<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss2full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:wfw="http://wellformedweb.org/CommentAPI/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:sy="http://purl.org/rss/1.0/modules/syndication/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" version="2.0">

<channel>
	<title>TheXero</title>
	
	<link>http://www.thexero.co.uk</link>
	<description>Only by understanding the attacker can you effectively protect yourself!</description>
	<lastBuildDate>Sun, 24 Mar 2013 14:00:43 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	
		<atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" type="application/rss+xml" href="http://feeds.feedburner.com/thexerocouk" /><feedburner:info xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" uri="thexerocouk" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com/" /><item>
		<title>White Papers – Bypassing Address Space Layout Randomization</title>
		<link>http://www.thexero.co.uk/papers/address-space-layout-randomization</link>
		<comments>http://www.thexero.co.uk/papers/address-space-layout-randomization#comments</comments>
		<pubDate>Thu, 31 Jan 2013 15:56:40 +0000</pubDate>
		<dc:creator>Toby</dc:creator>
				<category><![CDATA[White Papers]]></category>

		<guid isPermaLink="false">http://www.thexero.co.uk/?p=50</guid>
		<description><![CDATA[A previously unpublished paper that I wrote for the Infosec Institute about ASLR. Bypassing Address Space Layout Randomization]]></description>
				<content:encoded><![CDATA[<p>A previously unpublished paper that I wrote for the Infosec Institute about ASLR.</p>
<p><a href="http://www.thexero.co.uk/downloads/ASLR.pdf">Bypassing Address Space Layout Randomization</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.thexero.co.uk/papers/address-space-layout-randomization/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Tools – Automated HTTP Enumeration</title>
		<link>http://www.thexero.co.uk/tools/automated-http-enumeration</link>
		<comments>http://www.thexero.co.uk/tools/automated-http-enumeration#comments</comments>
		<pubDate>Thu, 31 Jan 2013 15:49:58 +0000</pubDate>
		<dc:creator>Toby</dc:creator>
				<category><![CDATA[Tools]]></category>

		<guid isPermaLink="false">http://www.thexero.co.uk/?p=45</guid>
		<description><![CDATA[A tool I’ve been writing to enumerate the enabled HTTP methods supported on a web server. Currently only in the initial beta stage, but includes basic checking of files including the Apache server-status as well as IIS WebDAV and Microsoft FrontPage Extensions, many more features will be added to this tool which will make a lot of the enumeration process quick ...]]></description>
				<content:encoded><![CDATA[<p>A tool I’ve been writing to enumerate the enabled HTTP methods supported on a web server.</p>
<p>It is currently only in the initial beta stage, but it already includes basic checks for files such as the Apache server-status page, as well as IIS WebDAV and Microsoft FrontPage Extensions. Many more features will be added to this tool, which will make a lot of the enumeration process quick and simple.</p>
<p>Version 0.2 adds scanning over SSL / TLS, as well as an option for probing delays and general bug fixes.</p>
<p>Version 0.3 adds support for Microsoft SharePoint as well as WebDAV for Apache httpd.</p>
<p>The Python script and files can be downloaded from <a href="http://www.thexero.co.uk/downloads/http-enum.tar">www.thexero.co.uk/downloads/http-enum.tar</a></p>
<p>Stay tuned for updates.<br />
TheXero</p>
]]></content:encoded>
			<wfw:commentRss>http://www.thexero.co.uk/tools/automated-http-enumeration/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Tools – File Transfer Protocol Fuzzer</title>
		<link>http://www.thexero.co.uk/tools/ftp</link>
		<comments>http://www.thexero.co.uk/tools/ftp#comments</comments>
		<pubDate>Thu, 31 Jan 2013 15:49:18 +0000</pubDate>
		<dc:creator>Toby</dc:creator>
				<category><![CDATA[Tools]]></category>

