Backtrack 5 is finally available for download. It is available in two version Backtrack 5 & Backtrack 5 R1.
It now supports three architectures, ARM, 32 bit & 64 bit. To download click here.
WarVOX - Wardialing Tool Suite (Explore, Classify & Audit Telephone Systems)
WarVOX is a suite of tools for exploring, classifying, and auditing telephone systems. Unlike normal wardialing tools, WarVOX works with the actual audio from each call and does not use a modem directly. This model allows WarVOX to find and classify a wide range of interesting lines, including modems, faxes, voice mail boxes, PBXs, loops, dial tones, IVRs, and forwarders.
WarVOX provides the unique ability to classify all telephone lines in a given range, not just those connected to modems, allowing for a comprehensive audit of a telephone system.
WarVOX requires no telephony hardware and is massively scalable by leveraging Internet-based VoIP providers. A single instance of WarVOX on a residential broadband connection, with a typical VoIP account, can scan over 1,000 numbers per hour. The speed of WarVOX is limited only by downstream bandwidth and the limitations of the VoIP service. Using two providers with over 40 concurrent lines we have been able to scan entire 10,000 number prefixes within 3 hours.
The resulting call audio can be used to extract a list of modems that can be fed into a standard modem-based wardialing application for fingerprinting and banner collection. One of the great things about the WarVOX model is that once the data has been gathered, it is archived and available for re-analysis as new signatures, plugins, and tools are developed.
Download here
The latest development version of WarVOX can be accessed from Subversion with the following command:
$ svn co http://metasploit.com/svn/warvox/trunk/
For more info
VideoJak - IP Video Security Assessment Tool
VideoJak is an IP Video security assessment tool that can simulate a proof of concept DoS against a targeted, user-selected video session and IP video phone. VideoJak is the first of its kind security tool that analyzes video codec standards such as H.264.
VideoJak works by first capturing the RTP port used in a video conversation and analyzing the RTP packets, collecting the RTP sequence numbers and timestamp values used between the phones. Then VideoJak creates a custom video payload by changing the sequence numbers and timestamp values used in the original RTP packets between the two phones. After the user selects a targeted phone to attack in an ongoing video session, VideoJak delivers the payload over the learned RTP port against the target. This attack results in severely degraded video and audio quality.
Features
* VLAN Discovery (CDP) and VLAN Hop
* Call pattern tracking for SIP and SCCP signaling protocols
* Audio codec (G.711u, G.722) and Video codec (H.263, H.264) support
* Creates custom payload from H.263/H.264 packet capture
* MitM functions and host management
* Allows user to select ongoing video call from a menu
* Allows user to select a targeted IP Phone for DoS within the video session
* Enables the user to send the attack during an active, ongoing video call
Download here
For more info
Backtrack 4 Beta Released
The long awaited next beta release of Backtrack is out. Intially it was only released at the Shmoo Convention and got a great response. The iso and Vmware images are available for download.
* Iso Image with md5 and sha512sum
* Vmware Image with md5 and sha512sum
New Features
* Kernel 2.6.28.1 with better hardware support.
* Native support for Pico e12 and e16 cards is now fully functional, making BackTrack the first pentesting distro to fully utilize these awesome tiny machines.
* Support for PXE Boot - Boot BackTrack over the network with PXE supported cards!
* SAINT EXPLOIT - kindly provided by SAINT corporation for our users with a limited number of free IPs.
* MALTEGO - The guys over at Paterva did outstanding work with Maltego 2.0.2 - which is featured in BackTrack as a community edition.
* The latest mac80211 wireless injection patches are applied, with several custom patches for rtl8187 injection speed enhancements. Wireless injection support has never been so broad and functional.
* Unicornscan - Fully functional with postgress logging support and a web front end.
* RFID support
* Pyrit CUDA support…
* New and updated tools - the list is endless!
For more info checkout its official blog http://backtrack4.blogspot.com
MultiInjector v0.3 released
MultiInjector which claims to the first configurable automatic website defacement tool.
