So after having my Droid Bionic for a few months now I have decided to take the leap from rooting to roming. A quick definition on Rooting and Roming from the nice people over at droidlessons.com:

What is Rooting?

“Rooting” your device means obtaining “superuser” rights and permissions to your Android’s software. With these elevated user privileges, you gain the ability to load custom software (ROM’s), install custom themes, increase performance, increase battery life, and the ability to install software that would otherwise cost extra money (ex: WiFi tethering). Rooting is essentially “hacking” your Android device. In the iPhone world, this would be the equivalent to “Jailbreaking” your phone.

Custom Software (ROM’s)

You may have heard of people loading custom “ROM’s” on their devices. A “ROM” is the software that runs your device. It is stored in the “Read Only Memory” of your device. There are many great custom ROM’s available that can make your Android device look and perform drastically different.

After hanging around rootzwiki forum, listening to Droid Nation and Android App Addictspodcast I felt like I was ready to install my first custom  rom. My rom of choice was [K]IN3TX v1.0 some features about this rom:

• Latest BusyBox
• Superuser (Updated Binary)
  
• Battery Optimization
• Fully ROOTED
• SD Card Read tweaks
• Built Off of 5.8.894 OTA
  
• Advance Power Menu
• Scrollable Power Toggles in Pull Down
• FULL Custom UI
• PNG Optimization
• init.d Run Support

Just to name a few..

You can read the full posting about this rom over at the rootzwiki forum their you will also find the various downloads that you would need. However I will highlight a few steps I took:

• Root your device
• Install clockworkmod recovery 
• Install Titanium backup pro or MyBackup root (backup your apps and data)
• ***COPY THE ROM TO YOUR SD CARD***
• Boot into recovery mode with CWM while there do the following
• WIPE DATA/FACTORY RESET
• WIPE CACHE
• UNDER MOUNTS AND STORAGE, FORMAT SYSTEM
• UNDER ADVANCED, WIPE DALVIK
• INSTALL AND HAVE FUN!

After you are finish installing log-in setup your device, then you can boot back into CWM wipe your cache, and dalvik then install add-on or tpak of your choice, I installed the ICS tpak.

Now as anyone might expect the first time you are doing something like this you have to realize that you might make a mistake, but you can only hope it doesn’t hurt you too much. The mistake I made was that I copied the wrong add-on pack to my sdcard but not the base rom, and since I already wiped my system partition I was unable to reboot my phone into recovery mode after I copied the correct file via another device.

How I corrected this issue you might ask yourself, I had some help from my buddy Highlander-:  over at the Podnutz IRC chat room. He pointed me to a tool call RSDlite, which allowed me to flash my phone back to the stock rom and from there I followed the steps outlined above and all was well the second time around . You have got to love the power of the Internet and great communities.

Have fun roming and you can comment back and let me know which rom is your favorite. I have only tried one and I must say I absolutely love it!

Reference Links:

http://droidlessons.com/what-is-rooting-on-android-the-advantages-and-disadvantages/
http://forum.xda-developers.com/showthread.php?t=1348587

So as most of you might know by now the development team over at Fedora has release a new version of the ever popular Linux distribution; Fedora 15 code name “LoveLock”. This posting is not to get into too much details about the new version or various ways in which you can  install it or anything of the sort for that you can visit Fedora documentation wiki.

rpm --import https://fedoraproject.org/static/069C8460.txt

yum update yum
yum clean all
yum --releasever=15 --disableplugin=presto distro-sync

Problem #1

As simple as the above upgrade looked it didn’t turn out to be so simple for me, the upgrade processes kept failing and when it finally worked and I was prompted to reboot the system would hang at the logo.

If  I hit the ESC key during boot up I would notice that the system was hanging at  “Starting SYSV: Late init script for  live image, Started SYSV: Late init script for live image”.

At this point I know it was time to signup for the mailing list and visit freenode.net #fedora in search of an answer, but since it was a new release everyone else was also asking for help so I had to wait a bit.

I tried a few things but in the ended wiping out my Fedora 14 and installing Fedora 15. At that point I got a potential fix in a reply to my mailing list cry for help, the suggestion was to:

Log into single user mode  and removed all kmod packages, then installed akmod packages through command line.

Once my new install was finish I realized quickly that Gnome 3 was not the way to go on my Eee Netbook, I quickly had the following issues:

• Screen kept diming eventhough I chaged the power management  and other setting.
• My wireless connection strength dropped by about 50% even though I was in the same room with the AP, prior to that Fedora 15 I had near perfect signal.
• The entire windowing experience was too slow, and bulky looking for my Netbook, It was hard to work with two windows side by side.

In most cases port base filtering  is an all or none approach. For example if you want to block  a user from accessing a certain website, blocking that user’s access to port 80/443 outbound will stop them from accessing all websites not just that one. If you would like to get more granular then you would need some sort of  web content filtering systems.

Good news is, if you are still using iptables you are now able to filter traffic destined to sites such as Facebook, Twitter, Gmail etc. You can accomplish this by using iptables to block a given hex string that will appear in the initial packet handshake. I first saw this technique being discussed in a full-disclouser posting and I figured it was worth trying out.

The tools of choice here is Ngrep (Network Grep) and IPTables .

Step one: Capture the X.509 certificate

You will be doing this by using ngrep:

[infolookup@Test ~]# ngrep -d eth2 -q -x ‘Twitter’
interface: eth2 (10.100.0.0/255.255.255.128)
match: Twitter

You will then notice the following output in your terminal:

<snip>

T 199.59.148.11:443 -> 10.100.0.119:38414 [A]

1. 30 30 31 16 30 14 06 03    55 04 0a 14 0d 54 77 69    001.0…U….Twi
2. 74 74 65 72 2c 20 49 6e    63 2e 31 1c 30 1a 06 03    tter, Inc.1.0…
3. 55 04 0b 14 13 54 77 69    74 74 65 72 20 20 4f 70    U….Twitter  Op

</snip>

Step two: Creating your IPtable rule

You will be building your rule based on the hex string obtained above.

