BruteForcing login with Hydra

Without any doubt, Hydra is one of the best tools to brute-force passwords. It supports many protocols, and it can also be used against ordinary web sites by forcing a standard POST-based login. The syntax is a little different from that of a normal scan against a service such as SSH, and looks like this command line:

./hydra -l username -P x:\temp\rockyou.txt hostname -s port http-post-form "/loginpage-address:user=^USER^&password=^PASS^:Invalid password!"

Dissecting the parameters, you have:

-l: the username you want to try; you can also specify a file containing all the usernames you want to try (with -L)
-P: a file with all the passwords you want to try; rockyou.txt is a notable standard
-s: service, it should be the port the site is listening on

After these three parameters comes the part that selects the site and the payload you want to send to it. You start with http-post-form to specify that you want a POST request with a form-urlencoded body, followed by a special string composed of three parts separated by colons.

The first part is the page that will be called; the second part is the payload, with the ^USER^ and ^PASS^ placeholders that Hydra substitutes at each attempt; finally, the last part is the text that Hydra should look for to understand that access was denied. Once launched, it will try to brute-force the password with tremendous speed.

Figure 1: Hydra in action

As you can see, it works perfectly on Windows too.
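Seen from the server side, a run like this is a burst of POST requests to the login page from a single client. The following is an added example, not part of the original post, that flags that pattern with a sliding time window; the Common Log Format input, the /login path, the thresholds and the log lines are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Common Log Format prefix: client, timestamp, request line, status code.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def find_bruteforce(lines, login_path="/login", max_attempts=5,
                    window=timedelta(seconds=10)):
    """Return {client_ip: peak POST count seen inside one window} for every
    client that sent more than max_attempts login POSTs within the window.

    Attempts are counted regardless of status code: a form login like the
    one above answers a failed attempt with an ordinary page containing
    "Invalid password!", so the status alone does not reveal failures.
    Lines are assumed to be in chronological order.
    """
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    offenders = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if m["path"].split("?", 1)[0] != login_path:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) > max_attempts:
            offenders[m["ip"]] = max(offenders.get(m["ip"], 0), len(q))
    return offenders


def sample_log():
    """Constructed log: one client hammering /login, one ordinary user."""
    lines = []
    for i in range(20):           # 20 POSTs in 4 seconds from one address
        lines.append(
            f'203.0.113.7 - - [01/Dec/2019:10:00:{i // 5:02d} +0000] '
            '"POST /login HTTP/1.1" 200 512')
    lines += [
        '198.51.100.4 - - [01/Dec/2019:10:00:05 +0000] "GET /login HTTP/1.1" 200 900',
        '198.51.100.4 - - [01/Dec/2019:10:00:09 +0000] "POST /login HTTP/1.1" 200 512',
        '198.51.100.4 - - [01/Dec/2019:10:00:40 +0000] "POST /login HTTP/1.1" 302 0',
    ]
    return lines


if __name__ == "__main__":
    for ip, peak in find_bruteforce(sample_log()).items():
        print(f"{ip}: {peak} login attempts within 10 seconds")
```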

Gian Maria.

Security in 2019: unprotected ElasticSearch instances still exist

Today I received a notification from https://haveibeenpwned.com/ because one of my emails was present in a data breach.

Ok, it happens, but two things disturbed me. The first is that I had never heard of those guys (People Data Labs); this is because they are one of the companies that harvest public data from online sources, aggregate it and resell it as “Data enrichment”. This means that they probably have only public data on me. If you are interested, you can read the article by Troy Hunt https://www.troyhunt.com/data-enrichment-people-data-labs-and-another-622m-email-addresses/ for details about this breach.

But the second, and more disturbing, issue is that, in 2019, people still leave ElasticSearch open and unprotected in the wild. This demonstrates really low attention to security, especially in situations where you have Elasticsearch on a server that has public exposure. It is really sad to see that security is still a second-class citizen in software development; if it were not, such trivial errors would not be made.

Leaving ElasticSearch unprotected and bound to a public IP address is a sign of zero attention to security.

If you have ElasticSearch on a server with public access (such as machines in the cloud) you should:

  1) Pay for the authentication module so you can secure your instance or, at least, use some open source module for basic auth. No Elasticsearch installed on a machine with public access can be left without auth.
  2) Bind the ElasticSearch instance to a private IP address only (the same one used by all the legitimate machines that should contact ES), and be 100% sure that it does not listen on a public address.
  3) Add a firewall rule to explicitly close port 9200 for public networks (in case someone messed with rule 2).
  4) Open port 9200 only for the internal IPs that are legitimately allowed to access ElasticSearch.

Finally, you should check with some automatic tool whether, for any reason, your ES instance starts responding on port 9200 on a public IP address, to verify whether someone messed with the aforementioned rules.
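One way to automate that last check, as an added example that is not from the original post: run it on a schedule from a machine outside your network against your own public addresses. It assumes plain HTTP on port 9200; the sample replies are constructed so that the classification can be tried offline.

```python
import json
import sys
import urllib.error
import urllib.request


def classify_response(status, body):
    """Classify an anonymous HTTP answer received from port 9200.

    'open'          -> Elasticsearch answered without asking for credentials
    'auth-required' -> something answered but demanded authentication
    'other'         -> another service, or a reply that is not recognised
    """
    if status in (401, 403):
        return "auth-required"
    if status != 200:
        return "other"
    try:
        info = json.loads(body)
    except ValueError:
        return "other"
    # An unauthenticated Elasticsearch root endpoint returns cluster metadata.
    if isinstance(info, dict) and "cluster_name" in info and "version" in info:
        return "open"
    return "other"


def check_es_exposure(host, port=9200, timeout=3.0):
    """Probe http://host:port/ without credentials; 'closed' means no answer."""
    # Ignore proxy settings so the probe really goes to the address under test.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open(f"http://{host}:{port}/", timeout=timeout) as resp:
            return classify_response(resp.status, resp.read(65536))
    except urllib.error.HTTPError as exc:
        return classify_response(exc.code, b"")
    except (urllib.error.URLError, OSError):
        return "closed"


# Constructed sample replies (not captured from a real server).
SAMPLE_OPEN = (200, b'{"name": "node-1", "cluster_name": "demo", '
                    b'"version": {"number": "0.0.0"}, '
                    b'"tagline": "You Know, for Search"}')
SAMPLE_AUTH = (401, b'{"error": "authentication required"}')
SAMPLE_OTHER = (200, b"<html>It works!</html>")

if __name__ == "__main__":
    # Usage: python check_es.py <public-ip> [<public-ip> ...]
    # Any answer at all on a public address breaks rules 2 and 3 above,
    # so the exit code is non-zero unless every address is 'closed'.
    reachable = False
    for host in sys.argv[1:]:
        verdict = check_es_exposure(host)
        print(f"{host}:9200 -> {verdict}")
        reachable = reachable or verdict != "closed"
    sys.exit(1 if reachable else 0)
```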

Gian Maria.

Quick Peek at Microsoft Security Code Analysis: Credential Scanner

Microsoft Security Code Analysis contains a set of tasks for Azure DevOps pipelines that automate some security checks while your software is being built. Automatic security scanning tools are not a substitute in any way for human security analysis; remember: if you develop code ignoring security, no tool can save you.

Despite this fact, there are situations where static analysis can really benefit you, because it can save you from some simple and silly errors that can lead to trouble. All tasks in the Microsoft Security Code Analysis package are designed to solve a particular problem and to prevent some common mistakes.

Remember that security cannot be enforced only with automated tools; nevertheless they are useful to avoid some common mistakes and are not meant to replace a security audit of your code.

The first task I suggest you look at is Credential Scanner, a simple task that searches source code for potential credentials inside files.

Figure 1: Credential scanner task

Modern projects, especially those designed for the cloud, use tons of sensitive data that can be mistakenly stored in source code. The easiest mistake is storing credentials for databases or other services inside a configuration file, like web.config for ASP.NET projects, or leaving in the code some token for a cloud resource or service, which leaves that resource unprotected.

Including Credential Scanner in your Azure pipeline can save you trouble: with minimal configuration you can have it scan your source code to find credentials. All you need to do is drop the task in the pipeline, use the default configuration and you are ready to go. Full details on configuring the task can be found here.

Figure 2: Configuration pane for Credential Scanner

Credential scan will run in your pipeline and report the problems it finds.

Figure 3: Credential scanner found a match.

If you look at Figure 3, Credential Scanner found a match, but the task does not make the build fail (as you might expect). This is normal behavior, because all security tasks are meant to produce an output file with the scan results, and it is the duty of another dedicated task to analyze all result files and make the build fail if problems are found.

It is normal for security related tasks not to fail the build immediately; a dedicated task is needed to analyze ALL log files and fail the build if needed.

The Post Analysis task is your friend here.

Figure 4: Add a Post Analysis task to have the build fail if some of the security related tasks failed

Actually, this special task lets you specify which of the security tasks you want to analyze, and this is the reason why the build does not fail immediately when Credential Scanner finds a problem. The goal here is to run ALL security related tasks, then analyze all of them and have the build fail if problems were found.

Figure 5: Choose which analyzer you want to use to make the build fail.

After you add this task at the end of the build, the build fails if security problems are found.

Figure 6: Build fails because some of the analyses found problems. In this specific situation we have credentials in code.

As you can see from Figure 6, the Credential Scan task is green, and it is the Security Post Analysis task that made the build fail. It also logs some information in the build errors page, as you can see from Figure 7.

Figure 7: Build fails for issues in credential scanner

Now the final question is: where can I find the csv file generated by the tool? The answer is simple: there is another special task whose purpose is to upload all logs as artifacts of the build.

Figure 8: Simply use the PublishSecurityAnalysisLog task to have all security related logs published as artifacts.

As you can see from Figure 9, all the logs are correctly uploaded as artifacts and divided by tool type. In this example I ran only the Credential Scanner tool, so it is the only output I have in my artifacts folder.

Figure 9: Credential Scanner output included as a build artifact.

After downloading the file you can open it with Excel (I usually use csv file output for Credential Scanner) and find what’s wrong.

Figure 10: The csv output contains the file with the error and the line number, but everything else is redacted for security

As I can verify from the csv output, I have a problem at line 9 of the config.json file; time to look at the code and find the problem.

Figure 11: Password included in a config file.

In the CSV output file, the Credential Scanner task stores only the file, the row number and a hash of the credential found; this is needed to keep the credential from leaking through the build output.
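The reporting principle described above (file, line number and a hash, never the secret itself), as an added example that is not Credential Scanner's code or its rule set: the two regular expressions, the CSV column names and the sample config.json content are assumptions constructed for illustration.

```python
import csv
import hashlib
import io
import re

# Illustrative patterns only; Credential Scanner ships its own searchers.
PATTERNS = [
    ("password-assignment",
     re.compile(r'(?i)"?(?:password|pwd|secret)"?\s*[:=]\s*"([^"]{4,})"')),
    ("connection-string-password",
     re.compile(r'(?i)\bpassword=([^;"\s]{4,})')),
]


def scan_text(filename, text):
    """Return findings holding file, line, rule and the SHA-256 of the match.

    The matched secret is hashed immediately and never stored, so the
    report can be published as a build artifact without leaking it.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in PATTERNS:
            m = pattern.search(line)
            if m:
                digest = hashlib.sha256(m.group(1).encode("utf-8")).hexdigest()
                findings.append({"file": filename, "line": lineno,
                                 "rule": rule, "sha256": digest})
                break  # one finding per line is enough for the report
    return findings


def to_csv(findings):
    """Serialise findings to CSV text with a header row."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=["file", "line", "rule", "sha256"])
    writer.writeheader()
    writer.writerows(findings)
    return out.getvalue()


# Constructed sample: a config.json with a password on line 9.
SAMPLE_CONFIG = """{
  "Logging": {
    "Level": "Information"
  },
  "Database": {
    "Server": "db.example.internal",
    "Name": "orders",
    "User": "app_user",
    "Password": "NotARealPassw0rd!",
    "Timeout": 30
  }
}
"""

if __name__ == "__main__":
    print(to_csv(scan_text("config.json", SAMPLE_CONFIG)), end="")
```

A plain hash still lets a weak secret be confirmed by guessing, so a report like this identifies the leaked value for rotation but should not be treated as harmless.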

Now, this example was made for this post, so do not try that password against me, it will just not work :). If you think that you would never fall for this silly mistake, remember that no one is perfect. Even though I try to avoid this kind of error, I must admit that some years ago I was contacted by a nice guy who told me that I had left a valid token in one of my sample sources. Shame on me, but this kind of error can happen. Thanks to Credential Scanner you can really mitigate them.

If you wonder what kind of rules the task uses to identify passwords, the documentation states that:

CredScan relies on a set of content searchers commonly defined in the buildsearchers.xml file. The file contains an array of XML serialized objects that represent a ContentSearcher object. The program is distributed with a set of searchers that have been well tested but it does allow you to implement your own custom searchers too.

So you can download the task and examine the dll, but the nice aspect is that you can include your own searchers too.

If the tool finds a false positive and you are really sure that the match is a false positive, you can use an exclude file, as per the documentation.

Figure 12: Suppression rules for the task.

I must admit that Credential Scanner is a really powerful tool that should be included in every build, especially if you are developing open source code. Remember that there are lots of tools made to scavenge projects for this kind of vulnerability in code, so, if you publish a sensitive password or key in an open source project, it constitutes a big problem. Sooner or later this will bite you.

Gian Maria

Exploiting VulnHub Tr0ll2 machine

This is an unusual post; it deals with how I exploited the Tr0ll2 machine from VulnHub. Practicing with real machines helps you put into practice some of the stuff you learn about security. It had been a really long time (almost 20 years) since I last immersed myself in security, and doing some exercises on the machine is a good way to spend some hours :).

I run all the machines on VMware ESXi servers, in an isolated network, behind a router and a firewall, with a DNS on my Kali Linux machine. I’m pretty cautious when I run some machine in my network, so it is always good for me to have a completely separate network, completely isolated from my real work network. Thanks to VMware I can simply use the console to access the machine even if I cannot contact it directly through the network.

First of all I check the DHCP server leases to find the IP assigned to the troll machine, an easy task.

Figure 1: Just check the leases /var/lib/dhcp/dhcpd.leases to find ip of tr0ll2 machine

Now a simple nmap reveals ports 80, 21 and 22 open. Starting with port 80, I did some checks with Burp Suite, but I did not find anything useful, just the standard troll image.

Figure 2: Nothing interesting in home page.

This type of machine does not need brute force, but remembering the first machine of the series, I checked robots.txt, which reveals a series of possible subdirectories. To avoid testing every entry manually, simply save the file and then use software like dirb or OWASP DirBuster to brute force every entry in the file.

Figure 3: Some directories found by dirbuster

In all 4 directories we found the very same image, but after saving all the images on disk, one is slightly larger than the others. Using the strings program you can notice a strange string embedded in the image.

Figure 4: String embedded in the image.

After some attempts (I tried various stuff on the web site) came the light at the end of the tunnel: maybe y0ur_self is some file or directory in the web service. Voilà, another hidden directory.

Figure 5: Content of the hidden folder, a file with answers.

Opening the file I found some encoded strings; it seems to be Base64, but there are lots of internet sites that can try various encodings for you to avoid losing time.

Figure 6: Ok, indeed it is a Base64 string :)

The first thing to do is converting all these Base64 strings into standard strings; a few lines of Python code solved the problem.

Figure 7: Decode with Python, as you can see I’m using Visual Studio Code for the task.

Once I have a nice file with lots of strings, the obvious thing to do is to try these passwords on ssh or ftp; sadly enough, nothing worked. I tried root for the user (I’m pretty sure that is not the user because it would be too easy), I tried the Tr0ll user (because of the username in the home page of the site), but nothing.

Now I need to admit I cheated: after being stuck for a while, after hydra and various other tools to brute force either ftp or ssh, I searched for a hint on the internet.

I was a little bit disappointed because the next step is not really logical: the ftp user is Tr0ll with Tr0ll as the password. I really did not think of such an easy solution.

Moving on, in the ftp I found a single zip file, protected with a password. Now the nice list of decoded strings contains the password for the zip file.

Figure 8: Cracking zip file.

Inside the zip file there is another file, a nice RSA key file, used to log into ssh.

Figure 9: Finally a key to login with SSH

I tried user Tr0ll without any success, then, since the file is called noob, I tried the user noob (remembering the trick of the ftp) and it worked, but no console was available; I was kicked out immediately.

Figure 10: Trolled again

Ok, now I need to understand why the ssh server kicked me out all of the time; using the -v option I can ask for verbose diagnostics of what is happening between client and server.

Figure 11: Debug of my ssh connection

The output is not really informative, but I tried googling everything, especially a particular string, “remote: forced command”, that suggested to me that the server somehow has a command whitelist. I found that it is possible to configure SSH to execute only certain commands, so I tried different commands; nothing worked.

After some more time googling, I found that an ssh forced command can be vulnerable to ShellShock; I was really excited and tried to open a shell exploiting the ShellShock bug.

Figure 12: ShellShock worked and I was really trolled

HOORAY, ShellShock worked, I’m in, but I cannot use ls to list files; the pwd command works, some other commands work, but ls gives me permission denied. After browsing with find, for some reason I tried the dir command, and LOL, the dir command works like ls, as you can see in Figure 12. This was the most Troll moment of this hack, I was really shocked.

Once in, you can find some interesting folders.

Figure 13: Finally some interesting files

I found three distinct r00t files inside three folders; all are executables, but running them has the simple result of kicking me out of the ssh for a while. After being puzzled I realized that one of the files is bigger than the others, and it is always in a different place; this explains why all three kicked me out of the ssh: I ran the file in door1, then door2, then door3, but probably it was always the same file. As for the images with strings inside, probably the file with the different size was the interesting one.

Figure 14: Solution is near

Ok, now I’m really frustrated. The reason is that I’ve found a file that has setuid root and does nothing but output the string I give it as input; thus, the author expects me to perform an exploit with a stack overflow, because this is the typical test program also used in books like The Shellcoder’s Handbook. Uff, it has been more than 15 years since I last smashed a stack, and lots of stuff has changed with ASLR and other stuff, so I decided to call it a day and give up; I had had enough fun with the machine.

……
……

After a couple of days, I still had a bitter sensation in my mouth: I was near to finishing the machine, I could not surrender. Thanks a lot to Pluralsight (you guys have tons of exceptional courses), I found a course on creating exploits with metasploit, and the TOC revealed that it could be a refresher for my rusty buffer overflow knowledge. The course was great and it gave me all the tools to try to do an exploit. The r00t file is 32 bit, so I do not have to deal with a 64 bit stack; it turns out that it could be easier than I thought.

Step 1: use a metasploit utility to create a payload that allows me to locate the offset needed to overwrite the EIP register. The utility is pattern_create.rb and, given a length (in this example 300 chars), it generates a unique string that allows me to locate the right offset.

Figure 15: Pattern_create.rb in action.

Now I can launch the r00t program in the gdb debugger (I have no fancy GUI debugger with ssh and shellshock, but luckily enough I’m old enough to be familiar with a command line debugger). Just run gdb r00t, then after the debugger starts type run followed by the arguments, using patterns of increasing length until the program crashes.

Figure 16: Debugger show the crash and the instruction that causes segmentation fault.

The situation is the following: I’ve overwritten the stack with a specific sequence of chars generated by pattern_create.rb and the offending pointer is 0x6a413969, which is now the content of the EIP register, the next instruction pointer. Now I can use another tool called pattern_offset.rb.

Figure 17: Pattern_offset allows me to easily find the offset.

As you can see in Figure 17, with metasploit, finding the offset is a breeze: the EIP overwrite location is at offset 268. Now I simply followed the instructions of the Pluralsight course, trying to get a better understanding of what happened. With Python it is really simple to generate a pattern to verify the assumption.

Figure 18: Creating a specific pattern to verify what is in memory

Using that specific pattern allows me to verify what is in stack memory after buffer overflow.

Figure 19: Registers after buffer overflow

Ok, the assumptions are right: the ebp register contains a sequence of A characters, then EIP contains a sequence of B; this confirms that the offset is good. Now I dump the memory pointed to by the esp register to verify what is on the stack, and I find all letter C. Everything is good and ready to run. I did a final test, and instead of using all C after the EIP pointer I put 40 bytes of \x90 (NOP instructions). Here is the result:

Figure 20: Memory layout pointed by esp after the overflow

As you can see from Figure 20, at the memory address pointed to by esp (0xbffffb10) there are my 40 NOPs and then the letters C. Now I only need a payload; remembering the book The Shellcoder’s Handbook, I searched for a simple execve shell on exploit-db and the result is

"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80"

This is really nice. I really love shellcode; it is almost magic because it is binary code that can be forced into a program to be executed. Now I verify again the layout of the memory after the overflow with this new code.

Figure 21: Buffer overflow is almost ready.

It is really important that you do this final run with the exact length of the payload. Now from Figure 21 I can easily see my 40-NOP sled starting at 0xbffffb60, then my shellcode. As a first attempt I tried to overwrite EIP with 0xbffffb68 (Figure 22, remember that x86 is little endian); if everything is ok, after the overflow the execution will jump into my NOP sled and finally execute the shellcode, launching a new bash with user root (remember that the r00t program has setuid root).

Figure 22: Final Shell code

I was really excited and really surprised when it worked at the very first attempt. Many thanks to Gus Khawaja for his course, it gave me all the information that I needed.

Figure 23: I’m Groot

Gian Maria.

Azure DevOps and SecDevOps

One of the cool aspects of Azure DevOps is its extensibility through the marketplace API, and for security you can find a nice marketplace add-in called OWASP ZAP (https://marketplace.visualstudio.com/items?itemName=kasunkodagoda.owasp-zap-scan) that can be used to automate OWASP tests for web applications.

You can also check this nice article in MSDN https://devblogs.microsoft.com/premier-developer/azure-devops-pipelines-leveraging-owasp-zap-in-the-release-pipeline/ that explains how you can leverage OWASP ZAP analysis during a deploy with a release pipeline.

Really good stuff to read / use.