Group51.org

Mutillidae SQL errors in Metasploitable 2

The Metasploitable virtual machine is an intentionally vulnerable version of Ubuntu Linux designed for testing security tools and demonstrating common vulnerabilities. The Mutillidae web application (NOWASP (Mutillidae)) contains all of the vulnerabilities from the OWASP Top Ten plus a number of other vulnerabilities such as HTML5 web storage, forms caching, and click-jacking.

After attempting to perform a simple SQL injection on the Mutillidae login page, I received this error:

[Screenshot: sql_error]

It appears that the table ‘metasploit.accounts’ doesn’t exist. After going through the comments section of a video posted by noref jell, it turns out the error is caused by a misconfiguration in the /var/www/mutillidae/config.inc file.

The database variable in the config.inc file must be changed to ‘owasp10’ as shown below:

[Screenshot: fix]

From there, simply reset the database from the web front end of Mutillidae:

[Screenshot: reset_DB]


Happy Hacking!



Make Password Policies Work for You (Attacker)!

This isn’t anything new, so some of you may already know most of what I’m going to be talking about, but for those who don’t, hopefully you find this information useful.

I’ve noticed that a lot of people, when attacking authentication, whether it’s with Medusa, Hydra, JtR, or whichever tool, tend to throw the biggest dictionary they can find at it and wait until something pops up. It’s not that this method doesn’t work, but it takes forever, and sometimes you just don’t have the time or cycles to spare. Rainbow tables aside, what I’m getting at is that you can cut down your dictionary size and create a custom wordlist for your specific target, and with this I think you’ll find much quicker success.

Ways of going about this are pretty straightforward. If you happen to know the password policy for your target organization, say they require numbers, capital letters, or even some special characters, you can really narrow down your wordlist. Even further, if you know (and sometimes can easily guess) where exactly the number or capital letter sits in the password, you can use something like masks in Hashcat, which I’ll get to in a bit, to really beef up the effectiveness of your wordlist and overall attack. One example of a way to find information about such a policy is rpcclient (provided in BackTrack):

root@bt:~# rpcclient -U ""
Enter 's password:
rpcclient $> enumdomusers
...
user:[bob] rid:[0xbba]
...
rpcclient $> getusrdompwinfo 0xbba
min_password_length: 0
&info.password_properties: 0x88a05584 (2292209028)
0: DOMAIN_PASSWORD_COMPLEX
0: DOMAIN_PASSWORD_NO_ANON_CHANGE
1: DOMAIN_PASSWORD_NO_CLEAR_CHANGE
0: DOMAIN_PASSWORD_LOCKOUT_ADMINS
0: DOMAIN_PASSWORD_STORE_CLEARTEXT
0: DOMAIN_REFUSE_PASSWORD_CHANGE

Nothing too crazy here, but more information can’t hurt. Another tool that I’ve found plenty useful is CeWL, a custom word list generator created by Robin Wood (@digininja). Just point it at your target website, give it whichever options you want, such as spidering further through links, and it will crawl the page(s) and feed you a potentially very useful dictionary. From its README:

Based on a discussion on PaulDotCom about creating custom word lists by spidering a target’s website and collecting unique words, I decided to write CeWL, the Custom Word List generator. CeWL is a Ruby app which spiders a given URL to a specified depth, optionally following external links, and returns a list of words which can then be used for password crackers such as John the Ripper.

This tool is great, although it will grab some extra bits that don’t necessarily belong in your wordlist, so it can require some editing before you fire it off against your target.

When it comes to cracking hashes you’ve obtained through a vulnerable webapp, for instance, Hashcat is a fantastic tool. It allows you to create masks and custom rule sets so you can really fine-tune your attack. oclHashcat takes advantage of your GPUs, so if you really want to get flying, that’d be the way to go; however, the rule sets for oclHashcat are somewhat limited compared to what Hashcat is capable of. Hashcat’s arsenal is way beyond the scope of this article, but you should really check out Martin Bos’s (@purehate_) talk “Why Your Password Policy Sucks”. It’s more of an overall password talk, but he does touch a bit on Hashcat. One last tip: using oclHashcat will obviously tie up your GPUs, as it’s supposed to, but you could then throw JtR in as well to take advantage of your idle CPU.
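To tie the rpcclient output above to the policy-driven wordlist and mask idea, here is an added Python example (my own code, not from the original post, rpcclient or Hashcat): it decodes the password_properties bitmask using the MS-SAMR DOMAIN_PASSWORD_* bit values (an assumption, not values printed in the post), keeps only the wordlist entries the domain policy would actually have accepted, and expresses each survivor as a Hashcat mask so you can see which shapes a password audit should cover. The rpcclient text is a constructed sample shaped like the one in the post.

```python
import re

# DOMAIN_PASSWORD_* bit values from MS-SAMR (assumption: standard constants
# rather than values taken from the post; rpcclient prints the same names).
PASSWORD_PROPERTIES = {
    0x01: "DOMAIN_PASSWORD_COMPLEX",
    0x02: "DOMAIN_PASSWORD_NO_ANON_CHANGE",
    0x04: "DOMAIN_PASSWORD_NO_CLEAR_CHANGE",
    0x08: "DOMAIN_PASSWORD_LOCKOUT_ADMINS",
    0x10: "DOMAIN_PASSWORD_STORE_CLEARTEXT",
    0x20: "DOMAIN_REFUSE_PASSWORD_CHANGE",
}

# Constructed sample of getusrdompwinfo output, shaped like the post's.
SAMPLE_PWINFO = """min_password_length: 0
&info.password_properties: 0x88a05584 (2292209028)
"""

def parse_pwinfo(text):
    """Pull the minimum length and decoded property flags out of rpcclient output."""
    min_len = int(re.search(r"min_password_length:\s*(\d+)", text).group(1))
    raw = re.search(r"password_properties:\s*(0x[0-9a-fA-F]+)", text).group(1)
    props = int(raw, 16)  # only the low bits carry the DOMAIN_PASSWORD_* flags
    flags = {name for bit, name in PASSWORD_PROPERTIES.items() if props & bit}
    return {"min_length": min_len, "flags": flags}

def meets_policy(word, policy):
    """Length rule plus, when DOMAIN_PASSWORD_COMPLEX is set, the Windows
    complexity rule: at least three of upper, lower, digit, special."""
    if len(word) < policy["min_length"]:
        return False
    if "DOMAIN_PASSWORD_COMPLEX" in policy["flags"]:
        classes = [any(c.isupper() for c in word), any(c.islower() for c in word),
                   any(c.isdigit() for c in word), any(not c.isalnum() for c in word)]
        if sum(classes) < 3:
            return False
    return True

def hashcat_mask(word):
    """Describe a word's shape with Hashcat's ?u ?l ?d ?s charset tokens."""
    return "".join("?u" if c.isupper() else "?l" if c.islower()
                   else "?d" if c.isdigit() else "?s" for c in word)

def filter_wordlist(words, policy):
    """Keep only candidates the domain policy would actually have accepted."""
    return [w for w in words if meets_policy(w, policy)]
```

With the sample above (min length 0, only DOMAIN_PASSWORD_NO_CLEAR_CHANGE set) nothing is filtered out, which is exactly the "nothing too crazy" case from the post; a domain with DOMAIN_PASSWORD_COMPLEX and a minimum length is where the filter earns its keep.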


From $NATION_STATE, With Love

Next-Gen! APT! Cloud! Big Data! - Sorry, had to do it ;) If you haven’t already, now’s the time to come out and say it. Whether it was Russia, Nigeria, or the ever-so-popular China, everyone is crying APT.

So, about a week ago, Mandiant came out with their report for the NY Times on APT1, packed with evidence of China committing corporate espionage. Which is all well and good, except now the media has picked it up and is all “Holy $@^%#!!! The Chinese are stealing our secret sauce!” That’s right, they are. And so is the US. And Russia. And Israel. And every other country…

Again, this isn’t a bash on Mandiant, more so the media and those who’ve apparently had their heads stuck in the sand for the past few decades. The real issue, which was discussed on the recent Cloak & Swagger podcast (which is a pretty good show, I recommend a listen), is that when a nation state is involved, a lot of people wait for the government to respond before they act. Why? Look at how you were popped. SQLi? Phishing? Still running critical assets on Windows 2000? You can do something about this without the government stepping in!

To keep this short, here’s the main take-away: cover the basics before focusing on attribution. Does it really matter whether it was Russia or China or the kid down the street that popped you with default credentials? Don’t get me wrong, knowing your attacker is incredibly useful information at a certain level. However, if you’re an organization without a patch policy, knowing for certain (which is another issue in itself) that the person firing exploits at your systems lives in China isn’t going to do all that much for you.


What’s On Your Home Network?

Times have changed since the days of dial-up modems and a single hardwired internet-connected computer in the home. Tablets, phones, media devices, internet TV devices, laptops, netbooks, appliances… there’s a lot happening on the home network. While it’s easy to do a quick audit of IPs or MAC addresses, are you aware of all the open ports? Even better, are you aware of all the vulnerabilities that may be lingering on each device?

The Nessus vulnerability scanner is a great tool (free for home use) to really get an idea of what’s going on. It will provide an in-depth report of not only what’s on your network but what vulnerabilities exist. It will even rate each item it identifies so you can prioritize your efforts based on severity.

Repurpose that old desktop in the basement collecting dust and create yourself a spiffy security box.

Download: HERE

Here’s a screen cap:

[Screenshot: nessus vulnerability scanner]


Run a scan on your network and tell us about any surprises you find.


Clean Up

So, yes, we’re gonna clean this place up a bit and make it more practical and useful for everyone. No more forums or shoutbox. This will hopefully cut down on clutter and help us stick to pure, quality content. We’ll be sticking to a blog, posting articles on what we find interesting whether it’s opinions or tech articles. Also, if you’d like to hang out, you can find us in #Group51 on Freenode ;)