Tuesday, June 23, 2009

BackTrack4 Pre-Release

I have just grabbed a copy of the latest release of BackTrack4 and it's gotta be the best yet. It works perfectly in a Parallels VM and will soon be making its way onto my hacktop.



From the start of July, each week I'll be picking a tool from the distribution and digging down into it to hopefully demonstrate the usage and possible scenarios where the tool may be employed.

This is something I have been meaning to do for quite a while and now with the new release upon us it seems like the perfect chance. I know I'll certainly benefit from becoming familiar with these tools and maybe someone else will get something from my posts as well.

Syn

Wednesday, June 10, 2009

An Accidental Google Hack

Whilst looking at the security of a web application today I was able to extract the usernames and passwords using SQL Injection, which was nice. Well, being a bit of a newbie, after I got the passwords I was confused about the encoding/encryption. I managed to figure it out by using the encoding page on Clez.net and by encoding/decoding one of the passwords that I knew the cleartext of (my test account). It was using Base64, reversed. I also noticed that many of the passwords were =Qmcvd3czFGc, which decoded to password (after reversing it).
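As an added illustration (my own code, not part of the original post), here is the reversed-Base64 scheme the post describes undone in Python, checked against the exact string from the post, alongside what the application should have stored instead: a salted, iterated PBKDF2 hash, which cannot be reversed by a trick like this. The PBKDF2 iteration count and the storage format are my assumptions, not anything the post mentions.

```python
import base64
import binascii
import hashlib
import hmac
import os

# The stored value quoted in the post: Base64 of "password", written backwards.
STORED_FROM_POST = "=Qmcvd3czFGc"


def decode_reversed_base64(stored):
    """Undo the scheme: reverse the string, then Base64-decode it."""
    forward = stored[::-1]  # "cGFzc3dvcmQ="
    return base64.b64decode(forward, validate=True).decode("utf-8")


def encode_reversed_base64(cleartext):
    """Re-create a stored value from cleartext, the way the post confirmed the
    scheme against a test account whose password was already known."""
    return base64.b64encode(cleartext.encode("utf-8")).decode("ascii")[::-1]


def looks_like_reversed_base64(value):
    """Heuristic for spotting the scheme in a dump: any '=' padding sits at the
    front of the stored value, and the reversed string decodes cleanly."""
    forward = value[::-1]
    if len(forward) % 4 != 0 or forward.startswith("="):
        return False
    try:
        base64.b64decode(forward, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


# What the application should have stored instead: a salted, iterated hash.
# Assumption: the iteration count is a modern work factor, not from the post.
PBKDF2_ITERATIONS = 200_000


def hash_password(cleartext, salt=None):
    """Return a self-describing record: algorithm$iterations$salt$digest (hex)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", cleartext.encode("utf-8"),
                                 salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(cleartext, stored):
    """Recompute with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", cleartext.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    print(decode_reversed_base64(STORED_FROM_POST))   # password
    record = hash_password("password")
    print(record, verify_password("password", record))
```

The point of the contrast: a reversible encoding such as reversed Base64 gives an attacker every cleartext the moment the table leaks, whereas a salted PBKDF2 record forces a per-account brute force and, because each salt differs, two users with the same password no longer share the same stored value (the post's "many of the passwords were =Qmcvd3czFGc" observation is exactly what salting prevents).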


Now the accidental bit.

My friend Bob got to hear of this and decided to Google the reversed Base64 string "=Qmcvd3czFGc". He got a few hits, but the first result was really interesting.



It seems his first hit returned email addresses, login names and weird strings that might be reversed Base64-encoded passwords (he'll look into that later, I imagine).

Then Bob put his Google Fu to work. Seeing that the site had some interesting details available to just about anyone he wondered just how much Google had indexed.

site:yimwhan.com filetype:txt intext:password



Oh dear... within seconds Bob found a password. Surely it was old and probably not active anymore?



Well we all know Bob, his curiosity gets the better of him.




Bob just couldn't help himself, could he!

I think this clearly demonstrates that anything you send can and probably will be picked up by Google and someone like Bob might just stumble across it at some time in the future. It might be an idea to think before you post!


UPDATE:

I have also posted this on the Bob Stories Site.

Sunday, June 7, 2009

Get Your Hacking Videos Here!

Well not here as in the SynJunkie blog but here, as in the Learn Security Online site. The guys over at LSO have revamped the site and it's looking pretty sweet.



Whenever I have a few minutes spare I love to watch how some of the experts out there attack systems and use the tools that projects such as BackTrack and Metasploit make available to us. Or if I am learning something new it's great to see a demonstration of a tool or process. So the guys over at LSO have done all the hard work for us and linked to them all. As well as all of their own videos there are links to over 80 non-LSO videos.

So if you want to see how the experts perform SQL Injection or run the latest Metasploit exploits then check out the video section at Learn Security Online.

Thursday, June 4, 2009

Getting Closer to God with Privilege Escalation

Whilst assessing vulnerabilities in the PC build I have, I found the following. Now, I always get pissed off when I hear people rattle on about the AT command and using that to get a SYSTEM shell. In my experience, after XP SP2 you’re required to be an admin to run AT, so what’s the point really?

So rather than just focussing on holes in the Microsoft system, where frankly I'm not really talented enough to find much, I decided to look at the configuration and implementation. In my opinion I would have much better luck looking for mistakes made by people who were not necessarily trying to secure a system but rather trying to get a system to work.

In this post I'll focus on a common mistake made by the guys who build the system, one which allows a standard user to escalate to full system privileges.


Looking at Services

It would be nice to use WMIC to look for services that start automatically and run from a directory that I can write to:

wmic service get name,startmode,pathname | find /i "auto"

However, when trying to run WMIC I get an error telling me that I need to be a member of the Administrators group. I could just go to Services.msc, but this means that I have to go through each service to get the path to the executable. A better tool I found for this is MSInfo32.exe.



As can be seen in the screenshot, I can quickly scan down the auto-started services for ones with paths that I can write to. I also need the service to be running under an account with some decent privileges.
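The scan the post does by eye in MSInfo32 is the check a build reviewer should run on every image before it ships. The script below is an added example of that audit in Python; it is my code, not the post's or any project's. It takes the table printed by the post's own `wmic service get name,startmode,pathname` command (a constructed sample is embedded so it runs anywhere, and on Windows it tries the live command first, falling back to the sample where wmic is locked to administrators as the post describes), extracts the executable from each auto-start service's PathName, and probes whether the current user can create a file in that directory. The service names, paths and the "svcaudit-" probe prefix are made up; the service account (StartName) check the post also mentions is left for a second pass.

```python
import ntpath
import re
import subprocess
import sys
import tempfile

# Constructed sample in the shape `wmic service get name,startmode,pathname`
# prints (wmic orders the columns alphabetically: Name, PathName, StartMode).
# Service names and paths are invented for the example.
SAMPLE_WMIC_OUTPUT = r"""
Name       PathName                                                StartMode
Spooler    C:\WINDOWS\system32\spoolsv.exe                         Auto
winvnc4    "C:\Program Files\RealVNC\VNC4\winvnc4.exe" -service    Auto
Updater    C:\Tools\Updater\agent.exe /svc                         Manual
"""

START_MODES = ("Boot", "System", "Auto", "Manual", "Disabled")
# Anchor on the start mode at the right-hand end so the parser does not
# depend on wmic's column widths (PathName can be arbitrarily long).
ROW_RE = re.compile(r"^(\S+)\s+(.*?)\s+(" + "|".join(START_MODES) + r")\s*$")


def parse_wmic_services(text):
    """Turn the wmic table into (name, pathname, startmode) tuples."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.rstrip())
        if m and m.group(1) != "Name":
            rows.append(m.groups())
    return rows


def executable_from_pathname(pathname):
    """Extract the binary a service actually runs from its PathName.
    A quoted path ends at the closing quote; an unquoted one is taken up to
    the first space (an unquoted path that itself contains spaces is a
    separate misconfiguration worth flagging on its own)."""
    pathname = pathname.strip()
    if pathname.startswith('"'):
        return pathname[1:pathname.index('"', 1)]
    return pathname.split(" ", 1)[0]


def directory_is_writable(directory):
    """Probe by actually creating (and removing) a file: unlike os.access,
    this honours Windows ACLs because it exercises the current token."""
    try:
        with tempfile.NamedTemporaryFile(dir=directory, prefix="svcaudit-"):
            pass
        return True
    except OSError:  # PermissionError, FileNotFoundError, ...
        return False


def find_writable_autostart_services(text, probe=directory_is_writable):
    """Return [(service, directory)] for auto-start services whose binary
    lives in a directory the probe reports as writable."""
    findings = []
    for name, pathname, startmode in parse_wmic_services(text):
        if startmode != "Auto":
            continue
        # ntpath handles Windows paths correctly even when run on another OS.
        exe_dir = ntpath.dirname(executable_from_pathname(pathname))
        if probe(exe_dir):
            findings.append((name, exe_dir))
    return findings


def load_service_table():
    """Use the live wmic table on Windows; fall back to the sample otherwise
    or where wmic is restricted to administrators."""
    if sys.platform == "win32":
        try:
            return subprocess.run(
                ["wmic", "service", "get", "name,startmode,pathname"],
                capture_output=True, text=True, check=True).stdout
        except (OSError, subprocess.CalledProcessError):
            pass
    return SAMPLE_WMIC_OUTPUT


if __name__ == "__main__":
    for name, exe_dir in find_writable_autostart_services(load_service_table()):
        print(f"WRITABLE auto-start service directory: {name} -> {exe_dir}")
```

Anything this prints is a service whose binary an unprivileged user could replace, which is precisely the condition the post exploits; the fix is to correct the directory ACL (or relocate the binary under Program Files with default permissions) rather than to rely on the service account.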

OK, VNC looks pretty good.

I go to the directory that VNC runs from and rename the executable. I copy Taskmgr.exe from System32 to the VNC directory and rename it as the VNC executable.



After a restart I see that I have no VNC in the system tray, so I go to Services.msc and start it. Task Manager starts up for about a minute and then closes. OK, that’s good. I start the service again and quickly launch a command shell before it closes; great, now I have my SYSTEM command shell. From here I can add accounts, change settings, install software etc. But maybe I want my full desktop. I launch Taskmgr.exe from the command shell, kill explorer from the process list and then launch explorer from the File menu. Fantastic, I have a whole desktop running as SYSTEM; now I really am closer to god!