Thursday 28 January 2016

Snarf man-in-the-middle

Snarf is a software suite to help increase the value of man-in-the-middle attacks. Many historical applications of techniques like SMB-Relay rely on assumptions, and relegate these attacks to exploitation, rather than the discovery / enumeration phase of the penetration test. While Snarf doesn't introduce new vulnerabilities, it does introduce a new capability to capitalize on exploiting familiar vulnerabilities.  

The Fundamental Idea

At its core, Snarf has one key principle in play: when you MITM something, don't throw it away. Don't just try to lob a payload through it and hope it works. Instead, we relay a connection for a client, and keep the connection to the server when the client is done. We hold onto it, and provide a facility to jack in additional tools to that same, preserved connection. This way, once we middle a connection, we can explore it. Use multiple tools, assess what privileges or rights we have, etc. -- all to give the penetration tester more direct control of the situation.

Prerequisites

You will need several key things. First, Snarf relies on iptables, so it is Linux-specific. It may be possible to move it to something like PF, but that is currently unknown. At any rate, here is a list of basic requirements:
  • Linux (Kali works fine)
  • NodeJS -- Snarf is implemented in Node to take advantage of its snazzy event-driven I/O
  • An existing MITM / redirection strategy -- Snarf will not MITM the victim, it will only capitalize on it
    • ARP poisoning
    • DHCP poisoning
    • LLMNR poisoning
    • ICMP redirect
    • GRE tunnels
    • etc.
In most Linux distributions, the only thing you'll have to do is install Node. In a Debian-derived distribution, this would look something like this (works in Kali):
$ sudo apt-get install nodejs

Running Snarf

Here's the basic process:
  1. Do a man-in-the-middle -- Linux must be routing the traffic of your victim
  2. Run Snarf as root, binding to your LAN IP
    $ sudo node snarf.js
  3. Run the iptables rule to move traffic to SNARF's chain:
    $ sudo iptables -t nat -A PREROUTING -p tcp --dport 445 -j SNARF
  4. Open a web browser to http://localhost:4001/
  5. Wait for a connection to come through
  6. Either wait for the connection to "complete" or "expire" it manually with the provided buttons
  7. Connect your own tools (e.g., for SMB use smbclient, net, Metasploit, etc.) to 127.0.0.1. (Note, the username and password you use don't matter -- Snarf will authenticate it no matter what. The resulting session will use the snarfed connection to the server and, with it, the victim's credentials)
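Because the relay passes the victim's NTLM authentication through largely unchanged while the TCP connection to the server now originates from the Linux box, the server-side logon record ends up carrying the victim's workstation name together with the relay host's IP address. The following example is added here (it is not part of Snarf or of this post) to show how a defender can flag that mismatch from Windows Security event 4624 records; the asset inventory, the key=value rendering of the events and the sample lines are all constructed for illustration.

```python
"""Flag NTLM network logons whose workstation name does not match the address
the TCP connection actually came from. A relayed session looks like the victim's
machine authenticating, but the packets arrive from the relay host.
All data below is constructed; field names follow the Security event 4624 layout."""
import ipaddress

# Hypothetical asset inventory: which IP each workstation is expected to use.
INVENTORY = {
    "WS-ALICE": "10.0.0.21",
    "WS-BOB": "10.0.0.22",
}

# Constructed 4624 events rendered as key=value text, one event per record.
SAMPLE_EVENTS = [
    "EventID=4624;LogonType=3;AuthenticationPackage=NTLM;WorkstationName=WS-ALICE;SourceNetworkAddress=10.0.0.21;TargetUserName=alice",
    "EventID=4624;LogonType=3;AuthenticationPackage=NTLM;WorkstationName=WS-BOB;SourceNetworkAddress=10.0.0.99;TargetUserName=bob",
    "EventID=4624;LogonType=3;AuthenticationPackage=Kerberos;WorkstationName=WS-BOB;SourceNetworkAddress=10.0.0.22;TargetUserName=bob",
    "EventID=4624;LogonType=2;AuthenticationPackage=NTLM;WorkstationName=WS-ALICE;SourceNetworkAddress=-;TargetUserName=alice",
]


def parse_event(line):
    """Turn one 'k=v;k=v' record into a dict."""
    return dict(kv.split("=", 1) for kv in line.split(";"))


def find_suspect_relays(events, inventory):
    """Return (workstation, expected_ip, actual_ip, user) for NTLM network logons
    that arrived from an address other than the workstation's known one."""
    hits = []
    for ev in map(parse_event, events):
        if ev.get("EventID") != "4624" or ev.get("LogonType") != "3":
            continue  # only network logons can be relayed
        if ev.get("AuthenticationPackage") != "NTLM":
            continue  # Kerberos logons are not subject to NTLM relay
        src = ev.get("SourceNetworkAddress", "-")
        try:
            ipaddress.ip_address(src)
        except ValueError:
            continue  # no usable source address, nothing to compare against
        expected = inventory.get(ev.get("WorkstationName"))
        if expected is not None and expected != src:
            hits.append((ev["WorkstationName"], expected, src, ev["TargetUserName"]))
    return hits


if __name__ == "__main__":
    for ws, expected, actual, user in find_suspect_relays(SAMPLE_EVENTS, INVENTORY):
        print(f"possible relay: {user} via {ws}, expected {expected}, packets came from {actual}")
```

A workstation missing from the inventory is deliberately not flagged, so the check is only as good as the asset data behind it.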

Known Issues

  1. For SMB, Snarf only does username/password auth, not anonymous sessions. You will want to provide a "-U user%pass" to any Samba-derived tools to make sure this will work.
  2. Snarf makes minimal changes to your traffic. So, when you do a TREE_CONNECT, it will pass the destination hostname unchanged. If you make it "localhost", then the server will give you an error about a duplicate name. This is because servers don't like being called "localhost". Instead, connect to "127.0.0.1" -- Windows doesn't mind this. In other words, run "smbclient -U b%b //127.0.0.1/c$", and don't use the name "localhost" in the command.
  3. Windows does weird and unpredictable things. Sometimes, you may end up with a session that doesn't work. This could be a bug (so feel free to let us know about it), but it could also just be a vagary of SMB. Servers don't always keep sessions around as reliably as we want, etc. So, while Snarf will dramatically improve your ability to get value out of a middled connection, remember that there is still a probabilistic aspect to any MITM attack.
  4. Make sure you follow the on-screen instructions for completing the iptables setup -- we don't apply the last iptables rule in the code because MITM is inherently dangerous. Think carefully about how that rule should be used. You probably don't want hundreds of systems coming through, so you can adjust the parameters on the "iptables -t nat -I PREROUTING -p tcp --dport 445 -j SNARF" command to ensure that only the desired systems get snarfed. 

Download tool: https://goo.gl/zukxDk

Android vulnerability scanner

AndroBugs Framework is an Android vulnerability analysis system that helps developers or hackers find potential security vulnerabilities in Android applications. It has no fancy GUI, but it is highly efficient (less than 2 minutes per scan on average) and more accurate.
Version: 1.0.0

Features:

  • Find security vulnerabilities in an Android app
  • Check if the code is missing best practices
  • Check dangerous shell commands (e.g. “su”)
  • Collect Information from millions of apps
  • Check the app’s security protection (marked as <Hacker>, designed for app repackaging hacking)

Author

  • Yu-Cheng Lin (androbugs.framework at gmail.com, @AndroBugs)

Setup Steps and Usage for Windows

Easy to use for Android developers or hackers on Microsoft Windows: (a) No need to install Python 2.7 (b) No need to install any 3rd-party library (c) No need to install AndroBugs Framework
  1. mkdir C:\AndroBugs_Framework
  2. cd C:\AndroBugs_Framework
  3. Unzip the latest Windows version of AndroBugs Framework from Windows releases
  4. Go to Computer->System Properties->Advanced->Environment Variables. Add "C:\AndroBugs_Framework" to the "Path" variable
  5. androbugs.exe -h
  6. androbugs.exe -f [APK file]

Massive Analysis Tool Setup Steps and Usage for Windows

  1. Complete the Setup Steps and Usage for Windows first
  2. Install the Windows version of MongoDB (https://www.mongodb.org/downloads)
  3. Install PyMongo library
  4. Config your own MongoDB settings: C:\AndroBugs_Framework\androbugs-db.cfg
  5. Choose your preferred MongoDB management tool (http://mongodb-tools.com/)
  6. AndroBugs_MassiveAnalysis.exe -h
    • Example: AndroBugs_MassiveAnalysis.exe -b 20151112 -t BlackHat -d .\All_Your_Apps\ -o .\Massive_Analysis_Reports
  7. AndroBugs_ReportByVectorKey.exe -h
    • Example: AndroBugs_ReportByVectorKey.exe -v WEBVIEW_RCE -l Critical -b 20151112 -t BlackHat

Usage for Unix/Linux

To run the AndroBugs Framework:

python androbugs.py -f [APK file]

To check the usage:

python androbugs.py -h

Usage of Massive Analysis Tools for Unix/Linux

Prerequisite: Setup MongoDB and config your own MongoDB settings in "androbugs-db.cfg"

To run the massive analysis for AndroBugs Framework:

python AndroBugs_MassiveAnalysis.py -b [Your_Analysis_Number] -t [Your_Analysis_Tag] -d [APKs input directory] -o [Report output directory]
Example:
python AndroBugs_MassiveAnalysis.py -b 20151112 -t BlackHat -d ~/All_Your_Apps/ -o ~/Massive_Analysis_Reports

To get the summary report and all the vectors of massive analysis:

python AndroBugs_ReportSummary.py -m massive -b [Your_Analysis_Number] -t [Your_Analysis_Tag]
Example:
python AndroBugs_ReportSummary.py -m massive -b 20151112 -t BlackHat

To list the potentially vulnerable apps by Vector ID and Severity Level (Log Level):

python AndroBugs_ReportByVectorKey.py -v [Vector ID] -l [Log Level] -b [Your_Analysis_Number] -t [Your_Analysis_Tag]
python AndroBugs_ReportByVectorKey.py -v [Vector ID] -l [Log Level] -b [Your_Analysis_Number] -t [Your_Analysis_Tag] -a
Example:
python AndroBugs_ReportByVectorKey.py -v WEBVIEW_RCE -l Critical -b 20151112 -t BlackHat
python AndroBugs_ReportByVectorKey.py -v WEBVIEW_RCE -l Critical -b 20151112 -t BlackHat -a

Requirements

  • Python 2.7.x (DO NOT USE Python 3.X)
  • PyMongo library (If you want to use the massive analysis tool)


Download tool: https://goo.gl/9Dc3Ea