
Archive for May, 2010

Successful Freelance with iGlobal

Tuesday, May 18th, 2010

The time finally came for me in life to sink or swim. After bidding on many freelance projects, I was finally awarded my first one from a company called iGlobal. They couldn’t give me a whole lot of technical details about what needed to be done, except that they needed an application of theirs modified that was written in Java. The modification was to create an XML file and send it off to another server. This all sounds simple on the surface; however, once I got into the project, as I suspected, it was not just a Java application. The application was a Java servlet. All I was provided with was source code. I noticed the structure of the code was made for Eclipse, so I imported the project. After resolving the dependencies, though, this source code wouldn’t compile on my machine. After hours of trying to get the JSP pages to work correctly in the Jetty servlet container I was using, I gave up on that idea. I loaded the application up into a Tomcat container like it was running on their live site, and the application seemed to work. I then remembered that NetBeans has a Tomcat server built into the package if you download it off their website. NetBeans’ tools for debugging and syntax highlighting Java servlets are also superior to Eclipse’s. NetBeans can do things like syntax highlight JSPs, and the debugger works when you place breakpoints on pages. After I got the application working, something still was not right. Again I looked to iGlobal’s servers to see how their application was set up. Turns out they are using mod_proxy for Apache to redirect some of their traffic, and I was missing some of the HTML, JavaScript, and image files that the servlet was loading. The page was now displaying correctly, but I still couldn’t get the application to work. After digging around and pulling hair out, it turns out all the links for their application were hard-coded to point to their domain name.
The easiest way I solved this problem was to just add an entry to my /etc/hosts file to point their domain name to my local IP address (127.0.0.1). With that, everything came together nicely; I was able to debug their code by placing breakpoints, and I got the job done for them. Of course, in this business everyone needs everything yesterday, especially these guys, who were waiting for this so they could open up a large account. So I delivered this solution to them in 27 hours flat. They seemed very happy with my work, saying:

“Jon, you rock. You can expect some excellent feedback from us on oDesk. Thanks again.”

I would like to say thank you to iGlobal! It was a pleasure doing business with you, and I hope that your company prospers! They were great to work with and gave me all the help they could.

Aircrack for the Android?

Sunday, May 16th, 2010

Porting aircrack to Android-based phones is possible, but not plausible. Recently I noticed that the Android platform is still up and coming and that there are not a lot of security tools for it yet. This past Thursday I had a great idea, so I took the day and invested some of my time into seeing if it would be a good venture to port aircrack to my Motorola Droid. I wanted to know if it would be possible to port aircrack to Android-based phones and make the interface look similar to SpoonWEP. In this article, I will talk about why it is possible, but not plausible.

The first thing I actually looked into was SpoonWEP, which is available on BackTrack 3. Since SpoonWEP was written in Java, I figured maybe it would be an easy port to Android-based phones. After decompiling SpoonWEP with my favorite Java decompiler (Jad), I saw that all SpoonWEP consisted of was a Java GUI designed to use the command line to call aircrack.

Porting aircrack into Java code would probably not be that bad of a transition. The Android API includes packages like android.net.wifi and java.net.Socket, which could be used for messing with the data link layer. The task that would really be a pain, though, is writing the driver for the Broadcom BCM4329 chipset that Android-based phones such as the Motorola Droid use. A new driver would probably have to be developed in order for the chip to support packet injection (if it is even possible). I found out the model of the chipset in my Motorola Droid through Cyanogen, a third-party firmware for Android-based phones. Even if one could write this driver, one would most likely have to root their phone in order to install it properly. Otherwise they would probably end up violating the terms of service for users when they went to install the application from the Android Market.

The vision of this tool was to sell it off as a tool for security auditors. They could pay 10 bucks and download an app that would crack any WEP-encrypted router they wanted to test, right from their phone. Getting users to root their phone, or requiring users to break their terms of service to install the application, would probably not go over so well. Anyway, if anyone else out there wants to give this project a shot, be my guest. I am just publishing my results for the sake of research.

Pwn2Own 2010

Thursday, May 13th, 2010

I just read today that a couple of months ago TippingPoint held their annual hacking competition, Pwn2Own. With $100,000 and more in prizes, well, I understand why people are in this business. Even those who didn’t get to submit their results in the competition still received the opportunity to sell their exploits to TippingPoint for thousands if not tens of thousands of dollars. Of course, you have to be amongst the most elite reversers in the world to be able to figure out exploits for these vulnerabilities, so I imagine you are not competing for these prizes against a whole lot of people. Pwn2Own is probably another contest I will add to my list of contests I would like to participate in in the future. I say future because I lack the knowledge right now to reverse binaries, but I am slowly learning this invaluable skill. I am sorry if you are reading this and you say, “Dantevios, why are you pestering me with this old news? Especially when you offer no new insight into it?” Well, sorry, readers, but I am using this blog to keep track of events for my own sake as well, so there are going to be some boring entries you won’t want to read, such as this one.

Offensive Security’s How Strong is your FU Participation

Tuesday, May 11th, 2010

Last Saturday, May 8th, I participated in Offensive Security’s How Strong is your FU? hacking tournament. Now I am going to post the results of how I went about hacking the n00b filter.

The first obstacle to actually hacking the n00b filter was actually getting into the game. Many people who signed up for this tournament did not get the emails with their password to enter the tournament until an hour or so after the competition started. If you had no life and had time to social engineer, instead of waiting you could have joined the #offsec channel on freenode.net, and they would have pointed you to the #hsiyf channel for the competition. There the admins could have manually set you up to enter the tournament. This is actually how I entered the tournament.

When I finally got the instructions on which servers to attack (there were only two, and they were identical), I did what most people do: nmap it and see what operating system it is running and what services it has. The results looked like this:

1/tcp     open   tcpmux?
3/tcp     open   compressnet?
4/tcp     open   unknown
6/tcp     open   tcpwrapped
7/tcp     open   tcpwrapped
9/tcp     open   tcpwrapped
13/tcp    open   tcpwrapped
17/tcp    open   tcpwrapped
19/tcp    open   tcpwrapped
20/tcp    open   tcpwrapped
21/tcp    open   tcpwrapped
22/tcp    open   tcpwrapped
23/tcp    open   tcpwrapped
24/tcp    open   tcpwrapped
25/tcp    open   tcpwrapped
26/tcp    open   tcpwrapped
30/tcp    open   tcpwrapped
32/tcp    open   tcpwrapped
33/tcp    open   tcpwrapped
37/tcp    open   tcpwrapped
42/tcp    open   tcpwrapped
43/tcp    open   tcpwrapped
49/tcp    open   tcpwrapped

Etc., etc. of tcpwrapped ports. When I chopped up this output and grepped for open ports, I got:

1/tcp     open   tcpmux?
3/tcp     open   compressnet?
4/tcp     open   unknown
80/tcp    open   http?
110/tcp   open   pop3
1723/tcp  open   pptp?
2701/tcp  open   sms-rcinfo?
2702/tcp  open   sms-xfer?
5666/tcp  open   nrpe?
6788/tcp  open   unknown
7921/tcp  open   unknown
7938/tcp  open   lgtomapper?
8021/tcp  open   ftp-proxy?
9100/tcp  open   jetdirect?
9101/tcp  open   jetdirect?
9102/tcp  open   jetdirect?
9103/tcp  open   jetdirect?

They obviously had some kind of tarpit running that was spoofing a whole bunch of fake services, because if I tried to connect to any of these with netcat to fingerprint them, they would not respond and would time out.
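Chopping up the scan and grepping the way described above can be done a little more carefully with a small parser. The block below is an added example, not part of the original post: it reads nmap’s normal-format port table, drops the tcpwrapped entries, keeps track of which service names nmap only guessed (the trailing “?”), and tallies how much of the host is tarpit noise. The scan lines embedded in it are constructed in the same layout as the ones above; they are not output from the tournament hosts.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in the layout nmap prints for a -sV scan. It is not
# output from the tournament hosts, just a few lines shaped like them.
SAMPLE_SCAN = """\
PORT      STATE  SERVICE
1/tcp     open   tcpmux?
3/tcp     open   compressnet?
4/tcp     open   unknown
6/tcp     open   tcpwrapped
7/tcp     open   tcpwrapped
9/tcp     open   tcpwrapped
80/tcp    open   http?
110/tcp   open   pop3
443/tcp   closed https
1723/tcp  open   pptp?
"""

# "80/tcp    open   http?"  ->  port, proto, state, service
LINE_RE = re.compile(r"^\s*(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


@dataclass(frozen=True)
class PortRecord:
    port: int
    proto: str
    state: str
    service: str     # service name with nmap's trailing "?" removed
    confirmed: bool  # False when nmap printed "name?" (guessed from the port number only)


def parse_scan(text: str) -> List[PortRecord]:
    """Parse the port table of a normal-format nmap scan into records."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, blank line, host summary, etc.
        port, proto, state, service = m.groups()
        confirmed = not service.endswith("?")
        records.append(PortRecord(int(port), proto, state, service.rstrip("?"), confirmed))
    return records


def interesting_ports(records: List[PortRecord]) -> List[PortRecord]:
    """Keep open ports whose service is anything other than 'tcpwrapped'.

    nmap reports 'tcpwrapped' when the TCP handshake completes but the peer
    closes the connection without sending a byte, which is exactly what a
    tarpit (or TCP Wrappers denying the client) produces.
    """
    return [r for r in records if r.state == "open" and r.service != "tcpwrapped"]


def tarpit_summary(records: List[PortRecord]) -> Dict[str, int]:
    """Count open vs. tcpwrapped ports; a high tcpwrapped share flags a tarpit or honeypot."""
    open_recs = [r for r in records if r.state == "open"]
    wrapped = sum(1 for r in open_recs if r.service == "tcpwrapped")
    return {"open": len(open_recs), "tcpwrapped": wrapped, "real_candidates": len(open_recs) - wrapped}


if __name__ == "__main__":
    recs = parse_scan(SAMPLE_SCAN)
    for r in interesting_ports(recs):
        flag = "" if r.confirmed else " (unconfirmed)"
        print(f"{r.port}/{r.proto} {r.service}{flag}")
    print(tarpit_summary(recs))
```

The `confirmed` flag matters for the next step: a service printed as `http?` or `pptp?` was named from the port number alone, so it deserves a manual banner check before anything is concluded about it, while a bare `pop3` means nmap’s probes actually got a recognisable reply.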

They also spoofed all the operating system signatures and it looked ugly:

Running (JUST GUESSING) : 3Com embedded (86%), Dell embedded (86%), Samsung embedded (86%), Xerox embedded (86%), Bay Networks embedded (85%)
Aggressive OS guesses: 3Com SuperStack 3 Switch 4300, Dell PowerEdge 2650 remote access controller, Samsung ML-2571N or 6555N printer, or Xerox Phaser 3125N printer (86%), Dell 1815dn printer (86%), Bay Networks BayStack 450 switch (software version 3.1.0.22) (85%), Bay Networks BayStack 450 switch (software version 4.2.0.16) (85%)
No exact OS matches for host (test conditions non-ideal).
Service Info: OS: Windows

The only port that appeared to be open was port 80. When I visited it I arrived at this puzzle:

When I clicked the submit button, I was given this message:

Pretty humorous. When I tried entering a single quotation mark in the user field, I received the message “HAHAHA!” on a blank white page. There were a few hours where I was wandering around in the dark trying various things like making shell scripts to automatically fingerprint ports I found on the machine and see if any other ports would respond, using p0f to try to passively fingerprint the operating system to see if I could find a vulnerability, trying XSS injections, and manually fuzzing the variables of the web application to see if I could make it overflow. p0f actually said the OS was Tru64. Apache error messages said the OS was Fedora (I think it was most likely a Fedora box). After hitting a bunch of dead ends, I decided to revisit the “HAHAHA!” message and check the source code. I noticed an advertisement in the source for Applicure. Turns out Applicure makes a product called dotDefender, which was running on the server we had to attack and preventing the SQL injection. I spent a while over-thinking how to hack dotDefender and even debated downloading it, setting it up in a virtual machine, and fuzzing it for buffer overflows. Then a Google search revealed the missing piece of the puzzle: the dotDefender exploit.

With this exploit I tried to log into the /dotDefender/index.cgi script. It was in a password-protected .htaccess directory, so I tried looking through the manuals on Applicure’s website, and they said the password was the same as the username. The .htaccess script told me the username was admin, so I assumed the password was admin. For a long time there was a lot of confusion, because there was talk in the #hsiyf channel that people kept changing the passwords in the .htaccess file somehow. I knew we weren’t supposed to run automated tools, but I had heard of people using hydra, so I just hurled a dictionary attack at the dotDefender password prompt. While social engineering some of the other contestants who were fed up with the lag problems with the dotDefender application, someone told me the login was admin/password. When I tried to log into the application it would lag like hell. I waited literally 10 minutes for a response from the HTTP server, and at the same time the admins were constantly reverting their VMs to snapshots. One time I did actually make it through, and I was very close to getting to the n00bSecret.txt file that was needed to move on to phase 2. Here is a screenshot of me using the dotDefender exploit:

I was so close to getting to phase 2. All I had to do was successfully execute a few commands like find / -name n00bSecret.txt. But every single time I actually got onto the application I received a message like this:

Someone later told me (who went through the pain of waiting 10 minutes for each HTTP response) that they successfully managed to find n00bSecret.txt in /opt/<some random directory string>/n00bSecret.txt. With that, they printed it out to the web app using “cat /opt/<some random directory string>/n00bSecret.txt”, as I suggested to them. I decided not to continue the tournament anymore because of the lag.

I talked with the admin known as muts about the lag on the dotDefender application. He claims (in a private message) that there was an Intrusion Prevention System (IPS) and that I was tripping it (which was causing my lag issues). No other person I talked to who entered phase 2 found a way to not trip this IPS (if there even was one that people were tripping in this way). They all seemed to use Burp Suite to modify the POST data for the dotDefender exploit I posted earlier in this blog entry. After all, it couldn’t possibly be that 100s of people trying to log on to a remote management application (that wasn’t intended to be used by multiple users) and executing shell commands on the box could cause the lag I was experiencing, right (*sarcasm*)? We will see what Offensive Security has to say if they ever post the solutions to their vulnerabilities like they said they would:

Dialogue from #hsiyf (May 8th):

07:32 < Abo3abd> @muts, can you please share ths solutions after end the tournament?
07:32 <@ryujin> we will Abo3abd
07:33 < Abo3abd> Thanks a lot :)

Critique:

I’d like to thank the folks at Offensive Security for hosting this tournament. It was a lot of fun. They did a great job at designing a neat little game for us all to play. The two biggest suggestions that I have been hearing for next time though are (1) please let us start at the same time instead of relying on SMTP to email people their passwords and (2) don’t use vulnerable software that is too laggy for people to exploit.

Nucleus CMS DIR_LIBS Vulnerability

Tuesday, May 11th, 2010

So I just rolled out my new website today, and in shopping for content management systems (CMSs) there are 3 things I always look for:

  1. Is the CMS secure?
  2. Can I apply my own theme/template easily to the website?
  3. Does the CMS have a good editing system to insert new content?

I saw this awesome theme for Nucleus CMS called Terminal, but when I looked at this security vulnerability in Nucleus (that was published just last month on Exploit-DB), found here: http://www.exploit-db.com/exploits/12241, I was turned off by Nucleus CMS. Basically, the way they use their DIR_LIBS variable, they shot themselves in the foot and have allowed users to back up and access files on their hard disk by inserting ../../../whatever/path/you/want/textfile.txt. Seems harmless, right? So what if you’re running Apache as root (dumb to do, yes) and you do something like ../../etc/shadow and download the shadow file for someone’s Linux box? Are you going to let someone dump the MD5 hashes for your account, crack the password for your username, and log into your box via SSH? Well, I’m not about to do that. I thought about applying to be a developer and applying a patch for this bug, but I needed to get a website up fast. Thus, sadly, I went with WordPress with this nice kuublack theme.
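The DIR_LIBS problem above is a path traversal bug: a base directory is joined with attacker-controlled input and nothing checks where the result lands. The block below is an added example and not Nucleus code (Nucleus is written in PHP; the same pattern is shown here in Python so it runs stand-alone). It puts the unsafe join next to a checked one that normalises the path, refuses anything that resolves outside the base directory, rejects embedded NUL bytes, and only accepts the file extension an include directory should serve. The DIR_LIBS value and the file names are constructed for the demo and are not Nucleus’s real layout.

```python
import posixpath
from typing import Iterable, Optional
from urllib.parse import unquote

# Constructed stand-in for the directory a CMS expects library includes to
# live under (Nucleus's DIR_LIBS setting); not the project's real path.
DIR_LIBS = "/var/www/nucleus/libs"


def naive_join(base: str, requested: str) -> str:
    """The unsafe pattern: base + user input, with no check on where it ends up.

    Returns the path the operating system would actually open. Excess ".."
    segments are clamped at "/", so one more than needed still lands in /etc.
    """
    return posixpath.normpath(posixpath.join(base, unquote(requested)))


def safe_join(base: str, requested: str,
              allowed_suffixes: Iterable[str] = (".php",)) -> Optional[str]:
    """Return an absolute path inside `base`, or None if the request escapes it.

    Decoding happens once, before normalisation, so %2e%2e/ is caught just
    like a literal ../ would be.
    """
    decoded = unquote(requested)
    if "\x00" in decoded:
        return None  # embedded NUL: C-level file APIs would truncate the path
    base_abs = posixpath.normpath(posixpath.join("/", base))
    # Strip leading slashes so an absolute request is treated as relative to base.
    candidate = posixpath.normpath(posixpath.join(base_abs, decoded.lstrip("/")))
    if candidate != base_abs and not candidate.startswith(base_abs + "/"):
        return None  # resolved outside the library directory
    suffixes = tuple(allowed_suffixes)
    if suffixes and not candidate.endswith(suffixes):
        return None  # an include directory should only ever hand out .php
    return candidate


if __name__ == "__main__":
    payload = "../../../../etc/shadow"
    print("naive:", naive_join(DIR_LIBS, payload))   # /etc/shadow
    print("safe: ", safe_join(DIR_LIBS, payload))    # None
    print("safe: ", safe_join(DIR_LIBS, "shared/helper.php"))
```

The check compares the *normalised* candidate against the base, not the raw string, so `shared/../helper.php` is still accepted (it stays inside the directory) while any number of `..` segments that climb past the base are refused. On a real deployment `os.path.realpath` would be used instead of `posixpath.normpath` so that symlinks inside the libs directory cannot point back out of it.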