Blog
Privilege escalation and remote inter-protocol exploitation with EXTRACT 0.5.1
Howdy folks. Today I'll be introducing you to the EXTRAnet Collaboration Tool (EXTRACT) 0.5.1 (Homepage and Source).
We'll explore leveraging EXTRACT to escalate privileges with a 0day bug. I'll also show you how you can enjoy some remote shell goodness thanks to inter-protocol exploitation (with some luck and a little user interaction).
Abusing browser news URL handlers
Time for some more fun with browser URL handlers! This time we'll take a look into abusing the handlers for news/snews/nntp.
Bitcoin - fun, profit and anonymity on the wire - part 1
Bitcoin - fun, profit and anonymity on the wire. A brief analysis of the BitCoin network.
Abusing the "data" Protocol to Patsy Third Parties
It is possible to send traffic to a third-party website without leaking the referer. With this knowledge it is possible to "patsy" a third party by forcing their browser to submit "evil" requests to a target server.
SavSys - A Flashback to Microsoft Word Macro Worms
I recently noticed brief mentions of "SAVSys" in the rogue security tool Security Antivirus in use by the Koobface worm.
Back in 2002 I put together a macro worm targeting Microsoft Word 97 under the name "SavSys". It was more an experiment than anything - using very little stealth and mostly well known techniques circa 1995-2001. I never released the code.
Macro worms appeared in 1995 and were still fairly new to anti-virus in 2002. Some macros spread enough to gain media attention, such as Melissa and ILOVEYOU aka LoveBug.
Introduction to Web Application Fingerprinting
The process of discovering which web applications run on a target domain, and which versions, is known as web application fingerprinting. Effective fingerprinting lets a penetration tester deliver exploits selectively, since knowing the exact version is often enough to infer which published vulnerabilities apply.
Using HTTP Referrers for Targeted XSS Attacks
Cross site scripting is a tricky but powerful attack vector. Drive-by CSRF/XSS and spamming links via email, forums and so on get fast results, but these methods are far from stealthy and may compromise third parties. Using the HTTP Referer header provides a stealthier way of targeting cross site scripting attacks: it lets us aim our XSS payload directly at a web application on the target's network while the user is logged in to it.
Fingerprinting Browsers Using Protocol Handlers
If a user is masking their user-agent in Internet Explorer or Mozilla Firefox, it is still possible to identify their browser and operating system using protocol handlers that are unique to each browser.
Obfuscating Hacker Defender INI Files
Hacker Defender is one of the most widely deployed rootkits in the wild. There's plenty of talk about obfuscating binaries to avoid anti-virus detection but you won't find that here. Just shift a few bytes or use a packer - you know the drill. Instead I'm going to focus on obfuscating the Hacker Defender INI configuration file to avoid detection by anti-virus programs.
This is a brief article about digging up information on people who play online video games. To begin with you may only have the gamer's username/handle. This is often enough to track down an avid gamer.
Reverse shell with IExpress.exe Win32 Cabinet Self-Extractor
I recently discovered Adrian's article on binding binaries with Splice & IExpress. While binding is hardly a new way to trick unsuspecting users into running trojans, I found IExpress interesting in that it's a Windows binary and the resulting .exe may be enough to trick users and anti-virus with its Microsoft meta-data. It also accepts command line arguments to files which will be extracted at run time.
Helpful commands (Win32/64)
Exploiting environment variables
The $IFS (internal field separator) shell variable holds the characters the shell uses to split a line into words. Suppose a program calls system("/bin/ls"). In older Bourne shells, which applied $IFS to the whole command line, an attacker could set $IFS to "/" so that the shell read "/bin/ls" as the command "bin" with the argument "ls", and ran whatever program named "bin" it found first in the user's $PATH. Modern POSIX shells only apply $IFS when splitting the results of expansions, so the literal text of a system() call is no longer affected, but an unquoted variable expansion such as $cmd is still split on an attacker-controlled $IFS, and several shells do not even reset an $IFS inherited from the environment.
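The residual form of the $IFS problem described above, as an added example that is not part of the original article: a small shell script that stores the command path in a variable and expands it unquoted is split on an attacker-chosen $IFS, while the quoted form is not. The two scripts and the argument value are constructed for this demonstration; the Python wrapper simply runs them in the system's /bin/sh and returns the words the shell produced.

```python
import subprocess

# Constructed vulnerable script: the path arrives in $1, is copied into a variable
# and expanded UNQUOTED, so the shell field-splits it on whatever IFS holds.
# If it went on to run "$@", the command executed would be "bin" (found via $PATH)
# with the argument "ls", exactly the classic IFS attack.
VULNERABLE = r'''
IFS='/'            # attacker-chosen separator
cmd="$1"
set -- $cmd        # unquoted expansion: subject to field splitting on IFS
printf '%s\n' "$@"
'''

# Constructed hardened script: the expansion is double-quoted, so IFS is irrelevant.
HARDENED = r'''
IFS='/'
cmd="$1"
set -- "$cmd"      # quoted: never field-split, regardless of IFS
printf '%s\n' "$@"
'''


def shell_words(script: str, path: str) -> list:
    """Run SCRIPT in /bin/sh with PATH as $1 and return the words the shell saw."""
    proc = subprocess.run(
        ["/bin/sh", "-c", script, "sh", path],
        capture_output=True, text=True, check=True,
    )
    # A leading "/" yields an empty first field in POSIX shells; keep it visible
    # by not stripping, the caller can see exactly what the shell produced.
    return proc.stdout.split("\n")[:-1]


if __name__ == "__main__":
    print("vulnerable:", shell_words(VULNERABLE, "/bin/ls"))
    print("hardened:  ", shell_words(HARDENED, "/bin/ls"))
```

The fix in real code is the same as in the hardened script: quote every expansion, and in setuid or otherwise privileged programs set IFS (and PATH) explicitly before invoking a shell rather than trusting whatever the caller's environment contains.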
Port forwarding on Cisco 800 Series
This article will cover port forwarding using Network Address Translation (NAT) on Cisco 800 Series routers.
Exploiting VLANs with Yersinia
VLANs are not secure, though they are often mistaken for a security boundary. By default, trunk ports have access to all VLANs, and that presents a security issue: a network can easily be taken over if an attacker can turn their port into a trunk (by default, all switch ports are non-trunking).
Cracking Cisco service password encryption (type-7)
Cisco devices keep their configuration files, passwords included, in NVRAM (non-volatile random access memory). Quite often one stumbles on copies of these configuration files lying around on public servers, and if you are lucky the passwords in them are protected only by "service password-encryption" (type 7), which is a reversible obfuscation rather than real encryption.
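The reversal itself, as an added example that is not code from the original article: type 7 XORs each password byte with a byte of a fixed, publicly known key, and the first two decimal digits of the stored string give the starting offset into that key. The decoder below is paired with an encoder (to confirm it round-trips) and a scanner that walks a configuration file, recovers every type-7 value and flags hashed `secret` lines (types 5, 8 and 9) that cannot be reversed. The configuration text is constructed for this example and is not from a real device.

```python
import re

# The fixed key used by IOS "service password-encryption" (type 7).
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def decode_type7(encoded: str) -> str:
    """Reverse a type-7 string such as '060506324F41' back to the plaintext."""
    if len(encoded) < 4 or len(encoded) % 2 or not encoded.isalnum():
        raise ValueError(f"not a type-7 string: {encoded!r}")
    seed = int(encoded[:2])               # decimal offset into TYPE7_KEY
    body = bytes.fromhex(encoded[2:])     # one XORed byte per plaintext character
    plain = bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]
                  for i, b in enumerate(body))
    return plain.decode("ascii")


def encode_type7(plain: str, seed: int = 6) -> str:
    """Produce a type-7 string from PLAIN; handy for building test data."""
    if not 0 <= seed < 100:
        raise ValueError("the seed is stored as two decimal digits")
    out = bytes(ord(c) ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]
                for i, c in enumerate(plain))
    return f"{seed:02d}" + out.hex().upper()


# "<statement> 7 <hex>" is how IOS writes a type-7 value (enable password,
# username ... password, line passwords, key-string, and so on).
TYPE7_LINE = re.compile(r"^\s*(?P<stmt>.*?\S)\s+7\s+(?P<blob>[0-9A-Fa-f]{4,})\s*$")
# "<statement> 5|8|9 <hash>" is a real one-way hash and is left alone.
HASHED_LINE = re.compile(r"^\s*(?P<stmt>.*?\S)\s+(?P<type>[589])\s+\S+\s*$")


def scan_config(config: str):
    """Return (line number, statement, recovered password or note) per credential line."""
    findings = []
    for lineno, line in enumerate(config.splitlines(), 1):
        m = TYPE7_LINE.match(line)
        if m:
            findings.append((lineno, m["stmt"], decode_type7(m["blob"])))
            continue
        m = HASHED_LINE.match(line)
        if m:
            findings.append((lineno, m["stmt"], f"type {m['type']} hash, not reversible"))
    return findings


# Constructed sample configuration (not a real device).
SAMPLE_CONFIG = """\
! constructed sample, not a real device configuration
hostname edge-rtr
enable secret 5 $1$xxxx$yyyyyyyyyyyyyyyyyyyyyy
enable password 7 060506324F41
username admin privilege 15 password 7 0822455D0A16
line vty 0 4
 password 7 120A561400581845
"""

if __name__ == "__main__":
    for lineno, stmt, result in scan_config(SAMPLE_CONFIG):
        print(f"line {lineno}: {stmt} -> {result}")
```

Because the key is constant and the seed is stored in the clear, recovering a type-7 password is instantaneous; the only defensible setting is `enable secret` (and `username ... secret`), which stores a salted hash instead.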
Creating backdoors in Cisco IOS using TCL script
This article covers backdooring later versions of Cisco IOS to allow an attacker to maintain access to the device without knowledge of the passwords set by the administrator.
The importance of file and directory permissions
File and directory permissions are fundamental to security. Consider the ramifications if an attacker had write access to the system log files: they could modify or delete log entries to prevent the breach from being traced or noticed.
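A check for the condition described above, as an added example that is not code from the original article: walk a directory tree and report every file or directory that any user on the system may write to. A world-writable directory is reported only when it lacks the sticky bit, since a sticky directory such as /tmp still stops users from renaming or unlinking each other's files. The sample tree is constructed in a temporary directory so the example runs offline.

```python
import os
import shutil
import stat
import tempfile


def world_writable(root: str):
    """Return sorted paths (relative to ROOT) that are writable by 'other'."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                continue                      # symlink mode bits are not meaningful
            if not st.st_mode & stat.S_IWOTH:
                continue                      # not writable by everyone
            if stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_ISVTX:
                continue                      # sticky: files inside stay protected
            found.append(os.path.relpath(full, root))
    return sorted(found)


def build_sample_tree() -> str:
    """Create a constructed /var/log-like tree with one bad file and one bad directory."""
    root = tempfile.mkdtemp(prefix="permaudit-")
    os.makedirs(os.path.join(root, "log"))
    os.makedirs(os.path.join(root, "tmp"))
    for rel, mode in [("log/auth.log", 0o640),   # owner rw, group r: fine
                      ("log/app.log", 0o666),    # anyone can rewrite history
                      ("log/debug.log", 0o644)]: # world-readable only
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("constructed log line\n")
        os.chmod(path, mode)
    os.chmod(os.path.join(root, "log"), 0o777)   # anyone may unlink or rename logs
    os.chmod(os.path.join(root, "tmp"), 0o1777)  # world-writable but sticky: not reported
    return root


def remove_sample_tree(root: str) -> None:
    shutil.rmtree(root)


if __name__ == "__main__":
    root = build_sample_tree()
    try:
        for rel in world_writable(root):
            print("world-writable:", rel)
    finally:
        remove_sample_tree(root)
```

The directory finding matters as much as the file one: write access to the containing directory lets an attacker replace a log file outright even when the file itself is read-only. On Linux, marking log files append-only (`chattr +a`) closes the remaining gap, since even the owner can then add but not rewrite entries.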
In this article, I will cover how to remotely control a target Windows machine by installing and running a VNC program without the target's knowledge. This is best done when the machine is idle, as interacting directly with the GUI can be seen on the target's monitor, e.g. the mouse cursor movements are visible.
A hard link is an additional name for an existing file: another directory entry pointing at the same inode. Hard links cannot cross filesystem boundaries, so a file on one partition cannot be hard-linked from another, and most systems do not allow hard links to directories; within a single filesystem, however, a hard link can live in any directory.
EtherChannel is a link aggregation technology that combines several physical interfaces into one logical interface with their combined bandwidth. It is a good way to increase not only bandwidth but also the redundancy of a network link.
Network Information Service (NIS) on Debian GNU/Linux
Network Information Service (NIS) on Debian GNU/Linux. This short tutorial is focused on how to set up NIS clients and servers on Debian Linux.
Solaris 10 & BART (Basic Audit and Reporting Tool)
Solaris 10 comes prepackaged with BART – a great tool that allows you to compare the contents of an entire filesystem at any two points in time.
ARP spoofing/poisoning on switched networks using the dsniff package
ARP spoofing, often also called ARP poisoning, is a technique for attacking a switched Ethernet network that lets an attacker sniff data frames, modify the traffic, or halt it altogether. It is often used when the attacker wants to read the clear text protocols in use by the target, e.g. POP authentication details.
Useful proc security modifications
