I will show how simple the basics of exploitation are. And I mean it's really simple.
We will illustrate what happens when program takes user input, what happens when a buffer is overflowed and take control of the execution of the program and redirect it to an area you do not have access.
Now this program reads user input into a buffer and then outputs it. Then there is this other function that says you exploited a vulnerability. In theory you can never get that function to run. "i" is set to 0 and need to equal 1. Go ahead and try it. only the return_input function works.
here's a first try:
I wrote 10 A's and it wrote back 10 A's on the screen.
What if I try more A's:
Thats what we want! Lets take a look in a debugger:
Lets crash it and check the registers. Remember, the eip is what will give you control of the program. If we can overwrite that register, we can gain control of execution.
Lets try:
yes! We overwrote the eip register with 43s (i.e. D).
We need to overwrite exactly the 4bytes of eip. lets try:
Bingo! we overwrote the eip with our 4 As.
Now we couold replace the 4 As with an actual address, but what? Sometimes it is enough to access an unauthorized part of a program rather than have a shell, so lets keep it simple and try that.
Let's see what the program looks like with [disas main] and find where we want to go:
At address 0x08048463, it calls the bingo function, a function I cannot access. (you could pretend it's authentication etc.)
Well we have our address, lets quit the debugger and exploit the program. Remember, we have to reverse the bytes!
Voila, we got the program to access a function that we had no access to!
See, the underlying basics of exploitation are really simple.
“In the midst of chaos, there is also opportunity”
― Sun-Tzu
Tuesday, 31 December 2013
Monday, 30 December 2013
t3h l33t 5cr1pt, where you can speak like a leet faster than your shadow
When I started to learn python, I was looking for small projects. I decided to make a script that would make me type like a a script kiddie without having to do so... It does serve a purpose tho, besides annoying people on IRC: deception! But be warned, you will probably be banned if you use it!
“Appear weak when you are strong, and strong when you are weak.” ― Sun Tzu, The Art of War
Tuesday, 2 April 2013
Hacking a windows host's smb service with metasploit
Using the metasploit framework (available at http://www.metasploit.com/) here's an attack you can launch with a high success rate on a windows host.
Start msfconsole and issue the following commands:
RHOST is the remote windows host. You can either scan your subnet for it's IP address or since you're testing your network., go on the windows OS, click start, click run and type cmd.exe in the box. Within your command shell, type "ipconfig" to get your IP address.
LHOST is your IP address. From linux, type "ifconfig" to get it.
LPORT is a port you have available to listen for the connection back.
If all works fine, you should land in the meterpreter:
From there we have a multitude of options available. Type "help" to list all available options. Some fun commands can take a snapshot from the victim's webcam, reboot or shutdown the computer, etc.
To know more about the system, type "sys info" or to get the usernames and password hashes on the machine, type "hashdump". See you could put to use some of the scripts you worked on in "Cracking passwords with python".
Another interesting feature of the meterpreter is the ability to record keystrokes which can grab passwords from everywhere, doesnt matter if its facebook or a bank. And if you want to get a shell, you can type "execute -i -f cmd.exe".
That was easy right... Since we know a little programming, and we do not want to manually test all of our hosts on our subnet, lets write a script that will automactically find all the vulnerable hosts. And since we already know how to bruteforce a service, we will bruteforce all the other hosts that are patched:
Hope that helps you play around with metasploit and how to interact with it using a programming language!
Start msfconsole and issue the following commands:
RHOST is the remote windows host. You can either scan your subnet for it's IP address or since you're testing your network., go on the windows OS, click start, click run and type cmd.exe in the box. Within your command shell, type "ipconfig" to get your IP address.
LHOST is your IP address. From linux, type "ifconfig" to get it.
LPORT is a port you have available to listen for the connection back.
If all works fine, you should land in the meterpreter:
From there we have a multitude of options available. Type "help" to list all available options. Some fun commands can take a snapshot from the victim's webcam, reboot or shutdown the computer, etc.
To know more about the system, type "sys info" or to get the usernames and password hashes on the machine, type "hashdump". See you could put to use some of the scripts you worked on in "Cracking passwords with python".
