Monday, December 13, 2010

Metasploit HTTP fuzzer v0.2 - Tutorial

The main idea of this post is give an overview of the fuzzer that I developed. I don't think it is an state of the art fuzzer. Actually, I think it is pretty dumb fuzzer but I feel it can help a lot if you know how to configure it and use metasploit at the same time.

To start using the fuzzer download the file from here and save it in the metasploit msf3 folder under "/modules/auxiliary/fuzzers/http/"

Start msfconsole and type: use auxiliary/fuzzers/http/http_fuzz

Now, starting with the basic, the options. This tool can provide different kind of fuzzing types depending on what the user needs. The main idea behind the tool is to help in the discovery of common problems on web applications and also help with the identification of vulnerabilities by fuzzing specific parameters. The following are the options that the fuzzer provides.



Some of this options I feel are self explanatory if you look at the description. However, some of this might not be so intuitive. Because of this I will explain with some examples.

Example 1 - NUMERIC Fuzzing (TYPE 1)
1. Configure fuzzing point
The first thing that you have to do is to pick the parameter of the application that you want to fuzz. You can do this by browsing through the application (using a proxy or not) and selecting the parameters that you want to test. In this example I will use the fuzzer just to discover specific valid pages on the application and identify valid pages. Lets say that we find a website that will allow the follow GET request: http://web_app/about/news?id=24 . Now, if we want to play with the id  parameter the only thing that we will have to do is configure the fuzzing point. On mfconsole type:

msf auxiliary(http_fuzz) > set VHOST web_app
VHOST => web_app
msf auxiliary(http_fuzz) > set RHOST host_IP
RHOST => host_IP
msf auxiliary(http_fuzz) > set PATH /about/news?id={X}24{X}
PATH => /about/news?id={X}24{X}


2. Configure METHOD

msf auxiliary(http_fuzz) > set METHOD GET
METHOD => GET


3. Configure TYPE of fuzzing - Now you just have to select the TYPE of fuzzing and depending on that other parameters will have to be configured. For this example we will select Numeric fuzzing.

msf auxiliary(http_fuzz) > set TYPE 1
TYPE => 1


4. Configure START and STOP

msf auxiliary(http_fuzz) > set START 24
START => 24
msf auxiliary(http_fuzz) > set STOP 100
STOP => 100


5. Start the fuzzer

msf auxiliary(http_fuzz) > run

[*] Fuzzing...
[*] Start number: 24
[*] Stop Number: 100
[*] Iterations 77
[*] No Headers provided
[*] No BODY was provided as a part of the request
[*] No Cookies were provided as a part of the request
[*] You need to create a database and connect to it if you the DATABASE option to work.
[*] Running fuzzer against http//ip_address/about/news?id={X}24{X}
[*] | ID | CODE |  LENGTH | RESP TIME | TEST VALUE

[*] | 1 |  302 |  350  | 0.348529465 | 24
[*] | 2 |  302 |  350  | 0.302565619 | 25
[*] | 3 |  302 |  350  | 0.377012325 | 26
[*] | 4 |  302 |  350  | 0.335730538 | 27
[*] | 5 |  302 |  350  | 0.399629274 | 28
[*] | 6 |  302 |  350  | 0.301453555 | 29
...
[*] | 77 |  302 |  350  | 0.301453555 | 100
[*] Auxiliary module execution completed
msf auxiliary(http_fuzz) > 


Example 2 - STRING Fuzzing (TYPE 2)
A similar kind of  fuzzing can be done using the STRING fuzzing (set TYPE 2). The only difference is that instead of providing numbers at the START and STOP options you will have to provide strings. For example:

msf auxiliary(http_fuzz) set START a
msf auxiliary(http_fuzz) set STOP zzzzz

This will basically go through all the string from a-zzzz on the selected parameter

Example 3 - CUSTOM Fuzzing (TYPE 3)
I will assume that selecting a fuzzing point and a method (GET or POST) are already explained in Example 1. For using the custom fuzzing option you just have to define the characters that you want to use during fuzzing. In this example it is assumed that the fuzzing point has been already selected.

1. Configure TYPE of fuzzing

msf auxiliary(http_fuzz) > set TYPE 3
TYPE = 3


2. Configure CHARS for fuzzing. The default CHARS to use while using this option are: abcdefghijklmnopqrstwxiz1234567890$%/(= . Look at the advanced options of this module to review them (show advanced)

msf auxiliary(http_fuzz) > show advanced

If you want to change this characters use the set CHARS command. For example:

msf auxiliary(http_fuzz) > set CHARS abc123&^$
CHARS => abc123&^$

3. Set the number of POSITIONS that you want the fuzzer to test. For example if you select only two CHARS ("ab") and two POSITIONS. The fuzzer will try the following strings: [a,b,ab,ba,aa,bb] . It is recommended that the number of positions matches the number of character provided by the user. This is the only way to provide all possible options.

msf auxiliary(http_fuzz) > set POSITIONS 3
POSITIONS => 3
msf auxiliary(http_fuzz) > set CHARS abc
CHARS => abc


4. Run the FUZZER over the specific parameters that you want to test. Remember to always enclose the parameter that you want to substitute on the request with: {X}PARAMETER{X}

msf auxiliary(http_fuzz) > run


Example 4 - FILE Fuzzing (TYPE 4)
I guess this option could be also called fuzzing using a file instead of "file fuzzing" to avoid confusions. I apologize if I made someone believe that this option is the typical file fuzzing .