		<guid isPermaLink="false">http://www.thexero.co.uk/?p=43</guid>
		<description><![CDATA[My FTP fuzzing script can now be downloaded from www.thexero.co.uk/downloads/ftools/ftp.zip; any recommendations you may have for improvements would be appreciated. This was a quick and dirty script, but it is very useful when looking for buffer overflow conditions within locally running FTP servers, and it has been used in the real world to find vulnerable servers.]]></description>
				<content:encoded><![CDATA[<p>My FTP fuzzing script can now be downloaded from www.thexero.co.uk/downloads/ftools/ftp.zip; any recommendations you may have for improvements would be appreciated.</p>
<p>This was a quick and dirty script, but it is very useful when looking for buffer overflow conditions within locally running FTP servers, and it has been used in the real world to find vulnerable servers.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.thexero.co.uk/tools/ftp/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Tools – Trivial File Transfer Protocol Fuzzer</title>
		<link>http://www.thexero.co.uk/tools/tftp</link>
		<comments>http://www.thexero.co.uk/tools/tftp#comments</comments>
		<pubDate>Thu, 31 Jan 2013 15:48:27 +0000</pubDate>
		<dc:creator>Toby</dc:creator>
				<category><![CDATA[Tools]]></category>

		<guid isPermaLink="false">http://www.thexero.co.uk/?p=41</guid>
		<description><![CDATA[My TFTP fuzzing script can now be downloaded from www.thexero.co.uk/downloads/ftools/tftp.zip; any recommendations you may have for improvements would be appreciated. This was a quick and dirty script, but it is very useful when looking for buffer overflow conditions within locally running TFTP servers, and it has been used in the real world to find vulnerable servers.]]></description>
				<content:encoded><![CDATA[<p>My TFTP fuzzing script can now be downloaded from www.thexero.co.uk/downloads/ftools/tftp.zip; any recommendations you may have for improvements would be appreciated.</p>
<p>This was a quick and dirty script, but it is very useful when looking for buffer overflow conditions within locally running TFTP servers, and it has been used in the real world to find vulnerable servers.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.thexero.co.uk/tools/tftp/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Penetration – Penetrating “secure” Networks</title>
		<link>http://www.thexero.co.uk/penetration/penetrating-secure-networks</link>
		<comments>http://www.thexero.co.uk/penetration/penetrating-secure-networks#comments</comments>
		<pubDate>Thu, 31 Jan 2013 15:45:58 +0000</pubDate>
		<dc:creator>Toby</dc:creator>
				<category><![CDATA[Penetration]]></category>

		<guid isPermaLink="false">http://www.thexero.co.uk/?p=36</guid>
		<description><![CDATA[In this video we attempt to break into a secure network behind a basic Windows 2003 firewall and AD infrastructure in a Network Address Translation environment. After we have run our Passive Information Gathering we begin Active Information Gathering; launching a quick nmap scan of our target shows that no ports are open, as they are either closed or filtered. Usually in ...]]></description>
				<content:encoded><![CDATA[<p><iframe width="670" height="540" src="http://www.youtube.com/embed/ZQc6Srzo3EQ?list=UUFMgWyakasXnlJvP4ruaklA" frameborder="0" allowfullscreen></iframe></p>
<p>In this video we attempt to break into a secure network behind a basic Windows 2003 firewall and AD infrastructure in a Network Address Translation environment.</p>
<p>After we have run our Passive Information Gathering we begin Active Information Gathering; launching a quick nmap scan of our target shows that no ports are open, as they are all either closed or filtered.</p>
<p>Usually in these circumstances we’d perform further enumeration on the target; however, we quickly realize that attacks directed at the server itself are not likely to work, so we decide to attack a client within the NAT environment using the Internet Explorer Aurora exploit available in the Metasploit framework.</p>
<p>During Passive Information Gathering we are likely to come across several email addresses used by employees, which we can use in our next PenTest efforts to help with client-side attacks.</p>
<p>We start up the Aurora exploit and send an email to the client. When the client clicks on the email link and opens the web page, his browser crashes and sends us a remote Meterpreter shell on his machine, running with his limited credentials.</p>
<p>The first thing we decide to do is elevate our privileges to local system, which will hopefully give us unrestricted access to the machine. Once we acquire system access we decide to dump the local hashes and copy the Administrator hash to our clipboard, hoping that the same Administrator credentials are unfortunately in use on other parts of the network.</p>
<p>Considering the netmask and IP range of the network we can safely assume that the domain controller is located at 192.168.0.1, so we decide to use the client as a pivot point, meaning that we can continue our attacks using the client as a proxy.</p>
<p>We choose to load the psexec exploit module and set the remote host to 192.168.0.1, which is the default gateway for the network and the domain controller. Note that this attack will travel through our already compromised host on the network, so it would appear that the client is doing the attacking, not an outsider.</p>
<p>As we don’t know the password for the administrator account, we use the already obtained hash for the admin and perform a Pass-the-Hash technique. Rather than hashing the password and sending the result to the remote machine, this simply passes the already obtained hash to the target machine.</p>
<p>We get another Meterpreter session, this time from the domain controller, and again we attempt to elevate our privileges to local system. We also dump the Active Directory hashes and attempt to crack them using the Ophcrack rainbow table cracking software, successfully cracking all hashes in under 10 minutes.</p>
<p>We then attempt to create a new user called thexero and add him to the Administrators group and the Remote Desktop Users group. Once completed we attempt to enable Remote Desktop, assuming that it had been disabled for security reasons, and we log in with the new credentials we had just created, using the IP address we scanned earlier.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.thexero.co.uk/penetration/penetrating-secure-networks/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Exploit Development – Abusing the Stack</title>
		<link>http://www.thexero.co.uk/exploit-development/abusing-the-stack</link>
		<comments>http://www.thexero.co.uk/exploit-development/abusing-the-stack#comments</comments>
		<pubDate>Thu, 31 Jan 2013 15:44:18 +0000</pubDate>
		<dc:creator>Toby</dc:creator>
				<category><![CDATA[Exploit Development]]></category>