Another interesting feature of the meterpreter is the ability to record keystrokes which can grab passwords from everywhere, doesnt matter if its facebook or a bank. And if you want to get a shell, you can type "execute -i -f cmd.exe".
That was easy right... Since we know a little programming, and we do not want to manually test all of our hosts on our subnet, lets write a script that will automactically find all the vulnerable hosts. And since we already know how to bruteforce a service, we will bruteforce all the other hosts that are patched:
Hope that helps you play around with metasploit and how to interact with it using a programming language!
Monday, 1 April 2013
Cracking passwords with python
Like i mentionned in "How to think like a hacker", programming is a fundamental skill, and python is an excellent language to start learning. What kind of exercice can we do? Well since we're interested in security applications, why not write scripts that can crack passwords! Let's try cracking zipfiles, SHA-512 hashes and a SSH server using python. I will assume you already have basic programming knowledge, at least understand the "hello world!" script. While there are already tools available to do so, like hashcat and hydra for example, and while I do not believe in reinventing the wheel, one must be at least able to build a somewhat "round wheel" before using such tools to understand the hacker's mindset.
We'll need to zip a file and lock it with a password to experiment with. In linux, we can use the following command to do so:
Now let's write our script:
Make the script executable with "chmod +x" and running it will produce this output:
In Linux, information about each users and their passwords is stored in /etc/shadow. In fact, it contains the hash of a user's password, and a salt. The default hash algorithm is SHA-512.
SHA stands for Secure Hash Algorithm and is a set of cryptographic hash functions designed by the National Security Agency. The process is irreversible therefore the only mean to find the password is to compare the hash values. Let's give it a try using python:
and the output:
We could use different algorithms as well. Some would require different functions to import such as the poplar phpbb3 used in web applications. Here's a way to test these passwords:
And the output:
Hope this will help you get started to craft your own tools to learn programming. Another lesson here:Use strong passwords!
Cracking password-protected zipfiles
We'll need to zip a file and lock it with a password to experiment with. In linux, we can use the following command to do so:
Now let's write our script:
Make the script executable with "chmod +x" and running it will produce this output:
Cracking SHA-512 hashes
In Linux, information about each users and their passwords is stored in /etc/shadow. In fact, it contains the hash of a user's password, and a salt. The default hash algorithm is SHA-512.
SHA stands for Secure Hash Algorithm and is a set of cryptographic hash functions designed by the National Security Agency. The process is irreversible therefore the only mean to find the password is to compare the hash values. Let's give it a try using python:
and the output:
We could use different algorithms as well. Some would require different functions to import such as the poplar phpbb3 used in web applications. Here's a way to test these passwords:
Bruteforcing SSH servers
Finally, lets see how to bruteforce a service such as SSH using python. I'll leave it to you to optimize it (hint: threading):And the output:
Hope this will help you get started to craft your own tools to learn programming. Another lesson here:Use strong passwords!
You can ensure the safety of your defense if you only hold positions that cannot be attacked.
An introduction to debugging with Linux
And reverse-engineering
For this tutorial on how tu use gdb, I picked the first level on IO at smashthestack's wargame.
The vulnerable program to privilege escalation as this info on it:
"usage: %s "
So here, since its probably a program that looks for a specific string to grant you access to the next level, you have to think how the programmer coded the application since you cannot see it.
So in general, its probably an application along these lines:
if the command line argument == string
execute /bin/sh
First, lets get a general idea of what main() looks like with objdump:
when you see "intel" its because i want the intel syntax rather than AT&T, i find it easier to read through.
from the man page:
objdump displays information about one or more object files. The options control
what particular information to display. This information is mostly useful to
programmers who are working on the compilation tools, as opposed to programmers who
just want their program to compile and work.
objfile... are the object files to be examined. When you specify archives, objdump
shows information on each of the member object files.
-D flag --disassemble-all
Like -d, but disassemble the contents of all sections, not just those expected
to contain instructions.