FILE fuzzing is option '4' of the fuzzer. This option will basically allow you to choose a file that will contain a sequential list of all the words/characters/numbers or whatever thing makes sense to use for fuzzing. The idea of this options to allow the user to dynamically use any word list that they want to use. I have used this to discover files or directories on web servers but it can basically used depending on any situation that you want. Another way that I have used this I have put together a list of SQL injections or XSS commands and fuzz on an specific parameter. For a list of this that you can include in this file I recommend the tool created by Rsnake a couple o years ago: "NoMore1=1" (or something like that..)  At the end of the day it is up to you to imagine how to use this functionality...

A small example would be:

msf auxiliary(http_fuzz) > set TYPE 4
TYPE => 4
msf auxiliary(http_fuzz) > set PATH /{X}a{X}/
PATH => /{X}a{X}/
msf auxiliary(http_fuzz) > set RHOST host_ip
RHOST => IP_ADDRESS
msf auxiliary(http_fuzz) > set VHOST web_app.com
VHOST => IP_ADDRESS

msf auxiliary(http_fuzz) > set FILE wmap_dirs.txt
FILE => wmap_dirs.txt

msf auxiliary(http_fuzz) > run


[*] Fuzzing...
[*] Number of requests 2346
[*] No Headers provided
[*] No BODY was provided as a part of the request
[*] No Cookies were provided as a part of the request
[*] Running fuzzer against http//IP_ADDRESS/{X}a{X}/
[*] | ID | CODE |  LENGTH | RESP TIME | TEST VALUE

[*] | 1 |  404 |  1635  | 0.125380119 | 0
[*] | 2 |  404 |  1635  | 0.140205328 | 00001
[*] | 3 |  404 |  1635  | 0.137170723 | 0001
[*] | 4 |  404 |  1635  | 0.15165385 | .CVS
[*] | 5 |  404 |  1635  | 0.134547762 | ...
[*] | 6 |  404 |  1635  | 0.150078353 | 0day
[*] | 7 |  404 |  1635  | 0.147979133 | 001
[*] | 8 |  404 |  1635  | 0.151717669 | 1
[*] | 9 |  404 |  1635  | 0.152698101 | 007
[*] | 10 |  404 |  1635  | 0.184284936 | 04
.
.
... and so on

Example 5 - RADOM CHARS Fuzzing (TYPE 5)
Although this option might seem repetitive I believe it is not, I'll explain. Sometimes when you are looking for specific vulnerabilities in an web application it is easier to use random characters in a number of parameters and identify how the application responds to them. This will help the attacker to identify injection points (sql or XSS) or other any strange behavior on the application such as redirections. Although this same type of fuzzing might be accomplished by configuring option '3' of the fuzzer I though it come really handy to have it just by changing the fuzzing type.

msf auxiliary(http_fuzz) > set TYPE 5
msf auxiliary(http_fuzz) > set PATH /eng/News.asp?id={X}a{X}
PATH => /eng/News.asp?id={X}a{X}
msf auxiliary(http_fuzz) > set RHOST host_ip
RHOST => IP_ADDRESS
msf auxiliary(http_fuzz) > set VHOST web_app.com
VHOST => IP_ADDRESS
msf auxiliary(http_fuzz) > run

[*] Fuzzing...
[*] Number of requests 185372
[*] No Headers provided
[*] No BODY was provided as a part of the request
[*] No Cookies were provided as a part of the request
[*] Running fuzzer against http//ip_address/eng/News.asp?id={X}a{X}
[*] | ID | CODE |  LENGTH | RESP TIME | TEST VALUE

[*] | 1 |  200 |  133  | 0.544628639 | '
[*] | 2 |  200 |  17922  | 0.662964496 | /
[*] | 3 |  200 |  17922  | 0.693027466 | |
[*] | 4 |  200 |  17922  | 0.712019893 | "
.
.
... and so on

In this specific example although we get as a response a HTTP CODE 200 when you look at the LENGTH column you can see that something is happening in the application when we use the ' (single column) character. That is the main purpose of this option; identify the character that might lead to an injection or something worth to look further more.