		<guid isPermaLink="false">http://www.thexero.co.uk/?p=33</guid>
		<description><![CDATA[Once you have successfully developed a working exploit, you will soon realize that it’s a lot simpler and less of a black art than people think. To start with, generally a Stack based Buffer Overflow condition causes the target application to crash by overwriting the pointer to the next instruction, called EIP (Extended Instruction Pointer). We first load up a ...]]></description>
				<content:encoded><![CDATA[<p><iframe width="670" height="540" src="http://www.youtube.com/embed/tJA4RyAJoU8?rel=0" frameborder="0" allowfullscreen></iframe></p>
<p>Once you have successfully developed a working exploit, you will soon realize that it’s a lot simpler and less of a black art than people think.</p>
<p>To start with, a stack-based buffer overflow condition generally causes the target application to crash by overwriting the pointer to the next instruction, called EIP (Extended Instruction Pointer).</p>
<p>We first load up a simple Python-based fuzzer script and attempt to fuzz a free FTP server called FreeFloat FTP Server, which is hosted on a machine in the lab with the IP of 192.168.72.129.</p>
<p>The program stops responding to our FTP requests after roughly 300 A’s following the USER command.</p>
<p>We then load the program into Immunity Debugger and attempt to replicate the crash once again, hoping it will tell us a little bit more about the crash. In this case the target application crashed because EIP had been completely overwritten with 41414141, which is the hex equivalent of four letter A’s.</p>
<p>For simplicity’s sake we decide to export the target IP address and port to our local environment variables, so that the chance of entering the wrong target address is minimized.</p>
<p>We then load up Metasploit’s Pattern Create tool, which creates a unique string that we can use in place of the buffer to identify the exact offset at which the EIP overwrite occurs, which turns out to be 230.</p>
<p>We then modify our buffer to include 230 A’s, followed by DEADBEEF as the address to overwrite EIP with; the rest of our buffer overflows onto the stack at the location the ESP register points to. This means that if we overwrite EIP with a memory address that holds the assembly instruction JMP ESP, then hopefully we can jump to ESP and execute the next set of instructions.</p>
<p>We then send all hex bytes (minus 00, as it would kill our TCP connection to the FTP server) and attempt to identify any bad characters that would need to be excluded from our shellcode later on.</p>
<p>Metasploit is then opened with the console interface and we begin to create test shellcode that will run the Windows calculator application, excluding the bad characters identified previously from the payload. As the payload is encoded, we had to add 8 NOPs to our buffer so that there was sufficient room for the payload to decode itself.</p>
<p>Once the test shellcode is added we test our exploit, which will hopefully crash the application once again but at the same time execute our code and open the Windows calculator; this ended up working as planned.</p>
<p>We go back to Metasploit and create a Windows reverse shell payload, again excluding the bad characters found, and write all the hex bytes to a file called shellcode, which we then open with gedit.</p>
<p>We then replace the test Windows calculator payload with the first stage of our newly created staged Windows reverse shell payload to complete our exploit.</p>
<p>Then we set up a Metasploit listener on port 4444 for a staged Windows reverse shell and execute our exploit, which results in the target machine connecting back to our machine. As we chose a staged payload, our machine delivers stage 2 of the payload, creating a full reverse Windows command prompt on our machine, and from then on we have full control over that session.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.thexero.co.uk/exploit-development/abusing-the-stack/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>WiFu – Cracking Hidden / Invisible Networks</title>
		<link>http://www.thexero.co.uk/wifu/episode-5</link>
		<comments>http://www.thexero.co.uk/wifu/episode-5#comments</comments>
		<pubDate>Thu, 31 Jan 2013 15:29:14 +0000</pubDate>
		<dc:creator>Toby</dc:creator>
				<category><![CDATA[WiFu]]></category>