Prior to applying the rule I able to run the following command:

[infolookup@Test]$ curl –connect-timeout 60 https://www.twitter.com/
<!DOCTYPE HTML PUBLIC “-//IETF//DTD HTML 2.0//EN”>
<html><head>
<title>301 Moved Permanently</title>
</head><body><h1>Moved Permanently</h1>
<p>The document has moved <a href=”https://twitter.com/”>here</a>.</p>
</body></html>

IPtable rules to use:
http://pastebin.com/1HQD017A

sudo iptables -I INPUT -m string –algo bm –hex-string ‘|303031163014060355040a140d547769747465722c20496e632e311c301a060355040b141354776974|’ -j DROP

sudo iptables -I INPUT -m string –algo bm –hex-string ‘|303031163014060355040a140d547769747465722c20496e632e311c301a060355040b141354776974|’ -j LOG

The first rule will drop the connection to twitter and the second rule will log the entry. If you take a look at your /var/log/message you will see the following entry over and over:

Apr  7 00:05:11 Test kernel: [870656.036848] IN=eth2 OUT= MAC=00:50:56:b2:53:90:00:23:5e:a4:f2:bf:08:00 SRC=199.59.148.11 DST=10.100.0.119 LEN=1420 TOS=0×00 PREC=0×00 TTL=44 ID=58494 DF PROTO=TCP SPT=443 DPT=49542 WINDOW=23 RES=0×00 ACK URGP=0

Apr  7 00:05:19 Test kernel: [870664.675930] IN=eth2 OUT= MAC=00:50:56:b2:53:90:00:23:5e:a4:f2:bf:08:00 SRC=199.59.148.11 DST=10.100.0.119 LEN=1420 TOS=0×00 PREC=0×00 TTL=44 ID=58496 DF PROTO=TCP SPT=443 DPT=49542 WINDOW=23 RES=0×00 ACK URGP=0

If you try to access www.twitter.com you will get to the site, but when you try login the session will set there and just timeout.

[infolookup@Test]$ curl –connect-timeout 60 https://www.twitter.com/
curl: (35) SSL connect error

Note:

I was unable to use the following IPtable rule on a Ubuntu based system but it worked fine on my Fedora 14 test box. Also another thing to look out for is if you use too short of a hex string will will get an error the one I used was about 85 characters give or take.

Have fun filtering and post your comments about how you are currently using IPtables.

I  will be joining the guys over at the   Linux Basix podcast tonight and below are some of the things I intend to discuss.

Discussion Links:

1. 7 Best Network Security Linux Distributions (DoortoDoor): A list of special purpose distros [BackTrack, Network Security Toolkit(NST),Pentoo, nUbuntu(Network Ubuntu),Security Tools Distribution(STD),Helix,Damn Vulnerable Linux]. These distributions are mainly designed to perform network security tasks such as vulnerability assessment and penetration testing in order to prevent and monitor unauthorized entry, abuse, alteration, or denial of computer network resources. Since most of these distros are available as Live CDs, you could instantly try or use them without hard disk installation. Read more over at http://www.junauza.com/2011/01/network-security-linux-distros.html
   
2. Soundminer: A Stealthy and Context-AwareSound Trojan for Smartphones: Researchers have developed a low-profile Trojan horse program for Google’s Android mobile OS that steals data in a way that is unlikely to be detected by either a user or antivirus software. The malware, called Soundminer, monitors phone calls and records when a person, for example, says their credit card number or enters one on the phone’s keypad, according to the study.Using various analysis techniques, Soundminer trims the extraneous recorded information down to the most essential, such as the credit card number itself, and sends just that small bit of information back to the attacker over the network, the researchers said. Read more over at http://www.csoonline.com/article/656264/soundminer-android-malware-listens-then-steals-phone-data

Tech Segment: Password reset the hard way

Problem: I was tasked with retrieving or resetting the web login password to a Linux based custom build system, very similar to an appliance. I currently had limited shell access to the system however I was not certain if the password was stored in /etc/passwd or in some sort of database on the system.

**Before we begin just know that everything mentioned here will probably not work on a normal Ubuntu based system, the manufacture possibly used their know custom Kernel and other system tweaks.**

Commands used:

1. netstat – a command-line tool that displays network connections, routing tables, and a number of network interface statistics.
2. fuser – a command line tool to identify processes using files or sockets.
3. lsof – a command line tool to list open files under Linux / UNIX to report a list of all open files and the processes that opened them.
4. /proc/$pid/ file system – Under Linux /proc includes a directory for each running process (including kernel processes) at /proc/PID, containing information about that process, notably including the processes name that opened port.
5. uname- Print name of current system

Phase one “Getting to know the system”:

I started off with a few simple commands to try and identify what various of Linux was the system running:

uname -a (Verify what kernel version I was up against)

yum (To see if it was a Fedora based system)

apt-get (To see if it was an Ubuntu based system and it was)

cat /etc/issue (To check what flavor of Ubuntu, turned out it was “Ubuntu 8.04″)

Next I wanted to get Root access without resetting the Root account password. I figured this would prevent me from having to deal with any restrictions issues.

Created a user called testuser
user@host:~$ sudo adduser testuser

Edit the password file and changed UID and GID to that of root (testuser:x:0:0)
user@host:~$ sudo nano /etc/passwd

Then once  I logged in newly created testuser and I am automatically given root access.
user@host:~$ su – testuser

Since I know that the service I am interest is running on port 443, I will run  few  commands to get a better ideal of whats really going on with this port.

Netstat to view the connection stated and PID for the services running on port 443:

root@host:~# netstat -tulpn | grep 443

tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      5548/pound

To confirm the processes PID use the fuser command:

root@host:~# fuser 443/tcp
443/tcp:              5548  5549

To find out process name and working directory associated with PID # 5548, enter:

root@host:~# ls -l /proc/5548/exe
lrwxrwxrwx 1 root root 0 Jan 21 14:15 /proc/5548/exe -> /opt/pound/sbin/pound

root@host:~# ls -l /proc/5548/cwd
lrwxrwxrwx 1 root root 0 Jan 21 14:15 /proc/5548/cwd -> /opt/app_name/rails/ssl

Now I have an application name and working directory to go investigate. After further research I found out that Pound is a reverse-proxy load balancing server, and the config file showed me it was passing all connection on port 443 to another port on the same server.

