Pentesting Firebird Databases

January 9, 2015 Leave a comment

There seems to be limited information on pentesting Firebird databases on the Internet.
Firebird database server listens on TCP port 3050.

One good resource I found is http://blog.opensecurityresearch.com/2012/07/fun-with-firebird-database-default.html.

It seems like most people do not change the default SYSDBA credentials for their Firebird database. Below are the default credentials. 
Username:
SYSDBA
Password: masterkey

I have encountered before that the access card database system was using Firebird database for its backend.
This python script requires pyfirebirdsql library from https://github.com/nakagami/pyfirebirdsql.

Firebird requires you to supply the database name on the server you are trying to.
One way to get around it is to check for active connections on the Firebird database server.

What this tools does is to
1. Connect to the Firebird database server using the default credentials
2. List the connected databases
3. Dump the records from the Firebird database server

You can also use the -wordlist argument to supply it a wordlist of database names so that it can attempt to brute-force. That is useful if there aren’t any active connections (or databases not mounted) on the Firebird database that you are trying to access.

Below is a screenshot of the tool in action.
firebirdBrute.py

The common-tables.txt file from sqlmap is useful if you need a wordlist.
https://raw.githubusercontent.com/sqlmapproject/sqlmap/master/txt/common-tables.txt

The tool can be downloaded from the below Github repo.
https://github.com/milo2012/firebirdDump

Proxy Tester Script

January 8, 2015 Leave a comment

I wrote a script to tests and sorts proxy servers (socks4, socks5, http, https).
There are readily available scripts out there on the Internet that does the same. I just want to write my own.

Sometimes, during a web application test, your IP address might get flagged and blocked by the target’s WAF.
Proxy servers might just be useful in this type of situation. However, regard all proxy servers as malicious and unsafe. You do not want to send sensitive data like credentials over the proxy servers.

If you are doing anything malicious, do not access the proxy servers directly as the ISP might be able to pinpoint the end point of the attack easily.

Below is a screenshot of the help menu for the proxyTester.py script.

proxyTester.py
By default, the script tests the proxy servers to see if it supports SSL connections.

Below is an example of the command to run

python proxyTester.py -i proxies.txt -o profile1 -n 100  -time -t https -sort

The script accepts a text file containing proxy servers in the below format
190.207.5.201:9064

The input file can contain a mixture of Socks4, Socks5, HTTPs, HTTP proxies.

In the below example, the script reads the list of proxies from the file using the -in argument, tests and sorts the proxies using 80 concurrent threads into categories (Socks4, Socks5, HTTPs) and outputs a Proxifier profile PPX file (which you can import into Proxifier if you are using this).

ProxyTester.py

You can use the -time argument in the script to test the latency of the connection.
It might be useful as you might want to avoid using a proxy that has a high latency.
Your computer -> Proxy server -> Website

proxyTester.py

You can download the script from the below Github repo.
https://github.com/milo2012/proxy_tester

Categories: Pentest Scripts

Test AS/400 for default credentials

December 7, 2014 Leave a comment

I wrote a simple script to test default credentials in AS/400. I made use of the library and sample code from http://tn5250py.cvs.sourceforge.net/.  It currently only works with IBM AS/400 telnet servers for now.

You can pull the code from https://github.com/milo2012/pentest_scripts/tree/master/as400.
You will have to supply the ip and port of the AS400 server in the command line

Help screen for AS/400 tool

Below is a screenshot of the tool in action.

Test AS/400 Default Credentials

Automating Man-in-the-Middle SSHv2 attacks

November 12, 2014 3 comments

Recently during an internal penetration test, I was performing ARP spoofing and i discovered a SSH connection from the administrator computer to another box.

That sounds like the correct way to access remote hosts securely. However, the problem was that the company was using a network switch that was vulnerable to ARP spoofing.

I came across the below article about performing ARP spoofing and MITM SSH connections to steal credentials.

When performing arp spoofing and performing a mitm attack on SSH, the victim does get an alert message saying that there is a key mismatch but most people just ignore them anyway.

Below is the link to the original article.
http://woff.hu/tools/ssh2-mitm-like-attack-with-jmitm2/

In the article, the author demonstrates the use of a software called JMITM2 (http://www.david-guembel.de/index.php?id=6) which is sort of like a honey pot that proxies SSH connections between the victim and the target SSH server.

However, there are a number of steps to be done manually to execute this attack during an internal penetration test.

1. Check if network is vulnerable to ARP spoofing
2. Check if there are any active SSH connections in the network
2. Identify the victim computer and SSH server
3. Modify the configuration files of JMITM2
4. Modifying iptables
5. ARP spoofing
6. Checking JMITM2 console for credentials
7. Re-arp the router and victim host with the correct MAC addresses of each.

It would save a great amount of time to automate these steps. I wrote a script that does just that.

Running the command below checks the network for active SSH connections (via ARP spoofing) and then automates the whole attack to outputs any credentials captured to the console.

python2.7 mitmSSH.py -analyze

If you know the victim host IP and SSH server, you can use the below command

python2.7 mitmSSH.py -host victims -ssh sshServerIP

IMG_2025.PNG
This script has only been tested on Kali Linux.