Features
* Receives a list of URLs as input
* Recognizes the parameterized URLs from the list
* Fuzzes all URL parameters to concatenate the desired payload once an injection is successful
* Automatic defacement - you decide on the defacement content, be it a hidden script, or just pure old “cyber graffiti” fun
* OS command execution - remote enabling of XP_CMDSHELL on SQL server, subsequently running any arbitrary operating system command lines entered by the user
* Configurable parallel connections exponentially speed up the attack process - one payload, multiple targets, simultaneous attacks
* Optional use of an HTTP proxy to mask the origin of the attacks
CHANGELOG
- Added 4 more menu options. Now supports the following list of actions:
1) Automatic defacement:
Try to concatenate a string to all user-defined text fields in DB
2) Run OS shell command on DB server:
Run any OS command as if you're running a command console on the DB machine
3) Run SQL query on DB server:
Execute SQL commands of your choice
4) Enable OS shell procedure on DB:
Revive the good old XP_CMDSHELL where it was turned off
(default mode in MSSQL-2005)
5) Add administrative user to DB server with password: T0pSeKret
Automagically join the Administrators family on DB machine
6) Enable remote desktop on DB server:
Turn remote terminal services back on...
- Fixed nvarchar cast to varchar. Verified against MS-SQL 2000
- Added numeric / string parameter type detection
- Improved defacement content handling by escaping quotation marks
- Improved support for Linux systems
- Fixed the "invalid number of concurrent connections" failure due to non-parameterized URLs
README
MultiInjector Feature List:
1. Receives a list of URLs as input
2. Recognizes the parameterized URLs from the list
3. Fuzzes all URL parameters to concatenate the desired payload once an injection is successful
4. Automatic defacement - you decide on the defacement content, be it a hidden script, or just pure old "cyber graffiti" fun
5. OS command execution - remote enabling of XP_CMDSHELL on SQL server, subsequently running any arbitrary operating system command lines entered by the user
6. Configurable parallel connections exponentially speed up the attack process - one payload, multiple targets, simultaneous attacks
7. Optional use of an HTTP proxy to mask the origin of the attacks
Requirements:
--------------
* Python >= 2.4
* Pycurl (compatible with the above version of Python)
* Psyco (compatible with the above version of Python)
Windows Support
-----------------
The binary has been compiled using the wonderful Pyinstaller.
You may custom compile it yourself by downloading Pyinstaller and following the
straightforward instructions attached, describing how to compile on Windows.
Linux Support
---------------
Simply remove or comment out the "import psyco" line
You may also use Pyinstaller as described in the Windows section above to compile native
UNIX binaries.
To download click here
A demonstration of attacks using MultiInjector will be presented at the
12th Annual Security Users' Festival in Korea.
Presentation
Data Recovery software - Test Disk
TestDisk is OpenSource software and is licensed under the terms of the GNU Public License (GPL).
TestDisk is a powerful free data recovery software! It was primarily designed to help recover lost partitions and/or make non-booting disks bootable again when these symptoms are caused by faulty software, certain types of viruses or human error (such as accidentally deleting a Partition Table).
TestDisk can
* Fix partition table, recover deleted partition
* Recover FAT32 boot sector from its backup
* Rebuild FAT12/FAT16/FAT32 boot sector
* Fix FAT tables
* Rebuild NTFS boot sector
* Recover NTFS boot sector from its backup
* Fix MFT using MFT mirror
* Locate ext2/ext3 Backup SuperBlock
* Undelete files from FAT, NTFS and ext2 filesystem
* Copy files from deleted FAT, NTFS and ext2/ext3 partitions.
TestDisk has features for both novices and experts. For those who know little or nothing about data recovery techniques, TestDisk can be used to collect detailed information about a non-booting drive which can then be sent to a tech for further analysis. Those more familiar with such procedures should find TestDisk a handy tool in performing onsite recovery.