I then used lsof to further investigate the newly discovered port:

root@host:# lsof -Pnl +M -i4
mongrel_r 5623      112    3u  IPv4  14528       TCP 127.0.0.1:3000 (LISTEN)

Then to find out the processes own:
root@host:# ps aux | grep 5623

app_user      5623  0.0  1.3  40048 28536 ?        Sl   14:14   0:02 /usr/bin/ruby1.8 /usr/bin/mongrel_rails start -d -e production -p 3000 -a 127.0.0.1 -P log/mongrel.3000.pid –user app_user –group app_name

A bit more research and I found out what mongrel_rails was. Mongrel is a fast HTTP library and server for Ruby that is intended for hosting Ruby web applications of any kind using plain HTTP rather than FastCGI or SCGI.

After poking around a bit more I notice the tie in with a postgres SQL server that I notice in a few earlier commands. Now on to the fun part!

Phase two “Modifying the system”:

Now that I have realized that the system has a database, and the user account is not location in the /etc/passwd file its time to access database identify the user account and make some modifications.

su – postgres to change to the postgres SQL user:
root@host:~# su – postgres

Launching PostgresSQL interactive terminal:
postgres@piab:~$ psql

List all the roles and Superusers :
postgres-# \du
List of roles
Role name | Superuser | Create role | Create DB | Connections | Member of
———–+———–+————-+———–+————-+———–
postgres  | yes       | yes         | yes       | no limit    |
App_User  | no        | no          | no        | no limit    |
(2 rows)

List all database on the system:

postgres=# \l
List of databases
Name    |  Owner   | Encoding
———–+———-+———-
postgres  | postgres | UTF8
App_Name  | postgres | UTF8

Connect to a database:
postgres=# \c App_Name

List of tables:
App_Name=# \dt

Schema |        Name        | Type  | Owner
——–+——————–+——-+——-
public | schema_info        | table | App_User
public | users              | table | App_User

Query table users:
select * from users;

Fields of interest to me were (id, login, email, password, salt_val,passwd_create,passwd_updated)

Now before I went any further I ensured to dump the DB using pg_dump and pg_dumpall
postgres@host:~$ pg_dump dbname > /tmp/dbname.out
postgres@host:~$ pg_dumpall > /tmp/db.out

At this point I had a few options:

• Try to reverse the password encryption and salting mechanism
• Try to find the code that handles the authentication and bypass that
• Get access to another box, create a password and copy that hash and encrypted value over to the DB on the other system.

Luckily for me I had access to another device so I  created a password there, and queried that DB and copied over the encrypted password and hash into notepad then used an insert statement to add to the values to the db along with a test user.

Connected back to the DB:
postgres=# \c App_Name

Insert new records:
INSERT INTO users (id,login,email,password,salt_val,created_at) values (’2′,’demo’,'demo@localhost’,’9abdgagf42324243240fdbd’,’8d5d6cd8fa6a0323jb3240988324′,’2006-12-05 21:15:32′);

Went back to the login portal https://ipaddress and bingo! Big shout out to byte_bucket over at irc.freenode.net #pauldotcom, he was very helpful in helping me work through this.

Additional reading:

http://www.cyberciti.biz/faq/what-process-has-open-linux-port/

http://linux.die.net/man/8/pound

http://linux.die.net/man/1/pg_dump

https://support.eapps.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=180

http://www.cyberciti.biz/faq/understanding-etcpasswd-file-format/

FWKNOP Tech Segment

In computer networking, port knocking is a method of externally opening ports on a firewall by generating a connection attempt on a set of prespecified closed ports. Once a correct sequence of connection attempts is received, the firewall rules are dynamically modified to allow the host which sent the connection attempts to connect over specific port(s). A variant called Single Packet Authorization exists, where only a single ‘knock’ is needed, consisting of an encrypted packet.[1

Single Packet Authorization

Single Packet Authorization (a form of Port Knocking), is a technique for securely communicating authentication and authorization information across closed firewall ports, usually with the goal of opening certain ports to allow temporary access. By keeping most or all ports closed on a server hosting remotely-accessible services, it is possible to make that host invisible to the outside, thus protecting each listening service.

fwknop stands for the “FireWall KNock OPerator”, and implements an authorization scheme called Single Packet Authorization (SPA).

Steps to take:

Install fwknop Server

pre-requisite for fwknop:
# apt-get install libgdbm-dev

Download and install fwknop(client and server)
# wget -c http://www.cipherdyne.org/fwknop/download/fwknop-2.0.0rc2.tar.gz
# tar -zxvf fwknop-2.0.0rc2.tar.gz
# ./configure
# make
# make install

Side note: If you get the following error while loading  “shared libraries: libfko.so.0: cannot open shared object file: no such file or directory” then you may need to create a symbolic link in the /usr/lib directory for the library file:

# cd /usr/lib
# ln -s /usr/local/lib/libfko.so.o.o.2 libfko.so.0

Config files:

Browse to –> /usr/local/etc/fwknop), you will see two files access.conf and fwknop.conf.

Edit the  fwknop.conf file, and  uncomment and set the options  for your interface “PCAP_INTF eth0″.

Next edit your access.conf file to allow access  based on your liking (users, port, key, etc).

A simple suitable config:

SOURCE: ANY;
KEY: P@$$W0r); //must be over 8 characters
REQUIRE_USERNAME: infolookup;
OPEN_PORTS: tcp/222;
FW_ACCESS_TIMEOUT: 30;

clear out your old IP rules and some default rules to drop all incoming traffic.