Example 6 -SQL injection Fuzzing (TYPE 6)
The main purpose of this options is to use it once you already detected an injection point and run it on that parameter just. I mean in my opinion this is straight forward. Set the fuzzing parameter and run the module. In order for this option to work you can have to download the sql_injections file that is in the site where and save it under the msf directory /msf3/data/wordlists/. Go here if you want to download it.

msf auxiliary(http_fuzz) > set TYPE 6
TYPE => 6
msf auxiliary(http_fuzz) > set PATH /english/news.php?id=48{X}a{X}

msf auxiliary(http_fuzz) > run

[*] Fuzzing...
[*] Number of requests 151
[*] No Headers provided
[*] No BODY was provided as a part of the request
[*] No Cookies were provided as a part of the request
[*] Running fuzzer against http//host_ip/english/news.php?id=48{X}a{X}
[*] | ID | CODE |  LENGTH | RESP TIME | TEST VALUE

[*] | 1 |  200 |  8792  | 0.369505342 | ' or 'one'='one
[*] | 1 |  200 |  8792  | 0.417652944 | ' and 'one'='one
[*] | 1 |  200 |  11846  | 0.493800398 | and 1=1
[*] | 1 |  200 |  11846  | 0.537422557 | ' or 'one'='one--
[*] | 1 |  200 |  11846  | 0.598660924 | and 1=1--


Example 7 - LONG Strings (TYPE 7)
This is basically a regular dumb fuzzing type. With this option the only thing that you have to do is define the parameter to be fuzzed, define the STEP (number of characters increased every request) and the DEPTH (maximum number of characters to be used). NOTE:  STEP<= DEPTH

msf auxiliary(http_fuzz) > set TYPE 7
TYPE => 7
msf auxiliary(http_fuzz) > set PATH /english/news.php?id={X}a{X}
PATH => /english/news.php?id={X}a{X}
msf auxiliary(http_fuzz) > set DEPTH 1000
DEPTH => 1000
msf auxiliary(http_fuzz) > set STEP 10
STEP => 10
msf auxiliary(http_fuzz) > run

[*] Fuzzing...
[*] Number of requests 101
[*] No Headers provided
[*] No BODY was provided as a part of the request
[*] No Cookies were provided as a part of the request
[*] Running fuzzer against http//host_ip/english/news.php?id={X}a{X}
[*] | ID | CODE |  LENGTH | RESP TIME | TEST VALUE

[*] | 1 |  200 |  8611  | 0.331915432 | XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
[*] | 2 |  200 |  8611  | 0.334508011 | XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
[*] | 3 |  200 |  8611  | 0.351879703 | XXXXXXXXXXXXXXXXXXXX
[*] | 4 |  200 |  8611  | 0.41747247 | X
[*] | 5 |  200 |  8611  | 0.442105074 | XXXXXXXXXX
[*] | 6 |  200 |  8611  | 0.318690562 | XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
[*] | 7 |  200 |  8611  | 0.326300747 | XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
[*] | 8 |  200 |  8611  | 0.361352691 | XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

NOTE:* During this fuzzing option the advanced option PRINT_PARAM might come handy. Look at the end of this post for the description of advanced options.


Example 8 -TRANSVERSAL Fuzzing (TYPE 8)
The last option is also straight forward. This will do a transversal fuzzing where the fuzzing parameter is defined.  

msf auxiliary(http_fuzz) > set TYPE 8
TYPE => 8
msf auxiliary(http_fuzz) > set PATH /{X}a{X}
PATH => /{X}a{X}
msf auxiliary(http_fuzz) > set DEPTH 1000
DEPTH => 1000
msf auxiliary(http_fuzz) > set STEP 10
STEP => 10
msf auxiliary(http_fuzz) > run

[*] Fuzzing...
[*] Number of requests 84
[*] No Headers provided
[*] No BODY was provided as a part of the request
[*] No Cookies were provided as a part of the request
[*] Running fuzzer against http//host_ip/{X}a{X}
[*] | ID | CODE |  LENGTH | RESP TIME | TEST VALUE

