Archive for July, 2010

h1

Basic Windows Exploit….

July 30, 2010

Compiling and Debugging Windows Programs
Development tools are not included with Windows, but that doesn’t mean you need to spend $1,000 for Visual Studio to experiment with exploit writing. You can download for free the same compiler and debugger Microsoft bundles with Visual Studio .NET 2003 Professional.

In this writing , I’ll show you how to initially set up your Windows exploit workstation.

Compiling on Windows
The Microsoft C/C  Optimizing Compiler and Linker are available for free from http://
msdn.microsoft.com/vstudio/express/visualc/default.aspx. After a 32MB download and a
straightforward install, you’ll have a Start menu link to the Visual C++ 2005 Express Edition.

Click the shortcut to launch a command prompt with its environment configured for compiling code. To test it out, let’s start with the meet.c and then exploited in Linux . Type in the example or copy it from the Linux machine .

C:\wakrin>type hello.c
//hello.c
#include <stdio.h>
main ( ) {
printf(“Hello haxor”);
}
The Windows compiler is cl.exe. Passing the compiler the name of the source file will

generate hello.exe. Compiling is simply the process of turning human-readable source code into machine-readable binary files that can be  digested by the computer and executed.

C:\wakrin>cl hello.c
Microsoft (R) 32-bit C/C++ Optimizing Compiler Version 14.00.50727.42 for 80×86
Copyright (C) Microsoft Corporation. All rights reserved.
hello.c
Microsoft (R) Incremental Linker Version 8.00.50727.42
Copyright (C) Microsoft Corporation. All rights reserved.
/out:hello.exe
hello.obj
C:\wakrin>hello.exe
Hello haxor
Pretty simple, eh? Let’s move on to build the program we’ll be exploiting later.

Create meet.c  using cl.exe.
C:\wakrin>type meet.c
//meet.c
#include <stdio.h>
greeting(char *temp1, char *temp2) {
char name[400];
strcpy(name, temp2);
printf(“Hello %s %s\n”, temp1, name);
}
main(int argc, char *argv[]){
greeting(argv[1], argv[2]);
printf(“Bye %s %s\n”, argv[1], argv[2]);
}
C:\wakrin>cl meet.c
Microsoft (R) 32-bit C/C++ Optimizing Compiler Version 14.00.50727.42 for 80×86
Copyright (C) Microsoft Corporation. All rights reserved.
meet.c
Microsoft (R) Incremental Linker Version 8.00.50727.42
Copyright (C) Microsoft Corporation. All rights reserved.
/out:meet.exe
meet.obj
C:\wakrin>meet.exe Mr. Haxor
Hello Mr. Haxor
Bye Mr. Haxor

Well , thats a very simple coding for writing exploits in windows. I’ll be explaining later in my blog on how to compile and debug using a windows console. Till then . have a pleasent weekend….

p/s: Some new tools had been released in this year Black Hat 2010 Conference. Others will be released today in Defcon 18. I’ll be reviewing those tools and some topic regarding both of the conference.

Advertisements
h1

The Nmap Scripting Engine (NSE)…

July 29, 2010

The Nmap Scripting Engine extends the results of an Nmap port scan. It combines the Lua programming language, a library of network functions, and the results provided by other parts of Nmap to give more information about network hosts and their open ports.

There are standard scripts that grab SSH host keys or SSL certificates, discover the remote date and time, check for weak passwords and unpatched vulnerabilites, and much more.

While started, Nmap loads the scripts (all of the available in the repository if “-sC” is given on the command line, or only the given ones via “–script=<scriptname>”). The script is parsed and if a portrule is present, saved in the porttests table with a portrule key and file closure value. Otherwise, if the script has a hostrule, it is saved in the hosttests table in the same manner. During the scan, a thread is created for each of the matching script-target combinations. More details about how scripts are implemented are available here.

Each thread contains detailed information such as the runlevel, target, port (if a porttest), host and port tables, and the script type (service or host script). The value returned by the “action” block will be printed in the Nmap output below the port:

Starting Nmap ( http://nmap.org )
Interesting ports on flog (127.0.0.1):
PORT     STATE SERVICE
80/tcp   open  http
|_ Script output

Nmap done: 1 IP address (1 host up) scanned in 0.50 seconds

Now, a few words about writing rules and documentation. You have to follow some basic rules. All Nmap scripts must start with description variables (the “header”):

description     = "This is a simple nmap script"
author          = "Khairul Azrin B Azman
license         = "See http://nmap.org/book/man-legal.html"
categories      = { "default", "discovery", "safe" }
runlevel       = 1.0

The most important is categories. It describes the script behavior and can be a mix of the following keywords: auth, default, discovery, external, intrusive, malware, safe, version, and vuln. Check out the online documentation for a full description of each category.

If you check your <installprefix>/share/nmap/scripts directory you will find a lot of scripts ready to be used.