IP Tables rule:

#!/bin/sh
# Script to reset your iptable rules

# Load modules for  tracking and NAT
modprobe iptable_nat

# Initialize all the chains by removing all rules
iptables –flush
iptables -t nat –flush
iptables -t mangle –flush

# Delete any user-defined chains
iptables –delete-chain
iptables -t nat –delete-chain
iptables -t mangle –delete-chain

# Set default policies
iptables –policy INPUT DROP
iptables –policy OUTPUT ACCEPT
iptables –policy FORWARD DROP

# Accept all traffic on the loopback (lo) device
iptables -A INPUT -i lo -p all -j ACCEPT
iptables -A OUTPUT -o lo -p all -j ACCEPT

# log all incoming and forward traffic on eth0 device
#iptables -A INPUT -i eth0 -p all -j DROP
iptables -A INPUT -i eth0 -j LOG –log-prefix “DROP”
iptables -A FORWARD -i eth0 -j LOG –log-prefix “DROP”

# Accept internally-requested input
iptables -A INPUT -m state –state ESTABLISHED,RELATED -j ACCEPT

# Accept internally-requested forward
iptables -A FORWARD -m state –state ESTABLISHED,RELATED -j ACCEPT

# Accept user-specified traffic
iptables -A INPUT -p tcp –dport 80 -j ACCEPT
iptables -A INPUT -p udp –dport 53 -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward
echo “iptables policy enabled”

Start the server with –> # fwknopd -f -vv

Testing rules after configuration:

I tried to ssh to the Ubuntu server via my windows box which is IP 192.168.19.1 on port 22 and as you can see from the below image I was block and it was logged as expected:

Next I launched the windows client and typed in my configured information that was set-up during the config stage. Once you click “Send SPA” then try to login again via your SSH client within 30 secs and you should be able to now get in.

Additional reading:

http://www.cipherdyne.org/fwknop/

http://www.securitygeneration.com/single-packet-authorization/

http://aerokid240.blogspot.com/

http://www.cipherdyne.org/fwknop/download/ –> Windows client

About an hour or so ago I notice a posting on the Full Disclosure mailing list with a proof of concept code (PoC) that will allow a non-privileged user to gain Root access on a Linux system , below is a snippet from the comment section of the code that explains it.

–snip–

/*
* Linux Kernel <= 2.6.37 local privilege escalation
* by Dan Rosenberg
* @djrbliss on twitter
*
* Usage:
* gcc full-nelson.c -o full-nelson
* ./full-nelson
*
* This exploit leverages three vulnerabilities to get root, all of which were
* discovered by Nelson Elhage:
*
* CVE-2010-4258
* ————-
* This is the interesting one, and the reason I wrote this exploit.  If a
* thread is created via clone(2) using the CLONE_CHILD_CLEARTID flag, a NULL
* word will be written to a user-specified pointer when that thread exits.
* This write is done using put_user(), which ensures the provided destination
* resides in valid userspace by invoking access_ok().  However, Nelson
* discovered that when the kernel performs an address limit override via
* set_fs(KERNEL_DS) and the thread subsequently OOPSes (via BUG, page fault,
* etc.), this override is not reverted before calling put_user() in the exit
* path, allowing a user to write a NULL word to an arbitrary kernel address.
* Note that this issue requires an additional vulnerability to trigger.
*
* CVE-2010-3849
* ————-
* This is a NULL pointer dereference in the Econet protocol.  By itself, it’s
* fairly benign as a local denial-of-service.  It’s a perfect candidate to
* trigger the above issue, since it’s reachable via sock_no_sendpage(), which
* subsequently calls sendmsg under KERNEL_DS.
*
* CVE-2010-3850
* ————-
* I wouldn’t be able to reach the NULL pointer dereference and trigger the
* OOPS if users weren’t able to assign Econet addresses to arbitrary
* interfaces due to a missing capabilities check.
*
* In the interest of public safety, this exploit was specifically designed to
* be limited:
*
*  * The particular symbols I resolve are not exported on Slackware or Debian
*  * Red Hat does not support Econet by default
*  * CVE-2010-3849 and CVE-2010-3850 have both been patched by Ubuntu and
*    Debian
*
* However, the important issue, CVE-2010-4258, affects everyone, and it would
* be trivial to find an unpatched DoS under KERNEL_DS and write a slightly
* more sophisticated version of this that doesn’t have the roadblocks I put in
* to prevent abuse by script kiddies.
*
* Tested on unpatched Ubuntu 10.04 kernels, both x86 and x86-64.
*
* NOTE: the exploit process will deadlock and stay in a zombie state after you
* exit your root shell because the Econet thread OOPSes while holding the
* Econet mutex.  It wouldn’t be too hard to fix this up, but I didn’t bother.
*
* Greets to spender, taviso, stealth, pipacs, jono, kees, and bla
*/

Naturally I would feel incline to turn up a Linux VM to test this exploit, I decided to go with a fully patched Ubuntu 10.10 with kernel version 2.6.35-23-generic to start my testing however the exploit fail on this system. I then decided to go with a default install of Unbuntu 10.10 with Kernel version 2.6.35-22-generic and to my amazement it worked.

Steps taken:

Ensure that I have gcc isntalled since the exploit was written in C.

infolookup@ubuntu:/tmp/exploitpoc$ touch full-nelson.c

Once the file is created simply copy the PoC from http://pastebin.com/qKZp2Qic or from the original post
and paste it into your newly created file.

infolookup@ubuntu:/tmp/exploitpoc$ nano full-nelson.c

Next just execute it….

infolookup@ubuntu:/tmp/exploitpoc$ gcc full-nelson.c -o full-nelson

infolookup@ubuntu:/tmp/exploitpoc$ ./full-nelson.c

And as you can see from the image above “Got Root”!

I had this post queuing up for a while now but kept holding back waiting on the new version of Metasploit 3.5.0-dev, in addition each time I visited the Metasploit IRC room I would see Zate talking about some cool feature he is working on implementing.

Now on to the reason for this post, being a fan of both Metasploit and Nessus I was very happy when I saw a tweet a month or so back making mention of a project that would bring both of these wonderful tools together in a nice easy to use fashion. That project was labeled ” Nessus Bridge for Metasploit”. The basic goal behind this project was to  “allow you to do various tasks with your Nessus server, from within the msf command line.  By that I mean scan with Nessus, review the results, import the results and then exploit the results.” After reading those few lines form the project home page I was already sold.

What can you do with this plug-in or bridge you might ask?

The commands are broken up into the following categories below and are covered in details over at the http://blog.zate.org .

