Archive for the 'Projects' Category

Targeted Web Attacks

Part 2 of Social Networks the New Fingerd
Author david.kierznowski_at_gmail.com
http://michaeldaw.org

1. Introduction

I recently released an article titled “Social Networks the New FingerD”. That article gave an example of using LinkedIn for passive username enumeration. This article discusses using search engines and OpenPGP key servers as additional enumeration resources. None of these ideas are new, but in my opinion they deserve a bit more light, especially in view of RSnake’s recent XSS Top Vulnerability post.

2. Purpose
At the moment XSS attack scenarios are very broad: XSS to create a botnet, to propagate a worm, and so on. There is no real direction toward actual focused XSS exploitation. In theory one could own the continent(s) and then filter out specific targets, but let's face it, this is probably not the smartest thing to do.

3. The How?
My initial thoughts on targeted Web attacks “from the Internet” include some of the following ideas:

Backdooring the Company Homepage
Many users have their browser’s default (or startup) page set to the company website. However, this may not work in some cases, as internal users often connect to an Intranet website rather than an Internet website. Another solution to this problem may be to backdoor another website associated with the company (i.e. company webmail or a Citrix Gateway).

Information Gathering Attacks
In most cases, specific exploitation requires foreknowledge of our target. For example, Jane Daw works at company X as a legal secretary. Once this information is known, any number of “specific” attacks can be launched. These attacks can occur via HTTP, email, social engineering and password brute forcing, to name a few.

Over the last month, pdp (architect) and I (was that the right way round, can never remember) have been working on backdooring a number of web technologies. So far our list includes:
* Web Pages
* Flash
* Quicktime
* PDF
* MP3 (Although this uses Quicktime)

So the question still remains, what web resources do we have available to us to passively enumerate users within an organisation?

We have already discussed using Social Networks such as LinkedIn. Two other possibilities are as follows:
* Public Key Servers
* Search Engines

3.1 Public Key Servers

Public key servers provide a single repository for users to store their public keys on the Internet. This allows two parties to exchange encrypted email easily without having to hassle the recipient for their public key.

This service is an excellent resource for enumerating employee details within an organisation.

Example search for google.com using http://keyserver.veridis.com:11371:

--snip--
 Results 1 - 30 of about 41 for google.com. (0.019 seconds)
	Key(s) 	Key ID 	Size 	Creation 	Expiration

*hidden* *hidden*@google.com 	0x4F79C91B 	4096/1024 	2006/06/13 	2011/06/12
*hidden* *hidden*@google.com 	0x8475A4CF 	2048/1024 	2001/05/07 	Never
*hidden* *hidden*@google.com 	0x9038F60E 	2048/1024 	2001/02/20 	Never
*hidden* *hidden*@google.com 	0xE617F27A 	1024 	2005/07/13 	2006/07/13
*hidden* *hidden*@inodes.org 	0xD02F8773 	1024/1024 	2000/03/08 	Never
*hidden* *hidden*@google.com	0x20C9885A 	2048/1024 	2005/10/12 	Never
*hidden* *hidden*@red-bean.com 	0xEC6B5156 	1024/1024 	1998/11/09 	Never
*hidden* *hidden*@google.com 	0x4E844EF3 	1024 	2005/07/27 	2006/07/26
*hidden* *hidden*@google.com 	0x2349D344 	2048/1024 	2005/12/06 	2007/12/06
*hidden* *hidden*@google.com 	0x438046E4 	2048/1024 	2005/12/12 	Never
--snip--

3.2 Search Engine

Search engines, when used correctly, can yield very sensitive information. For more information on this see: http://johnny.ihackstuff.com/.

4. Tools

I was thinking about writing a tool to automate these checks; however, when bouncing the idea off pdp (architect), I found he had already done the work.

His tool is a little outdated but provides support for both Google and OpenPGP checks. It can be found at the following URL:
http://www.gnucitizen.org/projects/met/

ASP Auditor v2 BETA

Author david.kierznowski_at_gmail.com
http://michaeldaw.org

Purpose: look for common misconfigurations and information leaks in ASP.NET applications.