There are a couple of things that are still in the works to improve the script.
1. Switching from intercepter-ng for ARP spoofing to scapy.

The script can be grabbed from the below link
https://github.com/milo2012/pentest_automation/blob/master/mitmSSH.py

Categories: Uncategorized Tags: , ,

Web Application Testing – Parsing Directory and File Listing

September 9, 2014 Leave a comment

During web application testing, it is useful to get the directory and file listing of the root of the web application that you are testing so as to ensure complete coverage of the application.

You can use the below command to get a files and directories listing of the web application root

ls –laR /var/www > cd–filelist.txt

I wrote a simple script to parse and convert the output so that I can pipe the URLs directly to Burpsuite.

 

The script can be found at https://github.com/milo2012/pentest_scripts/blob/master/web/parseFileList.py

 

Below is an example of how you can use the script.

python parseFileList.py -f cd-filelist.txt > filelist_out.txt

After running the command, you must modify the filelist_out.txt to search/replace each lines with the FQDN of the website.

E.g. replace /var/www/html/www.domain.com with https://www.domain.com

Next, start Burpsuite and point the proxy listener to 127.0.0.1 port 8080.

The next line will use send each URLs in teh filelist_out.txt to Burpsuite using Curl and Xargs.

cat filelist_out.txt | xargs curl –user-agent “Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.152 Safari/537.36″ -k -x http://localhost:8080 >/dev/null 2>&1

 

Sit back and enjoy some coffee as this process could take some time.

Corelabs Impacket Scripts (Modded)

September 9, 2014 Leave a comment

I made some changes to wmiexec.py script due to some anonyances I encountered during peneration tests.

The use case scenario for these modded scripts is that if the password contains special characters like @ or : and you can’t use it with the default wmiexec.py/psexec.py/smbexec.py scripts (maybe its just me who can’t figure out how to know how to use them :P)

These 3 scripts (wmiexec.py/psexec.py/smbexec.py) are the common tools that you can use if you want to get the remote host to execute a meterpreter exe file generated via Veil-Evasion.

Using the modded scripts, you can get a list of hosts to run a single command (eg ipconfig) using one line of command.

The source code for the modded scriptscan be found here
https://github.com/milo2012/pentest_scripts/tree/master/impacket.

Special thanks for Corelabs for making these scripts. Impacket scripts can be found here https://code.google.com/p/impacket/.

Screenshot of psexec.py

Examples of how you can use the modded psexec.py
python wmiexec.py -d testdomain -u user -p pass -ip 192.168.2.1 -command ipconfig
python wmiexec.py -d testdomain -u user -p pass -ip 192.168.2.1 -f ips.txt -command ipconfig

psexec

Screenshot of smbexec.py

Examples of how you can use the modded smbexec.py
python smbexec.py -d testdomain -u user -p pass -ip 192.168.2.1
python smbexec.py -d testdomain -u user -p pass -f ips.txt

smbexec

Screenshot of wmiexec.py
Examples of how you can use the modded wmiexec.py
python psexec.py -d testdomain -u user -p pass -ip 192.168.2.1 -command ipconfig
python psexec.py -d testdomain -u user -p pass -f ips.txt -command ipconfig

wmiexec

winboxHunter

August 27, 2014 Leave a comment

Prerequisites:

– Python2.7
– Impacket (svn checkout http://impacket.googlecode.com/svn/trunk/ impacket-read-only)
– Ruby
– Veil Evasion (git clone https://github.com/Veil-Framework/Veil-Evasion.git)

Description:

If you are working on a penetration test remotely, its sometimes hard to determine when the users start work or connect their laptops to the network.

winboxHunter is useful if you have managed to capture and cracked a bunch of NTLM credentails and want to run Metasploit against these windows boxes as and when they are connected to the network.

winboxHunter listens for NBNS broadcast packets so that when a new winBox is connected to the network, it will use the Impacket scripts (psexec.py and wmiexec.py) to push an executable onto the winBox and runs it.

In the background, winboxHunter runs Metasploit with payload handler (multi/handler) and listens for incoming connections from the winboxes.

You might want to modify autorunCmd.rc to specify the Metasploit commands you want to run on the pwned winbox upon connecting back to Metasploit.

See meterpreter.rc and autorunCmd.rc for more details.

If a host changes its IP address due to DHCP lease expiration, it will not attempt to exploit the winbox twice.

Format of password.txt

domain/username password

Instructions:

Meterpreter executable

You only need to use one of the below 2 options

– You can either use your own meterpreter payload executable using the -e or –exe argument (payload=windows/meterpreter/reverse_https, rport=8443) or

– You can use the -n or –enableVeil argument to generate a meterpreter payload executable using Veil Evasion
You can run winboxHunter using the below sample command

ruby winboxHunter.rb -n -f password.txt -v

When you run winboxHunter, a linux screen with the name “msfscreen” will be created and msfconsole will be executed. You can connect to the screen via the below command

screen -dr msfscreen

The source code for winboxHunter can be found at https://github.com/milo2012/winboxHunter

Follow

Get every new post delivered to your Inbox.