• Generic Commands
• Reports Commands
• Scan Commands
• Plugin Commands
• User Commands
• Policy Commands

A few prerequisites are needed before you can start hacking away:

• A host with Metasploit installed and configured (I recommend BackTrack 4)
• A host with a Nessus server installed and updated (I recommend you install on your BT4 host)
• A vulnerable host to test with (I recommend you download metasploitable)

Brief  demo section before I get into the interview:

MSF Console

Nessus Login Interface

1. First fire-up  both Metasploit and Nessus and run an update to ensure you have the latest signatures.
2. Login into Nessus and create your scanning policy
3. Close out your browser and prepare to have some fun CLI style!
   1. Load up the nessus module within msfconle with “load nessus”
   2. Next connect to your nessus server with “nessus_connect username:password@host:port ok”
   3. From this point on you can view all polices, perform a scan, import the rules and then use db_autopwn to seal the deal.
      Using nessus_policy_list and nessus_scan_new

   Import scan results with “nessus_report_get report id”

   db_autopwn

Now on to the Q & A  section with the Author:

Question: How did you get started on your Infosec journey, and also the blogging  sphere?

Answer: I started out as a Secure data communication guy for the Australian Army and then left to became a Lotus Notes/Web App guy, migrated over to a Solaris/Linux admin and then into Web App Sec and Threat/Vuln Management.  From there I became interested in pen testing, exploits and just generally how the attacker works/thinks.

Blogging is relatively new for me.  I am bad at it, and my blog came about really because I wanted to get some ideas down out of my head where others could see them.  I’ve not really done much in the way of blogging until the Nessus Plugin as I am bad about keeping up with it and finding things to talk about.  Always seemed to be something else
to do.  I think the plugin has given me something to start with and now I am queuing up posts for weeks ahead.

Q: What was your motivation behind this project?

A: Part of it was being envious of the cool integration that Nexpose has with Metasploit and most of it was being frustrated at having to move between interfaces to try and find things to exploit.  When I first started with Metasploit it was annoying to have these cool exploits to use but I struggled to find exploitable hosts.

I then did the offensivesecurity.com PwB v3 course and gained some knowledge on how to find things to exploit and then I did some playing around with importing nessus scans.  It was clunky and around the same time I was experimenting with putting a Drupal front end on Nessus. Part of that process was the discovery of a cool nessus-xmlrpc ruby library by k0st.

Everything kind of clicked together and I thought what if i could stick that library in Metasploit and talk directly to the my Nessus server and import the data right into Metasploit.  Some awkward talks about licenses later and HDM merged k0st’s library and my basic shell of a plugin.  (Big thanks to k0st for his hard work on the library which i used as a starting point)

Q: What advice would you give  a newcomer that would like start using this  bridge?

A: Test it out and send me (or Metasploit) bug reports/enhancement requests… hehe.  Full guide on using the plugin is up at http://blog.zate.org/2010/09/26/nessus-bridge-for-metasploit-intro/ . Don’t be shy, join #nessus or #metasploit on freenode and ask questions (I am in there as MrUrbanity or Zate).  Start with working with all the tools on one box (nessus, msf, database) and I find Ubuntu (native or vmware player) the best way to start.  Scan things (that you have permission to scan, or own) and play with it, see how it works.

Q: What tips would you give someone for maximizing the usefulness of this  bridge?

A: This plugin wont magically make your Nessus scans more accurate, you still have to tweak/tune them and honestly right now that is probably best done through the web interface for policy tuning.  Don’t expect to scan a class C and have it import easily, big reports are a pain right now (streaming parser coming soon).  Ideally the way to use this is scan, examine, import, pwn.  It’s not a replacement for knowing about exploits and vulnerabilities, you will still need to do some work .

Q: Why did you choose Metasploit above other application/frameworks to incorporate this  functionality?

A: I don’t think there is another offensive exploitation tool out there with the same power and flexibility to allow it’s end users to join in the fun and submit modifications.  It’s one thing to do a RFE (Request for Enhancement) and another entirely to code that enhancement and submit it to be included in the tool.  I think the combination of free msf and a free (or cheap) nessus scanner is pretty powerful for a security guy trying hard to keep his network running securely.  Also ruby is just a joy to code in.

Q: On a personal note, how did you get your handle?

A: I tend to go by MrUrbanity a lot and Urbanity means polite/refined/quiet which depending on who you ask is either me, or not me.  I’m a pretty calm guy, takes quite a bit to offend or upset me so the name kind of fit.

Q: If someone wants to assist you with this project what’s the best approach?Couple of ways.  Email me (zate75 [at] gmail.com) or find me on IRC (freenode in #metasploit and #nessus) or head to http://github.com/Zate/Nessus-Bridge-for-Metasploit – fork it, hack it and submit a pull request for me to include your changes.  I then submit a diff to msfdev about once a week (or when I have significant changes).

A: You can also help me out a great deal by grabbing the code off github and running it and then reporting any bugs or features back to github. Why github and not the metasploit site?  Mainly to not annoy the msfdevs.  This way I can tweak/hack/commit as often as I need to and not impact their work on msf.  I can then just submit working code
when I need it included in msf.

A big thank you to Zate a.k.a MrUrbanity for letting me interview and most importantly for making such a contribution to the community.

Show notes for Linux Basix podcast:

Discussion Links:

News: http://www.wired.com/threatlevel/2010/09/zeus-botnet-ring/

Bye Bye Bios: New PCs could start in just seconds, thanks to an update to one of the oldest parts of desktop computers.The upgrade will spell the end for the 25-year-old PC start-up software known as Bios that initialises a machine so its operating system can get going.

The code was not intended to live nearly this long, and adapting it to modern PCs is one reason they take as long as they do to warm up. Bios’ replacement, known as UEFI, will predominate in new PCs by 2011.The acronym stands for Unified Extensible Firmware Interface and is designed to be more flexible than its venerable predecessor.

News: http://www.wired.com/gadgetlab/2010/09/data-collection-android/

Data collection Andriod:Something as simple as changing your Android phone’s wallpaper or downloading a ringtone could transmit personal data about you, including your location, without your knowledge.

Sound farfetched? It’s not: About 15 of 30 randomly selected, popular, free Android apps sent sent users’ private information to remote advertising servers and two-thirds of the apps handled data in ambiguous
ways, say researchers.

