To search through payloads in metasploit. One thing that doesn’t work is:

./msfvenom -l payloads |grep php

because output is directed to STDERR. So to search through metasploit modules from the command line, one way is to redirect STDERR to STDOUT.

./msfvenom -l payloads 2>&1 |grep php

2. Using ‘reload’, ‘jobs’, and ‘resource’ for module testing

When I was first modifying metasploit code, I restarted metasploit… which takes quite a bit of time and is a pain if you’ve only done like a one line change. But there’s a reload command that just reloads the module you’re working on, so that’s obviously much nicer.

Another couple commands that are handy for testing are ‘jobs’ and ‘resource’. ‘jobs’ will enumerate things that are running (and kill them, if you tell it to). ‘resource’ simply is a set of commands which will execute as if you entered them in the console. I used ‘resource’ for unit testing, and when I demo some more complicated attacks that will require actual code (coming soon), I’ll need to put that in a resource file.

3. Nop sled Generation

I recently ran into an exploit where the binary would look for repeating sequences (e.g. ‘x90x90…’), so I needed a custom nop sled. Also, I wanted to save the value of some registers. I was (coincidentally) pointed at Metasploit’s Opty2. The usage is:

> use nop/x86/opty2
msf nop(opty2) > generate -h
Usage: generate [options] length

Generates a NOP sled of a given length.

OPTIONS:

-b The list of characters to avoid: ‘x00xff’
-h Help banner.
-s The comma separated list of registers to save.
-t The output type: ruby, perl, c, or raw.

I was totally nervous. This was my first ‘con’ and the room was packed (people standing at the wall), I spotted relatively famous hackers in the audience, etc. I needed more beer!

Hopefully the next one I’ll relax, slow down, not use filler words, etc :)

Proxying port scans can be handy if you want the address to come from something else. For example, you might have an ssh server somewhere that you’d like to scan from. Or you might want to port scan through tor. To porscan through an ssh server

ssh -D 2323 mysshserver

#edit /etc/proxychains.conf  so socks4 is set to 2323

#socks4  127.0.0.1 2323

proxychains nmap -T4…

then all nmap traffic will appear to come from your ssh server. Very cool! In addition, you can set up a tor proxy, haver proxychains point to it from proxychains.conf, and launch your program similarly using proxychains. This has the advantage of having everything go through tor. So if you wanted you could port scan through tor.

A usually more legitimate use would be to launch firefox using proxychains through tor. This is superior to simply setting the proxy through ff itself because when ff sets a local proxy there is still dns leakage, potential flash leakage etc. If it is launched through the proxy, all children of the process go through tor.

Or maybe where was the Dev in the room?

Imagine you’re sitting at a computer logged into your favorite website, lolcats, and you click on a shady link while logged in. There are a lot of attack scenarios that start this way.

Browsers have a cross domain policy that prevent the shady site from accessing any of your lolcats cookies, which typically contain your authentication tokens. But BY DESIGN, the shady site is certainly allowed to do requests (eg POST or GET) across domains. So there’s nothing to prevent the shady site from framing lolcats in an invisible iframe and having you play an animated whack-a-mole game, clicking exactly where the invisible lolcats site is having you inadvertently  rank the attacker’s disgusting kitten as cute. This is performed with your very own account, because the cookies are all legitimate from being logged in. This makes all your lolcats buddies laugh at your bad taste.

This is contrived, sure. But tools are getting a lot better to automate this sort of thing. You don’t need a whack-a-mole game to do clickjacking anymore, there are whole Javascript frameworks to automate everything. In fact, the attack is as easy as just getting them to visit the shady site, no clicks required. One such tool is:

http://www.contextis.co.uk/resources/tools/clickjacking-tool/

Currently clickjacking defense is treated somewhat less importantly than XSRFf, but the fact is, the surface area for a clickjacking attack is basically identical to XSRF. Both are confused deputy problems.

