sshdroid

sshdroidOnce sshdroid (https://play.google.com/store/apps/details?id=berserker.android.apps.sshdroid&hl=en) is installed on a rooted device, start zipping around, like in /data/user/0/<packagename>/shared_prefs

But to log on, first might need to turn off “Enable root” in sshdroid. But after logging in to: ssh root@<ip> -p 2222 then simply su.

196 total views, 1 views today

Drozer and ADB

ADB, the Android Debugging Bridge. If you want it to connect to Android > 4.2.2, or in other words, anything from this century, you can’t use anything less than ADB 1.0.31. By default, mobisec comes with 1.0.29, so even if the device is rooted, the device appears to be offline.

To upgrade adb: First download android-sdk-linux, from here: https://developer.android.com/studio/index.html near the bottom where is says “Just the tools” Once you download, unzip and all that, cd into android-sdk-linux and run: tools/android update sdk –no-ui

To get 32-bit adb: http://askubuntu.com/questions/710426/android-sdk-on-ubuntu-32bit, as of this writing, it resulted in version 1.0.32 of adb.

Installing Drozer: (Drozer site) Need the .apk for the device, and the platform. Both are available at the Drozer page. Start up the agent on the device, and it should be running on tcp:31415, then do the port forwarding in the platform. If the device and the platform connect, all good, and fire away!

Extra Drozer Modules: https://github.com/mwrlabs/drozer-modules

Drozer User’s Guide:
https://labs.mwrinfosecurity.com/system/assets/502/original/mwri_drozer-users-guide_2013-07-25.pdf

If we get:
mobisec@mobisec:~$ adb devices
List of devices attached
8753afe5 no permissions

Then stop and start the server with sudo.

Another good resource: https://securitycafe.ro/2015/07/08/mobile-penetration-testing-using-drozer/

Video overview by the developer: https://www.concise-courses.com/infosec/drozer/

172 total views, 1 views today

Mobile App Testing

As others have done with their blog, I plan to use this as a repository of things I learn, not a “I’m a ninja on this topic, read this to learn everything!”, quite the opposite actually.

Testing android app, get the .apk file, simply download it onto the device and double click the file to install it. Once the file installs, it will be runnable.

To open an .apk file, change the extension to .zip and unzip it. That will include manifests, xml files of information and dex file(s), which is the actual java code that can be decompiled with something like dex2jar (included in Mobisec). Then simply use JD-GUI to read the class files!

120 total views, 1 views today

Username Enumeration Timing Attack

This is kinda cool. One way of enumerating usernames is to try a username against a login screen and have the error message tell you “That username doesn’t exist.” Or try to create a new account and have the system tell you “That username already exists.” But if a site is coded properly, it won’t give you that kind of info, making username enumeration (ie. figuring out valid and existing usernames) harder. So how about figuring them out with a timing attack?

When a username and password are submitted to a site for checking, they’re sent to a database and the dbms needs to find the username, and when it finds the row with the username, it checks the password hash against what exists in the database. However if the username doesn’t exist, the dbms doesn’t need to bother checking the password hash. It can just return the generic fail message. This small difference can be seen in the response time. In a recent test, I created a list of 50 usernames and 5 were known good. I interspersed the valid usernames in with all the invalid ones. I used the same password for every attempt, and ran them through Burp Intruder. The result was that the five good returned the slowest response times. There was one invalid password mixed in, but out of the six slowest responses, my five valid usernames were right there. Knowing this, I could do some open source searches for potential usernames and test them against a login screen. I did also test usernames of varying length and it didn’t change the results. Just in case of having a list with mostly valid usernames, I could also pad it with likely garbage usernames, things like “aaaaaaaaa” or “nekdhspfacshabdfks”. This one will be fun to try again in future assessments.

109 total views, 1 views today

Web App Test

In my first test, I worked with my manager. It was a web test and one that was pretty solid. However one fun thing was something I saw in a presentation at BSides Baltimore last week. A bad password policy may be a low finding. A lack of bad auth attempt lockout feature may be a low finding. A username enumeration may be a low finding. However, if a site has all three? That is a critical finding. If you can enumerate a list of valid usernames (just check LinkedIn for names and figure out the username format) and then throw the top 1000 passwords against a list of usernames, you’ll get in.

Some other stuff too, but also wrote the report and sent it in. Looking forward to the next one!

93 total views, 1 views today

Privilege Escalation in Windows

Welp, I get to start in an area that I probably know least about, Windows. I’m sure someday I’ll look back and think this was silly easy, because of the fact that I have access through one set of credentials. However, the goal is to get administrator, or even better, system access. So I’m learning about how Windows keeps track of that sort of thing.