Operating systems supported
* DOS (either real or in a Windows 9x DOS-box),
* Windows (NT4, 2000, XP, 2003, Vista),
* Linux,
* FreeBSD, NetBSD, OpenBSD,
* SunOS and
* MacOS
Filesystems
TestDisk can find lost partitions for all of these file systems:
* BeFS ( BeOS )
* BSD disklabel ( FreeBSD/OpenBSD/NetBSD )
* CramFS, Compressed File System
* DOS/Windows FAT12, FAT16 and FAT32
* HFS, HFS+ and HFSX, Hierarchical File System
* JFS, IBM's Journaled File System
* Linux ext2 and ext3
* Linux LUKS encrypted partition
* Linux RAID md 0.9/1.0/1.1/1.2
o RAID 1: mirroring
o RAID 4: striped array with parity device
o RAID 5: striped array with distributed parity information
o RAID 6: striped array with distributed dual redundancy information
* Linux Swap (versions 1 and 2)
* LVM and LVM2, Linux Logical Volume Manager
* Mac partition map
* Novell Storage Services NSS
* NTFS ( Windows NT/2000/XP/2003/Vista/2008 )
* ReiserFS 3.5, 3.6 and 4
* Sun Solaris i386 disklabel
* Unix File System UFS and UFS2 (Sun/BSD/...)
* XFS, SGI's Journaled File System
To download click here
Advanced application-level OS fingerprinting
Today i want to share an article which i stumbled online. The following whole is thing is by Dan Crowley.
Advanced application-level OS fingerprinting: Practical approaches and examples
Dan Crowley
The current state of OS fingerprinting involves, for the most part, layer 3 & 4 requests and responses. This includes tools like nmap, nessus, p0f, and sinFP. These tools make specific queries and examine the response for things like TCP/IP stack settings, TCP option support, the number of syn+ack packets sent before a timeout, the time interval between syn+ack packets, and the presence of a rst packet sent at timeout. Many of these things are manipulated or deformed by intermediary devices, and much of it can be fairly easily spoofed using freely available tools like IP Personality and Security Cloak.
Application-level OS fingerprinting, on the other hand, relies on data gleaned from an application running on the target host. The current methods include the identification of OS-specific applications, such as Remote Desktop, and "banner grabbing", which involves connecting to a cross-platform application and recording what operating system it claims to be running, usually in the welcome banner (thus the name). Banner grabbing is trivial to fool, usually requiring nothing more complicated than a change in a configuration file. It's not unheard of, for instance, for Apache servers to report that they are running on a Commodore 64.
Considering this, I present an alternate approach to application-level OS fingerprinting. The general idea is that there are certain requests that can be made to cross-platform applications which result in OS-dependant responses. This can be in the form of the data returned by the application, the lack of response, or timing differences in the response, although this is almost certainly not a comprehensive list. One example of existing usage of this technique is in [5]. Based on known differences in responses and known OSes associated with specific responses, one can determine the OS of a host running a service for which such signatures exist.
There are, of course, many differences in operating systems, but only some of them are actually feasible to measure remotely (in general scenarios). Here's a non-comprehensive list:
Newline characters
==================
0x0d -> Classic Mac OS
0x0d0a -> win32, DOS, OS/2, SymbianOS
0x0a -> *nix
0x15 -> EBCDIC-based
Bit bucket
==========
/dev/null -> *nix
NUL -> Win32, DOS, OS/2
NIL -> Amiga
SYS$NULL: -> OpenVMS
*DUMMY -> Univac
Directory separator [1]
===================
backslash -> win32, OS/2, symbianOS
slash -> *nix, amiga, domain, menuet
dot -> openVMS, riscOS
colon -> Classic Mac OS
Root directory [1]
==============
/ -> *nix, menuetOS
\ -> SymbianOS
// -> Domain/OS
[drive letter]:\ -> win32, OS/2, DOS
[drive letter]:/ -> win32
[device name]: or [NODE"accountname password"]::[device name]: -> OpenVMS
[drive name]: -> Classic Mac OS, AmigaOS
[volume or assign name]: -> AmigaOS
[fs type]::[drive number or disc name].$ -> RiscOS
EOF marker
==========
0x1a -> Windows;
(int) -1 -> Pretty much everything else
Filesystem differences
======================
Maximum path length
Maximum filename length
Illegal characters
Case sensitivity
Reserved filenames, special files
***ILLEGAL NTFS CHARS***
" / \ * ? < > | :
***ILLEGAL FAT CHARS***
" + , . / : ; < = > [ \ ] | .
