Group51.org

Mutillidae SQL errors in Metasploitable 2

The Metasploitable virtual machine is an intentionally vulnerable version of Ubuntu Linux designed for testing security tools and demonstrating common vulnerabilities. The Mutillidae web application (NOWASP (Mutillidae)) contains all of the vulnerabilities from the OWASP Top Ten plus a number of other vulnerabilities such as HTML-5 web storage, forms caching, and click-jacking.

After attempting to perform a simple SQL injection on the Mutillidae login page I received this error:

sql_error

It appears that the table ‘metasploit.accounts’ doesn’t exist. After parsing the comments section of a video posted by noref jell the error is caused by a misconfiguration in the /var/www/mutillidae/config.inc file

The database variable in the config.inc file must be changed to ‘owasp10’ as shown below:

fix

From there simply reset the database form the web front end of mutillidae:

reset_DB

 

Happy Hacking!

 


Make Password Policies Work for You(Attacker)!

This isn’t anything new so some of you may already know the majority of what I’m going to be talking about, but for those who don’t hopefully you find this information useful.

I’ve noticed a lot of people, when attacking authentication, whether it’s with Medusa, Hydra, JtR, or whichever tool, tend to throw the biggest dictionary they can find at it and wait til something pops up. Now, it’s not that this method doesn’t work, but it takes forever and sometimes you just don’t have the time or cycles to spare. Other than using rainbow tables to speed up the process, what I’m trying to get at is that you can cut down your dictionary size and create a custom wordlist for your specific target and with this I think you’ll find much quicker success.

Ways of going about doing this are pretty straightforward. If you happen to know the password policy for your target organization, say, maybe they require numbers or capital letters or even some special characters, you can really narrow down your wordlist. Even further, if you know(and sometimes can easily guess) where specifically the number or capital letter resides in the password, you can easily use something like masks in Hashcat, which I’ll get to in a bit, to really beef up the effectiveness of your wordlist and overall attack. Just one example to find information regarding such a policy could be through using rpcclient(provided in Backtrack):

root@bt:~# rpcclient -U ""
Enter 's password:
rpcclient $> enumdomusers
...
user:[bob] rid:[0xbba]
...
rpcclient $> getusrdompwinfo 0xbba
min_password_length: 0
&info.password_properties: 0x88a05584 (2292209028)
0: DOMAIN_PASSWORD_COMPLEX
0: DOMAIN_PASSWORD_NO_ANON_CHANGE
1: DOMAIN_PASSWORD_NO_CLEAR_CHANGE
0: DOMAIN_PASSWORD_LOCKOUT_ADMINS
0: DOMAIN_PASSWORD_STORE_CLEARTEXT
0: DOMAIN_REFUSE_PASSWORD_CHANGE

Nothing too crazy here, but more information can’t hurt. Another tool that I’ve found plenty useful is CeWL, a custom word list generator created by Robin Wood(@digininja). Just point it at your target website, throw it whichever options you desire, such as spidering further through links and it will crawl the page(s) and feed you a potentially very useful dictionary. From its README:

Based on a discussion on PaulDotCom about creating custom word lists by spidering a targets website and collecting unique words I decided to write CeWL, the Custom Word List generator. CeWL is a ruby app which spiders a given url to a specified depth, optionally following external links, and returns a list of words which can then be used for password crackers such as John the Ripper.

This tool is great, although, it will grab some extra bits that don’t necessarily belong in your wordlist, so it can require some editing before you fire it off against your target.

When it comes to cracking hashes you’ve obtained through a vulnerable webapp, for instance, Hashcat is a fantastic tool. It allows you to create masks and custom rule sets so you can really fine-tune your attack. Also, oclHashcat takes advantage of your GPUs so, if you really want to get flying, that’d be the way to go however, the rule sets for oclHashcat are somewhat limited compared to what Hashcat is capable of. Hashcat’s arsenal is way beyond the scope of this article, but you should really check out Martin Bos(@purehate_) talk “Why Your Password Policy Sucks”. It’s more of an overall password talk, but he does touch a bit on Hashcat. One last tip, using oclHashcat will obviously tie up your GPUs as it’s supposed to, but now you could even throw JtR up to take advantage of your lonely CPU.