NSE is supposed to be versatile, with these NSE functions:-

Network discovery
This is Nmap’s bread and butter. Examples include looking up whois data based on the target domain, querying ARIN, RIPE, or APNIC for the target IP to determine ownership, performing identd lookups on open ports, SNMP queries, and listing available NFS/SMB/RPC shares and services.

More sophisticated version detection
The Nmap version detection system (Chapter 7, Service and Application Version Detection) is able to recognize thousands of different services through its probe and regular expression signature based matching system, but it cannot recognize everything. For example, identifying the Skype v2 service requires two independent probes, which version detection isn’t flexible enough to handle. Nmap could also recognize more SNMP services if it tried a few hundred different community names by brute force. Neither of these tasks are well suited to traditional Nmap version detection, but both are easily accomplished with NSE. For these reasons, version detection now calls NSE by default to handle some tricky services. This is described in the section called “Version Detection Using NSE”.

Vulnerability detection
When a new vulnerability is discovered, you often want to scan your networks quickly to identify vulnerable systems before the bad guys do. While Nmap isn’t a comprehensive vulnerability scanner, NSE is powerful enough to handle even demanding vulnerability checks. Many vulnerability detection scripts are already available and we plan to distribute more as they are written.

Backdoor detection
Many attackers and some automated worms leave backdoors to enable later reentry. Some of these can be detected by Nmap’s regular expression based version detection. For example, within hours of the MyDoom worm hitting the Internet, Jay Moran posted an Nmap version detection probe and signature so that others could quickly scan their networks for MyDoom infections. NSE is needed to reliably detect more complex worms and backdoors.

Vulnerability exploitation
As a general scripting language, NSE can even be used to exploit vulnerabilities rather than just find them. The capability to add custom exploit scripts may be valuable for some people (particularly penetration testers), though we aren’t planning to turn Nmap into an exploitation framework such as Metasploit.

Nmap Scripting Engine (NSE) has been one of the hottest topic that are discussed in this year Defcon and Black Hat.

h1

Fuzzing – Brute Force Vulnerability Discovery….

July 23, 2010

Fuzzing is a method for discovering faults in software by providing unexpected input and monitoring for exceptions. It is typically an automated or semiautomated process that involves repeatedly manipulating and supplying data to target software for processing . All fuzzers fall into one of two categories: mutation-based fuzzers, which apply mutations on existing data samples to create test cases , and generation-based fuzzers, which create test cases from scratch by modelling the target protocol or file format.

Most fuzzer developers will find themselves creating tools from scratch as evident in the abundance of fuzzer script already available for public consumption. Fortunately , many tools and libraries can help you during the design and implementation phase of your fuzzer. These are the tools and libraries:-

1. Ethereal/Wireshark.

2. LIBDASM and LIBDISASM.

3. LIBNET/LIBNET NT

4. Metro Packet Library.

5. PTrace.

6. Python Extensions.

Fuzzing has evolved into one of today’s most effective approaches to test software security. To “fuzz”, you attach a program’s input to a source of random data , and then systematically identify the failure that arise. Hackers have relied on fuzzing for years.

If you all wanna know other tools that we can use to fuzzing , here’s are the website link:-

http://fuzzing.org

h1

System Penetration With Metasploit Framework…version 3.4.0….

July 5, 2010

“The Metasploit Framework is a platform for writing, testing, and using exploit code. The primary users of the Framework are professionals performing penetration testing, shellcode development, and vulnerability research.”

The MSF is not only an environment for exploit development but also a platform for launching exploits on real-world applications. It is packaged with real exploits that can provide real damage if not used professionally. The MSF is an open-source tool and the fact that it provides a simplified method for launching dangerous attacks, has attracted wannabe hackers and script kiddies. I will however, demonstrate the power of the Metasploit Framework in a controlled environment for the purpose of showing the capability of this product.

Operating System: Slackware Linux (BackTrack)

Software:  BackTrack Security Live  CD Version: 2.0 (released March 6, 2007)

Source: http://www.remote-exploit.org/

Description:

BackTrack 2 is a bootable Live CD that consists of over 300 security related tools packaged into one customized distribution based on Slackware. Because it is a Live CD, the OS environment is loaded into memory and therefore leaving the hard drive untouched.

Software:  Metasploit Framework Version: 3.0

Source:  Included within BackTrack Security Live

CD or via http://www.metasploit.com/

Software Exploitation attacks have become very common because the amount of damage they can cause. In our attack methodology, I am simply showing the effects of the attack by having the Victim to explicitly navigate to the malicious URL. However, sophisticated attacks require more work, such that we need to persuade the Victim to the malicious URL. We can use Man-in-the-middle attacks to re-direct traffic (if the attacker is local on the Network) or send an e-mail with a URL that looks innocent using HTML.

All in all, this information is for educational purposes. Using Metasploit to launch attacks without any knowledge of what is happening are for script kiddies can get someone in big trouble!