***ILLEGAL HPFS CHARS***
" / : < > \ |
any char below 0x20
Data alignment, word size, the existance of OS-specific binaries, and processor feature support are more criteria that can be used, but are less commonly determinable remotely.
Additionally, there are differences that are specific to an application that can be used. This varies widely from application to application, but often, these differences take one of a couple of forms. They can be vulnerabilities, or code written to patch those vulnerabilities that exist only on certain platforms (Fyodor has already discussed exploit chronology in [2] but does not discuss testing the existance of mitigation code). Certain features of programs will not be supported on some OSes, and will on others. The presence of these features eliminates unsupported OSes as a possibility. Finally, certain applications will have features which give out system details very freely. As a part of a default Apache installation, a test perl cgi script, printenv.pl, is placed in the cgi-bin directory. This script, when run, prints all environment variables. This is more or less advanced banner grabbing, but it makes a nice example of leaky features that can be found in certain applications.
But enough talk. Let's get to some real examples!
Example 1 - Apache 2.2.9
========================
http://unix.example.com/\\\.
-URL must not be URL-encoded: PuTTY or an intercepting http-proxy can be used to ensure this
-Will return a 404 Not Found error
-Unix platform
http://win32.example.com/\\\.
-Again, no URL-encoding
-Will return 200 OK and load front page
-Win32 platform
(This is an example of mitigation code that exists only on Win32 installations of Apache. Apache, when compiled for Windows, will convert backslashes to slashes. On *nix, it will not. This would work even if there wasn't specific mitigation code for Win32, but the fact that Apache on *nix doesn't change the backslashes to slashes means that backslashes will be interpreted as a part of a filename, and will just be extraneous slashes to Win32, resulting in \\\. being interpreted as a filename on *nix, and as a reference to the root dir of the website on a win32 machine.)
Example 2 - Apache 2.2.9
========================
http://unix.example.com/nul
-Returns 404 Not Found
-Not a windows based system
http://win32.example.com/nul
-Returns 403 Forbidden
-Win32
(This works because Apache won’t have read access to the bit bucket… nothing should!
On DOS-style systems, special files like nul and con “exist” and can be accessed from all directories. This should also work on other cross-platform web servers, ftp daemons, etc but I haven’t tested it)
Example 3 - Apache 2.2.9
========================
http://unix.example.com/%1a
-404 Not Found
http://win32.example.com/%1a
-403 Forbidden
(Apache on Win32 doesn’t appreciate EOF markers being stuck into URIs
Funny enough, it doesn’t like anything but GL codes(0x20-0x7f). I don’t know where in the code this happens. I think it’s likely a limitation of the system-level functions failing with characters outside a given range. Other operating systems aren’t as picky.)
Example 4
=========
http://winme.example.com/images/thumbs.db
-Has drive and pathnames in file
http://winxp.example.com/images/thumbs.db
-No drive or pathnames in file
http://xpmedia.example.com/images/ehthumbs.db
-Unique to XP Media Center
Thumbs.db
-Auto-generated image thumbnail database
-Exists in every dir with images (or certain other files) viewed in Windows Explorer with thumbnails on (even if images are later deleted)
-Generated on 98, ME, 2K, XP, 2003 (Maybe more, documentation is very sparse)
-Differs in contents between 98/ME/2K and XP/2003
-Win2k will use alternate data streams for thumbnail storage on NTFS volumes and thumbs.db on FAT partitions
-Windows XP Media Center Edition will also create ehthumbs.db for videos
(table expanded from [3])
System | Win98 | WinME | Win2k | WinXP | Win2k3
--------+---------------+---------------+---------------+---------------+---------------
Drive | Yes | Yes | Yes | No | No
Filename| Yes | Yes | Yes | Yes | Yes
Path | Yes | Yes | Yes | No | No
Last Mod| Yes | Yes | Yes | Yes | Yes
(One note about this: I was confronted with a problem with this method by Mike Eddington of Leviathan Security, who pointed out the possibility that a thumbs.db file could be uploaded to a webserver along with the corresponding images. After some thought, I realized that you could check the last modified date of the thumbs.db file as sent by the web server and the last modified date as recorded in the file. If they match, it was updated by the server itself!)