If the target is an ARM architecture this switch also has the effect of forcing
the disassembler to decode pieces of data found in code sections as if they
were instructions.
grep -A20 main.:
grep searches the named input FILEs (or standard input if no files are named, or if
a single hyphen-minus (-) is given as file name) for lines containing a match to
the given PATTERN. By default, grep prints the matching lines.
-A NUM, --after-context=NUM
Print NUM lines of trailing context after matching lines. Places a line
containing a group separator (--) between contiguous groups of matches.
With the -o or --only-matching option, this has no effect and a warning is
given.
so basically i just want to grep the first lines of main()
-------------------------------------------------------------------------
so when i read these instructions here:
8048409: c7 45 f4 c8 85 04 08 mov DWORD PTR [ebp-0xc],0x80485c8
8048410: 8b 45 e0 mov eax,DWORD PTR [ebp-0x20]
8048413: 83 38 02 cmp DWORD PTR [eax],0x2
8048416: 74 21 je 8048439
we are creating a *pointer than will contain the value located at the address 0x80485c8, which would have been given at the data declaration, which we will compare and if equal we will jump to the given address.
Since my assumptions of the code, i think the password (or string to compare) is located at the memory address 0x80485c8
so im going to run the debugger and check the value of that address, i could probably see that value before i have checked it, but i know that when we are to compare it, it has to contain the right value.
so btw, you can see i had not yet set the intel syntax in there and can see the difference between intel and AT&T (for those who didnt know about the different syntax).
so basically break main, will stop the program right before the _main_ function gets executed. from there, i r eip will show me what the EIP register is pointing to (the next instruction). x/5i will show me the next 5 instrucitons.
so i use 'nexti' to move to the next instruction, unjtil i get to where i want to be. like i said i could have probably stopped before that, but i know for sure that the value is written at the memory address i want to look at (because data can be changed, but the value we are comparing is the right one), as seen by objdump;. (you could also run disassemble main from gdb instead and when the program was compiled using the -g flag, you can even list the source code with the list function).
so to look at what is the value at the memory address i suspect the password to be, i use 'x' which is short for examine. thus x/s will show me the value in a string format.
so x/s will examine the value at the address specified and BINGO, we have the password.
there is an easier way, which is the strings function. since the password was in clear text, the string function will print out the strings out of the binary file:
Hope this helps to get you started debugging applications.
"take advantage of the enemy's unreadiness, make your way by unexpected routes, and attack unguarded spots." --Sun Tzu
Labels:
cracking,
debugging,
engineering,
gdb,
hacking,
linux,
penetration,
reverse,
security,
testing
How to find a bug, exploit it and write your own 0day exploit
In order to think like a hacker, we'll need to examine and practice their methodology and test it against our own system.
Lets say we have a target (ourselves) and ran nmap (a portscanner) on it and discovered open port. The service running on it is SLmail v 5.5.
How do we look for a vulnerability? Since its a binary thus the source isnt available, all we can do is download a trial version, reverse engineer it or fuzz test the software. Let's try fuzzing, i.e. sending expected, or random data to the inputs of a computer program.
Here, im running linux on my attacking machine and installed SLmail on a windows XP xp2 and I want to test the POP service on port 110. Since I do not know the account credentials, the only commands I can fuzz on that service are USER and PASS. On the windows machine, install and start SLMail. Then attach ollydbg to it. (just start ollydbg and click file, select "attach" and select SLmail)
There are several fuzzers available, spike being my favourite, but to keep it simple I'll write a very basic fuzzer in python to illustrate the concept:
In the above code, I skipped the USER command fuzzing since it didnt crash. To fuzz PASS, you need to first input a "USER username" command first. Now we're ready to fuzz PASS. The program will connect to port 110, supply a user name and then send a bunch of A's, if it doesnt crash the program, it will send more A's, on so on (until I send about 5000 A's in this scenario).
We check Ollydbg and oops we do get a memory access violation!
As you can see, we have overwritten the EIP with A's (represented by 41)
Since the EIP register controls the execution flow of the program, that means we can now control the application and redirect it to do whatever we want. A shell would be nice!
