PART - I
"I don’t see a whole lot on the forums about owning printers during a pen test, so I figured I’d post some stuff here.
First, printers are often overlooked when it comes to securing a network. Why? Because all they’re supposed to do is print. You plug them in, install a driver, and so long as the end user can print, all is well in the world.
Thanks to this misconception, we can use network printers to gather boat loads of information, as well, as bounce through them when port scanning, cause disruption, and, well, screw with people.
First, printers are PERFECT boxes to use when doing a bounce (aka, IPID, zombie, idle, etc.) scan. Example:
nmap -sS -p9100 10.0.0.* --open
..snip..
Nmap scan report for 10.0.0.23
Host is up (0.00055s latency).
PORT STATE SERVICE
9100/tcp open jetdirect
..snip..
Ok, so we know that .23 is a printer. Yay.. lets see how much activity this thing is seeing at the moment..
hping3 10.0.0.23 -r -p 31337
HPING 10.0.0.23 (eth0 10.0.0.23): NO FLAGS are set, 40 headers + 0 data bytes
len=46 ip=10.0.0.23 ttl=64 id=54757 sport=31337 flags=RA seq=0 win=0 rtt=0.6 ms
len=46 ip=10.0.0.23 ttl=64 id=+1 sport=31337 flags=RA seq=1 win=0 rtt=0.9 ms
len=46 ip=10.0.0.23 ttl=64 id=+1 sport=31337 flags=RA seq=2 win=0 rtt=0.7 ms
len=46 ip=10.0.0.23 ttl=64 id=+1 sport=31337 flags=RA seq=3 win=0 rtt=0.7 ms
len=46 ip=10.0.0.23 ttl=64 id=+1 sport=31337 flags=RA seq=4 win=0 rtt=0.8 ms
Sweet.. each IP ID is incremented by 1, this indicates that there’s no other traffic on this printer at the moment. We can use this to bounce through when doing a scan against the PDC...."
Read More
PART - II
"Ok, I’ll admit, the last post didn’t have a whole lot to do with printers, but it probably got you interested enough to read part 2.
First, lets find our network printers..
./jetpwn.pl eth0
Using range 10.0.0.1-255
Password for JetDirect running on 10.0.0.22
Hex password: 49 4e 54 45 52 57 45 42 5a
ASCII password: INTERWEBZ
Password for JetDirect running on 10.0.0.23
Hex password: 50 57 4e 5a
ASCII password: PWNZ
Not only did that find the network printers, it also grabbed and converted the password for us. "
Read More
Tuesday, June 15, 2010
Wednesday, June 9, 2010
Researchers use new exploit to bypass 100 percent of tested AV software
"The Internet just got more dangerous, in terms of malware, if this study is correct. Researchers have discovered a method of bypassing security software, one that they said tested successfully against all 34 of the products tested.
matousec.com said the exploit is usable even if the account does not possess administrative privileges. Among the big names vulnerable according to the report are Symantec (Norton), McAfee, Kaspersky, NOD32, and ZoneAlarm.
All that's required, the researchers said, is for the security software use System Service Descriptor Table (SSDT) hooks to modify parts of the OS kernel. The researchers have named the exploit KHOBE."
READ MORE...
matousec.com said the exploit is usable even if the account does not possess administrative privileges. Among the big names vulnerable according to the report are Symantec (Norton), McAfee, Kaspersky, NOD32, and ZoneAlarm.
All that's required, the researchers said, is for the security software use System Service Descriptor Table (SSDT) hooks to modify parts of the OS kernel. The researchers have named the exploit KHOBE."
READ MORE...
Man infects himself with computer virus
"University of Reading researcher Mark Gasson has become the first human known to be infected by a computer virus.
The virus, infecting a chip implanted in Gasson's hand, passed into a laboratory computer. From there, the infection could have spread into other computer chips found in building access cards.
All this was intentional, in an experiment to see how simple radio-frequency identification (RFID) chips like those used for tracking animals can host and spread technological diseases.
Story continues below ↓advertisement | your ad here
The research from the British university shows that as implantable bionic devices such as pacemakers get more sophisticated in the years ahead, their security and the safety of the patients whose lives depend on them will become increasingly important, said Gasson."