Starting with Security Accounts Manager (SAM), the database of where password hashes are stored. At this point, I’m guessing it’s akin to the /etc/shadow file. Now to figure out where it is and how to access it, because it appears that only the system level user actually has access.

Continue reading

139 total views, no views today

New Pentester

I got a job as a penetration tester, which I think is really exciting. It is a job that I get excited about. One that causes frustration and a feeling of accomplishment. I’ll officially start on April 11th. My plan is to track my progress here, and document things that I learn, in general.

I contacted some other friends who are pentesters and asked for their advice, ideas on things they wish they knew when they got started. I was given two great pieces of advice on things to read or study up on. One was to read the publications on GitHub from Cure53. Today I read their whitepaper on X-Frame-Options and various ways to still bypass the clickjacking protection it provides. I’m looking forward to reading the others, once I finish the other recommendation…The Tangled Web! Continue reading

126 total views, 1 views today

About DD4BC

This is an FAQ about DD4BC that I wrote for Akamai, and it appeared here and here.

DD4BC, the malicious group responsible for several Bitcoin extortion campaigns last year, continues to expand attacks against Akamai customers. Researchers from Akamai’s PLXsert and CSIRT teams continue to investigate attack activity related to the group.

In recent weeks, the frequency of customers receiving ransom emails from this band of chaotic actors has steadily grown. DD4BC continues to inform victims that they will launch a DDoS attack of 400-500 Gbps against them. To date, DD4BC attack campaigns mitigated by Akamai have not exceeded 50 Gbps in size. That’s up from the high of 15-20 Gbps observed in early May. (A full history of the group’s exploits and firepower can be found in this advisory from April.)

Below are the most commonly asked questions we’ve received from customers, along with some answers.

What is new since the last update?

The group can now attack with firepower of up to 50 gigabits per second. Additionally, they now threaten exposure to a targeted organization via social media in addition to the DDoS attack itself. The goal is to publicly embarrass the target via social media, thus harming the company’s reputation and to garner additional attention towards credibility for the service disruption. Their methodology has also changed in that they are utilizing multi-vector campaigns more readily as well as in some instances re-visiting previous targets that experienced some level of impact during the initial event. We have also observed this group incorporating a Layer 7 attack as part of the multi-vector attack.

Continue reading

319 total views, no views today

Value of a Good Manager

This in no way reflects my current management, it’s more thoughts of managers past and managers of other friends.

I’m surprised that more businesses and employers don’t always understand the true value of a good manager. I think often the thought is on how well the manager can do their own tasks and don’t see the true value of management and leadership. A management position is sometimes seen as just a logical career progression, and not thought of as a true skill, like many others. I have seen where a bad manager can be put in charge of a number of good employees, and the good employees end up either leaving the job or becoming stale, and then sometimes the manager also leaves the job. Then I think of the good employees who have left and would have still been an asset to the company if not for that bad manager.

A good manager can fix bad employees and make good ones better. A bad manager cannot fix bad employees and will likely make good ones bad, or make them leave.

Just my thought for the day.

94 total views, no views today

Drupal

Pentesting Drupal

One thing that Drupal started doing well is masking the version of the core code. Early on, you could simply view the source of each page and right in a meta tag was the Drupal core version. Well, that makes it a little too easy for the bad guys (and pentesters) to get the known vulnerabilities for the site. It takes a little more digging. But when the site had it, it looked a little like:

<meta name=”Generator” content=”Drupal 7 (http://drupal.org)” />

I’m working on one that does not have the version in the meta tag, however the site has not merged, or consolidated the modules’ css files. That means right in the source, it lists all the modules that the site is using. It looks a little like:

<link type=”text/css” rel=”stylesheet” media=”all” href=”/sites/all/modules/cck/theme/content-module.css?Q” />
<link type=”text/css” rel=”stylesheet” media=”all” href=”/sites/all/modules/ckeditor/ckeditor.css?Q” />
<link type=”text/css” rel=”stylesheet” media=”all” href=”/sites/all/modules/ctools/css/ctools.css?Q” />

My thought on that was that the css probably changed a little when the Drupal core code changed and the module needed to be updated. So I downloaded the Drupal 6 and Drupal 7 versions of one of those css files for a module and did a comparison to what is on the site. What I found for one was that the site and Drupal 6 had the following line in the css file:

/** For IE we add the class via js; for other browsers we rely on :hover **/

The Drupal 7 version of this module’s css file does not have that line in it. So maybe the site is running Drupal 6, or maybe it’s just running an outdated version of that plugin. Not that that’s a bad thing either. But if you look a little further, we also see that each of those modules has its own README. Checking those and versions also gives a better idea of the versions.

Still, nothing rock solid, short of checking for SA-CORE-2014-005, which I will be doing too.

174 total views, no views today