Blog - Page 4 of 5 - Pentest Geek

Hard coded encryption keys and more WordPress fun

Metasploit modules [1, 2]

A few days ago I was chatting with pasv about a recent vulnerability he discovered. Apparently there was demand for Razer Synapse, which syncs the configuration for a Razer mouse to the “cloud”. Syncing configurations to the cloud was most likely needed since some Razer models have so many buttons that the mouse has its own full-blown number pad on the side. Pasv got bored, did what any good bored security professional does, and reverse engineered the Razer Synapse installer. He discovered that the encryption key and IV for the “Remember my password” feature were hard coded (PoC).

The vulnerability was fixed just before the new year (12/27/12) via an auto-update of the Razer Synapse software, but we figure there are probably at least a few configuration files still sitting out there. This vulnerability was very similar to the recent Metasploit module @zeknox and I released for Spark IM, so it was fairly painless to write up a new module to exploit this configuration.


WordPress Pingback Portscanner – Metasploit Module

The latest version of WordPress, 3.5, was released on December 11, 2012. It ships with the XML-RPC interface enabled by default, and XML-RPC exposes pingback.ping, a method that makes the blog's web server connect out to a URL the caller supplies. This is just the type of configuration that we pentesters love to see during an engagement: the additional attack surface may be just the little extra a pentester needs.
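What a pingback port scanner relies on, shown here as an added example rather than the Metasploit module's own code: the pingback.ping request a WordPress XML-RPC endpoint accepts, and the two Pingback 1.0 fault codes that separate a port the blog could connect to from one it could not. The HTTP transport is left out so the example runs offline; the response bodies are constructed in the shape WordPress returns, and every host name and URL is a placeholder.

```ruby
require 'rexml/document'

# Fault codes from the Pingback 1.0 specification. WordPress answers 16 when it
# could not fetch the source URI at all (connection refused, timed out) and 17
# when it fetched something but found no link back to the target.
FAULT_SOURCE_UNREACHABLE = 16
FAULT_NO_LINK_TO_TARGET  = 17

def xml_escape(s)
  s.gsub('&', '&amp;').gsub('<', '&lt;').gsub('>', '&gt;')
end

# Body of the pingback.ping call to POST to /xmlrpc.php. source_uri is the
# host:port we want the blog's server to connect to; target_uri must be a real,
# pingback-enabled post on the blog or the request is refused before any
# outbound connection is attempted.
def pingback_request(source_uri, target_uri)
  <<~XML
    <?xml version="1.0" encoding="UTF-8"?>
    <methodCall>
      <methodName>pingback.ping</methodName>
      <params>
        <param><value><string>#{xml_escape(source_uri)}</string></value></param>
        <param><value><string>#{xml_escape(target_uri)}</string></value></param>
      </params>
    </methodCall>
  XML
end

# The faultCode integer from an XML-RPC fault, or nil when there is none.
def fault_code(doc)
  doc.elements.each('methodResponse/fault/value/struct/member') do |member|
    next unless member.elements['name']&.text == 'faultCode'
    value = member.elements['value/int'] || member.elements['value/i4']
    return value.text.to_i if value
  end
  nil
end

# Classify one host:port from the blog's answer.
def port_state(response_xml)
  doc = REXML::Document.new(response_xml)
  return :unknown unless doc.elements['methodResponse']
  return :open if doc.elements['methodResponse/params'] # ping accepted: the fetch succeeded
  case fault_code(doc)
  when FAULT_SOURCE_UNREACHABLE then :closed_or_filtered
  when FAULT_NO_LINK_TO_TARGET  then :open
  else :unknown
  end
rescue REXML::ParseException
  :unknown
end

# Constructed responses in the shape WordPress sends back (not captured traffic).
def fault_response(code, message)
  <<~XML
    <?xml version="1.0"?>
    <methodResponse>
      <fault><value><struct>
        <member><name>faultCode</name><value><int>#{code}</int></value></member>
        <member><name>faultString</name><value><string>#{message}</string></value></member>
      </struct></value></fault>
    </methodResponse>
  XML
end

CLOSED_PORT_RESPONSE = fault_response(16, 'The source URL does not exist.')
OPEN_PORT_RESPONSE   = fault_response(17, 'The source URL does not contain a link to the target URL.')

if __FILE__ == $PROGRAM_NAME
  puts pingback_request('http://10.0.0.5:22/', 'http://blog.example.com/?p=1')
  puts port_state(CLOSED_PORT_RESPONSE)
  puts port_state(OPEN_PORT_RESPONSE)
end
```

One request probes one host:port, so a sweep of an internal /24 across a handful of ports is thousands of POSTs to /xmlrpc.php, each of which lands in the blog's access log and each of which makes the blog's own server open a connection to the scanned host. Anything that does not come back as a fault 16 or 17 is left as unknown rather than guessed.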


Recover Spark IM Stored Passwords with Metasploit

Metasploit Module [1]

I recently added a post-exploitation module to the Metasploit framework. The module extracts and decrypts the passwords stored by the Spark Instant Messenger client. They are kept in a file on the local disk (spark.properties), encrypted with Triple DES. That sounds all fine and dandy, but it all goes out the door because the key is hard coded in the client and publicly documented: anyone who can read the file can decrypt it.

The vulnerability isn’t that new: Adam Caudill documented it back in July 2012, when he disclosed the details along with .NET PoC code showing how the attack is carried out. Mubix recently submitted a request to add a post-exploitation module for it to the framework, so SmilingRacoon and I decided to answer the call and write one.
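The Razer Synapse post above and the Spark IM module here describe the same defect: a client encrypts a saved password with a key (and IV) that every copy of the client carries. The following is an added example written for this page, not the Metasploit module, Adam Caudill's PoC, or either vendor's code. The key, IV and properties file are constructed stand-ins; the real Spark and Razer values are deliberately not reproduced, and any fixed 24-byte 3DES key shows the problem equally well.

```ruby
require 'openssl'
require 'base64'

# Constructed stand-ins for secrets a client ships inside its own binary.
HARDCODED_KEY = 'example-3des-key-24bytes'.b  # 24 bytes: three DES subkeys
HARDCODED_IV  = 'static8b'.b                   # 8 bytes: the DES block size

def des_ede3(mode)
  cipher = OpenSSL::Cipher.new('des-ede3-cbc')
  mode == :encrypt ? cipher.encrypt : cipher.decrypt
  cipher.key = HARDCODED_KEY
  cipher.iv  = HARDCODED_IV
  cipher
end

# What the client does when the user ticks "remember my password".
def store_password(plaintext)
  c = des_ede3(:encrypt)
  Base64.strict_encode64(c.update(plaintext) + c.final)
end

# What anyone who has read the client (or its public documentation) can do to
# every saved configuration file they can reach: no per-user secret is involved,
# so the same routine works on every victim's file.
def recover_password(blob)
  c = des_ede3(:decrypt)
  c.update(Base64.strict_decode64(blob)) + c.final
end

# Pull the encrypted value out of a Java-style properties file such as spark.properties.
def password_from_properties(text)
  line = text.lines.map(&:chomp).find { |l| l.start_with?('password=') }
  line && line.split('=', 2)[1]
end

# Constructed spark.properties-style file for a hypothetical user; not a real capture.
SAMPLE_PROPERTIES = <<~PROPS
  username=jdoe
  server=chat.example.com
  password=#{store_password('Winter2012!')}
PROPS

if __FILE__ == $PROGRAM_NAME
  puts "recovered: #{recover_password(password_from_properties(SAMPLE_PROPERTIES))}"
end
```

The point a practitioner should take from this is that the cipher strength is irrelevant: Triple DES here is doing exactly what it was asked to, and the fix is not a stronger algorithm but a key that is not the same on every installation, which is why clients that get this right hand the job to the operating system's credential store.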


NetLM Downgrade Attacks with Metasploit

Metasploit Module [1]

Recently I added a post-exploitation module to the Metasploit framework that helps automate the NetLM downgrade attack. If you are not familiar with the attack, I highly suggest you read the following article by Dave Howard before continuing.

The purpose of this article is not to describe the NetLM attack itself, but to demonstrate how the post-exploitation module works and how it can save time on a pentest, or even get you that next step toward taking over the network.


Dumping Domain Password Hashes Using Metasploit (ntds_hashextract.rb)

Earlier this week I released a blog post on the Accuvant website explaining at a high level some of the techniques and use cases for my recently developed Metasploit modules. This article will be the first in a series of tutorials where I plan to do a deeper dive into the individual modules and some of their many uses during an Information Security Assessment or Penetration Testing exercise.
The ntds_hashextract.rb script is a standalone tool that quickly and efficiently extracts Active Directory domain password hashes from the exported datatable of an NTDS.dit database. As it turns out, exporting the datatable can sometimes be tricky, so here is a detailed tutorial covering the methodology that I use and continue to have success with.

Step 1 – Install Libesedb

Libesedb is an open source C library developed to forensically extract information from Extensible Storage Engine (ESE) database files. To get what we need out of NTDS.dit we first have to download and install the library using the following URL


Finding Logged In Users – Metasploit Module

Sometimes during an Information Security Assessment I find myself spending a fair amount of effort locating a server or workstation with a specific user logged into it. This could be because I am searching for a box with a Domain Admin on it, or because my engagement has a CTF-style scope that requires me to find a single user logged into a large enterprise domain.

Whatever the reason, this process can take a long time, especially on a sizable network. Like most security auditors I’m not a big fan of doing the same thing over and over again, so I decided to build a tool to help automate it.

First we query HKEY_USERS to find out how many legitimate SIDs are currently logged in. We should see output similar to this.
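The filtering step behind that query, as an added example that is not the module's own code: the subkeys of HKEY_USERS mix real account SIDs with well-known service SIDs and the `_Classes` hives, and only the first kind tells you a user is logged on. The key list below is constructed to look like what `registry_enumkeys('HKU')` returns in a Meterpreter session; the SID values are placeholders.

```ruby
# Constructed sample of the subkeys under HKEY_USERS on a workstation with the
# built-in Administrator and one ordinary user logged on. Not a real capture.
SAMPLE_HKU_KEYS = %w[
  .DEFAULT
  S-1-5-18
  S-1-5-19
  S-1-5-20
  S-1-5-21-1004336348-1177238915-682003330-500
  S-1-5-21-1004336348-1177238915-682003330-500_Classes
  S-1-5-21-1004336348-1177238915-682003330-1001
  S-1-5-21-1004336348-1177238915-682003330-1001_Classes
].freeze

# An account SID, local or domain, is S-1-5-21-<three sub-authorities>-<RID>.
# This drops the well-known service SIDs (S-1-5-18/19/20), .DEFAULT, and the
# <SID>_Classes hives Windows loads next to each logged-on user's profile.
USER_SID = /\AS-1-5-21-\d+-\d+-\d+-\d+\z/.freeze

def logged_in_user_sids(hku_keys)
  hku_keys.select { |k| k.match?(USER_SID) }
end

# The RID alone already says something before any name resolution:
# 500 is the built-in Administrator, 1000 and up are accounts created later.
def rid(sid)
  sid.split('-').last.to_i
end

def summarise(hku_keys)
  logged_in_user_sids(hku_keys).map do |sid|
    { sid: sid, rid: rid(sid), builtin_admin: rid(sid) == 500 }
  end
end

if __FILE__ == $PROGRAM_NAME
  summarise(SAMPLE_HKU_KEYS).each do |u|
    puts "#{u[:sid]}  rid=#{u[:rid]}#{' (built-in Administrator)' if u[:builtin_admin]}"
  end
end
```

Resolving each SID to a username, which is what actually answers "is the Domain Admin on this box", is the module's next step and is not shown here; the SID filter alone is enough to skip hosts with nobody interesting logged on.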


Find Local Admin with Metasploit

Metasploit Module [1]

When conducting email phishing engagements I often run into situations where I gain a Meterpreter session on the internal network but don’t have local admin privileges. Many penetration testers give up on the assessment at that point because they have already demonstrated access to the internal network and consider that adequate for an external engagement. I like to go that extra mile and really make an impact by showing what a malicious user can do once inside.

I feel many penetration testers ignore the fact that a user executed the payload: a user who is most likely part of a domain and may have access to many additional resources on the internal network that we wouldn’t otherwise reach.


Jigsaw.rb Now With SQLite3 Database Support

Get The Code:
https://github.com/pentestgeek/jigsaw/tree/dev

This is just a quick post to highlight some of the new features added to the development branch of Jigsaw with SQLite3 support. To use this tool you’ll first need to install the ‘sqlite3-ruby’ gem. I do all of my Ruby development using version 1.9.2 installed via RVM, so I recommend a similar environment, because in my experience installing gems can be tricky when not using RVM.

$ gem install sqlite3-ruby

The help menu shows that you can write to a database instead of a CSV file by using the -D option and specifying the name of the .db file you want to write to.


Email Address Harvesting

Introduction
Harvesting email addresses is a common part of any external penetration test. Several tools that greatly decrease the amount of time spent combing through search engine results can be found with a simple Google search.

I have recently released a new tool into the BackTrack Linux penetration testing distribution that has proven useful on many of my external gigs.

Introducing Jigsaw. Jigsaw is a simple Ruby script that searches www.jigsaw.com for employee records and crafts email addresses from the first and last names pulled down from the site.
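The "crafts email addresses" step, as an added example written for this page rather than Jigsaw's own code: given scraped first/last names, a target domain and a local-part pattern, generate candidate addresses, and, when one address for the organisation is already known, work out which pattern it uses before generating the rest. The records, domain and known address are constructed placeholders, and the pattern names are this example's own.

```ruby
# Constructed sample of the records a Jigsaw-style scrape yields. Not real people.
SAMPLE_RECORDS = [
  { first: 'John',     last: 'Doe' },
  { first: 'Mary Ann', last: "O'Brien" },
  { first: 'José',     last: 'de la Cruz' },
].freeze

# Local-part formats seen most often; the key is the name a tester would pass
# on the command line.
PATTERNS = {
  'first.last' => ->(f, l) { "#{f}.#{l}" },
  'first_last' => ->(f, l) { "#{f}_#{l}" },
  'flast'      => ->(f, l) { "#{f[0]}#{l}" },
  'firstl'     => ->(f, l) { "#{f}#{l[0]}" },
  'lastf'      => ->(f, l) { "#{l}#{f[0]}" },
  'first'      => ->(f, _l) { f },
}.freeze

# Fold a name to the ASCII letters mail systems usually keep: strip accents,
# apostrophes, spaces and hyphens, then lowercase. Names with several parts
# ("Mary Ann", "de la Cruz") collapse into one token, which is how most
# directories render them.
def normalise(name)
  name.unicode_normalize(:nfkd)
      .encode('ASCII', invalid: :replace, undef: :replace, replace: '')
      .downcase
      .gsub(/[^a-z]/, '')
end

def craft_emails(records, domain, pattern)
  fmt = PATTERNS.fetch(pattern)
  records.map { |r| "#{fmt.call(normalise(r[:first]), normalise(r[:last]))}@#{domain}" }.uniq
end

# Given one address you already know (a press release, a PGP key, a bounce
# message), find which pattern reproduces it; nil if none of them do.
def detect_pattern(known_email, first, last)
  local = known_email.split('@', 2).first.downcase
  match = PATTERNS.find { |_, fmt| fmt.call(normalise(first), normalise(last)) == local }
  match && match.first
end

if __FILE__ == $PROGRAM_NAME
  pattern = detect_pattern('jdoe@example.com', 'John', 'Doe') || 'first.last'
  puts craft_emails(SAMPLE_RECORDS, 'example.com', pattern)
end
```

Generating every pattern for every name is the fallback when no address is known; it multiplies the list by six and, if the list is then fed to a phishing campaign or a password spray, multiplies the noise with it, so confirming the pattern first is worth the extra OSINT.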


Copyright 2024