[*] | 1 |  400 |  226  | 0.236811028 | ..\
[*] | 2 |  400 |  226  | 0.250760777 | %2e2e%2f
[*] | 3 |  400 |  226  | 0.22901241 | %2e2e%5c
[*] | 4 |  400 |  226  | 0.246130438 | ..%255c
[*] | 5 |  400 |  226  | 0.240181706 | ../
[*] | 6 |  400 |  226  | 0.163898769 | ..%u2216
[*] | 7 |  404 |  228  | 0.168686738 | ..\..\..\..\..\..\..\..\..\..\
[*] | 8 |  400 |  226  | 0.173574304 | %2e2e%5c%2e2e%5c%2e2e%5c%2e2e%5c%2e2e%5c%2e2e%5c%2e2e%5c%2e2e%5c%2e2e%5c%2e2e%5c
[*] | 9 |  400 |  226  | 0.183728038 | %2e2e%2f%2e2e%2f%2e2e%2f%2e2e%2f%2e2e%2f%2e2e%2f%2e2e%2f%2e2e%2f%2e2e%2f%2e2e%2f
[*] | 10 |  400 |  226  | 0.198060237 | ../../../../../../../../../../
[*] | 11 |  404 |  278  | 0.157729548 | %2e2e%5c%2e2e%5c%2e2e%5c%2e2e%5c%2e2e%5c%2e2e%5c%2e2e%5c%2e2e%5c%2e2e%5c%2e2e%5c%2e2e%5c%2e2e%5c%2e2e%5c%2e2e%5c%2e2e%5c%2e2e%5c%2e2e%5c%2e2e%5c%2e2e%5c%2e2e%5c
[*] | 12 |  400 |  226  | 0.163983692 | ..%u2216..%u2216..%u2216..%u2216..%u2216..%u2216..%u2216..%u2216..%u2216..%u2216
[*] | 13 |  400 |  226  | 0.160496726 | ../../../../../../../../../../../../../../../../../../../../
.
.
.
and so on

Database Support
I hate doing this but this is not yet supported. Although this is something that I feel it is awesome about mestaploit and I want to use it for this tool I have not been able to store all the responses in the database without raising exceptions on the encoding. When I fix this bug I will put a complete tutorial on the support of this. The main idea will be to do:

set DATABASE true
db_connect user@DATABASE

and from this pront forward everything will be stored on a database that later on you can use for reference.

If you have an idea or have gone through this problem a solution will be greatly appreciated and payed with a beer at Defcon.

NOTE: If you want to enable database support please on the metasploit console write: gem install htmlentities

Advanced options explained
Almost all metasploit modules have advanced options that should be considered while running them. This is not the exception (command:"show advanced"). The following are the options that will allow the user to have a more fitted fuzzing.

CODE and USE_HTTP_CODE

This option will make the fuzzer to display on the console only the error code that you are interested in (e.g. 500). Usually when an injection point or something else interesting in the application is identified the web server will return an internal error code: 500. That is why this is the default value in this tool. However, as you might already know you can configure the webserver to return only specific codes. That is why you can choose whatever code makes more sense to you and the application you are testing: 302, 200, 401, etc

Name           : USE_HTTP_CODE
Current Setting: false
Description    : Only display HTTP responses that with an specific HTTP code


Name           : CODE

Current Setting: 500
Description    : Response HTTP code to display during fuzzing. . e.g. 500



PHRASE
This option allows you to search for specific phrase on the response while fuzzing a web server. Lets say that you are looking for an error based injection and you are only concerned when the response from the server contains the following text: "
Warning: mysql_num_rows()". The only thing that you have to do is to set the PHRASE to that specific text that you are looking for. This is only an example but it can also be helpful to search for specific thing on javascript.



Name           : PHRASE
Current Setting: 
Description    : Phrase or string to look for in the response body


PRINT_PARAM
This option allows you to configure the fuzzer to not print the test parameter that it using on each request. This is incredibly helpful when you use options number 7 or 8 (LONG STRINGS or TRANSVERSAL) which will basically print a lot of character on the console.

Name           : PRINT_PARAM
Current Setting: true
Description    : Print fuzz parameneter on the status.

THREADS
Number of threads that you want to use while fuzzing. The default number is 5 although you can set it up to whatever number you want. Please be careful if you play with this option since this will consume a significant amount of memory if you set it to a bigger number.

Name           : THREADS
Current Setting: 5
Description    : Number of Threads


Again, I hope this helps someone. 

c4an.




Monday, November 15, 2010

VXworks - Open can of worms...

I am not sure why I forgot to publish a comments about this before. Probably because I was busy with other things at the time. Anyways, as a lot of you guys already might know, HD Moore gave a presentation on Defcon about VXworks operating system and some security vulnerabilities that he identified during his investigation over a number of devices that use this operating system. A lot of the details have already been published by HD in the metasploit blog. However, I would like to add, people if you have not tested or use these modules on your pentests I will just say: DO IT!!

I remember one of the things that HD Moore mentioned starting his presentation at Defcon was: "Have you ever seen some high weired ports on your pentests and just because you did not know what the service was about you will move to the next service, well.."... I mean it was something like that. Well I remember having at least two pentests where I saw some of these VXworks ports and did not pay a lot of attention after playing with them a little bit. Shame on me... the UDP port 17185 does not ring a bell but after you read the info in the metasploit blog it will.

Well, I just wanted to throw this out there and since all the info is already posted out I will not waste your time anymore.

Happy hacking.

c4an.