News: http://www.informationweek.com/news/government/security/showArticle.jhtml?articleID=227500797

DHS Launches Cyber Attack Exercise:For three or four days this week, the Internet will come under a virtual attack from an unknown adversary, and it will be up to the government and private sector’s coordinated efforts to root out the cause and work together to keep systems up and running — at least within the simulated confines of the Department of Homeland Security’s Cyber Storm III exercise, which begins Tuesday.

The Cyber Storm series of exercises simulates large cyber attacks on critical infrastructure and government IT assets in order to test the government’s preparedness. Specifically, this year’s exercise will be the first time DHS will test both the draft National Cyber Incident Response Plan (an effort to provide a coordinated response to major cybersecurity incidents) that will be publicly released later this year and the new National Cybersecurity and Communications Integration Center (the hub of DHS’ cybersecurity coordination efforts).

Tech segment: “Nessus Bridge for Metasploit ”

The idea for this segment and a future blog post that I will be releasing tomorrow with an interview from the author,came about from a posting I saw on twitter this week. After reading the author’s site I said to myself this is some “prety cool stuff”

Basic Idea:

The general concept is to allow you to do various tasks with your Nessus server, from within the msf command line.  By that I mean scan with Nessus, review the results, import the results and then exploit the results.

Below is the current and future list of feature that the author is currently developing:

Checkout his blog and keep an eye on this project –> http://blog.zate.org

What do you need to start testing:

• A host with Metasploit installed and configured (I recommend BackTrack 4)
• A host with a Nessus server installed and updated (I recommend you install on your BT4 host)
• A vulnerable host to test with (I recommend you download metasploitable)

Once you have the above criteria met, log into your Nessus server via the web interface and create your test policy. From this point onwards you can log-out of your server and close your web browser.

Next do the following:

1-  Load up your Metasploit console via /pentest/exploit/framework3/msfconsole
2-  Ensure you have the most updated version “svn up”
3-  Load the nessus module  “load nessus”
4- Connect to your nessus server with “nessus_connect user@myhost:8834 ok”
5-  Next start your first scan with “nessus_scan_new <policy id> <scan name> <targets>”
6-  While running you can issues “nessus_scan_status” to view when its completed
7-  Next you can need to get your report ID with the following command “nessus_report_list”
8-  Create db workspace and import scanned results “db_connect” then “nessus_report_get <report id>”
9- Choose a report ID number and use the following to view the details so you can see if your host has any high risk vulnerability to exploit with MSF “nessus_report_hosts <report id>” .

From here on you can issue the db_autopwn commands and have fun:

Usage: db_autopwn [options]
-h          Display this help text
-t          Show all matching exploit modules
-x          Select modules based on vulnerability references
-p          Select modules based on open ports
-e          Launch exploits against all matched targets
-r          Use a reverse connect shell
-b          Use a bind shell on a random port (default)
-q          Disable exploit module output
-R  [rank]  Only run modules with a minimal rank
-I  [range] Only exploit hosts inside this range
-X  [range] Always exclude hosts inside this range
-PI [range] Only exploit hosts with these ports open
-PX [range] Always exclude hosts with these ports open
-m  [regex] Only run modules whose name matches the regex
-T  [secs]  Maximum runtime for any exploit in seconds

Go out and have some fun,and look for my follow-up post tomorrow.

What is Ncrack?

Taken from the author’s site…

Ncrack is a high-speed network authentication cracking tool. It was built to help companies secure their networks by proactively testing all their hosts and networking devices for poor passwords. Security professionals also rely on Ncrack when auditing their clients. Ncrack was designed using a modular approach, a command-line syntax similar to Nmap and a dynamic engine that can adapt its behavior based on network feedback. It allows for rapid, yet reliable large-scale auditing of multiple hosts.

Ncrack’s features include a very flexible interface granting the user full control of network operations, allowing for very sophisticated brute-forcing attacks, timing templates for ease of use, run-time interaction similar to Nmap’s and many more.

Ncrack was started as a “Google Summer of Code” Project in 2009. While it is already useful for some purposes, it is still unfinished, alpha quality software. It is released as a standalone tool and can be downloaded from the section below. Be sure to read the Ncrack man page to fully understand Ncrack usage.

Modules

Ncrack’s architecture is modular with each module corresponding to one particular service or protocol. Currently, Ncrack supports the protocols FTP, TELNET, SSH and HTTP(S) (basic authentication). Below we describe some key points for each of them.

FTP Module

FTP authentication is quite fast, since there is very little protocol negotiation overhead. Most FTP daemons allow 3 to 6 authentication attempts but usually impose a certain delay before replying with the results of a failed attempt. Filezilla is one of the most characteristic examples of this case, where the time delay is so great, that it is usually faster to open more connections against it, with each of them doing only 1 authentication per connection.

TELNET Module

Telnet daemons have been largely substituted by their safer ‘counterpart’ of SSH. However, there are many boxes, mainly routers or printers, that still rely on Telnet for remote access. Usually these are also easier to crack, since default passwords for them are publicly known. The drawback is that telnet is a rather slow protocol, so you shouldn’t be expecting really high rates against it.

SSH Module

SSH is one of the most prevalent protocols in today’s networks. For this reason, a special library, named opensshlib and based on code from OpenSSH, was specifically build and tailored for Ncrack’s needs. Opensshlib ships in with Ncrack, so SSH support comes out of the box. OpenSSL will have to be installed in Unix systems though. Windows OpenSSL dlls are included in Ncrack, so Windows users shouldn’t be worrying about it at all.

SSH brute-forcing holds many pitfalls and challenges, and you are well advised to read a paper that was written to explain them. The latest version of the “Hacking the OpenSSH library for Ncrack” document can be found under docs/openssh_library.txt or at http://sock-raw.org/papers/openssh_library

HTTP(S) Module

The HTTP Module currently supports basic authentication only, however additional methods will be added soon. Ncrack tries to use the “Keepalive” HTTP option, whenever possible, which leads to really high speeds, since that allows dozens of attempts to be carried out per connection. The HTTP module can also be called over SSL.

SMB Module

The SMB module currently works over raw TCP. NetBIOS isn’t supported yet. This protocol allows for high parallelization, so users could potentially increase the number of concurrent probes against it. SMB is frequently used for file-sharing among other things and is one of the most ubiquitous protocols, being present in both Unix and Windows environments.

