implementation checks on ipv6
-implementation6d: listen daemon for implementation6 to check behind a fw
-fake_mld6: announce yourself in a multicast group of your choice on the net
-fake_mld26: same but for MLDv2
-fake_mldrouter6: fake MLD router messages
-fake_mipv6: steal a mobile IP to yours if IPSEC is not needed for authentication
-fake_advertiser6: announce yourself on the network
-smurf6: local smurfer
-rsmurf6: remote smurfer, known to work only against linux at the moment
-sendpees6: a tool by willdamn(ad)gmail.com, which generates a neighbor solicitation requests with a lot of CGAs (crypto stuff 😉 to keep the CPU busy. nice.
-thcping6: sends a hand crafted ping6 packet

This was just a IPv6 primer and if time permits I’ll come up with an update to this.

For more information:
From the Recent 27C3 and from THC a great report on the IPv6 insecurities: www.youtube.com/watch?v=uzfyehmbkJE

-cheetz