SAP application server default passwords

This is something that I want to share here just because sometimes I forget the links that I see out there. So just for the sake of it this a link to another page where I found the following info:



SAP*:06071992 clients: 000 001 066 and custom
DDIC:19920706 clients: 000 001 066 and custom
SAPCPIC:admin clients: 000 001
EARLYWATCH:support clients: 000 001 066
TMSADM:password clients: 000 001

Sunday, September 5, 2010

Metasploit HTTP fuzzer

This is a tool that I developed because I thought it was kind of missing on the metasploit framework. The main purpose of this tool is to help testing a web app for different problems using a custom requests. I think this is needed because scanners often the miss simple vulnerabilities because of the fact that they rely on a specific signature to identify them. Although they are really helpful to identify vulnerabilities on large web apps, almost all the times will miss basic vulnerabilities like SQL injections or XSS just because they did not test a parameter or because they are looking for a specific response code that in a lot of cases will never be returned by the web site. My opinion is that manual and semi-automated testing is the best approach to identify web app vulns. This is where this tool might be helpful.

The types of of iterations that you can use are:

1 NUMERIC Fuzzing
2 STRING Fuzzing
3 CUSTOM Fuzzing. Define POSITIONS and advanced option CHARS
4 File (Provide a File to use)
5 RANDOM Characters e.g. �\!"#$%&/()='
6 SQL injection (will use Msf::Config.install_root/data/wordlists/sql_injections.txt)
7 Long strings eg. A x 10000

Things that you might want to try while using this tool:
- Use methods GET or POST
- Configure a COOKIE and fuzz
- Add custom HEADERS and fuzz
- Review log file created at the end of each fuzzing session
- Create your own wordlist file and provide it to the fuzzer using TYPE 4 option
Some ideas of custom files: XSS, SQL Queries, Folders or directories, common files,
transversal, passwords, etc.
- Use advanced options to only show responses with specific CODE (e.g. 500)
- Use advanced options to stop fuzzing when a phrase is found in the response
Phrase example: "[SQLServer]"

Module Options

msf > use auxiliary/fuzzers/http/http_fuzz
msf auxiliary(http_fuzz) > show options




Basic configuration

msf > use auxiliary/fuzzers/http/http_fuzz
msf auxiliary(http_fuzz) > show options



msf > use auxiliary/fuzzers/http/http_fuzz
msf auxiliary(http_fuzz) > set RHOST TARGET_IP
RHOST => TARGET_IP
msf auxiliary(http_fuzz) > set PATH /news/news.cfm?ID={X}3869{X}
PATH => /news/news.cfm?ID=3869
msf auxiliary(http_fuzz) > set VHOST TARGET.com
VHOST => TARGET.com
msf auxiliary(http_fuzz) > set TYPE 1
TYPE => 1
msf auxiliary(http_fuzz) > set START 1
START => 1
msf auxiliary(http_fuzz) > set STOP 200
STOP => 200
msf auxiliary(http_fuzz) > run

[*] Fuzzing...
[*] Start number: 1
[*] Stop Number: 200
[*] Iterations 200
[*] No Headers provided
[*] No BODY was provided as a part of the request
[*] No Cookies were provided as a part of the request
[*] Running fuzzer against https//TARGET_IP/news/news.cfm?ID={X}3869{X}
[*] | ID | CODE | LENGTH | RESP TIME | TEST VALUE

[*] | 1 | 301 | 172 | 0.137653884 | 1
[*] | 2 | 301 | 172 | 0.132698855 | 2
[*] | 3 | 301 | 172 | 0.149321481 | 3
[*] | 4 | 301 | 172 | 0.140961011 | 4
[*] | 5 | 301 | 172 | 0.143869671 | 5

... and so on

[*] Log file was created: /opt/metasploit3/msf3/data/fuzz_log/all_req_resp.xml
[*] Auxiliary module execution completed



Download http-fuzz.rb from here and include it into the following metasploit directory: /msf3/modules/auxiliary/fuzzers/http/

Also, download from the same link the sample list of sql injections into the folder /msf3/data/wordlists/ to enable option 6 of the fuzzer.

Things that I know are missing:
- Implement multiple fuzzing parameters
- Threads
- Need to implement follow redirects OPTION (302 response)
- Need to implement NTLM auth to test apps as valid user
- Auxiliary tool to read and search inside log

Other great tools that can be used for the similar purposes are:
- Burp Suite
- CAT (I really recommend this one)
- Webscarab
etc

See post on proxys for further reference: HTTP web proxies

I hope this helps someone. Please send me comments if something is broken or not working. I will be glad to help :)

c4an

Saturday, September 4, 2010

HTTP web proxies

Today I am posting my opinion about the proxies that I have used on my pentests. I am going to focus on three of them since those are the ones that I use the most.

The tools:

When I usually perform external application tests I tend to use Fiddler, Burp Suite and an incredible tool that is called CAT (Context Application Tool). My take on these tools is that they are awesome and provide a great value to people that use them. Obviously, they all have there limitations but overall they help a lot (I cannot imagine person doing a web app test without using a web proxy of some kind). The following is the list of CONS and PROS that I see in each tool after using them for a long time.