Read More
The virus, infecting a chip implanted in Gasson's hand, passed into a laboratory computer. From there, the infection could have spread into other computer chips found in building access cards.
All this was intentional, in an experiment to see how simple radio-frequency identification (RFID) chips like those used for tracking animals can host and spread technological diseases.
Story continues below ↓advertisement | your ad here
The research from the British university shows that as implantable bionic devices such as pacemakers get more sophisticated in the years ahead, their security and the safety of the patients whose lives depend on them will become increasingly important, said Gasson."
Read More
Friday, March 5, 2010
Robbed in London : New email scam
Recently I came across a new email scam strategy. It's like you will get a mail from your friend's email address that your friend went to some place (London preferably) for vacation and got mugged in the hotel. She lost everything except the passport. Now she needs money to pay the hotel bills and come back to her place. So she requests you to loan her some money (mostly around $1000) which she promises to pay back once she will be back. Also the money has to be transferred through Western Union Money Trasnfer. Following is the exact content:
"From:YOUR FRIEND
Sent: Wednesday, March 03, 2010 11:15 PM
Subject: Sad News!!!
I'm writing this with tears in my eyes,my fam and I came down here to London,England for a short vacation unfortunately we were mugged at the park of the hotel where we stayed,all cash,credit card and cell were stolen off
us but luckily for us we still have our passports with us.
We've been to the embassy and the Police here but they're not helping issues at all and our flight leaves in less than 3hrs from now but we're having problems settling the hotel bills and the hotel manager won't let us leave until we settle the bills.
Am freaked out at the moment.."
Seems like they first hack the email account, change the password so that the victim won't be able to access her account. Then send mails to the people in the contact list. Though it's new to me but seems similar stuff already happened through Facebook. Details of the earlier incidents were reported here. Also here is a funny discussion of the hacker and a person to whom the hacker was seeking help after compromising a facebook account.
But this time in case of my friend it was not facebook but msn. So seems like they are now spreading their access over the accounts. Now once your are victimized what should you do???
Well, following are few things you could do to prevent your friends from falling prey of the trap:
1. Firstly make sure you have a strong password for your account containing upper case and lowercase letters, digits and at least one special symbol like #, $, & etc.
2. Better to change your password every 3 months or so.
These reduces the probabilities of being hacked. But still there is a chance and if that happens and your friends start getting scam mails from your account, do the following:
1. Try to login to the compromised account. If you are lucky enough to get into the account change the password immediately. You can also try "Forgot Password" option if that is working.
2. If you could login to the account, mail all your contact stating that your this account was hacked and do not reply to any mail from this account.
3. Also if you have any other accounts (facebook, orkut, linkedin etc), please update your status with the same information so that others will be informed about the same.
4. If you have any other email account, log in to that and inform everybody in you contact. (Luckily you might have the same set of contacts that the compromised account has.)
5. If you are using the same password in your other accounts change it immediately.
6. Also you can try reporting the incident to your email service provide and request them to block or reset the account and give it back to you. This process varies for different email service providers. For gmail try this, for hotmail/msn try this, for yahoo this could be helpful.
7. If you want to go further, you can contact the corresponding law and enforcement agency who deals with cyber crime for further investigation.
8. Incase of investigation, email headers of the scam mails could be useful as that could gives the ip addresses of the hacker which could lead to her location. So better ask your friends who got the mails to keep the mails/capture the email header and store for further investigation.
9. Also using ReadNotify you can trace the hacker and give that information to the law and enforcement agency.
10. Last but not the least, it could be possible that the hacker was using some sort of trojan or keylogger in your computer to get the account information. So scan your computer by antivirus/antitrojan software to ensure that your machine is clean.
Also keep yourself always updated with the knowledge of various scams and let others know.
Monday, March 1, 2010
Nmap using TOR
Got a good video about how to do a scanning using nmap and TOR. It increases the anonymity factor.