Now we must find the exact 4 bytes in our buffer to overwrite it. Here's a way to narrow it down:
If we overwrite the EIP with A's in this new code, that means the 4 bytes overwriting the EIP are located in the first 1000 byte range, if B's, in-between 1000 and 2000, and do on.
Lets see what happens in ollydbg:
Looking at the EIP register, we can see that we have overwritten in with E's (\x45), thus the 4 bytes we're looking after are in-between 4000-5000 in our buffer. We could do this for a while until we get them but I'll let you on a a neat tool by metasploit. pattern_create.rb, it creates a specific pattern and will provide us with the exact location. So we need a length of 5000 so we issue the following command:
we copy the output and paste it in our buffer:
We send it and check the result in ollydbg.
We take the bytes that overwrote the EIP and we need to convert them since they're in hex and reverse them because of the order they go in the EIP. To save you the trouble, i wrote a little script that will sort this out for you:
The output was z1Fz. So now we use the other tool provided by metasploit to know the exact location of the EIP.
We now have the location of the EIP, at 4654. lets test it with our script:
Here we send 4654 A's, then 4B's and then C's. So we shoud overwrite the EIP with B's(\x42), lets check ollydbg:
Bingo, we overwrote exacty with 4 B's the EIP. We are in full control of th EIP. Whats left to do is to find a convenient location for our shellcode. To do that we need to examine the CPU registers right after the crash. click on the ESP register (stack pointer) and select follow in dump. Nice, i have a 1000s C's at that location, more than enough room for my shellcode.
To find a way to ensure we get to the ESP, we need a way to get to the ESP address. For that let's click the 'E' button (Executable Modules button) to look at the DLL's. USER32.DLL is convenient since it's in the core DLL system and its address is static accross service packs. From there we need to find a 'JMP ESP' instruction. So just click on USER32.DLL and click 'search for' and type in 'JMP ESP'. Here;s its at 77D718FC. So in our script, we will now send 4654 A's, then overwrite the EIP with that address so that it will use the JMP ESP instruction to send us to our shellcode. But for testing, we'll send C's after:
You probably noticed the \x90 in my code, its a NOP instruction, which is no instruction. This is just in case I do not land precisely at the address of my shellcode, it will slide the NOPs to it.
Lets's check ollydbg:
Bingo, look in the bottom right corner, we landed right in my NOPs followed by Cs! All we have to do is replace the C's by the shellcode!
You can find shellcodes on the net, although it can be risky, you can write your own or use a metasploit to provide you one. You can use a shellcode that will bind a shell on a port on the target machine, but if he's behind a router, that’s not very effective, so I'll show you how to use a metasploit tool to write a shellcode that will make the target machine connect to us instead:
So the target machine will connect to me, in that case 192.168.2.37 because we are on the same subnet, but that works over the internet as well. so we add our shellcode to the script:
Now we need to have a listener on port 4444 to receive our shell from our victim. Metasploit provides a nice handler for that.
Start metasploit then:
Now that we are listening on port 4444, we launch our exploit!
bingo we get a connection!
From there we can set up a keylogger, etc, but anyway, to get a shell, just use the following command:
Congratulations, you have a shell!:
For those of you reading that are unfamiliar with python, programming and the tools mentionned in this article, no worries, I'll soon keep you posted on how to use them.
"Take advantage of the enemy's unreadiness, make your way by unexpected routes, and attack unguarded spots." --Sun Tzu
The art of exploitation
Lets say we have a target (ourselves) and ran nmap (a portscanner) on it and discovered open port. The service running on it is SLmail v 5.5.
How do we look for a vulnerability? Since its a binary thus the source isnt available, all we can do is download a trial version, reverse engineer it or fuzz test the software. Let's try fuzzing, i.e. sending expected, or random data to the inputs of a computer program.