RDP Module

RDP (Remote Desktop Protocol) is a proprietary protocol developed by Microsoft for the purpose of providing remote terminal services by transferring graphics display information from the remote computer to the user and transporting input commands from the user to the remote computer. Fortunately, Microsoft recently decided to open the protocol’s internal workings to the public and has provided official documentation, which can be found at http://msdn.microsoft.com/en-us/library/cc240445%28v=PROT.10%29.aspx

RDP is one of the most complex protocols, requiring the exchange of many packets, even for just the authentication phase. For this reason, cracking it takes a lot of time and this is probably the slowest module. The connection phase is briefly described at http://msdn.microsoft.com/en-us/library/cc240452%28v=PROT.10%29.aspx where you can also see a diagram of the various packets involved. Care must be taken against RDP servers in Windows XP versions, since they can’t handle multiple connections at the same time. It is advised to use a very slow timing template or even better limit the maximum parallel connections using timing options such as CL (Connection Limit) or cd (connection delay) against Windows XP (and relevant) RDP servers. Windows Vista and above don’t suffer from the same limitation.

POP3(S) Module

POP3 support is still experimental and hasn’t been thoroughly tested. You can expect it to work against common mail servers, nevertheless.

Installation and Basic usage:

Once you have download the latest version from the Ncrack website, the installation process is as follows:

tar -xzf ncrack-0.3ALPHA.tar.gz
cd ncrack-0.3ALPHA
./configure
make
su root
make install

Or download the development svn:

svn co –username guest –password “” svn://svn.insecure.org/ncrack

Before you attempt to start  using this tool its recommended that you first read the Manual, either online or issue “man ncrack”, from your console.

Quick Examples:

I first fired up nmap and ran it against a Lexmark network printer.

infolookup@TestSrvr:~# nmap -A 172.29.19.85

Starting Nmap 5.35DC1 ( http://nmap.org ) at 2010-09-22 22:26 EDT
Nmap scan report for rnp92a8d6.localhost (172.29.19.85)
Host is up (0.00020s latency).
Not shown: 992 closed ports
PORT     STATE SERVICE    VERSION
21/tcp   open  ftp        Lanier LP125cx/LP126cn ftpd 4.15.1
|_ftp-bounce: bounce working!
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
23/tcp   open  tcpwrapped
80/tcp   open  http       Ricoh Aficio printer web image monitor (Web-Server httpd 3.0)
|_html-title: Web Image Monitor
|_http-methods: No Allow or Public header in OPTIONS response (status code 501)
139/tcp  open  tcpwrapped
514/tcp  open  login      Aficio/NRG/Ricoh printer logind
515/tcp  open  printer    lpd (error: Illegal service request)
631/tcp  open  ipp        NRG copier or Ricoh Aficio printer (Embedded Web-Server 3.0)
9100/tcp open  jetdirect?
MAC Address: 00:00:23:92:G8:F1 (Ricoh Company)
Device type: printer
Running: Ricoh embedded, Savin embedded
OS details: Ricoh Aficio 3045/3245C multifunction printer, Savin 8025e multifunction printer
Network Distance: 1 hop
Service Info: Device: printer

Now that we have our open ports  we can now  feed them to ncrack to test if we have any weak passwords. As you can see from the below command I am using NCrack to look for weak authentication via Telnet, FTP, HTTP. You can either specify the port number, the service name or both.

infolookup@TestSrvr:~# ncrack -v –log-errors /tmp/ncrack.txt  172.29.19.85 -p telnet,ftp:21,http

Starting Ncrack 0.3ALPHA ( http://ncrack.org ) at 2010-09-22 22:41 EDT

Failed to resolve given hostname/IP: . Note that you can’t use ‘/mask’ AND ’1-4,7,100-’ style IP ranges
http://172.29.19.85:80 finished.
Discovered credentials on ftp://172.29.19.85:21 ‘root’ ’123456′
Discovered credentials on ftp://172.29.19.85:21 ‘administrator’ ’123456′
Discovered credentials on ftp://172.29.19.85:21 ‘guest’ ’123456′
Discovered credentials on ftp://172.29.19.85:21 ‘info’ ’123456′
Discovered credentials on ftp://172.29.19.85:21 ‘security’ ’123456′
Discovered credentials on ftp://172.29.19.85:21 ‘support’ ’123456′
Discovered credentials on ftp://172.29.19.85:21 ‘abuse’ ’123456′
Discovered credentials on ftp://172.29.19.85:21 ‘admin’ ’123456′
Discovered credentials on ftp://172.29.19.85:21 ‘postmaster’ ’123456′
Discovered credentials on ftp://172.29.19.85:21 ‘lists’ ’123456′
caught SIGINT signal, cleaning up
Saved current session state at: /root/.ncrack/restore.2010-09-22_22-42

We can conclude from the above test that our FTP service was mis-configured because we left “Anonymous FTP login ” turned on. Our Nmap scan shown us this and we were able to confirm it, since every possible login via FTP was granted access.

Now this was just a basic test, however you can do much more like stop and restart your session, specify your own username and password list, and much more. If you don’t have a good password list visit –>  SkullSecurity , and I must end by saying ” for an Alpha release I am very impressed”, and I cant wait to see what the future has to offer for this program.

Reference links:

http://nmap.org/ncrack/man.html

Today’s post will serve as a sort of show notes for the Linux Basix podcast that I will be a guest on tonight.

Discussion Links:

1. SET v0.7 aka “Swagger Wagon” new release, I did a blog posting on the 14th highlighting SET, and I am mentioning it here again because I think it worth taking a look at this program. For anyone not familiar with the Social-Engineer Toolkit (SET), it’s specifically designed to perform advanced attacks against the human element. SET was designed to be released with the http://www.social-engineer.org launch and has quickly became a standard tool in a penetration testers arsenal. The group also had a Social Engineering Capture the Flag competition at”Defcon 18″ and the have finally release the full report http://www.social-engineer.org/resources/sectf/Social-Engineer_CTF_Report.pdf
   
2. A report was published detailing the exploits of a former Google engineer who allegedly used his internal clearances to access private Gmail and GTalk accounts so that he could spy on and harass people, including four minors, read more over at http://techcrunch.com/2010/09/14/google-engineer-spying-fired/. Now this brings me back to a similar point I made a while back, we have to stop putting all our truth in the cloud-base services because we never know if or how much the are violating our privacy.
3. Second time’s a charm “Linux Kernel 0-day bug”, on the 16th I did a quick new bulletin post highlighting a serious Linux vulnerability. The vulnerability was found in a component of the operating system that translates values from 64 bits to 32 bits (and vice versa) was fixed once before – in 2007 with the release of  kernel version 2.6.22.7. But several months later, developers inadvertently rolled back the change, once again leaving the OS open to attacks that allow unprivileged users to gain full root access, Read the complete article over at The Register..
   