One of the first ways to defend against this attack was frame busting scripts, which are snippets of Javascript and HTML to try to make it so websites can’t be invisibly framed. These are notoriously difficult, and can vary from application to application. To deal with this problem, Spencer Low went into a cave of solitude for some time and came up with a pretty good framebusting solution. Unfortunately, it turns out whatever frame busting solution you have is circumventable using IE’s XSS filter in IE8 or IE9. Details are

http://www.darkreading.com/security/vulnerabilities/showArticle.jhtml?articleID=225200337

So there is only one defense that really works to defend against clickjacking, and this is X-FRAME-OPTIONs.  X-FRAME-OPTIONs is a newish header designed by Microsoft that’s now included in all modern browsers (chrome, Firefox, Safari, in addition to IE8 and IE9). What X-FRAME-OPTIONs does is set a header that says this response cannot be framed except under certain circumstances. There does need to be work on server applications to add this header, but I believe this is fundamentally the right approach to stop clickjacking. You don’t want lolcats framed by the shady site? Just configure lolcats to put the X-FRAME-OPTIONs header in the response and it cannot be framed.

Here’s the problem, X-FRAME-OPTIONs has three options: ALLOW, SAMEORIGIN, and DENY. That’s it. And they do exactly what you’d think they do.

What if, by design, I want my application to be framed by something in a different domain? There are a lot of legitimate circumstances this happens, and they pop up all the time in Online Services.

As a security industry, what we do right now in these situations is say there’s no good and easy defense. Web applications are sometimes vulnerable to clickjacking because the fact is there’s nothing good we can really do on these edge case scenarios. We can (and do) develop frame busting scripts that takes a lot of work, probably have holes, and are certainly bypassible in IE8 and IE9 due to the XSS protection unless we just explicitly switch off the XSS protection. It’s an active problem to determine if switching off XSS protection in order to hopefully develop a script that might with enough effort prevent clickjacking is worth it.

I wonder why when designing X-FRAME-OPTIONs it wasn’t just designed as a whitelist solution. Instead of only having the ALLOW, SAMEORIGIN, and DENY options, it could have a list of domains that are allowed to frame the content. It would make so much more sense to explicitly allow domains that are allowed to frame our application instead of being arbitrarily restricted to sameorigin. It would give us flexibility while at the same time allowing us to be safe.

I applaud the IE team for coming up with X-FRAME-OPTIONs in the first place, and for other browsers to adopt it. It can protect 95% of sites from clickjacking. I just wish that we didn’t have to have vulnerable sections of applications just because of the limitation of options.

-D_FORTIFY_SOURCE=2

This should get rid of some buffer overflows that can be analyzed statically and some obvious ones (strcpying input, format string vulnerabilities).

More information can be found here: http://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html

-fstack-protector-all

From the man page:

Emit extra code to check for buffer overflows, such as stack smashing attacks.  This is done by adding a guard variable to functions with vulnerable objects.  This includes functions that call alloca, and functions with buffers larger than 8 bytes. The guards are initialized when a function is entered and then checked when the function exits.  If a guard check fails, an error message is printed and the program exits.

(this is enabled by default in recent versions of Ubuntu)

#!/usr/bin/env python

import readline

"""The shell class is the front end for cryptanal"""

class shell:
  def __init__(self, filename=None):
    print"""
WWW         WW eEeEeEeE LL        CCCCC    OOOO    MMMM    MMMM  eEeEeEeE
 WW         W  EE       LL       Cc      OOO  OOO  MM MM  M  MM  EE
  WW       WW  EeEeE    LL      CC       OO    OO  MM  MMM   MM  EeEeE
  WWw WW  WW   EE       LL       Cc      OOO  OOO  MM        MM  EE
   WWW  WWW    eEeEeEeE LlLlLlL   CCCCC    OOOO    MM        MM  eEeEeEeE

                             TO CRYPTO-SHELL
  (Useful for deciphering what little Susie is writing to little Billy)
"""

    self.filename = filename
    self.crypto = None
    #if self.filename != None:
      #self.crypto = freqcount.subCryptAnal(self.filename)

    #setup the tab completion information here
    self.commands = ["help", "printfreq"]
    readline.set_completer(self.completer)
    readline.parse_and_bind("tab: complete")

  #completer funtion for tab complete
  def completer(self, word, index):
    matches =
    try:
      return matches[index] + " "
    except IndexError:
      pass

