Follow:

Latest articles in ‘Offsec’


  1. wwwolf’s PHP webshell user’s guide

    Published: Sat 02 December 2017 in Projects.
    wwwolf’s PHP webshell is a PHP web shell striving to abide by the KISS principle. Discover its features and how to use webshells in general.

    Web shells are backdoors relying on server-side scripting languages to be executed by the targeted server and usually accessed through a browser. While focused on wwwolf’s PHP webshell features, some part of this post are general and can be applied to other other webshells as well.

    While some web shells attempt to provide the most complete post-exploitation frameworkas possible, and are therefore heavy and prone to bugs and incompatibilities, wwwolf’s PHP webshell considers the web shell as a transitional step in taking over a server.

    wwwolf’s PHP webshell focuses on the functionalities necessary to do:

    • Local enumeration to discover the target’s environment and choose your next step.
    • Payloads and toolkits files transfer and execution, to proceed with your next step.

    It tries its best to:

    • Be unobtrusive, with a simple yet efficient interface.
    • Be reliable, being as tolerant as possible regarding the target’s environment and …

  2. Mr. Robot (TV show by Sam Esmail, 2015)

    Published: Wed 22 November 2017 in Library.
    A review on 'Mr. Robot' TV series, which started with a very engaging first season but sadly seems to wither away.

    Mr. Robot is an interesting project trying to create a television series featuring accurate “hacking” techniques and real-life events, as opposed to most “hacker” movies and series which just project the general public phantasms on the screen.

    I used to redirect people asking me for some “hacking trick” to this series, and several websites and blogs use it as a illustration to provide fundamental knowledge in IT security and help people take conscience of various risks.

    As I write this post, we have now reached the middle of the third season, and while I was and still am very enthusiastic regarding the first season my feeling are now more than mitigated about its sequel.

    Note

    For those who haven’t seen this series yet, I won’t get into any storyline details here, except a bit when listing some season 3 issues. Most of this post should be spoiler-free, however …


  3. Drupageddon revisited: a new path from SQL injection to remote command execution (CVE-2014-3704)

    Published: Thu 16 November 2017 in Cookbook.
    Background explanations and a more efficient way to exploit Drupageddon, aka. CVE-2014-3704, Drupal SA-CORE-2014-005.

    Usually Drupal teams do a great job into ensuring a reasonable security level to their users. Most of the Drupal critical vulnerabilities come from community modules, modules which are hosted on a central place where the ones not conforming with Drupal security requirement get a specific red banner (“This module is unsupported due to a security issue the maintainer didn’t fix.”) and are tagged as abandoned.

    However, mistakes still happen, as Stefan Horst discovered in 2014 when he found out the Drupageddon vulnerability, also known as CVE-2014-3704 and Drupal SA-CORE-2014-005.

    I find this vulnerability quite interesting as it is an SQL injection vulnerability affecting Drupal core which relies on PDO for its database accesses which, in theory, should make it immune to such vulnerability.

    Moreover, we will see that Drupal’s features allow to extend this vulnerability way further than a simple SQL injection. We will …


  4. DHCP exploitation guide

    Published: Mon 30 October 2017 in Cookbook.
    A step-by-step guide to practical DHCP exploitation and protection.

    DHCP allows devices to automatically get their network configuration when bringing up a network interface (typically when booting).

    This configuration usually includes, among other thing, the IP address attributed to the device, the DNS domain name and the IP address of the default router, of the DNS server and of the NetBIOS name server.

    This configuration, is allocated to the device only for a given time: the lease time. Lease time may vary largely depending on the environment requirements. It is typical to find values ranging from a few dozen of minutes to a few weeks. When half of the lease time expired, the device starts to try get in touch with the DHCP server to renew the lease.

    Clients initially asking for the attribution of an IP address start by broadcasting a DHCP DISCOVER message.

    A typical DHCP exchange is as follow:

    Typical DHCP exchange

    1. DISCOVER: The client without IP address configured …


  5. MAC address table overflow

    Published: Wed 25 October 2017 in Cookbook.
    A step-by-step guide to practical MAC address table overflow exploitation and protection.

    The main practical difference between a legacy hub and a switch is that the switch will do its best to forward ethernet frames only on the port allowing to reach the recipient, it won’t blindly forward everything everywhere as as a dumb hub would do.

    To achieve this, upon reception of a frame the switch stores the senders MAC address associated to its input port in an internal memory, usually implemented as a CAM table. Thanks to this information, would a packet have the same address as recipient, the switch will now forward this packet only to this port and not the other ones.

    I already wrote a more focused article on MAC table overflow within the context of GNS3 simulated environments, which resulted in patch being submitted upstream and initiated the development of the macof.py tool. The original article is available here.

