Author Archives: Anant Shrivastava

About Anant Shrivastava

Anant Shrivastava is an Independent Security Consultant and Trainer. He holds various certifications like SANS GWAPT, CEH and RHCE. He has been a Speaker / Trainer at various conferences like Nullcon, C0c0n, Clubhack, G0s and Rootconf. He specializes in Web Application Security and Mobile Security. He is also developer / maintainer of androidtamer (Live ISO for Android work), WP-Filemanager (WordPress file manager plugin), SVN-Extractor (pentest tool to extract svn details) and more.

Cloning all github repositories of a user / organization

GitHub has become the new trend and people have started placing lots and lots of code on the site. I have also been following this GitHub trend and have pushed, cloned and forked multiple repositories (72 in total).

So today I wanted to create a backup of all GitHub repositories under my account or under my organization account. I saw a couple of solutions being provided here and here; however most of them are Ruby based.

So I thought, let's see how much time and effort it takes to write a simple Python script to do the same. Here is the Python version of the GitHub user/organization cloning script.

Script here

#!/usr/bin/env python
import argparse
import json
import os
import sys

import requests
from git import Repo  # GitPython


def main(argv):
    desc = """This program is used to clone github repositories of a user / organization"""
    epilog = """Credit (C) Anant Shrivastava http://anantshri.info"""
    parser = argparse.ArgumentParser(description=desc, epilog=epilog)
    parser.add_argument("--name", help="User name", dest='target', required=True)
    parser.add_argument("--output", help="Output Directory", dest='out', required=False)
    args = parser.parse_args(argv)
    target = args.target
    # default to the current directory when no output directory is given
    output = args.out or os.path.curdir
    cnt = 1
    while cnt > 0:
        # the API pages the listing; 100 per page is the maximum it allows
        url = "https://api.github.com/users/" + target + "/repos?page=" + str(cnt) + "&per_page=100"
        r = requests.get(url)
        js_data = json.loads(r.content)
        if len(js_data) == 0:
            print("No more repositories")
            cnt = -10  # force the loop to exit
        else:
            print('count: ' + str(cnt) + ' : ' + str(len(js_data)))
            # on an error the API returns a dict with a "message" key instead of a list
            if "message" in js_data and "API rate limit exceeded" in js_data["message"]:
                print("Rate limit reached")
                cnt = -10
            else:
                for repo in js_data:
                    git_url = repo["clone_url"]
                    out_name = os.path.join(output, repo["name"])
                    print(git_url)
                    Repo.clone_from(git_url, out_name)
        cnt = cnt + 1


if __name__ == "__main__":
    main(sys.argv[1:])

Hope this can help someone.
Github url here

Example Usage
python -t github_clone_user.py --name anantshri --output "/tmp/test"

Also, as goes for anything publicly available, it might contain errors and issues. Don't blame me if it blows up your computer, but if you do find ways to improve it or find better alternatives, do drop a line in the comments below.

P.S. At this point I needed the user cloning on priority, so I did that; organization cloning will be done, but not today.
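As an added example (not the script above, and not from the author), here is the same page-walking logic written so that it covers both the /users/ and the /orgs/ listing endpoints, treats the API's error responses (a dict with a "message" key, which is what a rate limit or an unknown name returns) as errors instead of as a page of repositories, stops one request early on a short page, and skips clone targets that already exist so a re-run does not fail on an existing directory. The fetch and run callables are injectable so the listing logic can be exercised offline; `http_fetch` and the sample responses in the usage are assumptions of this example, not part of the original post.

```python
import json
import os
import subprocess
from urllib.error import HTTPError
from urllib.request import Request, urlopen

API = "https://api.github.com"
PER_PAGE = 100  # maximum page size the GitHub API allows


def repos_url(target, kind="users", page=1, per_page=PER_PAGE):
    """Build the listing URL; kind is 'users' or 'orgs' (the API has separate endpoints)."""
    if kind not in ("users", "orgs"):
        raise ValueError("kind must be 'users' or 'orgs'")
    return "%s/%s/%s/repos?page=%d&per_page=%d" % (API, kind, target, page, per_page)


def http_fetch(url):
    """Fetch one page from the live API (unauthenticated) and return the decoded JSON."""
    req = Request(url, headers={"User-Agent": "github-backup-example"})
    try:
        with urlopen(req) as resp:
            return json.loads(resp.read().decode("utf-8"))
    except HTTPError as err:
        # rate limiting (403) and unknown names (404) carry a JSON body with "message"
        return json.loads(err.read().decode("utf-8"))


def list_repos(target, kind="users", fetch=http_fetch):
    """Walk every page and return [(name, clone_url), ...]."""
    repos = []
    page = 1
    while True:
        data = fetch(repos_url(target, kind, page))
        # errors come back as a dict, not a list, so check the type before iterating
        if isinstance(data, dict):
            raise RuntimeError("GitHub API error: %s" % data.get("message", "unknown"))
        if not data:
            break
        repos.extend((repo["name"], repo["clone_url"]) for repo in data)
        if len(data) < PER_PAGE:
            break  # a short page is the last page; saves one extra request
        page += 1
    return repos


def clone_plan(repos, output):
    """Return the git commands to run, skipping targets that already exist on disk."""
    cmds = []
    for name, clone_url in repos:
        dest = os.path.join(output, name)
        if os.path.isdir(dest):
            continue  # already backed up; cloning into an existing directory fails
        cmds.append(["git", "clone", clone_url, dest])
    return cmds


def backup(target, kind="users", output=".", fetch=http_fetch, run=subprocess.run):
    """Clone everything not yet present; returns how many clones were started."""
    cmds = clone_plan(list_repos(target, kind, fetch), output)
    for cmd in cmds:
        run(cmd, check=True)
    return len(cmds)


if __name__ == "__main__":
    # constructed offline sample: two repositories of a hypothetical "acme" organization
    sample = {repos_url("acme", "orgs", 1): [
        {"name": "a", "clone_url": "https://github.com/acme/a.git"},
        {"name": "b", "clone_url": "https://github.com/acme/b.git"}]}
    print(list_repos("acme", "orgs", fetch=sample.__getitem__))
```

Against the live API the unauthenticated limit is low, so a backup of a large organization will hit the "API rate limit exceeded" path; the function raises rather than silently cloning a partial list, which is the failure the original script only prints about.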

Adventure with .git folder

During my recent pentest I found one interesting entry in the nikto scan logs:

[screenshot: git_nikto]

Now, ".git" being exposed online and the issues around it are already discussed at multiple places, so I will not go into the details. For those interested, check here and here.

However, as with most pentesting work, every scenario is a new scenario, so here is what I encountered.

  1. .git was present, and if you requested a specific file you did get it.
  2. Directory indexing was disabled.
  3. Not all objects were present on the server, and it was a time-bound test.
  4. All automated tools failed to reconstruct the files for me, although they did download the .git folder with some success.

Now these tools claim to retrieve the whole .git folder and then restore the code from it by doing a hard reset of the git repository, bringing back the content from objects / changelogs; however that soon turned into a nightmare for me.

The most successful tool for me was "dvcs-ripper", and it did its job quite well until it ran into an endless list of 404s; this being time restricted, I was forced to stop it after running it for 2 hrs or so.

[screenshot: git_404s]

And most importantly, a git reset on this folder gave me the following.

[screenshot: git_reset_fail]

Now, as the automated tools failed, the next option was to get my hands dirty. The first thought was to understand the .git folder structure, so a quick Google search pointed me to this and this.

This pointed out that I was supposed to look inside .git/objects, so being a Linux command-line aficionado I fired up my terminal, and the first thing that came to mind was to check what on earth the object files are; the result surprised me.

[screenshot: git_file]

That led nowhere, and I was clueless about what VAX COFF is, so back to Google, and the first searches led me to:

[screenshot: git_vax_search]

Link : https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=509942

This cleared the doubts, and the result was that the files are actually zlib compressed without the zlib header.

The zlib decompression options are available with openssl >= 1.0.0 (refer this).

[screenshot: git_openssl_zlib]
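As an added example (not from the original post), here is a small Python parser for a loose git object, which is the kind of file found under .git/objects/XX/: inflate it with zlib, split the "type size\0" header from the payload, check that the payload length matches the header, and recompute the SHA-1 of the inflated bytes, which is the name git stores the object under. A partially ripped repository produces exactly the two failures this checks for, a truncated zlib stream and a name that does not match, so running it over a recovered objects directory tells you which files git reset can and cannot bring back. The sample object is constructed inline; `make_loose_object` builds it the way git does, with zlib level 1, whose two leading bytes 78 01 read as the little-endian short 0x0178, which is the VAX COFF magic that `file` reports.

```python
import hashlib
import zlib

GIT_TYPES = (b"blob", b"tree", b"commit", b"tag")


def parse_loose_object(raw):
    """Inflate one loose object and validate its 'type size\\0' header.

    Returns (type, payload, sha1) or raises ValueError for truncated / corrupt data,
    which is what a partially downloaded .git directory produces.
    """
    try:
        data = zlib.decompress(raw)
    except zlib.error as exc:
        raise ValueError("not a complete zlib stream: %s" % exc)
    header, sep, payload = data.partition(b"\x00")
    if not sep:
        raise ValueError("object header has no NUL terminator")
    obj_type, _, size_field = header.partition(b" ")
    if obj_type not in GIT_TYPES or not size_field.isdigit():
        raise ValueError("unexpected header %r" % header)
    if int(size_field) != len(payload):
        raise ValueError("size mismatch: header says %s, payload is %d bytes"
                         % (size_field.decode(), len(payload)))
    # the object name is the SHA-1 of the *uncompressed* header + payload
    return obj_type.decode(), payload, hashlib.sha1(data).hexdigest()


def verify_object_name(oid_from_path, raw):
    """True when the object inflates cleanly and hashes to the name it is stored under."""
    try:
        _, _, digest = parse_loose_object(raw)
    except ValueError:
        return False
    return digest == oid_from_path


def object_path(oid):
    """Where git keeps a loose object: .git/objects/<first two hex>/<remaining 38 hex>."""
    return ".git/objects/%s/%s" % (oid[:2], oid[2:])


def make_loose_object(obj_type, payload):
    """Constructed sample: build a loose object the way git does (zlib level 1)."""
    data = obj_type.encode() + b" " + str(len(payload)).encode() + b"\x00" + payload
    return zlib.compress(data, 1), hashlib.sha1(data).hexdigest()


if __name__ == "__main__":
    raw, oid = make_loose_object("blob", b"hello\n")
    print(object_path(oid), raw[:2].hex())        # 78 01: the header `file` calls VAX COFF
    print(parse_loose_object(raw))
    print(verify_object_name(oid, raw[:len(raw) // 2]))   # truncated download -> False
```

A wrong name with a clean inflate means the object was served from a different object than the URL suggested (or was modified in transit); a failed inflate means the download stopped early, which is the 404-ridden situation described above.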

Now, considering the files at hand were far more than I could handle sanely (>800), I started looking for more options. That's when I was reminded of git gui, which kind of solved my problem instantaneously.

[screenshot: git_gut]

Now this tool clearly showed me the tree structure and allowed me to retrieve specific files by reverting the changes. (Reverting the change because we only had .git and not the other files, so the repository was considering all files as removed / deleted.)

Although, as not all objects were downloaded, it was not possible to revert the entire tree structure, this tool provided a simpler way to restore specific files if their objects were present.

And hence the journey ends: from mere file paths / directory listing disclosed => downloading the whole source => corrupt .git folder => extracting useful content out of a broken .git repository.

Plain Text Pages/Posts in WordPress

While experimenting with WordPress I was faced with a situation where I was supposed to present some static text content on the website. However, uploading a text file was out of the question and the author wanted to keep everything controlled inside WordPress.

So I created a simple text-only theme template for him, and this, combined with a plugin allowing custom permalinks, gave us the option of having a custom name and still showing the WordPress page as a static text-only page.

Template Page is available online at : https://github.com/anantshri/wordpress_tricks/blob/master/plain_text_page.php

Source code, for viewing pleasure.

<?php
/*
* This template will show all content as text only. In order to retain text-only output while you save text in the WordPress editor, I would suggest adding the text inside a <pre></pre> tag.
* The code below will remove any HTML / PHP tag that it finds in the content and will only display the textual part of the post.
*/
header('Content-type: text/plain');
/**
 * Template Name: content text only
 * Description: Only Post content text only
 * @package WordPress
 */
if (have_posts()) :
	while (have_posts()) : the_post();
		$content = get_the_content();
		$cnt = strip_tags($content); // drop every tag, keep only the text
		echo $cnt;
	endwhile; // end of the loop.
endif;
?>

P.S. I suspect there might be better ways of dealing with this situation, but my limited Google skills didn't produce a result in the first 5 minutes, so instead I spent 2 minutes crafting this. If you know a better way, feel free to suggest it via the comments.

Mission attachment protection

Earlier today @Rsnake posted about a flaw in how WordPress handles attachments.

Here are my observations on the same, listed below.

Note: observations are based on the latest 3.5.2 version of WordPress, with an image uploaded as an attachment. (Anyone running older than this seriously needs to check.)

In short: yes, the vulnerability is real, but with lots of caveats.

If the attachment is not linked to a post, then site/?attachment_id= returns 200 OK and does provide the attachment.
If the attachment is linked to a post/page available online, then the response is a 301.
If the attachment is not available, then a 404 error.

Also, if the post is in draft but the attachment is added to the post, then a 404 is received, or a 301 if the post has a canonical name.

WPScan, the leading vulnerability scanner for WordPress, has this issue open here: https://github.com/wpscanteam/wpscan/issues/172

So what can we do about it?

Here is a quick .htaccess patch that can be applied to your WordPress instance.

Apply the code below in the .htaccess file in the root of your WordPress installation.

Patch listed below

<IfModule mod_rewrite.c>
RewriteEngine On
# any request carrying attachment_id= in the query string is refused with 403
RewriteCond %{QUERY_STRING} attachment_id=([0-9]*)
RewriteRule ^(.*)$ /index.php [F,L]
</IfModule>

Note: this is only tested on my personal website, and it results in a 403 error (while displaying the home page) for all URLs containing attachment_id=.

However, one should also keep in mind that if an attachment has been uploaded online there are other ways to access it, so if you are not ready to expose the attachment to the world it is better not to upload it.

Shameless plug: many similar tricks are shared at https://github.com/anantshri/wp-security; anyone concerned with WordPress security should definitely visit the page. Feel free to contribute too.

More information will be updated as and when spotted.

SVN Extractor for Web Pentesters

Many a time web application pentesters encounter the presence of .svn folders. For those not aware, the .svn folder is used by the SVN version control system to perform its operations. For a black-box pentester this folder contains a huge amount of information:

1) Uncover hidden file and folder names.

2) Access the source code of the files.

3) Download files even if restrictions are in place in htaccess.

How can this be achieved?

1) Uncover hidden file and folder names

There are two ways this can be achieved, depending on the version of SVN in use.

For <1.6 we had the .svn/entries file, which contained the list of files / folders as well as the usernames used for committing those files.

For >1.6 we have .svn/wc.db, which contains similar data but in sqlite3 format.

These files could be directly accessible through the URL.

2) Access the source code / download files even if htaccess blocks access

SVN keeps a backup copy of all files in two separate locations:

1) .svn/text-base/“filename”.svn-base

2) .svn/pristine/“XX”/“CHECKSUM”.svn-base

where

filename is the actual name of the file,

CHECKSUM is the SHA1 sum of the file, and

XX is the first two characters of CHECKSUM.

The first type of entry has one limitation: suppose the file name is testme.php, so the path becomes

.svn/text-base/testme.php.svn-base

A large number of servers will execute the file using the PHP engine and serve the output.

That's where option 2 shines; however this information is available only in the case of wc.db (>1.6 SVN version), and it requires that the .svn/pristine directory be web accessible.

However, after searching a lot I was not able to find a single piece of code which can do both these things in one go.

So here is a tool which can perform both operations in one script.
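As an added example (not the svn-extractor tool itself, and not from the original post), here is the wc.db side of the above, written as a self-audit for a web root: walk the tree, open every .svn/wc.db found inside it, and list what a reader of that file learns, namely each versioned file's path, the last committing username and the location of its pristine copy under .svn/pristine/XX/CHECKSUM.svn-base. The NODES table used here is a constructed stand-in holding only the columns this audit reads (local_relpath, kind, checksum, changed_author); in a real wc.db the checksum column carries the SHA1 as "$sha1$<hex>", which is the format `pristine_path` expects. If this reports anything for a directory that the web server serves, the .svn directories need to be removed from, or blocked in, that web root.

```python
import hashlib
import os
import sqlite3

SHA1_PREFIX = "$sha1$"


def pristine_path(checksum):
    """Map a wc.db checksum ('$sha1$<hex>') to the pristine copy under .svn/."""
    if not checksum.startswith(SHA1_PREFIX):
        raise ValueError("unexpected checksum format: %r" % checksum)
    digest = checksum[len(SHA1_PREFIX):]
    return ".svn/pristine/%s/%s.svn-base" % (digest[:2], digest)


def audit_wc_db(conn):
    """List every file a readable wc.db reveals: path, last committer, pristine location."""
    rows = conn.execute(
        "SELECT local_relpath, changed_author, checksum FROM NODES "
        "WHERE kind = 'file' AND checksum IS NOT NULL ORDER BY local_relpath"
    )
    return [{"path": path, "author": author, "pristine": pristine_path(checksum)}
            for path, author, checksum in rows]


def audit_webroot(webroot):
    """Walk a web root and report each .svn/wc.db sitting inside it with its contents."""
    findings = []
    for dirpath, dirnames, _ in os.walk(webroot):
        if ".svn" in dirnames:
            db = os.path.join(dirpath, ".svn", "wc.db")
            if os.path.isfile(db):
                conn = sqlite3.connect(db)
                try:
                    findings.append((db, audit_wc_db(conn)))
                finally:
                    conn.close()
    return findings


def build_sample_wc_db():
    """Constructed in-memory stand-in for wc.db with only the NODES columns read above."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE NODES (local_relpath TEXT, kind TEXT, checksum TEXT, changed_author TEXT)")
    sample = [
        ("", "dir", None, "alice"),
        ("index.php", "file", SHA1_PREFIX + hashlib.sha1(b"<?php echo 1; ?>").hexdigest(), "alice"),
        ("config/db.php", "file", SHA1_PREFIX + hashlib.sha1(b"<?php $pass = 'x'; ?>").hexdigest(), "bob"),
    ]
    conn.executemany("INSERT INTO NODES VALUES (?, ?, ?, ?)", sample)
    conn.commit()
    return conn


if __name__ == "__main__":
    for entry in audit_wc_db(build_sample_wc_db()):
        print("%-15s committed by %-6s pristine copy at %s" % (entry["path"], entry["author"], entry["pristine"]))
```

The pristine path is derived purely from the file's content hash, which is why it survives any per-filename restriction a server applies to text-base entries such as *.php.svn-base.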

Usage

svn-extractor.py --url "url with .svn available"

Source Link : https://github.com/anantshri/svn-extractor

So far only tested on localhost environments; however, I am hoping to get some response on the same.

References

It would be unfair to say that I did all the research myself, so here are the links to the various resources I used to get the info out.

1) http://pen-testing.sans.org/blog/pen-testing/2012/12/06/all-your-svn-are-belong-to-us (manual technique for wc.db)

2) http://www.adamgotterer.com/post/28125474053/hacking-the-svn-directory-archive (manual technique for .svn/entries)

3) http://www.cirt.net/svnpristine (the only automated tool I could find online, doing half of what this tool does)

IronWasp on Linux

For those looking for how to download and install IronWASP on Linux.

One-line copy-paste code.

wget http://blog.anantshri.info/content/uploads/2013/01/ironwasp_installer.sh.txt -O ~/ironwasp_installer.sh && sh ~/ironwasp_installer.sh

Those looking for some reading can continue from here.

This post will talk about running IronWASP on Linux. So, a little background.

IronWASP (from ironwasp.org):

IronWASP (Iron Web application Advanced Security testing Platform) is an open source system for web application vulnerability testing. It is designed to be customizable to the extent where users can create their own custom security scanners using it. Though an advanced user with Python/Ruby scripting expertise would be able to make full use of the platform, a lot of the tool’s features are simple enough to be used by absolute beginners.

Where does Linux come into the picture?

IronWASP is based on FiddlerCore and uses .NET for its UI. Hence running it on Linux was a bit hard. Mono is out of the question here, as FiddlerCore doesn't play well with Mono. Lava and I did work on checking whether Mono could support it, but the effort didn't work out. Then came the CrossOver Office giveaway sale and a surprise tweet from R3dsm0k3 about being able to run IronWASP successfully through CrossOver Office on Mac.

[screenshot: ironwasp]

From that time I was wondering: why only CrossOver Office? We should be able to do it directly in Wine. Finally today I got some time to sit and see how CrossOver does it and what could be done with Wine, and here is the output.

Disclaimer: this is in no way a fully baked script; it's bits and pieces joined overnight to get things working. I can't promise that a new release will be done, but it would surely help anyone who wants to work on it.

Once you run this script, all you need to do is click next, next, finish for the .NET 2.0 installation, and soon you will find an icon on your Linux desktop named IWASP which will launch IronWASP for you. In the background the script will automatically download and install the various dependencies required and configure the system.

Prerequisites: Wine version >= 1.4 and internet connectivity.

I will try to see if I can make a video for the same setup; till then this textual output should be enough.

Note: during setup, if there is a prompt to restart now or later, please select restart now. Your system won't reboot, just Wine restarts.

Download Link : ironwasp_installer.sh

One Liner

wget http://blog.anantshri.info/content/uploads/2013/01/ironwasp_installer.sh.txt -O ~/ironwasp_installer.sh && sh ~/ironwasp_installer.sh


Feel free to suggest changes or comment.

KNOWN ISSUES

1) The UI designer doesn't work for drag-and-drop UI building on 32-bit Linux (it works on 64-bit Linux). (Working on Mac is confirmed by r3dsm0k3.)

CHANGELOG

22-01-2013:
1) r3dsm0k3 confirmed that the script works on Mac too.
2) Code added / modified to add a reference.
3) Shortcut details updated to correct a few issues when the API tree was not visible on the right side.
4) dos2unix conversion added; web edits had caused the script to go DOS.
5) wineprefix specifically marked as 32-bit.

23-01-2013:

1) Customization to make the script work on 64-bit Linux instances.

NOTE

In case you observe, after running the script, an error from Wine suggesting that you install Mono for Linux / Windows, I would suggest rerunning the script, but this time comment out the wget URL for CNET and uncomment the wget URL for Microsoft downloads. Both URLs are used to download .NET SP2, but sometimes one goes down, and I had a better success ratio with the CNET link. However, YMMV. Feel free to add a comment here in case of any issue, but make sure to include the entire output of the above listed command. This helps in quickly solving the issue.

In case you don't want to add a lot of junk in a comment, I would suggest emailing me the details at [email protected]

script kiddie blocker

This post is in continuation of the thread here: http://www.garage4hackers.com/f11/script-kiddie-blocker-2581.html

Based on the details that I have gathered so far...

Here is an htaccess code which you can use.

#Script kiddie blocker start
#License: GPLv2 or later
#License URI: http://www.gnu.org/licenses/gpl-2.0.html
<IfModule mod_rewrite.c>
RewriteEngine On
# any of these user agents (or the Acunetix header) triggers the redirect below
RewriteCond %{HTTP_USER_AGENT} ^w3af.sourceforge.net [NC,OR]
RewriteCond %{HTTP_USER_AGENT} dirbuster [NC,OR]
RewriteCond %{HTTP_USER_AGENT} nikto [NC,OR]
RewriteCond %{HTTP_USER_AGENT} SF [OR]
RewriteCond %{HTTP_USER_AGENT} sqlmap [NC,OR]
RewriteCond %{HTTP_USER_AGENT} fimap [NC,OR]
RewriteCond %{HTTP_USER_AGENT} nessus [NC,OR]
RewriteCond %{HTTP_USER_AGENT} whatweb [NC,OR]
RewriteCond %{HTTP_USER_AGENT} Openvas [NC,OR]
RewriteCond %{HTTP_USER_AGENT} jbrofuzz [NC,OR]
RewriteCond %{HTTP_USER_AGENT} libwhisker [NC,OR]
RewriteCond %{HTTP_USER_AGENT} webshag [NC,OR]
RewriteCond %{HTTP:Acunetix-Product} ^WVS
RewriteRule ^.* http://127.0.0.1 [R=301,L]
</IfModule>
#Script kiddie blocker End

This is a basic setup where we are redirecting these skiddies to their own systems, so that would be fun to look at :P

I will keep adding more and more entries as time progresses.
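The same user-agent rules, as an added example (not from the original post), applied after the fact to an Apache combined-format access log instead of at request time: this is the check to run before deploying the rules, to see what they would have matched on real traffic and whether any legitimate clients get caught. The sample log lines are constructed; the rule table mirrors the conditions above, including the one rule (SF) that has no [NC] flag and therefore matches case-sensitively, and an unanchored substring rule like that one matches any user agent containing those two uppercase letters.

```python
import re

# (name, pattern, case-insensitive) copied from the RewriteCond lines; NC == re.IGNORECASE
SCANNER_UA_PATTERNS = [
    ("w3af", r"^w3af\.sourceforge\.net", True),
    ("dirbuster", r"dirbuster", True),
    ("nikto", r"nikto", True),
    ("SF", r"SF", False),            # the one rule without [NC]: case-sensitive, unanchored
    ("sqlmap", r"sqlmap", True),
    ("fimap", r"fimap", True),
    ("nessus", r"nessus", True),
    ("whatweb", r"whatweb", True),
    ("openvas", r"Openvas", True),
    ("jbrofuzz", r"jbrofuzz", True),
    ("libwhisker", r"libwhisker", True),
    ("webshag", r"webshag", True),
]
_COMPILED = [(name, re.compile(pat, re.IGNORECASE if nc else 0))
             for name, pat, nc in SCANNER_UA_PATTERNS]

# Apache "combined" log format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def scanner_match(user_agent):
    """Return the name of the first rule that matches the user agent, or None."""
    for name, rx in _COMPILED:
        if rx.search(user_agent):
            return name
    return None


def parse_combined(line):
    """Split one combined-format line into fields; None if the line does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def flag_scanners(log_text):
    """Run the rules over a log and return each hit as (client ip, rule name, user agent)."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_combined(line)
        if entry is None:
            continue  # malformed line; a real deployment would count these as well
        rule = scanner_match(entry["ua"])
        if rule:
            hits.append((entry["ip"], rule, entry["ua"]))
    return hits


# constructed sample: two scanner hits and one ordinary browser
SAMPLE_LOG = """\
203.0.113.5 - - [22/Jan/2013:10:15:01 +0530] "GET /admin/ HTTP/1.1" 404 209 "-" "Mozilla/5.00 (Nikto/2.1.5) (Evasions:None) (Test:000123)"
203.0.113.9 - - [22/Jan/2013:10:15:07 +0530] "GET /index.php?id=1 HTTP/1.1" 200 5120 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
198.51.100.7 - - [22/Jan/2013:10:16:00 +0530] "GET / HTTP/1.1" 200 3021 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/24.0 Safari/537.36"
"""

if __name__ == "__main__":
    for ip, rule, ua in flag_scanners(SAMPLE_LOG):
        print("%-12s %-10s %s" % (ip, rule, ua))
```

Keep in mind that a user agent is chosen by the client, so anything these rules stop is only the traffic that did not bother to change it; the log replay is useful mostly for spotting rules that are too broad.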

LSB new twist: text based Steganography

Today I am going to discuss a simple twist on existing steganography and text based data hiding techniques. While creating challenges for the pre-conference hacking challenge "HACKIM" for the nullcon conference, we came up with a text based LSB hiding challenge as crypto challenge part 5. Today I am releasing the tools I used for encoding and decoding such values.

The basic premise behind the tool is the simplest image based steganographic technique, where data is hidden in the least significant bit of each pixel. Here we implemented the same principle on normal text. The difference is that in the case of an image there is very little distortion and the original image looks pretty much the same, whereas in the text implementation the text looks a lot different.

Example

text to hide = a

binary of text to hide = 01000001

So for this we need a cover of size = 8 chars.

Let's assume the cover is abcdefgh.

We will replace the LSB of each cover character with one bit of the text which we need to hide, starting from the MSB to the LSB of the text.

S.No  Text  Binary    Converted Binary  Final Text
1     a     01100001  01100000          `
2     b     01100010  01100011          c
3     c     01100011  01100011          c
4     d     01100100  01100100          d
5     e     01100101  01100100          d
6     f     01100110  01100110          f
7     g     01100111  01100110          f
8     h     01101000  01101001          i

Now this new text could be sent across.

The final text becomes `ccddffi

Now, as we can see, the text has changed a lot; however, the important thing to remember is that, first and foremost, the cover is extracted and is most easily available.

By just random variation of 1s and 0s you can get the actual value.

Here is a funny tip:

Make your envelope text something interesting, so that focus shifts to the envelope rather than the variation in the data.

To simplify the above task I wrote simple encode and decode scripts, as listed below. (The scripts are at a crude level right now; I may improve on them if the need arises.)

Encode

#License : GPL2
#License File : http://www.gnu.org/licenses/gpl-2.0.html
import sys

Key = "CoDe"                                # text to hide
Cover = "Secret is hidden at /home/anant/"  # cover text: exactly 8 characters per key character
km = ""
if (len(Key) * 8) == len(Cover):
    print("Original : " + Cover)
    # bit string of the key, MSB first, 8 bits per character
    for k in Key:
        km += bin(ord(k))[2:].zfill(8)
    sys.stdout.write("Conceled : ")
    i = 0
    for c in Cover:
        y = bin(ord(c))[2:].zfill(8)
        s = list(y)
        s[7] = km[i]  # overwrite the LSB of the cover character with one key bit
        i += 1
        sys.stdout.write(chr(int("".join(s), 2)))
    print("")
else:
    print("Invalid Cover Size : " + str(len(Cover)) + " : " + str((len(Key) * 8)))

Decoding

#License : GPLv2
#License URL : http://www.gnu.org/licenses/gpl-2.0.html
import sys

crypt = "Rebrdt!ir!iheeeo at .inld/an`ot/"  # stego text produced by the encoder
cnt = 0
decode = list()
if (len(crypt) % 8) == 0:
    for c in crypt:
        y = bin(ord(c))
        decode.append(y[len(y) - 1])  # last character of the binary string is the LSB
        cnt = cnt + 1
        if (cnt % 8 == 0):
            # every 8 collected bits form one hidden character
            sys.stdout.write(chr(int("".join(decode), 2)))
            decode = []
else:
    print("Invalid Input")
print(" ")

Hope people might find some use for this somewhere.

Standalone Perl on Android

Along similar lines to standalone Python, this is the code that can be used for running standalone Perl applications.

This script again tries to address some very basic issues:

1) Non-availability of a direct Perl calling mechanism while using the terminal emulator.

2) Environment limitations.

3) You can't pass command-line arguments.

Script enclosed here:

#License: GPLv2 or later
#License URI: http://www.gnu.org/licenses/gpl-2.0.html
# stay in the directory the wrapper was called from so relative paths resolve
PW=`pwd`
cd $PW
# module search path for the Perl for Android runtime
export PERL5LIB="/sdcard/haxdroid/perllib"
# hand every command-line argument through to the real perl binary
/data/data/com.googlecode.perlforandroid/files/perl/perl "$@"

This script allows for the following things:

1) Allows us to use this shell script to call Perl directly.

2) Allows for command-line argument passing.

3) Relative path references now work.

I have named this script pl and placed it at /system/bin/pl.

So basically copy this script into a text file, say pl.txt, then:

adb push pl.txt /system/bin/pl

adb shell chmod 04755 /system/bin/pl

As always, this depends on the Perl for Android project to run properly; you can download it from here:

https://android-scripting.googlecode.com/files/perl_for_android_r1.apk

DroidCAT – Android Application collection for Security professionals

After a gap of 1 month, I am finally releasing the DroidCAT application.

The DroidCAT application is developed as part of the HaXdroiD project, which is right now in closed testing status.

Let's talk about DroidCAT today.

What is DroidCAT?
DroidCAT is inspired by firecat and aims to be a one-stop solution for finding all ethical hacking / information security related applications published in the Android domain. This application is also a part of the HaXdroiD suite, which aims to empower the Android handset for penetration testing purposes.

So now, let's not wait: head over to the Android market and download the application.

DroidCAT