4. Is Stuxnet the ‘best’ malware ever? Even though this is not Linux related issue, I know a lot of us fix our friends and family computers and its always good to keep-up on new malware threads. The Stuxnet worm is a “groundbreaking” piece of malware so devious in its use of unpatched vulnerabilities, so sophisticated in its multipronged approach, that the security researchers who tore it apart believe it may be the work of state-backed professionals. They work for the two security companies that discovered that Stuxnet exploited not just one zero-day Windows bug but four — an unprecedented number for a single piece of malware, read full article over at computerworld.com.
   
5. Tunneling SSH over HTTP(S), Not much to talk about this one but I think it’s pretty cool and you should give it a try, I know I will. –> http://dag.wieers.com/howto/ssh-http-tunneling/

Tech Segment: Building your test lab

During this segment I i will be discussing what I have been up too for the last  few days and thats rebuilding my home network so I can  have more that just a laptop to perform my various testing.

Equipment used in lab:

• HP DL 380 G4 server with 6 drives (2X75, 4X150) with ESXi installed.
• Cisco 3500 switch
• Cisco 2621 router
• Verizon FIOS Wifi router.
• PFsense FW

OS currently installed:

• FreeBSD
• Ubuntu server
• Snorby IDS

Router config:

RT01#sh run
Building configuration…

Current configuration : 1202 bytes
!
version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname RT01
!
enable secret 5 10g1n\//\/
enable password 7 10g1n\//\/
!
ip subnet-zero
!
interface FastEthernet0/0
no ip address
speed 100
full-duplex
!
interface FastEthernet0/0.30
encapsulation dot1Q 30
ip address 10.29.19.1 255.255.255.0
!
interface FastEthernet0/0.40
encapsulation dot1Q 40
ip address 10.29.20.1 255.255.255.0
!
interface FastEthernet0/0.50
encapsulation dot1Q 50
ip address 10.29.21.1 255.255.255.0
!
interface Serial0/0
no ip address
shutdown
!
interface FastEthernet0/1
description Transit-to-FW
ip address 172.1.1.2 255.255.255.252
duplex auto
speed auto
!
interface FastEthernet0/1.10
encapsulation dot1Q 10
!
router rip
version 2
network 172.0.0.0
network 10.29.0.0
no auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.1.1.1
no ip http server
!
line con 0
password 7 10g1n\//\/
login
line aux 0
line vty 0 2
password 7 10g1n\//\/
login
line vty 3 4
password 7 10g1n\//\/
login
!
end

Switch Config:

SW01#sh run
Building configuration…

Current configuration:
!
! No configuration change since last restart
!
version 12.0
no service pad
service timestamps debug uptime
service timestamps log datetime msec
service password-encryption
!
hostname SW01
!
enable password 7 10g1n\//\/
!
username infolookup password 7 10g1n\//\/
!
ip subnet-zero
no ip domain-lookup
!
interface FastEthernet0/1
description Uplink-to-Verizon
switchport access vlan 10
spanning-tree portfast
!
interface FastEthernet0/2
description Firewall-OUT-interface
switchport access vlan 10
spanning-tree portfast
!
interface FastEthernet0/3
description Firewall Inside-Transit
switchport access vlan 11
!
interface FastEthernet0/4
description Link to Router  – Fa0/1
duplex full
switchport access vlan 11
!
interface FastEthernet0/5
!
interface FastEthernet0/18
!
interface FastEthernet0/19
switchport access vlan 30
spanning-tree portfast
!
interface FastEthernet0/20
description Inside-workstation
switchport access vlan 40
spanning-tree portfast
!
interface FastEthernet0/33
description ESX Host
duplex full
speed 100
switchport trunk encapsulation dot1q
switchport trunk native vlan 30
switchport trunk allowed vlan 1,30,40,50,1002-1005
switchport mode trunk
!
interface FastEthernet0/34
!
interface FastEthernet0/35
description ESXi Host-Mgmnt
duplex full
speed 100
switchport access vlan 40
spanning-tree portfast
!
interface FastEthernet0/36
!
interface FastEthernet0/48
duplex full
speed 100
switchport trunk encapsulation dot1q
switchport trunk native vlan 30
switchport trunk allowed vlan 1,30,40,50,1002-1005
switchport mode trunk
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface VLAN1
no ip address
no ip directed-broadcast
no ip route-cache
shutdown
!
interface VLAN30
ip address 10.29.19.10 255.255.255.0
no ip directed-broadcast
no ip route-cache
!
interface VLAN100
no ip directed-broadcast
no ip route-cache
shutdown
!
ip default-gateway 10.29.19.1
!
line con 0
exec-timeout 0 0
password 7 10g1n\//\/
login local
transport input none
stopbits 1
line vty 0 4
password 7 10g1n\//\/
login local
line vty 5 15
no login
!
ntp clock-period 11259018
ntp server 153.16.4.130
end

PFsense Config:

• Configured port forwarding, you can do this via the interface or be editing /config/config.xml
  • Forward to my FreeBSD box
  • Configured my dynamic DNS  host (free of course)
  • Forward my VMware ESX connection over SSH
  • Configured Snort to send logs to Snorby

Links:

• http://www.pfsense.org/
• http://snorby.org/
• http://www.securityjokes.com/2010/04/pfsense-remote-logging-and-snorby.html
• http://www.freebsd.org/
• http://www.cisco.com/en/US/tech/tk389/tk689/technologies_configuration_example09186a008009478e.shtml