    In this article I detailed …


  6. macof.py is now available

    Published: Wed 25 October 2017 in Projects.

    macof.py is a MAC address table overflow utility.

    The traditional tool for MAC table overflow attacks is macof from the dsniff project. However I was not satisfied with this tool.

    In particular:

    • macof has no rate limit mechanism, it sends the packets as fast as the local CPU and the network adapter can support it.

      This leaves no room for a proper interception of users data.

    • Half of the packets generated by macof violates the Ethernet protocol by having the multicast bit set on the sender’s MAC address.

      As a result, these packets are considered corrupted and silently dropped by the first encountered switch.

      In other words, half of the packets generated by macof are generated for nothing.

    • macof constantly uses random MAC addresses for generated packets, meaning that a given source MAC address is rarely used more than once.

      This means that switches’ MAC table aging system …


  7. Spanning Tree Protocol exploitation

    Published: Mon 16 October 2017 in Cookbook.
    How an attacker can take advantage of STP, and how to prevent this.

    As we saw in the previous post, Wireshark revealed us the presence of STP messages.

    The Spanning Tree Protocol is used to detect topology loops and build the most efficient forwarding path between interconnected switches. Topology loops are not a mistake but a way to add redundancy to a topology. Would a link break, the STP protocol detects it and recalculate a new most efficient tree.

    In sane networks, access ports should not deliver STP messages to end-devices, but this is not the default and, as Wireshark told us, not the case in our lab. This lets the attacker the possibility to simulate a topology change by sending maliciously crafted STP messages.

    For this lab we will need at least the User_1 and Server_1 devices to be available:

    STP lab topology

    Warning

    The support of STP in the IOU images I tested was very buggy, STP port state was ignored and frames systematically …


  8. Practical network layer 2 exploitation: passive reconnaissance

    Published: Thu 12 October 2017 in Cookbook.
    Network layer 2 practical offensive and defensive security: listen and learn from network's white noise.

    This post is part of a series about practical network layer 2 exploitation.

    Now is the time to change your network administrator hat for the attacker one. Your own, known network now becomes an unfamiliar target.

    Before rushing and banging against the nearest devices, it may wiser to just stand back and listen.

    On switched networks, users are somewhat isolated from each other thanks to the separation of collision domains. All that remain is some kind white noise… but this white noise in itself can bring invaluable information to an attacker!

    In particular we will see how, simply by passively listening to this white noise, an attacker will be able to detect several weaknesses affecting the network and plan his next steps.

    In this lab no interaction will occur with either the Admins or the Servers VLANs, the User_1 workstation will be required only for the DHCP Discover messages part …


  9. Practical network layer 2 exploitation: introduction

    Published: Tue 10 October 2017 in Cookbook.
    Network layer 2 practical offensive and defensive security: setting-up the lab.

    This post initiates a series demonstrating network layer 2 exploitation and protection techniques from practical point-of-view.

    This series will rely on the following topology (click to enlarge):

    Layer 2 exploitation lab topology

    This topology is composed of three VLANs:

    • Users (VLAN 1) and Admins (VLAN 2) both contain end-user workstations, they are isolated from each other.
    • Both can access machines located in Servers (VLAN 3).

    The attacker is connected to the Users VLAN.

    In this series we will see how the attacker can leverage various layer 2 configuration weaknesses to disrupt the network, hop from one VLAN to another, and intercept users communication, independently of their location in the topology.

    We will limit ourselves to basic techniques as an attempt to demonstrate that pwning a insufficiently secured network doesn’t involve any high technology or knowledge. When appropriate we will also see how the attacks can be generalized to other real-life scenarios.

    Creating the topology …


  10. EC-Council CEH certification review

    Published: Wed 04 October 2017 in Opinions.
    Updated: Fri 06 October 2017 (Added a note about Metasploit)
    Facts, advices and personal impressions on the EC-Council CEH certification.

    The five Ws

    • What: The EC-Council Certified Ethical Hacker (CEH) is a technical certification on penetration testing.

      While being oriented toward technical people, the certification itself goes lightly on the practical side but insists instead on having a broad general culture. This certification covers definitions, concepts, tools, as well as a strong focus on ethic.

      This certification never go really deep in any subject, but instead attempts to cover the widest possible range of topics related to pentesting. Example of covered topics include cryptography, regulation and compliance, operating systems (client, server and mobile systems are all covered), networking (including wireless networking), procedures, code review, physical security, social engineering and, last but not least, ethic.

    • When: This certification has no prerequisite (a two years experience in IT security allows to avoid the training requirement, but subscribing to an approved training removes any experience prerequisite).

      It is suitable for anyone interested …


Pages: 1 2

Popular tags see all

Website

Author

Follow