		<guid isPermaLink="false">http://www.thexero.co.uk/?p=22</guid>
		<description><![CDATA[In this demonstration, we attempt to break into a hidden network. These networks won’t let you connect to them like a usual WiFi network, as you won’t be able to see them because they do not broadcast their SSID. Firstly, after activating monitor mode on my Alfa AWUS036H adapter, we start airodump-ng on channel 6 and listen for any networks. ...]]></description>
				<content:encoded><![CDATA[<p><iframe width="670" height="540" src="http://www.youtube.com/embed/3VaVtfKO2U4?rel=0" frameborder="0" allowfullscreen></iframe></p>
<p>In this demonstration, we attempt to break into a hidden network. These networks won’t let you connect to them like a usual WiFi network, as you won’t be able to see them because they do not broadcast their SSID.</p>
<p>Firstly, after activating monitor mode on my Alfa AWUS036H adapter, we start airodump-ng on channel 6 and listen for any networks.</p>
<p>After noticing the hidden network we stop airodump-ng and start it again on channel 6, saving the captured data to a file called hidden.</p>
<p>Noticing that there was an already authenticated client, we start up aireplay-ng and attempt to de-authenticate the client, forcing it to re-authenticate with the network and revealing the hidden SSID, which in this case was Cisco.</p>
<p>After we discovered the SSID we then attempt to authenticate with the network Cisco and start the ARP Request Replay attack to increase the rate at which new IVs are generated and crack the WEP key for the network.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.thexero.co.uk/wifu/episode-5/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>WiFu – ARP Amplification</title>
		<link>http://www.thexero.co.uk/wifu/episode-4</link>
		<comments>http://www.thexero.co.uk/wifu/episode-4#comments</comments>
		<pubDate>Thu, 31 Jan 2013 15:26:27 +0000</pubDate>
		<dc:creator>Toby</dc:creator>
				<category><![CDATA[WiFu]]></category>

		<guid isPermaLink="false">http://www.thexero.co.uk/?p=20</guid>
		<description><![CDATA[Using ARP to our advantage we can greatly increase our IV generation rates. ARP amplification is a very advanced topic and should not be attempted by newcomers. In this demonstration, we first perform a standard 1 – 1 attack by creating a generic ARP broadcast request and our injection rates are around 400, which is considered pretty good. ...]]></description>
				<content:encoded><![CDATA[<p><iframe width="670" height="540" src="http://www.youtube.com/embed/F970UdMRqhA" frameborder="0" allowfullscreen></iframe></p>
<p>Using ARP to our advantage we can greatly increase our IV generation rates. ARP amplification is a very advanced topic and should not be attempted by newcomers.</p>
<p>In this demonstration, we first perform a standard 1 – 1 attack by creating a generic ARP broadcast request; our injection rates are around 400, which is considered pretty good.</p>
<p>While attacking a network it is possible to find out the address ranges that are used, and even an associated client’s IP, using attacks like the KoreK ChopChop. With this information you can potentially more than double your IV generation rates by sending an ARP request to an existing WiFi client, which will create a 1 – 3 IV generation rate.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.thexero.co.uk/wifu/episode-4/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