Here, im running linux on my attacking machine and installed SLmail on a windows XP xp2 and I want to test the POP service on port 110. Since I do not know the account credentials, the only commands I can fuzz on that service are USER and PASS. On the windows machine, install and start SLMail. Then attach ollydbg to it. (just start ollydbg and click file, select "attach" and select SLmail)
There are several fuzzers available, spike being my favourite, but to keep it simple I'll write a very basic fuzzer in python to illustrate the concept:
In the above code, I skipped the USER command fuzzing since it didnt crash. To fuzz PASS, you need to first input a "USER username" command first. Now we're ready to fuzz PASS. The program will connect to port 110, supply a user name and then send a bunch of A's, if it doesnt crash the program, it will send more A's, on so on (until I send about 5000 A's in this scenario).
We check Ollydbg and oops we do get a memory access violation!
As you can see, we have overwritten the EIP with A's (represented by 41)
Since the EIP register controls the execution flow of the program, that means we can now control the application and redirect it to do whatever we want. A shell would be nice!
Now we must find the exact 4 bytes in our buffer to overwrite it. Here's a way to narrow it down:
If we overwrite the EIP with A's in this new code, that means the 4 bytes overwriting the EIP are located in the first 1000 byte range, if B's, in-between 1000 and 2000, and do on.
Lets see what happens in ollydbg:
Looking at the EIP register, we can see that we have overwritten in with E's (\x45), thus the 4 bytes we're looking after are in-between 4000-5000 in our buffer. We could do this for a while until we get them but I'll let you on a a neat tool by metasploit. pattern_create.rb, it creates a specific pattern and will provide us with the exact location. So we need a length of 5000 so we issue the following command:
we copy the output and paste it in our buffer:
We send it and check the result in ollydbg.
We take the bytes that overwrote the EIP and we need to convert them since they're in hex and reverse them because of the order they go in the EIP. To save you the trouble, i wrote a little script that will sort this out for you:
The output was z1Fz. So now we use the other tool provided by metasploit to know the exact location of the EIP.
We now have the location of the EIP, at 4654. lets test it with our script:
Here we send 4654 A's, then 4B's and then C's. So we shoud overwrite the EIP with B's(\x42), lets check ollydbg:
Bingo, we overwrote exacty with 4 B's the EIP. We are in full control of th EIP. Whats left to do is to find a convenient location for our shellcode. To do that we need to examine the CPU registers right after the crash. click on the ESP register (stack pointer) and select follow in dump. Nice, i have a 1000s C's at that location, more than enough room for my shellcode.
To find a way to ensure we get to the ESP, we need a way to get to the ESP address. For that let's click the 'E' button (Executable Modules button) to look at the DLL's. USER32.DLL is convenient since it's in the core DLL system and its address is static accross service packs. From there we need to find a 'JMP ESP' instruction. So just click on USER32.DLL and click 'search for' and type in 'JMP ESP'. Here;s its at 77D718FC. So in our script, we will now send 4654 A's, then overwrite the EIP with that address so that it will use the JMP ESP instruction to send us to our shellcode. But for testing, we'll send C's after:
You probably noticed the \x90 in my code, its a NOP instruction, which is no instruction. This is just in case I do not land precisely at the address of my shellcode, it will slide the NOPs to it.
Lets's check ollydbg:
Bingo, look in the bottom right corner, we landed right in my NOPs followed by Cs! All we have to do is replace the C's by the shellcode!
You can find shellcodes on the net, although it can be risky, you can write your own or use a metasploit to provide you one. You can use a shellcode that will bind a shell on a port on the target machine, but if he's behind a router, that’s not very effective, so I'll show you how to use a metasploit tool to write a shellcode that will make the target machine connect to us instead:
So the target machine will connect to me, in that case 192.168.2.37 because we are on the same subnet, but that works over the internet as well. so we add our shellcode to the script:
Now we need to have a listener on port 4444 to receive our shell from our victim. Metasploit provides a nice handler for that.
Start metasploit then:
Now that we are listening on port 4444, we launch our exploit!
bingo we get a connection!
From there we can set up a keylogger, etc, but anyway, to get a shell, just use the following command:
Congratulations, you have a shell!:
For those of you reading that are unfamiliar with python, programming and the tools mentionned in this article, no worries, I'll soon keep you posted on how to use them.