Fiddler
MITM proxy for windows developed on .NET. This tool is great to just browse and understand applications. It allows you to look at all sessions being created and since it is developed over .NET will work with all web applications without problems when dealing with certificates or NTLMv2 authentication.

CONS:
- .NET = Windows (Please don't say MONO. I have not tested over Linux but when doing pentests want I don't want to waste time on functionality issues so I use two different VMs, one linux and one windows for my tests)
- Limited in functionality: No fuzzer included, limited plugins, and search engine is limited when you want to find specific patterns
- Cannot automatically scan

PROS
- Saves all requests and responses into sessions that you can later see for further analysis. Even if you need evidence that you forgot to take
- FREE!
- Plugins available that will also make your life easier
- Loading previous sessions is easy and fast no matter the amount of requests


Burp Suite
Most know tool. This has been out there forever. It started as a free tool and when it started to grow the developers started to charge users for specific functionality (PRO version). I don't thing this is bad since sometimes maintaining a tool like this will take a lot of effort and time. I will focus on the free version since that is what I use.

CONS
- It has happened to me that the tool does not works as expected when the web application uses NTLM authentication
- Limited functionality to send a large a mount of request with different parementers
- I feel that sometimes this tools is slower than the ones that I have seen. But I know CAT it is considerably faster and reliable sending large amount of requests
- The free version doesn't allow you to save sessions so if you close the proxy or if it crashes without saving a screen shoot or something that will help you to remind what were you testing you are screwed.(think that pentests go for more than one day)
- Personally, I hate the java GUI.

PROS
- Embedded spider with tree view
- Not dependent on the operating system, can run on windows and Linux
- Embedded decoder << great feature and really helpful!!
- Embedded sequencer for token or cookie tests
- Overall it is great tool with limitations when used on the free version... as expected

CAT
This tool came out not that long ago and in my opinions it is awesome. It is also developed over .NET and works like a charm almost all the time.

CONS
- .NET = Windows (Please don't say MONO again but feel free to try it)
- Has some problems when handling really long files on the fuzzer for the wordlists
- When fuzzing a lot of words (>10000) and saving the requests on the results window the tool will start to slow down due to memory consumption so you have to periodically
delete requests during large fuzzing or wait until it ends
- When loading previous sessions, if the session involves a lot of fuzzing the tool can just crash or not respond for a loooongg time.

PROS
- Embedded Fuzzer
- XSS, SQLi and CSRF scanner. Usually they work pretty well
- Saves all the sessions and allows you to review them later
- FREE!
- Fuzzer is really fast and allows a lot of customization with easy and straight
forward GUI
- Number of files to try while using the fuzzer (common folders, files, passwords, users, SQL, fuzzing)

My final take on this is that these three tools provide something different and good to users. In most cases they have to be used together while testing web applications since none of them will provide everything. Although I hate to say it the one that I like the most is CAT because of the fuzzing capabilities and because it is free, though I hate is .NET. I guess if I could use Burp Suite Pro capabilities for free and change the java GUI I will stick to that tool. However , I use the three of them in all my tests since I don't have any money or funding.

c4an.

Sunday, August 22, 2010

Cold Fusion article.cfm SQL injection

Hi,

This is another quick post. While browsing through the web and looking at specific pages that I wanted to test there was one website that had Cold Fusion 8 installed to manage content in it. I started playing with the pages and in less than 5 minutes of browsing a SQL injection pop up in front of me. At first I thought that this was only a programming problem on the web site that I was testing but after a digging a little bit more I find out that this is a persisten vuln in a lot of the cold fusion websites that you can find out there.

Now, this was already reported by someone as a problem before (I think it was reported in 2000) so I am not taking responsibility for its discovery and honestly this is so basic that who would like to take the responsibility for reporting this. If you want the details google. However, I wanted to post this article because it was amazing to me the number of sites that have this vuln . So here it comes:

Just look in google using the following query:

inurl:article.cfm

I will sugest that you also try not to touch .com sites and start with sites that are in other remote countries. Also try to test this on sites that use ssl so in case the site is monitored by an IDS or IPS it won't detect you.

The next thing that you have to do is identify all sites that are using something like this:

http://target/article.cfm?id=1

Next thing you know you can exploit a SQL injection or XSS just start playing after the parameter id. For example, the site that I was testing was really straight forward. Somthing like this:

http://target/article.cfm?id=1 UNION select 1,1,1,1,1,1,name from systables;--

And so on..

Have fun ;)

c4an.