Fierce: Domain Scan

The first step in a successful penetration test, after receiving all of the proper authorizations, is gathering information about the corporation/organization. This step is also known as Reconnaissance. “Reconnaissance is the military term for exploring beyond the area occupied by friendly forces to gain vital information about enemy forces or feature of the environment for later analysis and/or dissemination.” Penetration Distributions, such as Backtrack and Backbox, offer tools that make this process a breeze. These tools include: TheHarvester, MetaGooFil, Maltego, and Fierce.

During this process an attacker can receive mountains of information using these tools. The more information gathered during recon will greatly assist in a pen test. Today I would like to share with you all my favorite recon tool, Fierce Domain Scan. Fierce Domain Scan is written by RSnake with input from id, Vacuum, and Robert E Lee and multithreading from IceShaman.

Fierce is a PERL script that quickly scans domains, usually in just a few minutes assuming there is no network lag. First it queries your DNS for the DNS servers of the target. It will then switch to using the target’s DNS server. Fierce then attempts to dump the Start of Authority records for the domain if that DNS server is misconfigured. Start of Authority records are a type of resource that indicates basic properties of the domain and the zone that the domain is in. The dump of the SOA record will more than likely fail so Fierce will then attempt to “guess” names that are common amongst different companies. The “guessing” process uses a list of names that the creators of Fierce have seen in the field of action and just in the wild. Next, if it finds anything on any IP address it will scan up and down a set amount (default 5) looking for anything else with the same domain names using reverse lookups. If it finds anything on any of those IPs it will recursively scan until it doesn’t find any more. This forms a looping process and the bigger domain ultimately grants a bigger return.

fierce

Fierce Domain Scan is simple to use. The most generic command you can supply is:

perl fierce.pl –dns google.com

This command will then connect to Google’s DNS servers and begin enumeration. For those who like to generate a report the command:

perl fierce.pl –dns google.com –file google.txt

google

Will pipe all of the output into a text file. Try this tool out and tell us what you think!

 

Source: http://ha.ckers.org/fierce/


From $NATION_STATE, With Love

Next-Gen! APT! Cloud! Big Data! - Sorry, had to do it ;) If you haven’t already, now’s the time to come out and say it. Whether it was Russia, Nigeria, or the ever-so-popular China, everyone is crying APT.

So, about a week ago, Mandiant came out with their report for the NY Times on APT1 packed with evidence of China committing corporate espionage. Which is all well and good, except now the media has picked it up and is all “Holy $@^%#!!! The Chinese are stealing our secret sauce!” That’s right, they are. And so is the US. And Russia. And Israel. And every other country…

Again, this isn’t a bash on Mandiant, more so the media and those who’ve apparently had their head stuck in the sand for the past few decades. The real issue, which was discussed on the recent Cloak & Swagger podcast(which is a pretty good show, I recommend a listen), is that when a nation state is involved, a lot of people wait for the government to respond before they act. Why? Look at how you were popped. SQLi? Phishing? Still running critical assets on Windows 2000? You can do something about this without the government stepping in!

To keep this short, here’s the main take-away: Cover the basics before focusing on attribution. Does it really matter whether it was Russia or China or the kid down the street that popped you with default credentials? Don’t get me wrong, knowing your attacker is incredibly useful information at a certain level. However, if you’re an organization without a patch policy, knowing for certain(which is another issue itself) that the person firing exploits off your system lives in China isn’t going to do all that much for you.


What’s On Your Home Network?

Times have changed since the days of dial up modem and single hardwired internet connected computers in the home.  Tablets, phones, media devices, internet tv devices, laptop, netbooks, appliances… there’s a lot happening on the  home network.   While it’s easy to do a quick audit of ip’s or mac addresses, are you aware of all the open ports?  Even better, are you aware of all the vulnerabilities that may be lingering with each device?

Nessus vulnerability scanner is a great tool (free for home use) to really have an idea of what’s going on.  It will provide an in-depth report of not only what’s on your network but what vulnerabilities exist.  It will even rate each item it identifies so you can prioritize your efforts based on the severity.

Repurpose that old desktop in the basement collecting dust and create yourself a spiffy security box.

Download: HERE

Here’s a screen cap:

nessus vulnerability scanner

 

Run a scan on your network and tell us about any surprises you find.


Clean Up

So, yes, we’re gonna clean this place up a bit and make it more practical and useful for everyone. No more forums or shoutbox. This will hopefully cut down on clutter and help us stick to pure, quality content. We’ll be sticking to a blog, posting articles on what we find interesting whether it’s opinions or tech articles. Also, if you’d like to hang out, you can find us in #Group51 on Freenode ;)