HeartBleed – Exploiting the net “CVE-2014-0160”



Heartbleed has the potential to be one of the biggest and most widespread vulnerabilities in the history of the modern Internet, and at the root of Heartbleed is encryption. The Internet has a set of protocols for security and encryption commonly known as “Secure Sockets Layer” (SSL) and its successor “Transport Layer Security” (TLS); the most common implementation of SSL and TLS is the open source toolkit OpenSSL.

More information is available here: http://thehackernews.com/2014/04/heartbleed-bug-explained-10-most.html

You can test whether your website is vulnerable to the Heartbleed attack on this website: https://filippo.io/Heartbleed . I was thinking about creating a tool that would test a list of websites (the “TOP 1 Million” websites in my case) and, if the script finds a target vulnerable, send an email to the webmaster telling him that he should fix it!

I have created that tool and it’s available for download here: https://github.com/MrNasro/heartbleed/

Before using the tool you need to change the following inside “exploit.py”:

fromaddr = 'sender@email.com'
username = 'email_username'
password = 'email_password'
server = smtplib.SMTP('smtp.gmail.com:587')

After the changes, just place the CSV list of domain names in the script directory and run it from the command line: python heartbleed.py
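To make clear what the scanner above is actually probing for, here is an added example (not code from the original post or from the linked tool): a parser for the TLS heartbeat message of RFC 6520 that enforces the bounds check which fixed CVE-2014-0160, with a switch that mimics the unpatched behaviour so the over-read can be measured. All function names and the sample messages are constructed for this example.

```python
import struct

HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE = 1, 2
HEADER_LEN = 3     # 1-byte type + 2-byte payload_length
MIN_PADDING = 16   # RFC 6520: at least 16 bytes of padding after the payload


def parse_heartbeat(record, trust_claimed_length=False):
    """Parse one HeartbeatMessage (RFC 6520) as carried in a TLS record.

    Default: enforce the bounds check that fixed CVE-2014-0160, i.e. the
    claimed payload_length plus header and padding must fit in the record.
    trust_claimed_length=True mimics the unpatched code, which took
    payload_length at face value and so echoed back up to 64 KB of whatever
    sat in memory after a short record. Returns (type, payload_length, payload).
    """
    if len(record) < HEADER_LEN:
        raise ValueError("heartbeat record shorter than its 3-byte header")
    hb_type, payload_length = struct.unpack("!BH", record[:HEADER_LEN])
    if hb_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        raise ValueError("unknown heartbeat type %d" % hb_type)
    if (not trust_claimed_length
            and HEADER_LEN + payload_length + MIN_PADDING > len(record)):
        raise ValueError("payload_length %d does not fit in a %d-byte record"
                         % (payload_length, len(record)))
    payload = record[HEADER_LEN:HEADER_LEN + payload_length]
    return hb_type, payload_length, payload


def overread_bytes(record):
    """Bytes beyond the received record that a trusting implementation would
    copy into its response; 0 for a well-formed message."""
    _, payload_length, payload = parse_heartbeat(record, trust_claimed_length=True)
    return payload_length - len(payload)


def build_heartbeat(hb_type, payload, padding=b"\x00" * MIN_PADDING):
    """Build a well-formed heartbeat with an honest payload_length
    (real padding is random; zeros are used here for a reproducible sample)."""
    return struct.pack("!BH", hb_type, len(payload)) + payload + padding


# Constructed samples: an honest 4-byte ping, and a bare header claiming 16 KB.
GOOD = build_heartbeat(HEARTBEAT_REQUEST, b"ping")
BAD = struct.pack("!BH", HEARTBEAT_REQUEST, 0x4000)
```

With the check enabled the second sample is rejected outright; with it disabled the parser reports how far past the record an unpatched peer would have read.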


Vault app isn’t that secure !

Hi,

Some of us (like me) depend on Vault to hide and secure their contacts, SMS, pics and videos.. I figured out that this app takes some time to load after the phone is booted, so this really gives us access to protected apps like “Contacts” before it loads!

This is a test video. I’ll investigate that behavior and let you guys know if I find anything, in a detailed future post:

HAPPY HACKIN’ :)


ZynOS – Part 2 ( Taking over the network )

Hello again :)

I’m going to recap from the last post. What I’m about to demonstrate in this post is the impact an attacker can cause to your network once he has access to the router..

We have access to the router, but our goal is to get a foothold on the remote network. Hmm.. we have the port forwarding option, which is beautiful: what we can do with that is scrape the network pool for internal IPs, forward ports like 445 and 139, and try to exploit them from our end. But imagine a network with 200 machines; that will definitely be time consuming, and even if you write a script to automate it, what makes you believe that you’re actually going to get Meterpreter sessions?

So .. what’s the solution ?

Hmm, DNS is an interesting thing to look at, since we can provide a DNS IP to the router for the whole network to use!!

Are we talking about DNS interception? Hell yeah :D

Here is a list of the tools we’re going to use:

Dnschef: a DNS proxy (read about it HERE)
Metasploit: how to install it on Ubuntu HERE
Webmitm: find out more about it HERE
Burp Suite: it’s available HERE

- Attacking from Ubuntu (“Metasploit & dnschef & webmitm”) running on IP 192.168.0.6

- Burp Suite will be running on IP 192.168.0.10

First, I’ll explain how I’m going to do the attack:

We’re going to set up our Dnschef proxy:

./dnschef.py --interface 192.168.1.106 --fakeip 192.168.1.106

--interface: tells dnschef which interface it will listen on.

--fakeip: hijacks requests by returning this IP as the result for every request.

The next step is to launch the webmitm tool, which will handle the HTTP requests and responses. From there we’ll tell webmitm to forward the traffic to the Burp Suite proxy, which will allow us to inject an iframe pointing at the Metasploit browser autopwn server.

We have to configure Burp Suite so that it handles requests on port 80.

The proxy listener has to be invisible..

Repeat these steps for port 443 to handle HTTPS traffic.

OK, so everything is ready now.. I’ll have to modify the scripts I provided in the previous post so that we can inject our DNS server.

This way I injected my IP address as the first DNS server to use on the router, and the second one is Google’s. If we want to stop the attack on the already injected routers by blocking requests made to our DNS server, the router will automatically fall back to the second server, which belongs to Google, without showing any DNS resolution error on the victim’s end.

OK, so now we’ll have to launch the browser autopwn module in Metasploit.

PS: I’ll be using port “8080” because webmitm is already using port “80” to forward traffic.

It’s loaded and waiting for victims to browse :)

OK, so from here we’ll have to add the iframe injection to Burp Suite, so that when it gets a response for a page requested by the victim it injects an iframe pointing at “http://192.168.0.6:8080/”, where Metasploit is listening.

DEMO:

After injecting my DNS server into the victim’s router using the scripts, and after setting up everything from dnschef to Metasploit, let’s follow what happens when a victim browses to a website.

We got 3 Meterpreter sessions :D

DO YOU REALIZE WHAT SOMEONE CAN DO IF HE HACKS INTO YOUR ROUTER THROUGH SOME VULNERABILITY, OR JUST THROUGH DEFAULT PASSWORDS THAT YOU DIDN’T CHANGE?

Any questions or comments, feel free to contact me. And as always: Happy Hacking :)
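From the defender’s side, the setup above has a simple signature: a dnschef --fakeip proxy answers every query with the same address, and the router’s first DNS entry is one that does not belong to the ISP or a public resolver. The following is an added example (not code from this post or its scripts) that checks a LAN for both symptoms; the canary domain list, function names and sample answers are constructed for the example.

```python
import socket

# Canary names that should normally resolve to unrelated addresses (assumed list).
CANARY_DOMAINS = ["example.com", "example.net", "example.org", "iana.org"]


def resolve_all(domains, resolver=socket.gethostbyname):
    """Resolve each name with `resolver`; a lookup failure is recorded as None."""
    results = {}
    for name in domains:
        try:
            results[name] = resolver(name)
        except OSError:          # socket.gaierror is a subclass of OSError
            results[name] = None
    return results


def detect_wildcard_hijack(results, min_hits=3):
    """Return the address that min_hits or more different names collapsed onto,
    else None. A dnschef --fakeip proxy answers every query with one IP, so
    unrelated canaries sharing a single answer is the tell-tale sign."""
    counts = {}
    for ip in results.values():
        if ip is not None:
            counts[ip] = counts.get(ip, 0) + 1
    for ip, n in counts.items():
        if n >= min_hits:
            return ip
    return None


def unexpected_dns_servers(configured, allowed):
    """List configured resolvers outside the allowed set, e.g. the rogue first
    entry the post injects in front of Google's server on the router."""
    return [ip for ip in configured if ip not in allowed]


# Constructed samples: answers as seen under dnschef (the post's attacker IP)
# versus a normal set of unrelated answers (documentation ranges).
SAMPLE_HIJACKED = {d: "192.168.0.6" for d in CANARY_DOMAINS}
SAMPLE_CLEAN = dict(zip(CANARY_DOMAINS,
                        ["203.0.113.10", "203.0.113.20", "198.51.100.5", "192.0.2.44"]))

if __name__ == "__main__":
    live = resolve_all(CANARY_DOMAINS)          # uses the system resolver
    print("hijack address:", detect_wildcard_hijack(live))
```

Run from a client on the LAN, a non-None hijack address means every lookup is being steered to one host; compare the router’s DNS entries against your ISP’s or a public resolver’s with unexpected_dns_servers.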

How I saved your a** from the ZynOS (rom-0) attack !! ( Full disclosure )

Hello everyone, I just wanted to discuss a vulnerability I found and exploited for GOODNESS.. just so that SCRIPT KIDDIES won’t attack your home/business network.

Well, in Algeria the main ISP (Algerie Telecom) provides you with a router when you pay for an internet plan, so you can conclude that every subscriber is using that router. The TD-W8951ND is one of them. I did some IP scanning and found that every router is using ZyXEL embedded firmware.

Analysis :

Let’s download an update, take a look at it and try to find some vulnerabilities. ( http://www.tp-link.com/Resources/software/TD-W8951ND_V3.0_110729_FI.rar )

The ras file is in LIF format!! ...
Hmmm, let’s run that file through Binwalk, for God’s sake! (check http://code.google.com/p/binwalk/wiki/Installation for more information on how to install it).

This is what Binwalk told me about that file:

You can clearly see and confirm that the router is using ZynOS firmware. We can also see that there are two blocks of LZMA compressed data... let’s extract them and have a look.

The problem is that when I tried to decompress the two blocks I got an error: “Compressed data is corrupt”.

Hmm, first the “ras” file was in LIF format.. and now the LZMA compressed blocks are corrupted!!
I googled this and tried to find a solution, and FOUND NOTHING. How am I going to solve this??
One idea came to my mind.. the “strings” command, and here is what I got:


Aaaah! So the blocks aren’t compressed with LZMA or anything! The whole “ras” firmware file is just a big chunk of data in clear text.
OK, let’s try and find some useful STRINGS...

After some time searching, “I” didn’t find the useful thing that would help us find vulnerabilities in the firmware!!

I didn’t give up...
I was just thinking and questioning:

  • Me: What do you want from this firmware file?
  • Me: I want to find remote vulnerabilities that will help me extract the “admin” password.
  • Me: Does the web interface let you save the current configuration?
  • Me: Yes!!
  • Me: Is the page password protected?
  • Me: No!!! I tried to access that page from a different IP and it didn’t require a password!

Ok, enough questions haha ..

Now, when I activated TamperData and clicked “ROMFILE SAVE”, I found out that the rom-0 file is located at “IP/rom-0” and the directory isn’t password protected or anything.

So we are able to download the configuration file, which contains the “admin” password. I took a look at the rom-0 file and couldn’t figure out how to reverse-engineer it, and when you don’t know something it’s not a shame to ask for help.. and that’s what I did!
I contacted “Craig” from devttys0.com; he is an expert when it comes to hacking embedded devices. He’s a great guy: he replied to my email and pointed me to http://50.57.229.26/zynos.php, which is a free rom-0 file decompressor.


When you upload and submit the rom-0 file there, the PHP page replies with the configuration in clear text (INCLUDING THE PASSWORD).

So what I need to do now is automate the process of:

  • Downloading the rom-0 file.
  • Uploading it to http://50.57.229.26/zynos.php
  • Getting the reply back and extracting the admin password from it.
  • Looping this process over a range of IP addresses.

And that’s exactly what I did: I opened an OLD OLD PoC Python script of mine that accessed routers via telnet using the default passwords, so all I needed to do was add some functionality to it.

Well, I thought about this, and I’m posting this script online ONLY FOR EDUCATIONAL PURPOSES.

You can find the scripts here : https://github.com/MrNasro/zynos-attacker/

Demo :


PS: I OWN ALL THE IP RANGE I WAS SCANNING, “FOR SURE” ;)

Prevention :

Now! How do you prevent attackers from downloading your rom-0 configuration file and manipulating your router? This is pretty simple if you think about it..
You just have to forward port 80 on the router to an unused IP address on your network:

THAT’S ALL. Or, if you want to play a little with attackers that are using scripts too.. just forward port 80 to your local HTTP server and put a LARGE file in the root directory named rom-0.. just let them download a 1GB rom-0 file haha haha. I have also automated the process of port forwarding and I’m running the scripts daily just to prevent hackers from attacking weak users...

In the next post I’ll demonstrate how a malicious hacker would exploit this to hack TONS of networks and get a Meterpreter/reverse shell on every PC on the target network..

Hope you enjoyed this analysis. If you have anything to add or any questions to ask, don’t hesitate to contact me! BE THEIR HERO, HAPPY HACKING ;)

UPDATE:

The decoded.php script is now located at http://198.61.167.113/zynos/decoded.php ; I have updated the code.py script accordingly.


About WordPress Security

WordPress based websites are mostly targeted through vulnerable plugins and themes installed on the WP website. Attackers tend to inject their malicious code into header.php or footer.php under /wp-content/themes/<theme_name>, because it is loaded with every page of your website. It’s a smart way to infect the full website with just one file.

There are a few basic steps that need to be performed immediately whenever the website is hacked:

  1. Replace your website folder with a clean copy of the website.
  2. Perform a Sucuri malware scan, i.e. http://sitecheck.sucuri.net/scanner/, to check if you are already blacklisted.
  3. Inspect your plugins and themes folders for malicious code.
  4. Remove the malicious code from the infected files.

Once done, the next step is to inspect your WP database.

WP Database Inspection

It is equally important to inspect and clean your WP database after you clean the WP website files. This ensures that the malicious code does not reappear and that you have a fully cleaned website. The WP database can be accessed using phpMyAdmin. Below is the quickest way to do a database inspection:

  1. Log in to phpMyAdmin.
  2. Click on the database_name in use (e.g. wordpress_database).
  3. Export your complete database in .sql format and open it in a text editor.
  4. Search for malicious code or any suspicious encoding.

One final note.. the most important things to remember if you own a WP site are:

  1. Back up your website DAILY if possible.
  2. Keep your WP version up to date.
  3. Have a few security plugins installed for your WP website.
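Step 4 of the database inspection (“search for malicious code or any suspicious encoding”) and step 3 of the cleanup (inspecting theme and plugin files) can be done with one scanner. The following is an added example, not code from this post: it runs a small set of rules for the obfuscation wrappers typically injected into header.php/footer.php or into wp_options rows over a text or a directory tree. The rule set, function names and the sample .sql rows are constructed for the example and are not an exhaustive signature list.

```python
import os
import re

# Rules for code an attacker typically injects into a theme's header.php /
# footer.php or into wp_options / wp_posts rows (assumed, not exhaustive).
SUSPICIOUS = [
    ("eval", re.compile(r"\beval\s*\(", re.I)),
    ("base64_decode", re.compile(r"\bbase64_decode\s*\(", re.I)),
    ("decompression wrapper", re.compile(r"\b(gzinflate|gzuncompress|str_rot13)\s*\(", re.I)),
    ("preg_replace /e", re.compile(r"preg_replace\s*\(\s*['\"][^'\"]*/e['\"]", re.I)),
    ("hidden iframe", re.compile(r"<iframe[^>]*(display\s*:\s*none|height=.?0)", re.I)),
    ("long base64 blob", re.compile(r"[A-Za-z0-9+/]{120,}={0,2}")),
    ("hex-escaped string", re.compile(r"(\\x[0-9a-fA-F]{2}){8,}")),
]


def scan_text(text, source="<input>"):
    """Return (source, line_no, rule, snippet) for every line matching a rule."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        for rule, rx in SUSPICIOUS:
            m = rx.search(line)
            if m:
                snippet = line[max(0, m.start() - 20):m.end() + 20].strip()
                hits.append((source, no, rule, snippet))
    return hits


def scan_tree(root, exts=(".php", ".sql")):
    """Walk a directory (e.g. wp-content/themes, or the folder holding the
    phpMyAdmin export) and scan every file with one of the given extensions."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(exts):
                path = os.path.join(dirpath, fn)
                with open(path, "r", errors="replace") as fh:
                    hits.extend(scan_text(fh.read(), path))
    return hits


# Constructed sample of a .sql export: a clean option row, an injected
# widget_text row carrying eval(base64_decode(...)), and a clean post row.
BLOB = "QUFB" * 40
SAMPLE_SQL = (
    "INSERT INTO `wp_options` VALUES (99,'siteurl','http://example.org','yes');\n"
    "INSERT INTO `wp_options` VALUES (100,'widget_text',"
    "'<?php eval(base64_decode(\"" + BLOB + "\")); ?>','yes');\n"
    "INSERT INTO `wp_posts` VALUES (7,'Hello world!','Welcome to WordPress.');\n"
)
```

Every hit names the file and line, so the same output serves both for locating the injected row in the export and for finding the infected theme file to clean.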

The end of “Windows XP”

Microsoft will stop delivering security updates for the second most popular operating system in the world, “Windows XP”. The company issued several blog posts urging users to upgrade to newer Windows versions before it is too late.

“NOW is the time to move to a more modern Windows operating system and modernize your IT infrastructure.”

According to metrics firm NetMarketShare, XP is second only to Windows 7 in terms of usage, with 38.73 percent of the worldwide operating system market share. But what if there are still some (a couple of million) using it after the END DATE? This will open a large door for hackers and motivate them to find more vulnerabilities and exploits in “XP”.

So, like it or not, as the company is moving on, you probably should too.



w3af – Open Source Web Application Security Scanner ( UBUNTU installation )

Introduction :

w3af is a Web Application Attack and Audit Framework. The project’s goal is to create a framework to help you secure your web applications by finding and exploiting all web application vulnerabilities. The framework is developed in Python to be easy to use and extend, and is licensed under GPLv2.0.

Installation :

Step 1 : (Install pip)

$ sudo apt-get install python-pip

Step 2 : (Install dependencies)

$ sudo apt-get install python2.7 python2.7-dev
$ sudo pip install fpconst
$ sudo pip install nltk
$ sudo pip install SOAPpy
$ sudo pip install pyPdf
$ sudo apt-get install libxml2-dev
$ sudo apt-get install libxslt-dev
$ sudo pip install lxml
$ sudo pip install pyopenssl
$ sudo pip install python-scrapy
$ wget http://pysvn.barrys-emacs.org/source_kits/pysvn-1.7.8.tar.gz
$ sudo pip install pysvn-1.7.8.tar.gz
$ sudo pip install pybloomfiltermmap

Step 3 : (Install w3af)

$ git clone https://github.com/andresriancho/w3af.git

$ cd w3af

$ ./w3af_gui

If all packages are installed, you should see the w3af GUI start up.