12 Aug 2013

Penetration With BackTrack - Engaged!

Offensive Security - PWB course

Start date: 11-08-13


Dear Readers,

It has been a while since I posted something.
I have now officially started this course, which I have had in mind for over 2 years. This was my dream, and the dream has come true. I am looking forward to giving it my all and completing this in 60 days.


I will soon post a little update again.
Keep in touch.

/T1m3

28 Apr 2013

Exploitation - Testing environment

Well, I messed around a little with some shellcoding at the moment,
and tested things in my virtual environment. I got a shell, but the effective user ID is set to r3verse; that is on purpose, since I wanted to see the function in action.

Anyways -
Success on getting a shell by using Netcat to establish a TCP bind socket connection on port 31337.

Using a program from AoE, I managed to get a shell established.

As the image below shows.




Newly exploited Tinyweb server, and I got r00t access! =)

It took a bit of time to figure out, but while I was calculating how large my NOP sled should be and aligning the 78-byte shellcode, since the buffer was 500 bytes I knew that I had a chance to get control over the program execution - and thereby exploited the web server! ... It's a good day!

9 Mar 2013

AoE - Started & recent coding projects

Dear readers,

I have begun reading The Art of Exploitation, and I love reading every bit of it while doing something practical, as in following along in the book and completing the exploits myself on the distro I got with the book I bought.

I already love this book :) - and by that I mean every page!
I wonder why I didn't start reading this earlier on... but anyway, I will complete this book and will post some useful information regarding exploit development.

A little example of my first program, in which I examined memory on the x86 architecture in my Linux distro.
A simple program that looks up characters in the ASCII chart and prints "Hello" to the screen.


Now back to reading! - although I have my 2nd semester examination, I hope to still be able to follow through the process.


Lately I completed coding a recycling system, and now I have finished my job of making a simple bouncing ball game!






And the bouncing ball game as follows:



That's enough information for now.
I hope to make a new post soon enough with my new knowledge in exploit development! =)

5 Mar 2013

Next book upcoming! - The Art of Exploitation 2nd edition

Dear Readers,


If you have been following my postings so far, I have been posting within my expertise from the book I read - Gray Hat Hacking 3rd ed. I might do a review on it soon...




4 Mar 2013

AccessChk - Windows privilege escalation


Cesar Cerrudo, an Argentinean pen-tester who focuses on Windows Access Control, coined the phrase “token kidnapping” to describe an escalation technique involving process and thread ACLs. The steps in the “token kidnapping” process are outlined here:

1. Start with SeImpersonatePrivilege and NetworkService privileges. The most likely paths to get those privileges are as follows:
   - Attacker has permission to place custom ASP pages within an IIS directory running in classic ASP or “full trust” ASP.NET
   - Attacker compromises a SQL Server administrative account
   - Attacker compromises any Windows service
2. The RPCSS service runs under the NetworkService account, so an attacker running as NetworkService can access internals of the RPCSS process.
3. Use the OpenThreadToken function to get the security token from one of the RPCSS threads.
4. Iterate through all security tokens in the RPCSS process to find one running as SYSTEM.
5. Create a new process using the SYSTEM token found in the RPCSS process.

Microsoft addressed this specific escalation path with MS09-012. However, other similar escalation paths may exist in third-party services.

Cesar’s excellent “Practical 10 Minutes Security Audit: Oracle Case” guide has other examples of process ACL abuse, one being a NULL DACL on an Oracle process allowing code injection. You can find a link to it in the following “References” section.


2 Mar 2013

Hunting Malicious Code


AxMan


AxMan is a tool that enumerates all the methods an ActiveX control supports. When you’re hunting for a vulnerability and see methods such as CreateObject(), Launch() or Run(), take a close look to make sure they can’t be repurposed to run malicious code.

A little background story:

Instantiating WScript.Shell directly from the Internet zone will fail, as it is only to be used in a trusted environment such as the Local Machine zone. However, Russian hackers discovered that instantiating the safe-for-scripting WMIScriptUtils.WMIObjectBroker2 ActiveX control, and then calling the method CreateObject() defined on the ActiveX control, allowed them to create any arbitrary object, bypassing the security checks! They promptly used this client-side vulnerability to install malware by hosting the exploit code on hundreds of adult websites. At the time it was being abused, no other IE zero-day vulnerability was widely known in the community, so anybody who wanted to install malware was using this vulnerability.

For example, examine this code first:


<script>
      var o = new ActiveXObject("WMIScriptUtils.WMIObjectBroker2");
      var x = o.CreateObject("WScript.Shell");
      x.run("cmd.exe /k");
</script>

You will notice that WScript.Shell is not a safe object to instantiate from a web page, yet the broker's CreateObject() hands it out anyway.
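As an added example (not code from the original post, nor from AxMan or Metasploit), here is a small Python scanner that hunts for the chain above in captured page or script content: a safe-for-scripting broker being instantiated, its CreateObject() minting a shell-capable object, and a Run()/Exec() call on the result. The broker list, the dangerous ProgID list and the sample page are constructed for the example; a hunter would extend the lists.

```python
import re

# ProgIDs that let script run commands or touch the file system; seeing one
# instantiated from a web page is a finding on its own (constructed list).
DANGEROUS_PROGIDS = {"wscript.shell", "shell.application", "scripting.filesystemobject"}

# Controls marked safe-for-scripting that nonetheless expose a generic CreateObject().
# WMIObjectBroker2 is the one from the post; the list is an assumption to be extended.
BROKER_PROGIDS = {"wmiscriptutils.wmiobjectbroker2"}

ACTIVEX_RE = re.compile(
    r'(?:var\s+)?(\w+)\s*=\s*new\s+ActiveXObject\(\s*["\']([^"\']+)["\']\s*\)', re.I)
CREATE_RE = re.compile(
    r'(?:var\s+)?(\w+)\s*=\s*(\w+)\.CreateObject\(\s*["\']([^"\']+)["\']\s*\)', re.I)
EXEC_RE = re.compile(r'(\w+)\.(run|exec|shellexecute)\s*\(', re.I)


def scan_script(text):
    """Return (line, category, detail) findings for the broker -> CreateObject -> run chain."""
    findings = []
    brokers = {}  # script variable -> broker ProgID it holds
    shells = {}   # script variable -> dangerous ProgID it holds
    for lineno, line in enumerate(text.splitlines(), 1):
        m = ACTIVEX_RE.search(line)
        if m:
            var, progid = m.group(1), m.group(2).lower()
            if progid in BROKER_PROGIDS:
                brokers[var] = progid
            if progid in DANGEROUS_PROGIDS:
                shells[var] = progid
                findings.append((lineno, "direct-instantiation", progid))
        m = CREATE_RE.search(line)
        if m:
            var, src, progid = m.group(1), m.group(2), m.group(3).lower()
            if src in brokers:
                # The bypass from the post: a safe-for-scripting broker minting an arbitrary object.
                findings.append((lineno, "broker-createobject", brokers[src] + " -> " + progid))
                if progid in DANGEROUS_PROGIDS:
                    shells[var] = progid
        m = EXEC_RE.search(line)
        if m and m.group(1) in shells:
            findings.append((lineno, "shell-execution", shells[m.group(1)]))
    return findings


# Constructed sample page: the chain from the post followed by a benign XMLHTTP use.
SAMPLE_PAGE = """<html><body>
<script>
  var o = new ActiveXObject("WMIScriptUtils.WMIObjectBroker2");
  var x = o.CreateObject("WScript.Shell");
  x.run("cmd.exe /k");
</script>
<script>
  var req = new ActiveXObject("Microsoft.XMLHTTP");
</script>
</body></html>"""

if __name__ == "__main__":
    for lineno, category, detail in scan_script(SAMPLE_PAGE):
        print("line %d: %s (%s)" % (lineno, category, detail))
```

The scanner is line-oriented and only follows assignments to simple variable names, which is enough for the straightforward pattern from the post; obfuscated script (string concatenation of the ProgID, eval) would need deobfuscation first, which is the usual reason such hunting is paired with dynamic analysis.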


Microsoft Security Bulletin MS06-073 (WMIScriptUtils)
www.microsoft.com/technet/security/bulletin/ms06-073.mspx
Metasploit exploit www.metasploit.com/modules/

1 Mar 2013

Fuzzing tools and advice



Spike

SPIKE is designed to assist in the creation of network-oriented fuzzers and supports sending data via TCP or UDP. Additionally, SPIKE provides several example fuzzers for protocols ranging from HTTP to Microsoft Remote Procedure Call (MSRPC). SPIKE libraries can be used to form the foundation of custom fuzzers, or SPIKE’s scripting capabilities can be used to rapidly develop fuzzers without requiring detailed knowledge of C programming.

Spikes can contain static data, dynamic fuzzing variables, dynamic length values, and grouping structures called blocks.
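To make the block and length-value idea concrete, here is an added example (not SPIKE's own code) of a minimal SPIKE-style template renderer in Python: static bytes, fuzz variables, named blocks, and a big-endian 32-bit size field that is recomputed for every mutation so the length stays consistent with the fuzzed block. The toy login request format and the FUZZ_STRINGS list are assumptions constructed for the example.

```python
import struct

# Constructed substitution list; a real fuzzer carries hundreds of these.
FUZZ_STRINGS = [b"A" * 64, b"%n%n%n%n%n", b"\x00" * 8, b"-1"]


def render(template, overrides, block_sizes=None):
    """Render `template` to bytes.

    template    : list of (kind, arg) tuples; kinds are static, fuzz, block_start,
                  block_end and size_be32 (4-byte big-endian length of a named block)
    overrides   : {fuzz-variable index: replacement bytes}; others keep their default
    block_sizes : block lengths measured by a previous pass; size fields are zero until known
    Returns (rendered bytes, measured block lengths).
    """
    out = bytearray()
    starts, sizes = {}, {}
    var_index = 0
    for kind, arg in template:
        if kind == "static":
            out += arg
        elif kind == "fuzz":
            out += overrides.get(var_index, arg)
            var_index += 1
        elif kind == "block_start":
            starts[arg] = len(out)
        elif kind == "block_end":
            sizes[arg] = len(out) - starts[arg]
        elif kind == "size_be32":
            # Fixed width, so a zero placeholder in pass one still yields correct lengths.
            out += struct.pack(">I", (block_sizes or {}).get(arg, 0))
        else:
            raise ValueError("unknown template element: %r" % (kind,))
    return bytes(out), sizes


def build(template, overrides=None):
    """Two-pass render: measure the blocks, then emit with the length fields filled in."""
    overrides = overrides or {}
    _, sizes = render(template, overrides)
    packet, _ = render(template, overrides, sizes)
    return packet


def fuzz_cases(template):
    """One-variable-at-a-time mutation, the way SPIKE walks its fuzz variables."""
    nvars = sum(1 for kind, _ in template if kind == "fuzz")
    for i in range(nvars):
        for fz in FUZZ_STRINGS:
            yield i, fz, build(template, {i: fz})


# Constructed toy protocol: 3-byte magic, 32-bit body length, body = user NUL password.
LOGIN_TEMPLATE = [
    ("static", b"REQ"),
    ("size_be32", "body"),
    ("block_start", "body"),
    ("fuzz", b"admin"),
    ("static", b"\x00"),
    ("fuzz", b"secret"),
    ("block_end", "body"),
]

if __name__ == "__main__":
    print(build(LOGIN_TEMPLATE))
    for i, fz, pkt in fuzz_cases(LOGIN_TEMPLATE):
        print("var %d, %d-byte input -> %d-byte packet" % (i, len(fz), len(pkt)))
```

Keeping the length field honest is the point of the block construct: a parser that validates the length before reading the body will reject a packet whose header still says 12 bytes while the body grew to 71, so the fuzzed data would never reach the code you want to exercise.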

Spike Proxy

SPIKE Proxy handles all the fuzzing and is capable of performing attacks such as SQL injection and cross-site scripting. SPIKE Proxy is written in Python and can be tailored to suit your needs. Basically, it makes sure that you are able to bypass the application's WAF in an attempt to, for example, brute-force every single combination of username and password against the web application server.
  

Mangleme





References:


http://resources.infosecinstitute.com/intro-to-fuzzing/ 

http://freecode.com/projects/mangleme 

26 Feb 2013

Source Code Auditing Tools


Many source code auditing tools are freely available on the Internet. Some of the more common ones include ITS4, RATS (Rough Auditing Tool for Security), Flawfinder, and Splint (Secure Programming Lint). 

An example RATS command line, examined here:

# ./rats -i -w 1 -d rats-c.xml find.c

Many programming languages allow the programmer to ignore the values returned by functions. This is a dangerous practice because function return values are often used to indicate error conditions. Assuming that all functions complete successfully is another common programming problem that leads to crashes.

For example:

If you are writing a Java method that takes two parameters, such as:

public static String getWord(String num, int mon) {

    // ... pre- and post-conditions
    // ... statements

    return num;
}
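As an added example of the kind of check RATS performs on C code (not RATS's code, nor the post's own), the Python script below scans C source for statements that call a function whose return value signals failure or truncation and then discard it. The watch list and the sample C fragment are constructed for the example.

```python
import re

# Constructed watch list modelled on the kind of database RATS and Flawfinder carry:
# function -> why ignoring its return value is dangerous.
MUST_CHECK = {
    "fgets": "returns NULL on EOF/error, after which the buffer contents are unreliable",
    "fread": "returns the number of items actually read, which may be short",
    "read": "returns -1 on error or a short byte count",
    "write": "may write fewer bytes than requested",
    "snprintf": "returns the full length; a value >= the buffer size means truncation",
    "setuid": "returns -1 when the privilege drop fails, leaving the process privileged",
    "setgid": "same failure mode as setuid",
    "chdir": "returns -1 on failure",
    "chroot": "returns -1 on failure",
}

# A statement that begins with an identifier followed by '(' is a bare call: nothing
# receives the result.  Assignments, conditions and (void) casts do not match.
BARE_CALL = re.compile(r"^\s*(\w+)\s*\(")


def find_ignored_returns(source):
    """Return [(line number, function)] for bare calls to watched functions."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        m = BARE_CALL.match(line)
        if m and m.group(1) in MUST_CHECK:
            findings.append((lineno, m.group(1)))
    return findings


def explain(findings):
    """Human-readable report lines, one per finding."""
    return ["line %d: %s() %s" % (n, f, MUST_CHECK[f]) for n, f in findings]


# Constructed C fragment: three unchecked calls, one checked call, one explicit discard.
SAMPLE_C = """#include <stdio.h>
#include <unistd.h>
int main(void) {
    char buf[64];
    FILE *f = fopen("config.txt", "r");
    fgets(buf, sizeof buf, f);                 /* unchecked */
    if (fgets(buf, sizeof buf, f) == NULL)     /* checked */
        return 1;
    snprintf(buf, sizeof buf, "%s", "value");  /* unchecked: truncation invisible */
    setuid(1000);                              /* unchecked: may still be root */
    (void)fclose(f);                           /* explicit discard, not flagged */
    return 0;
}
"""

if __name__ == "__main__":
    print("\n".join(explain(find_ignored_returns(SAMPLE_C))))
```

The setuid() case is the one worth remembering: if the privilege drop fails and nobody checks, the program carries on as root while believing it is unprivileged, which is exactly the class of silent failure the paragraph above warns about.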

BugScam - IDC utility (IDC is the scripting language for IDA)

http://www.openrce.org/downloads/details/69/Bugscam




References

Hex Blog: www.hexblog.com
Hex-Rays forum: www.hex-rays.com/forum
“IDA Plug-in Writing in C/C++ Tutorial” (Steve Micallef): http://binarypool.com/idapluginwriting/
IDAPython plug-in: code.google.com/p/idapython/
IdaRub plug-in: www.metasploit.com/users/spoonm/idarub/
ida-x86emu plug-in: sourceforge.net/projects/ida-x86emu/
OpenRCE forums: www.openrce.org/forums/

22 Feb 2013

PDF forensics tool

21 Jan 2013

Grey Hat Hacking & Standford

 

Stanford University - Cryptography Course, completed.
I could not be more satisfied with that being completed. It has taken a lot of my time, and I was almost about to lose it, but I got through it with a great result. I am awaiting my certification by Dan Boneh.

This book has inspired me, and I am hooked! - now I'm getting back on track where my motivation comes in, and just swallowing page by page.

I got inspired by some InfoSec guy, and I have been following him for some time. I decided to move on from Secrets and Lies to this one, since I did not find that book to be entirely to my interest... But I have to mention, sooner or later I will complete it :-) .. Just not ATM!

I find it most essential to study this e-book. The thing is, I'm starting at The Business Academy on the 24th of January 2013 - 2nd semester in Computer Science - and will probably not have that much time off to read, since there will most likely be a lot of challenges within the scope of 2013.

Mentally, I'm ready for the challenges and the unexpected, so I'll give it my 110%!

The website www.maxjensen.dk has recently been updated with a brand new design, because I felt there needed to be a bit more structure to my postings and the information posted there. Never mind that; one.com - my hosting company - allowed me to modify it on a Mac, which I am glad for! - on the other website I had, I had to go onto my Windows computer and modify everything..

I will be posting my opinion about the book when I have finished reading. Meanwhile I will sit back with a nice cup of coffee and enjoy reading this!

The place that inspired me to read this book is listed below!


Resource link: http://www.t3rm1t.blogspot.dk/

-----------------------

  • Authentication and authorization: The best applications ensure that authentication and authorization steps are complete and cannot be circumvented.

  • Mistrust of user input: Users should be treated as “hostile agents” as data is verified on the server side and strings are stripped of tags to prevent buffer overflows.

  • End-to-end session encryption: Entire sessions should be encrypted, not just portions of activity that contain sensitive information. In addition, secure applications should have short timeout periods that require users to re-authenticate after periods of inactivity.

  • Safe data handling: Secure applications will also ensure data is safe while the system is in an inactive state. For example, passwords should remain encrypted while being stored in databases, and secure data segregation should be implemented. Improper implementation of cryptography components has commonly opened many doors for unauthorized access to sensitive data.

  • Eliminating misconfigurations, backdoors, and default settings: A common but insecure practice for many software vendors is to ship software with backdoors, utilities, and administrative features that help the receiving administrator learn and implement the product. The problem is that these enhancements usually contain serious security flaws. These items should always be disabled and require that the customer enable them, and all backdoors should be properly extracted from source code.

  • Security quality assurance: Security should be a core discipline when designing the product, during specification and development phases, and during testing phases. Vendors who create security quality assurance (SQA) teams to manage all security-related issues are practicing due diligence.