Category Archives: hacking

Adventure with .git folder

During my recent pentest I found one interesting entry in the nikto scan logs:

[Screenshot: git_nikto]

Now, “.git” being exposed online and the issues around it have already been discussed at length in multiple places, so I will not go into the details. For those interested, check here and here.

However, as with most pen-testing work, every scenario is a new scenario. So here is what I encountered:

  1. .git was present, and if you requested a specific file you did get it.
  2. Directory indexing was disabled.
  3. Not all objects were present on the server, and it was a time-bound test.
  4. All automated tools failed to reconstruct the files for me, although they did download the .git folder with some success.

Now, these tools claim to retrieve the whole .git folder and then restore the code from it by doing a hard reset of the git repository, bringing the content back from the objects / changelogs. However, that soon turned into a nightmare for me.

The most successful tool for me was “dvcs-ripper”, and it did its job quite well until it ran into an endless list of 404s. This being a time-restricted test, I was forced to stop it after running it for 2 hours or so.

[Screenshot: git_404s]

And most importantly, a git reset on this folder gave me the following.

[Screenshot: git_reset_fail]

Now, as the automated tools had failed, the next option was to get my hands dirty. The first thought was to understand the .git folder structure, so a quick Google search pointed me to this and this.

This indicated that I was supposed to look inside .git/objects. Being a Linux command-line aficionado, I fired up my terminal, and the first thing that came to mind was to check what on earth these object files are. The results surprised me.

[Screenshot: git_file]

That led nowhere, and I was clueless about what VAX COFF is, so back to Google, and the first search led me to:

[Screenshot: git_vax_search]

Link : https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=509942

This cleared up the doubt: the object files are actually zlib-compressed streams. They carry the two-byte zlib header but no gzip wrapper, and `file` misreads those leading bytes as a VAX COFF magic number.

zlib decompression is available via the openssl zlib command with OpenSSL >= 1.0.0, provided the binary was built with zlib support (refer to this).

[Screenshot: git_openssl_zlib]

Now, considering the files at hand were far more than I could handle sanely (>800), I started looking for more options. That's when I was reminded of a git GUI, which solved my problem almost instantaneously.

[Screenshot: git_gut]

This tool clearly showed me the tree structure and allowed me to retrieve specific files by reverting the changes. (Reverting a change works here because we only had .git and not the working tree, so the repository considered every file as removed / deleted.)

Although, as not all objects had been downloaded, it was not possible to revert the entire tree, this tool provided a simpler way to restore specific files whose objects were present.

And hence the journey: from mere file paths / directory listing disclosed => downloading the whole source => corrupt .git folder => extracting useful content out of a broken .git repository.
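To make the manual path concrete, here is an added example that is not part of the original post and is not the code of dvcs-ripper or git gui. It does by hand what the GUI did: read loose objects from a partially downloaded .git/objects tree, inflate them with zlib, parse the `type size\0` header, and walk commit -> tree -> blobs, reporting the files whose objects never arrived instead of aborting the way `git reset` did. The sample repository is constructed inline; `load_objects_dir` shows how the same functions apply to a real downloaded .git/objects directory (the path is an assumption).

```python
import hashlib
import os
import zlib


def make_loose_object(obj_type, payload, level=1):
    """Build a loose object the way git does: 'type size\\0' + payload, zlib-compressed.
    git's default core.looseCompression is 1, which yields the 0x78 0x01 zlib header that
    `file` misreports as a VAX COFF executable. Returns (sha1_hex, compressed_bytes)."""
    raw = b"%s %d\x00" % (obj_type.encode(), len(payload)) + payload
    return hashlib.sha1(raw).hexdigest(), zlib.compress(raw, level)


def parse_loose_object(data):
    """Inflate a loose object and split it into (type, payload), checking the declared size."""
    raw = zlib.decompress(data)
    header, _, payload = raw.partition(b"\x00")
    obj_type, size = header.split(b" ")
    if int(size) != len(payload):
        raise ValueError("corrupt object: header says %s bytes, got %d" % (size.decode(), len(payload)))
    return obj_type.decode(), payload


def parse_tree(payload):
    """Yield (mode, name, sha1_hex) for each tree entry: 'mode name\\0' followed by 20 raw sha bytes."""
    pos = 0
    while pos < len(payload):
        nul = payload.index(b"\x00", pos)
        mode, name = payload[pos:nul].split(b" ", 1)
        yield mode.decode(), name.decode(), payload[nul + 1:nul + 21].hex()
        pos = nul + 21


def load_objects_dir(objects_dir):
    """Map sha1 -> compressed bytes for every loose object under a downloaded .git/objects (path assumed)."""
    store = {}
    for sub in os.listdir(objects_dir):
        subdir = os.path.join(objects_dir, sub)
        if len(sub) == 2 and os.path.isdir(subdir):
            for name in os.listdir(subdir):
                with open(os.path.join(subdir, name), "rb") as fh:
                    store[sub + name] = fh.read()
    return store


def recover_files(store, commit_sha):
    """Walk commit -> tree -> blobs. Returns (files, missing): files maps path -> content for
    every blob present in the store, missing lists the paths whose objects were not downloaded."""
    files, missing = {}, []
    obj_type, payload = parse_loose_object(store[commit_sha])
    if obj_type != "commit":
        raise ValueError("%s is a %s, not a commit" % (commit_sha, obj_type))
    # The first header line of a commit is 'tree <sha1>'.
    root_tree = payload.split(b"\n", 1)[0].split(b" ")[1].decode()

    def walk(tree_sha, prefix):
        if tree_sha not in store:
            missing.append(prefix + "*")      # whole subtree unknown: its tree object is absent
            return
        for mode, name, child in parse_tree(parse_loose_object(store[tree_sha])[1]):
            path = prefix + name
            if mode == "40000":               # subdirectory
                walk(child, path + "/")
            elif child in store:
                files[path] = parse_loose_object(store[child])[1]
            else:
                missing.append(path)

    walk(root_tree, "")
    return files, missing


def build_sample_store():
    """Constructed sample: README at the root, index.php and config.php under web/.
    config.php's blob is deliberately left out of the store, mimicking a 404 during the download."""
    store = {}
    sha_index, obj = make_loose_object("blob", b"<?php echo 'index'; ?>\n")
    store[sha_index] = obj
    sha_conf, _ = make_loose_object("blob", b"<?php $db_pass = 'secret'; ?>\n")  # not stored
    sha_readme, obj = make_loose_object("blob", b"internal notes\n")
    store[sha_readme] = obj
    web_tree = (b"100644 config.php\x00" + bytes.fromhex(sha_conf)
                + b"100644 index.php\x00" + bytes.fromhex(sha_index))
    sha_web, obj = make_loose_object("tree", web_tree)
    store[sha_web] = obj
    root_tree = (b"100644 README\x00" + bytes.fromhex(sha_readme)
                 + b"40000 web\x00" + bytes.fromhex(sha_web))
    sha_root, obj = make_loose_object("tree", root_tree)
    store[sha_root] = obj
    commit = (b"tree " + sha_root.encode() + b"\n"
              b"author A U Thor <author@example.invalid> 0 +0000\n"
              b"committer A U Thor <author@example.invalid> 0 +0000\n\n"
              b"initial import\n")
    sha_commit, obj = make_loose_object("commit", commit)
    store[sha_commit] = obj
    return store, sha_commit


if __name__ == "__main__":
    store, head = build_sample_store()
    files, missing = recover_files(store, head)
    for path, content in sorted(files.items()):
        print("recovered %-16s %d bytes" % (path, len(content)))
    for path in missing:
        print("missing   %s" % path)
```

Against a real download, replace `build_sample_store()` with `load_objects_dir(".git/objects")` and take the commit hash from the downloaded `.git/refs/heads/master` or `.git/HEAD`; the `missing` list is then exactly the set of paths still worth requesting by hand.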

Mission attachment protection

Earlier today @Rsnake posted about a flaw in how WordPress handles attachments.

Here are my observations on the same, listed below.

Note: observations are based on the latest 3.5.2 version of WordPress, with an image uploaded as an attachment. (Anyone running something older than this seriously needs to check.)

In short: yes, the vulnerability is real, but with a lot of caveats.

If the attachment is not linked to any post, then site/?attachment_id=N returns 200 OK and does serve the attachment.
If the attachment is linked to a post/page that is available online, the response is a 301.
If the attachment does not exist, a 404 error is returned.

Also, if the post is still a draft but the attachment has been added to it, a 404 is received (or a 301 if the post has a canonical name).

WPScan, the leading vulnerability scanner for WordPress, has this issue open here: https://github.com/wpscanteam/wpscan/issues/172

So what can we do about it?

Here is a quick .htaccess patch that can be applied to your WordPress instance.

Add the code below to the .htaccess file in the root of your WordPress installation.

Patch listed below:

<IfModule mod_rewrite.c>
RewriteEngine On
# Refuse any request whose query string carries attachment_id=<digits>,
# whether it is the first parameter or a later one.
RewriteCond %{QUERY_STRING} (^|&)attachment_id=([0-9]*)
RewriteRule ^ - [F,L]
</IfModule>

Note: this has only been tested on my personal website; it results in a 403 error instead of the home page for all URLs carrying attachment_id=.

However, one should also keep in mind that once an attachment has been uploaded there are other ways to access it, so if you are not ready to expose the attachment to the world, it is better not to upload it.

Shameless plug: many similar tricks are shared at https://github.com/anantshri/wp-security. Anyone concerned with WordPress security should definitely visit the page. Feel free to contribute too.

More information will be added as and when spotted.

SVN Extractor for Web Pentesters

Many a time, web application pen-testers encounter .svn folders. For those not aware, the .svn folder is used by the SVN version control system to perform its operations. For a black-box pentester this folder contains a huge amount of information, letting you:

1) Uncover hidden file and folder names.

2) Access the source code of the files.

3) Download files even if restrictions are in place in .htaccess.

How can this be achieved?

1) Uncover hidden file and folder names

There are two ways in which this can be achieved, depending on the version of SVN that created the working copy.

For SVN < 1.7 we have .svn/entries files (one per directory), which contain the list of files / folders as well as the usernames used for committing those files.

For SVN 1.7 and later (the single-.svn “wc-ng” format) we have .svn/wc.db at the working copy root, which contains similar data in SQLite3 format.

These files are often directly accessible through the URL.

2) Access the source code / download files even if .htaccess blocks access

SVN keeps a pristine copy of every versioned file, in one of two locations depending on the working copy format:

1) .svn/text-base/“filename”.svn-base (per directory, SVN < 1.7)

2) .svn/pristine/“XX”/“CHECKSUM”.svn-base (single .svn at the root, SVN 1.7 and later)

where

filename is the actual name of the file,

CHECKSUM is the SHA-1 sum of the file contents, and

XX is the first two characters of CHECKSUM.

The first type of entry has one limitation. Suppose the file name is testme.php; the path then becomes

.svn/text-base/testme.php.svn-base

A large number of servers will still hand this file to the PHP engine (the .php in the middle of the name matches their handler configuration) and serve the output rather than the source.

That's where option 2 shines: the pristine copy is named by checksum, so no handler matches and the raw source is served. However, this information is only available from wc.db (SVN 1.7 and later), and it requires that the .svn/pristine directory be web accessible.
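The wc.db route described above, as an added example that is not part of the original post and is not the svn-extractor tool: it opens the SQLite database, lists every versioned node with its checksum, and maps each file's checksum to the .svn/pristine/XX/CHECKSUM.svn-base path that is requested instead of the executable .php name. The working copy database is constructed inline with only the NODES columns the queries use (the real schema has many more), the checksums are made up rather than real digests, and the host http://target.example is an assumption.

```python
import sqlite3

# wc.db stores the pristine checksum as '$sha1$' followed by 40 hex characters.
SHA1_PREFIX = "$sha1$"


def pristine_relpath(checksum):
    """Translate a wc.db checksum into its path below .svn/: pristine/<first two hex>/<sha1>.svn-base."""
    if not checksum or not checksum.startswith(SHA1_PREFIX):
        raise ValueError("unexpected checksum format: %r" % (checksum,))
    digest = checksum[len(SHA1_PREFIX):]
    if len(digest) != 40 or any(ch not in "0123456789abcdef" for ch in digest):
        raise ValueError("not a sha1 hex digest: %r" % (digest,))
    return "pristine/%s/%s.svn-base" % (digest[:2], digest)


def open_wc_db(path):
    """Open a downloaded .svn/wc.db read-only (path assumed to point at the downloaded copy)."""
    return sqlite3.connect("file:%s?mode=ro" % path, uri=True)


def list_nodes(con):
    """Return (local_relpath, kind, checksum) for every node in the BASE tree, files and directories.
    op_depth 0 is the committed BASE tree; higher depths are uncommitted local adds/replaces."""
    return con.execute(
        "SELECT local_relpath, kind, checksum FROM NODES "
        "WHERE op_depth = 0 AND local_relpath != '' ORDER BY local_relpath"
    ).fetchall()


def pristine_urls(con, base_url):
    """Map each versioned file to the URL of its pristine copy under <base_url>/.svn/."""
    urls = {}
    for relpath, kind, checksum in list_nodes(con):
        if kind == "file" and checksum:
            urls[relpath] = "%s/.svn/%s" % (base_url.rstrip("/"), pristine_relpath(checksum))
    return urls


def sample_connection():
    """Constructed in-memory wc.db: a subset of the real NODES table holding the root,
    one directory and two files. Checksums are invented, not digests of the named files."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE NODES (
            wc_id INTEGER NOT NULL, local_relpath TEXT NOT NULL, op_depth INTEGER NOT NULL,
            parent_relpath TEXT, repos_path TEXT, kind TEXT NOT NULL, checksum TEXT,
            PRIMARY KEY (wc_id, local_relpath, op_depth)
        );
    """)
    con.executemany(
        "INSERT INTO NODES VALUES (1, ?, 0, ?, ?, ?, ?)",
        [
            ("", None, "trunk", "dir", None),
            ("admin", "", "trunk/admin", "dir", None),
            ("admin/config.php", "admin", "trunk/admin/config.php", "file",
             SHA1_PREFIX + "0123456789abcdef0123456789abcdef01234567"),
            ("index.php", "", "trunk/index.php", "file",
             SHA1_PREFIX + "89abcdef0123456789abcdef0123456789abcdef"),
        ],
    )
    con.commit()
    return con


if __name__ == "__main__":
    con = sample_connection()
    for relpath, kind, _ in list_nodes(con):
        print("%-5s %s" % (kind, relpath))
    for relpath, url in sorted(pristine_urls(con, "http://target.example").items()):
        print("%s -> %s" % (relpath, url))
```

With a real target, fetch /.svn/wc.db first, open it with `open_wc_db`, and feed the resulting URLs to your downloader; a 403 on the pristine path means the server blocks .svn/pristine and only the directory listing from wc.db is usable.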

However, after searching a lot I was not able to find a single piece of code which could do both these things in one go.

So here is a tool which performs both operations in one script.

Usage

svn-extractor.py --url "url with .svn available"

Source Link : https://github.com/anantshri/svn-extractor

So far it has only been tested in localhost environments; I am hoping to get some feedback on it.

References

It would be unfair to say that I did all the research myself, so here are links to the various resources I used to get the information.

1) http://pen-testing.sans.org/blog/pen-testing/2012/12/06/all-your-svn-are-belong-to-us (manual technique for wc.db)

2) http://www.adamgotterer.com/post/28125474053/hacking-the-svn-directory-archive (manual technique for .svn/entries)

3) http://www.cirt.net/svnpristine (the only automated tool I could find online; it does half of what this tool does)

IronWasp on Linux

For those looking for how to download and install IronWASP on Linux:

One-line copy-paste code.

wget http://blog.anantshri.info/content/uploads/2013/01/ironwasp_installer.sh.txt -O ~/ironwasp_installer.sh && sh ~/ironwasp_installer.sh

Those looking for some reading can continue from here.

This post will talk about running IronWASP on Linux. So, a little background.

IronWASP (from ironwasp.org):

IronWASP (Iron Web application Advanced Security testing Platform) is an open source system for web application vulnerability testing. It is designed to be customizable to the extent where users can create their own custom security scanners using it. Though an advanced user with Python/Ruby scripting expertise would be able to make full use of the platform, a lot of the tool’s features are simple enough to be used by absolute beginners.

Where does Linux come into the picture?

IronWASP is based on FiddlerCore and uses .NET for its UI. Hence, running it on Linux was a bit hard. Mono is out of the question here, as FiddlerCore doesn't play well with Mono. Lava and I did work on checking whether Mono could support it, but the efforts didn't work out. Then came the CrossOver Office giveaway sale and a surprise tweet from R3dsm0k3 about being able to run IronWASP successfully through CrossOver Office on Mac.

[Screenshot: ironwasp]

From that time I was wondering: why only CrossOver Office? We should be able to do it directly in Wine. Finally, today I got some time to sit down and see how CrossOver does it and what could be done with Wine, and here is the output.

Disclaimer: this is in no way a fully baked script; it is bits and pieces joined overnight to get things working. I can't promise that a new release will be done, but it should surely help anyone who wants to work on it.

Once you run this script, all you need to do is click Next, Next, Finish for the .NET 2.0 installation, and soon you will find an icon on your Linux desktop named IWASP which will launch IronWASP for you. In the background the script automatically downloads and installs the various dependencies required and configures the system.

Prerequisites: Wine version >= 1.4 and internet connectivity.

I will try to see if I can make a video of the same setup; till then this textual output should be enough.

Note: during setup, if there is a prompt to restart now or later, please select restart now. Your system won't reboot; just Wine restarts.

Download Link : ironwasp_installer.sh

One-liner

wget http://blog.anantshri.info/content/uploads/2013/01/ironwasp_installer.sh.txt -O ~/ironwasp_installer.sh && sh ~/ironwasp_installer.sh

Feel free to suggest changes or comment.

KNOWN ISSUES

1) UI-Designer doesn't work for drag-and-drop UI building on 32-bit Linux (working on 64-bit Linux). (Mac working is confirmed by r3dsm0k3.)

CHANGELOG

22-01-2013:
1) r3dsm0k3 confirmed that the script works on Mac too.
2) Code modified to add a reference.
3) Shortcut details updated to correct a few issues where the API tree was not visible on the right side.
4) dos2unix conversion: web edits had caused the script to go DOS (CRLF line endings).
5) wineprefix specifically marked as 32-bit.

23-01-2013:

1) Customization to make the script work on 64-bit Linux instances.

NOTE

In case you observe, after running the script, an error from Wine suggesting that you install Mono for Linux / Windows, I would suggest rerunning the script, but this time comment out the wget URL for CNET and uncomment the wget URL for Microsoft downloads. Both URLs are used to download .NET SP2, but one of them occasionally goes down, and I had a better success ratio with the CNET link. However, YMMV. Feel free to add a comment here in case of any issue, but make sure to include the entire output of the above listed command. This helps in quickly solving the issue.

In case you don't want to add a lot of junk in a comment, I would suggest emailing me the details instead.

LSB new twist: text-based steganography

Today I am going to discuss a simple twist on existing steganography and text-based data hiding techniques. While creating challenges for the pre-conference hacking challenge “HACKIM” for the nullcon conference, we came up with a text-based LSB hiding challenge as crypto challenge part 5. Today I am releasing the tools I used for encoding and decoding such values.

The basic premise behind the tool is the simplest image-based steganographic technique, where data is hidden in the least significant bit of each pixel. Here we implement the same principle on normal text. The difference is that in the image case there is very little distortion and the original image looks pretty much the same, whereas in the text implementation the text looks a lot different.

Example

text to hide = a

binary of text to hide = 01000001

So for this we need a cover of size = 8 characters.

Let's assume the cover is abcdefgh.

We replace the LSB of each cover character with one bit of the text to hide, taking the bits of the hidden character from its most significant bit (MSB) down to its LSB.

S.No  Cover  Binary     Hidden bit  LSB replaced  Final
1     a      01100001   0           01100000      `
2     b      01100010   1           01100011      c
3     c      01100011   0           01100010      b
4     d      01100100   0           01100100      d
5     e      01100101   0           01100100      d
6     f      01100110   0           01100110      f
7     g      01100111   0           01100110      f
8     h      01101000   1           01101001      i

Now this new text can be sent across.

The final text becomes `cbddffi

Now, as we can see, the text has changed a lot. The important thing to remember, though, is that the cover is easy to recover: anyone who suspects the trick gets the original characters back by simply trying both values (1 and 0) of the last bit of each character.

Here is a fun tip:

Make your envelope text something interesting, so that the focus shifts to the envelope rather than to the variation in the data.

To simplify the above task I wrote simple encode and decode scripts, listed below. (The scripts are quite crude right now; I may improve them if the need arises.)

Encode

#License : GPL2
#License File : http://www.gnu.org/licenses/gpl-2.0.html
import sys

Key = "CoDe"
Cover = "Secret is hidden at /home/anant/"   # ASCII only: each character is one 8-bit value

# Each hidden byte needs eight cover characters (one LSB per character).
if len(Key) * 8 == len(Cover):
    print("Original : " + Cover)
    # Bit string of the secret, MSB first for every character.
    km = "".join(bin(ord(k))[2:].zfill(8) for k in Key)
    sys.stdout.write("Concealed : ")
    for i, c in enumerate(Cover):
        s = list(bin(ord(c))[2:].zfill(8))
        s[7] = km[i]                    # overwrite the LSB of the cover character
        sys.stdout.write(chr(int("".join(s), 2)))
    print("")
else:
    print("Invalid Cover Size : " + str(len(Cover)) + " : " + str(len(Key) * 8))

Decoding

#License : GPLv2
#License URL : http://www.gnu.org/licenses/gpl-2.0.html
import sys

crypt = "Rebrdt!ir!iheeeo at .inld/an`ot/"
cnt = 0
decode = []

if len(crypt) % 8 == 0:
    for c in crypt:
        # The LSB of each character is one bit of the hidden text, MSB first.
        decode.append(bin(ord(c))[-1])
        cnt += 1
        if cnt % 8 == 0:
            # Eight collected bits form one hidden character.
            sys.stdout.write(chr(int("".join(decode), 2)))
            decode = []
else:
    print("Invalid Input")
print("")

I hope people find some use for this somewhere.

Whitepaper: Security Issues in Android Custom ROMs

Today I am releasing the paper which I presented recently at the c0c0n conference in Ernakulam. This paper outlines security misconfigurations that can lead to device compromise, data theft and so on.
I hope this helps in the secure development and deployment of custom ROMs.

http://anantshri.info/articles/android_cust_rom_security.html

The link contains downloads for both my slide pack and the complete whitepaper.

Also, a crude application has been created and uploaded to the Android Market which can help in identifying the issue.

https://market.android.com/details?id=anant.hax.aui

White Paper : Web Application Finger Printing : Methods/Techniques and Prevention

Today I am presenting my work of the past few days in the form of a white paper.

This white paper outlines automated fingerprinting methods and techniques, and ideas for preventing automated methods from working on your site.

BTW, those who have Wappalyzer in their browsers, just enjoy visiting my Joomla-powered website. :D

Here is the link to the HTML version of the paper, which also includes the PDF version for download.
Web Application Fingerprinting: Methods/Techniques and Prevention
Waiting to hear from the fellows (I am expecting rebuke, criticism, and a bit of appreciation if it's worth it).

Chrome Extensions for Security Professionals

Google Chrome Extensions

In recent days we have seen a phenomenal increase in the usage of the Google Chrome browser; however, security professionals still look to Firefox for their day-to-day usage, the basic reason being the large set of Firefox extensions backing it up. We also have custom builds like OWASP Mantra doing the rounds.

So for those who love using Google Chrome and still miss the large plugin base, here is a list of must-have plugins for the security professional.

Note: usage could be both offensive and defensive; it's up to the user to decide. The content here is for informational purposes only.

CAUTION: LONG POST .... continue below only if you can give it time, because this post is large.


Database protection techniques: a different perspective

Tips for Db Security

Disclaimer: this post has web front-ends and web-application-based attacks on DB servers in mind.

  1. Any user ID used for web application connectivity should be restricted to specific IP addresses: localhost when the DB and the application run on the same server; if two separate servers are used, restrict the user ID(s) to the application server's IP address / hostname. Keep a strict log of who accesses the ID and when.

  2. The first entry in the user / password database should be a dummy entry with zero privileges; it can also act as a honeypot, since any login attempt against it is a sign of probing.

  3. Default accounts should be removed / locked.

  4. User input validation should be a three-step process:

    1. Web page / client side: JavaScript. This only helps usability; it is trivially bypassed, so it never counts as a security control on its own.

    2. Server (application): OWASP ESAPI or custom functions can be used.

    3. DB: use PL/SQL functions to sanitize the input data.

  5. Another good utility to keep in mind is the Oracle data dictionary view DBA_USERS_WITH_DEFPWD, which lists the users still using default passwords; with 11g all default accounts are locked by default.

  6. Web application developers should be provided with three different user-level accounts to be used inside the web application:

    1. Read access: user with access to SELECT queries only.

    2. Write access: user with SELECT, UPDATE and DELETE access.

    3. App_mod: write access plus DROP and TRUNCATE.

Developers need to make sure the proper account is used as and when required.

Note: I know a large number of developers might start complaining that this will increase their headache, but in the long run this could turn out to be a life saver.

Please share your opinion: is this a good approach, is it going to help you, and what do you think should be added to it?


Nullcon CTF BattleUnderground 2011 Walkthrough

Finally, after nearly 3 months, I have been able to compile the complete walkthrough.

So, presenting the walkthrough for Battle Underground.

Please keep a few notes in mind:
1) Most of the stuff was done after the servers were shut down, so I have had to manage with directions only and not screenshots.
2) Feel free to ask questions or suggest an alternative approach if you have one.

As usual, the PDF is uploaded @ Slideshare.

Direct download link

View the slides @ slideshare