Send gmail from command prompt
Recently I was just playing with telnet, ssl etc. Reason being, learning how to check http web server on port 80 using telnet. It is a faster approach than opening a browser and type url and wait from the page to load, blah blah.... Specially when your intention is just to verify and not bothered about the content much and you are doing it frequently and multiple times.
telnet www.your_website.com 80
(Enter)
GET /index.php HTTP/1.1
host: www.your_website.com
(Enter)
(Enter)
(Enter)
GET /index.php HTTP/1.1
host: www.your_website.com
(Enter)
(Enter)
And you should be able to see the content there in the command prompt. Then this thing came to my mind, can I also send mail or receive mail from the command prompt. Well yah, very much.... So here is how did I send mail from my gmail account:
Steps:
1. You need to get into the SMTP server via telnet if it is not encrypted, or via SSL/TLS (encrypted), gmail uses encrypted communication.
2. You need to authenticate yourself using your gmail username and password.
3. Specify the sender's and receiver's address.
4. Type in the subject and content.
5. Send it.
Generally for an unencrypted custom SMTP server, it is quite simpler and explained here.
But this uses SSL/TLS. So here is it:
1. Login to gmail smtp server
openssl s_client -crlf -connect smtp.gmail.com:465
It will reply a lot of test and at the end of it you should seee
220 mx.google.com ESMTP 14sm2559253gxk.11
220 code means OK.
2. Authenticate yourself:
You need to encrypt your username and password first:
perl -MMIME::Base64 -e 'print encode_base64("\000My_EMAIL\@DOMAIN.com\000MY_PASSWORD")'
Once you give your username and password there properly, you should get an encrypted test in response. Copy that. Go back to your SMTP server prompt and type the following:
AUTH PLAIN your_encrypted_password_from_previous_step
235 2.7.0 Accepted
3. Specify the sender's and receiver's address.
mail from:
250 2.1.0 OK 14sm2559253gxk.11
rcpt to:
250 2.1.5 OK 14sm2559253gxk.11
4. Type in the subject and content: It starts with the "data" keyword.
data
354 Go ahead 14sm2559253gxk.11
subject: test
(enter)
(enter)
hello, This is my content
5. Send it: Once you are done writing the content, type "." (dot) and it enter twice to send it accross.
.
(enter)
(enter)
250 2.0.0 OK 1267453152 14sm2559253gxk.11
The last "." in the command signifies the end of the mail and sends it across. And!!! Trinnnn, youv'e got a mail....
Sunday, February 14, 2010
Nullcon Capture The Flag 2010 hacking competition : How did I crack it
Recently I had been to Nullcon, Goa, 2010 - Internation Hacking and Security Conference.Well a lot to say. It was a great experience. My first hacking experience, unforgettable. Here is the details:
Goal : There was a server, we had to shut it down.
Hint: "Its there in the air"
Step 1: I found the wireless network they have configured for the challenge. Definitely the server is inside that network. It was WEP encrypted network. I used aircrack-ng in Backtrack 4. Steps are explained here. Better explanation could be helpful. Still confused!!! then watch this:
Step 2: Once I got the key and connected the network, I started looking for the server. Now here they had configured two network one with 192 series ip that I was connected to and another one with 172 series ip where the server is. Also they have configured the firewall in the router so that no packets could reach to 172 network. So first firwall had to be disabled. But root priviledge was required to do so. So task is, gain root access to the router 192.68.1.1.
fingerprinting using nmap (nmap -O ip) gave the firmware details of the router: it was dd-wrt firmware. Searched for the existing vulnerabilities or exploits for that and foung cgi-bin vulnerability. It could be exploited by command-line approach or using metasploit. I found metasploit easier and faster as well. Once done successfully, I got the root shell in the router.
Step 3: Now disable the firewall.
They had set up iptable rules to drop the packet. So here are the commands:
iptables -L -nv
It showed the configured rule to drop all the packets mentioned earlier.
Now,
iptables -P FORWARD ACCEPT
iptables -F FORWARD
It allowed the connections through. If you want to allow only traffic from your machine then,
iptables -I FORWARD -p all -d
Once this is done. I was able to reach the server which was 172.16.1.2 (I guess).
Step 4: Now I could ping the server. Now I had to get into the server. So did a port scanning on that machine
nmap -sS -PT 172.16.1.2 (requires root privilege)
Found port 445 was open. It was SMB over TCP. Already an exploit was available in metasploit. So just ran that and BINGO... I got the command promt of the server.
Step 5: Shoutdown the server. Since I was already inside the server. Only thing required was to run the following:
SHUTDOWN -s -t 01
And I was done...
Subscribe to:
Posts (Atom)