Wednesday, May 26, 2010

FCKeditor not rocket science/fckeditor

Just the other day I was doing a test and I identified a website that used FCKeditor to modify the content of the web pages that they had. Basically this tool is an easy way to allow dum users to update whatever they want on their sites without the lazy and/or busy administrator to give support to the users. Pretty straight forward right? The problem that I found is that basically when this tool is installed and linked with the website some default configuration might be there that will allow internet users to upload files into the web application server. Now, I have to say that the by default extension like .jsp, .aspx or asp are not allowed however they flash files are alloowed and this might be where the fun bigins. The main idea that I have is that someone could basically upload a malicious file executing javascript on any user that opens this page. So the only thing that I did is a metasploit auxiliary module that detects if this tool is being used by a website and if it allowed to upload files into the server.

The module can be founded here: fckeditor-scan

Now if the only thing that you want is test this problem there are several steps that you have to follow.

Step 1

Look for the folder:

http://www.site.com/fckeditor/fckeditor.js

This file will have the configuration of the tool. At the end of the file you can see if the tool is configured to allow uploads of clients files.

Step 2

If the uploading of the files is enabled just open the following html file:

http://www.site.com/fckeditor/editor/filemanager/connectors/test.html

That file might give you all that you need to test if you can or not upload files into the web application server.

Some day I will elaborate a little bit more on this when I have time to test further more this problem but right now I am pretty sure that this caould help some of the people that are out there. Hope it does.


c4an.

Saturday, January 30, 2010

Wmap trace.axd module

This is a nice and easy way to get user credentials and other important information on .NET applications where the programmer has been really clumsy, careless or lazy. Basically, the whole problem starts when an specific web page is configured to trace requests being done by clients. All these requests will be saved to the file trace.axd. However the problem is not configuring web pages to log clients requests, the real problem is allowing access to the trace.axd file from the Internet. I know, it just sounds stupid to allow this kind of access remotely to this file however you would be surprised on how many programmers forget to remove this access and only allow read access locally. In case you want to just take a look of what kind of information you would find on a trace.axd file I suggest a google search, for example:

"Requests to this Application" inurl:trace.axd

OK. Now that this was explained I developed a small metasploit/wmap module that will look for trace.axd files available on an specific file and print sensitive information on the msfconsole. Obviously I took as a template other module and started from there.

The following is an example of how to use this module:

=[ metasploit v3.3.4-dev [core:3.3 api:1.0]
+ -- --=[ 320 exploits - 99 auxiliary
+ -- --=[ 217 payloads - 20 encoders - 6 nops
=[ svn r8140 updated 14 days ago (2010.01.16)
 

msf > use auxiliary/scanner/http/trace_axd
msf auxiliary(trace_axd) > show options

Module options:

Name Current Setting Required Description
---- --------------- -------- -----------
PATH / yes The test path to find trace.axd file
Proxies no Use a proxy chain
RHOSTS yes The target address range or CIDR identifier
RPORT 80 yes The target port
THREADS 1 yes The number of concurrent threads
VHOST no HTTP server virtual host

msf auxiliary(trace_axd) > set RHOSTS example.com
RHOSTS => example.com
msf auxiliary(trace_axd) > set PATH /path/
PATH => /path/
msf auxiliary(trace_axd) > run
.
.
.
http(s)://host_ip/path/Trace.axd?id=1
[*] User ID: user_id
[*] Password: pass
[*] Physical Path: \Inetpub\wwwroot\lalala
[*] Session ID: sgwz55xnci4145ahzbas
[*] Local Address: 10.168.10.180
[*] Headers: HEADERS
[*]


Again, I hope this helps someone. If you want to run this module along with the other wmap modules please look at the crawler post in this same blog or wmap documentation. Basically you just have to browse using a proxy and load the db_wmap module.

c4an.

Monday, January 25, 2010

VoIP basic discovery - VLAN hopping and TFTP

This is a quick posting showing how to do a VLAN hopping and what things can you usually do when testing and discovering a VoIP infrastructure. Obviously it is impossible to cover all the possibilities in this small post but this can help anyone to get started. Hope it helps...

1. Connect your laptop to an IP phone.

2. Start Wireshark

3. Listen to traffic and wait until you capture a CDP package.



4. Connect to the http interface of the phone and review the VLAN number




5. Using voiphopper run the following command using the information discovered on the CDP packet and the phone HTTP interface.

./sudo voiphopper -i eth0 -v VLAN# -E DEVICE_NAME -P PORT_ID -C HOST -L DEVICICE_ID -S SOFTWARE_VERSION

It is really important that you know that when you do VLAN hopping you usually can bypass network restrictions that you will usually have connected to a user network, this can be really helpful in any kind of pentest and not only when testing VOIP.

This is a good link that explains the basics of VLAN hopping:
http://www.securityfocus.com/infocus/1892

4. Run nmap to identify the services that are available on your network. It is important that you also identify servers to which the telephones are reporting such as TFTP server.

5. When you identify the TFTP server a good way to learn more about the IP telephony infrastructure you can do the following: Using tftpbrute or a simple TFTP client try different file to download from the TFTP server.