"Take advantage of the enemy's unreadiness, make your way by unexpected routes, and attack unguarded spots." --Sun Tzu
Labels:
backtrack,
buffer,
computer,
exploitation,
hacking,
metasploit,
overflow,
security
How to think like a hacker
Welcome to my blog! ..and my very first post!
Although there are many more security blogs just like this one, I decided to write mine for one particular reason, amongst others. Keep a journal of what I learned, which will be related to IT security. And if my findings/learnings can help someone else, then its just great! And it can also be a portal for more experienced hackers, security analysts, pen testers that can share with me other views on my methods.
The approach I'm taking to practice IT security is to try and become a hacker myself. I may have studied IT in college, but real hackers are self-taught, its an art that cannot be acquired through school programs or books, it requires practice, creative thinking and dedication. And to defend yourself in cyberspace, you need to think like a hacker to anticipate his moves. You must change your role from being the victim to being the attacker. Just standing on the defensive indicates insufficient strength and you can ensure the safety of your defence if you only hold positions that cannot be attacked, hence Sun Tzu's saying: that general is skillful in attack whose opponent does not know what to defend; and he is skillful in defense whose opponent does not know what to attack. Ability to defeat the enemy means taking the offensive.
The art of war teaches us to rely not on the likelihood of the enemy's not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable. Supreme excellence consists in breaking the enemy's resistance without fighting. The capitulation of the attacker (or hacker) before an attack is the best scenario!
I think Eric Raymond really set out a good path to follow, here's my own interpretation of what he said:
"If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle." --Sun Tzu
Although there are many more security blogs just like this one, I decided to write mine for one particular reason, amongst others. Keep a journal of what I learned, which will be related to IT security. And if my findings/learnings can help someone else, then its just great! And it can also be a portal for more experienced hackers, security analysts, pen testers that can share with me other views on my methods.
It takes a thief to catch a thief
The approach I'm taking to practice IT security is to try and become a hacker myself. I may have studied IT in college, but real hackers are self-taught, its an art that cannot be acquired through school programs or books, it requires practice, creative thinking and dedication. And to defend yourself in cyberspace, you need to think like a hacker to anticipate his moves. You must change your role from being the victim to being the attacker. Just standing on the defensive indicates insufficient strength and you can ensure the safety of your defence if you only hold positions that cannot be attacked, hence Sun Tzu's saying: that general is skillful in attack whose opponent does not know what to defend; and he is skillful in defense whose opponent does not know what to attack. Ability to defeat the enemy means taking the offensive.
The art of war teaches us to rely not on the likelihood of the enemy's not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable. Supreme excellence consists in breaking the enemy's resistance without fighting. The capitulation of the attacker (or hacker) before an attack is the best scenario!
So how do i become a hacker?
I think Eric Raymond really set out a good path to follow, here's my own interpretation of what he said:
- Learn how to program: This is a fundamental hacking skill. To be a hacker is not simply to know how to use a computer, but you must be able to "talk to it". The language you pick is not the important part, its the way you think and use it, in creative ways to solve challenges you set. And thats not thought in books or school (most hackers are self-thought too). Python is an extremely good language to start with. Its cleanly designed, one of the easiest to learn for a beginner while still being a very powerful and flexible language. Point is, just pick one to start and learn it well, then expand.
- Get a unix-based system - Linux: Learn how to install it, run it, customize it, not just use it. Anybody can use a computer nowadays. Some people will say its possible to learn hacking on windows, while being true, its not the most efficient way. Windows systems are binary-distributed, you cant read the code nor modify it, generally speaking. Also,unix is the system of the internet. Yes you can use windows to "go on the internet" but understanding it without understanding unix is making it unjustifiably harder. It might not make sense what im saying now, but you'll understand a little more when you start network programming. Everything is based on the BSD sockets model of network programming, winsocks too.
- Learn HTML: Its the language spoken on the web, know it! Perhaps thats where you should start and we should reverse my list! SQL/php would now fit in this category as well, although when you'll get pro-efficient at the first two points, this will be easier.
"If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle." --Sun Tzu
Subscribe to:
Posts (Atom)