Example 5 - IIS [4]
===============
This one's pretty simple. IIS versions correspond to specific versions of Windows. Enumerate the IIS version, and you get the OS version.
IIS version | OS version
----------------+------------------
1.0 | NT 3.51 SP3
2.0 | NT 4.0
3.0 | NT 4.0 SP3
4.0 | NT 4.0 SP3
5.0 | Win2k
5.1 | XP Pro
6.0 | Server 2003
7.0 | Vista, Server 2008
(I haven't figured out ways to determine between IIS versions, although exploit chronology and feature support would likely be good candidates, and the version of IIS being reported should give a good indication. I suspect, however, that it should be easy for an admin to spoof.)
Example 6 - default FTP daemons
===============================
Run the raw ftp commands “rnfr .” and then “rnto .” against a default FTP daemon on a writable directory. It will generally spit back "350 File exists, ready for destination name" followed by a message about what happened with the operation…
OpenBSD 4.0
550 rename: Is a directory.
FreeBSD 7.0
250 RNTO command successful
OpenSolaris 2008.05
550 rename: Invalid argument.
Ubuntu 8.04 server
550 rename: Device or resource busy.
More quick examples
===================
Win32 Apache doesn’t like colons in urls, other OSes don't care so much
Win32 Apache will accept, for example, /BLAHBL~1.HTM as a valid replacement for blahblahblah.html where it will not on other OSes
(This one kinda sounds like security hell)
Other (less useful) signatures
==============================
The presence of $MFT in the root of a volume suggests an NTFS volume
Accessing a directory as a file will work on BSD systems
-FreeBSD and NetBSD will spit back binary data
-OpenBSD will return nothing but won’t complain
Windows can only use one audio input source at a time
(I came up with these too and wanted to include them for completeness, but they're so case-specific that I didn't want to give them too much time.)
If you'd like to find some signatures yourself, try grepping for #ifdef and #ifndef in the sources of any given application (if you have sources and they're C). "Linux", "BSD", "MacOS", etc are also nice candidates. Additionally, the basis for many of the examples I've given here should apply to many different applications which do similar operations or make similar system calls. Requesting nul from any application that serves or queries for files should quickly identify a Windows system.
In conclusion, application-level OS fingerprinting using multi-platform applications is possible and plausible without using banner-grabbing. OS identity info leakage in applications is not well considered (I based this on the fact that I was able to find 3 leaks with the latest version of Apache in 1 hour of searching). This method is user, and can be combined with other fingerprinting methods, which is where I feel it would be most effective, though with enough signatures, this method could stand entirely on its own.
As for further work that can be done in this field, there are definitely timing differences in application responses that could be used for OS fingerprinting. It should also be possible to find OS-version-specific responses in platform-specific applications, much like the IIS version-to-OS version example. Also, these techniques could be coded into a tool, but I'm not a great coder by any means. I hope to release some python scripts for a few of these examples shortly after the paper is released. And finally, there's more applications out there to use for fingerprinting!
Thank you for reading!
References
[1] http://en.wikipedia.org/wiki/Path_(computing)
[2] http://nmap.org/nmap-fingerprinting-article.txt
[3] http://www.acquisitiondata.com/white_papers/thumbsdbfiles.pdf
[4] http://support.microsoft.com/kb/224609
[5] http://lwn.net/2001/0222/a/sec-lpddetect.php3
To download original paper click here.
Hope all like it.
Subscribe to:
Posts (Atom)
Posts