./tftpbrute.pl IP_ADDRESS brutefile.txt 100

List of files that might work:
fsck.fd0a.log
fsck.fd1a.log
jar45sccp.8-3-3-17.sbn
Ringlist.xml
DEVICE_NAME.cnf.xml
term45.default.loads

Test that the TFTP server is well configured and that you cannot upload any random file to it. Please keep in mind whenever you are uploading files to the TFTP server that all IP phones will take this files as configuration files so you can really screw the hole VoIP infrastructure if you are not careful.

c4an.

Exploit writing tutorial! (link to a great blog)

I just want to add for all the people that is starting with the whole exploitation thing this is an incredible set of tutorials that will blow your mind away.

Well here is the link in case someone is interested:

You will find links to the other tutorials at the end of each article.

Enjoy!

Sunday, January 24, 2010

Metasploit: msfproxy, crawler and wmap

This is my first version of a ruby simple crawler. The main idea of this tool is to use it while interacting with the wmap database and populate the request table. Because this is my first version the database interaction is not as clean as I would like but I still believe it can be used. Now, I know for a fact that ET (creator of wmap) is already working on a crawler of its own with a lot of modularity and cleaner options. However since I already had this code with me I thought that it was a good idea to post it. Who knows maybe it will help someone :)

Things that you have to know before you start using this crawler is that it uses hpricot as its primary library. If hpricot is not installed it will use a function that I developed. Hpricot can be installed on ruby by typing:

sudo gem install hpricot


The first thing that you have to do is download the code and save it into the mf3/tools/ .

crawler.rb

Now, there are two options to run the crawler and then being able to run wmap modules based on your discovery:

OPTION 1. Two consoles (you can any crawler with this option)

1. Open two separate consoles and go in both of them to the mf3/tools/ folder.

2. On the first console open a metasploit msfconsole and follow the steps bellow:


| | _) |
__ `__ \ _ \ __| _` | __| __ \ | _ \ | __|
| | | __/ | ( |\__ \ | | | ( | | |
_| _| _|\___|\__|\__,_|____/ .__/ _|\___/ _|\__|
_|


=[ metasploit v3.3.4-dev [core:3.3 api:1.0]
+ -- --=[ 320 exploits - 99 auxiliary
+ -- --=[ 217 payloads - 20 encoders - 6 nops
=[ svn r8140 updated 8 days ago (2010.01.16)

msf > cd tools
msf > db_driver sqlite3
[*] Using database driver sqlite3
msf > db_create wm_req.db
[*] Creating a new database instance...
[*] Successfully connected to the database
[*] File: wm_req.db
msf > load db_wmap
[*] =[ WMAP v0.6 - et [ ] metasploit.com
[*] Successfully loaded plugin: db_wmap
msf > db_connect wm_req.db
[*] Successfully connected to the database
[*] File: wm_req.db

msf > ruby msfproxy.rb -w wm_req.db

3. On the second console run the following command:

ruby crawler.rb -h

Usage: crawler.rb

OPTIONS:

-a Print website structure
-c Create database to interact with wmap
-h Display this help information
-i Listening proxy IP address
-j Number of iterations. If not selected the site will be crawled until all links are visited (This can take a while)
-l Log visited websites in a text file /msf3/tools/crawler.log
-m Add discovered links to wmap database as targets. Options: -c or -w required
-n Print new possible targets during crawling
-p Listening proxy port
-v Verbose
-w Store requests to database .

ruby crawler.rb -i 127.0.0.1 -p 8080 -v -j 1 -t http://www.target.com/

4. After the crawler ends return to the metasploit console, stop the msfproxy and type the following

msf > wmap_targets -r
msf > wmap_run -e


OPTION 2. One console


____________
<>
------------
\ ,__,
\ (oo)____
(__) )\
||--|| *


=[ metasploit v3.3.2-release [core:3.3 api:1.0]
+ -- --=[ 463 exploits - 218 auxiliary
+ -- --=[ 192 payloads - 22 encoders - 8 nops
=[ svn r7808 updated 40 days ago (2009.12.10)

Warning: This copy of the Metasploit Framework was last updated 40 days ago.
We recommend that you update the framework at least every other day.
For information on updating your copy of Metasploit, please see:
http://dev.metasploit.com/redmine/projects/framework/wiki/Updating

msf > cd tools
msf > db_driver sqlite3
[*] Using database driver sqlite3
msf > db_create wm_req.db
[*] Creating a new database instance...
[*] Successfully connected to the database
[*] File: wm_req.db
msf > load db_wmap
[*] =[ WMAP v0.6 - et [ ] metasploit.com
[*] Successfully loaded plugin: db_wmap
msf > db_connect wm_req.db
[*] Successfully connected to the database
[*] File: wm_req.db
msf > ruby crawler.rb -v -j 1 -w wm_req.db -t http://www.target.com/
.
.
.
msf > wmap_targets -r
msf > wmap_run -e


Hope this helps someone.

Thanks

c4an.