  #this is the main event loop
  def mainloop(self):
    while 1:
      command=raw_input('> ').lstrip()
      if command.lower().startswith('help'):
        self.help(command[4:].lstrip())
      else:
        print "Error: command not recognized"

  def help(self, args):
    print "HELP"

if __name__ == '__main__':
  thisshell = shell()
  thisshell.mainloop()

Do a ps -ef on your system where an underprivilidged user is logged in via ssh.  eg

# ps -ef |grep sshd |grep myuser
root       28694  7865  0 Mar25 ?        00:00:00 sshd: myuser [priv]
myuser     28703 28694  0 Mar25 ?        00:00:00 sshd: myuser@pts/2

While that [priv] may seem disconcerting, it (by itself) shouldn’t be.  There is privilege seperation in sshd  so that if an exploit is found in the child does not result in a system compromise.

http://www.citi.umich.edu/u/provos/ssh/privsep.html

apache

Go into /etc/apache2/apache2.conf and change

ServerTokens Full

to

ServerTokens Prod

This will change your info for things like 404s, so instead of listing your exact os, version of apache, etc, it will only say something like ‘Apache Server at progeny.isu.edu Port 80′

postfix

change the smtpd_banner line to something like “smtpd_banner = $myhostname ESMTP $mail_name (Linux)” which will be much harder to figure out than all the crap this normally prints, which, once again, is the exact version of postfix you are running along with the os.

bind

By default, bind also lets people know all this info.  You can change this by changing the version = lines as follows

options {
…
version “back off, dirt bag!”;
…
}

Though many of these services can still be fingerprinted without too much effort, not reporting your version info for every service you run is probably a good idea.  So, for example, because of this, you may have a harder time figuring out that this server is running apache2.2 on ubuntu7.04 and postfix2.5… damn it.

dig @dnsserver.net version.bind txt ch

will give you what you need. However, this is a configuration option that can be turned off. ie, in named.conf they could have set the following

options {
…
version “back off!”;
…
}

and, uhh, yeah. that will return “back off!” for our version number, which isn’t very helpful.

Enter fpdns.

From the man page:

fpdns is a program that remotely determines DNS server versions. It does this by sending
a series of borderline DNS queries which are compared against a table of responses and
server versions.

False positives or incorrect versions may be reported when trying to identify a set of
servers residing behind a load-balancing apparatus where the servers are of different
implementations, when a specific implementation behaves like a forwarder, behind a fire‐
wall without statefull inspection or without Application Intelligence.

and it works pretty well from my preliminary tests.

<mopey> has anyone ever gotten sshrc to succesfully set ssh environment variables?
<mopey> it *should* be straightforward
<mopey> the sshd man page says:  8.  If $HOME/.ssh/rc exists, runs it; else if /etc/ssh/sshrc exists, runs it; otherwise runs xauth.  The “rc” files are
<mopey>  given the X11 authentication protocol and cookie in standard input.
<mopey> is this not run (when I do ‘ssh compute-0-0 env’) because it is too late in the process?
<mopey> because my $HOME/.ssh/environment _is_ run, and I can set them that way.  Except that I want to do it for all users and that seems to be a lame solution.
<mopey> It seems like the command should be executed *after* the rc files are read (it’s step 9)
<mopey> So I wonder why the hell it’s being ignored…
<mopey> staynalive, you said you use “PermitUserEnvironment yes”.  So do you just set a $HOME/.ssh/environment for each user?

…

<mopey> haha
<mopey> for those who care, pam overrides my ssh variables for the most part
<mopey> so you can define variables in /etc/security/pam_env.conf
<mopey> god, that took forever to figure out why my /etc/environment variables weren’t getting set over ssh
* Vog-work has quit (“ChatZilla 0.9.79 [Firefox 2.0.0.10/2007111504]“)
<twinprism> thanks for sharing, mopey, I care…
<mopey> weird.
<mopey> :)
<_sera> I don’y
<_sera> sheesh… don’t
<mopey> Normally it probably doesn’t matter I’m sure.  Like if you get a bash shell and can actually execute profile/bashrc
<mopey> But if you have a crippled pvm shell or something, it’s way important
<mopey> plus I think pam_env is how PATHs and junk get set on login – at least on ubuntu
<mopey> *gdm/kdm/xdm login