# Changelog:
# --v2.2-- 20/Apr/07
# * Added additional support for Anti-XSS Validation detection.
# * Added ASP Source Directory Leak Check
# * Added Apr/07 ASP.NET Validation Bypass Check
#
# --v2.1-- 25/Sep/06
# * GET /Trace.axd often leaks ASP.NET version when other methods fail.
# * Fixed "?" bug in JavaScript Validate test
# * Added Version into usage()
#
# --v2.0-- 16/Sep/06
# * Version plugin allowing specific ASP.NET versioning.
# * Version brute force capabilities using JavaScript validate
# directories.
# * Check if global ASP.NET validate is being used.
# * Added brute force function and option in usage()

This tool is based on H D Moore’s Dot Net Application Scanner
Author: H D Moore <hdm_at_digitaloffense.net>
URL: http://www.digitaloffense.net/index.html?section=TOOLS

Credits:
HDM thanks for the feedback.

--usage
$ ./asp-audit-latest.pl

Usage:   ./asp-audit-latest.pl [http://target/app/file.aspx] (opts)

        (opts)
            -bf brute force ASP.NET version using JS Validate
            directories.

--example 1
$ ./asp-audit.pl http://www.*hidden*/index.aspx
[*] Sending initial probe request...
[*] Sending path discovery request...
[*] Sending ASP.NET validate discovery request...
[*] Sending application trace request...
[*] Sending null remoter service request...

[ .NET Configuration Analysis ]

  Server   -> Microsoft-IIS/6.0
  Application   -> /
  FilePath   -> D:\VirtualServers\*hidden*
  ADNVersion   -> 1.1.4322.2300

  matches -> 1.1.4322.2300 Version 1.1 Post-SP1 (Windows Server 2003 SP1)  Mar 2005

--example 2
$ ./asp-audit.pl http://www.*hidden*/index.aspx -bf
[*] Sending initial probe request...
[*] Sending path discovery request...
[*] Sending ASP.NET validate discovery request...
[*] Sending application trace request...
[*] Sending null remoter service request...

[ .NET Configuration Analysis ]

    Server  -> Microsoft-IIS/6.0
    AppTrace  -> LocalOnly
    Application  -> /
    FilePath  -> D:\inetpub\*hidden*
    ADNVersion  -> 1.1.4322.2300

    matches -> 1.1.4322.2300 Version 1.1 Post-SP1 (Windows Server 2003 SP1)  Mar 2005

[*] Sending brute force discovery requests...
        Found -> /aspnet_client/system_web/1_1_4322

The tool can be downloaded here:
http://michaeldaw.org/projects/asp-audit-latest.tar.gz

ASP Auditor v1.0 BETA

Author: David Kierznowski (david.kierznowski_at_gmail.com)
http://michaeldaw.org/projects/

PLEASE NOTE THIS V1.0 IS DEPRECATED.
Please see the following link for the latest information regarding this tool: http://michaeldaw.org/projects/asp-auditor-v2/

The purpose of ASP Auditor is to identify vulnerable and weakly configured ASP.NET servers.

Usage:
$ ./asp-audit.pl
ASP Audit v1.0 (BETA) [ david.kierznowski@gmail.com ]
        Usage:   ./asp-audit.pl (opts) [host] [port]

        (opts)
            -h these usage instructions
            -b brute force ASP.NET version using JS Validate
            directories.
            -m match against fingerprints
            -v verbose messaging

Some examples can be seen below:

$ ./asp-audit.pl labs.microsoft.com
Target: labs.microsoft.com
Server Software: Microsoft-IIS/6.0
ASP Framework: YES
ASP Simple Version: 2.0.50727
ASP Specific Version: Unknown
ASP verbose messages: No
ASP Validate: No
Default Error Messages: No

$ ./asp-audit.pl -m labs.microsoft.com
Target: labs.microsoft.com
Server Software: Microsoft-IIS/6.0
ASP Framework: YES
ASP Simple Version: 2.0.50727
ASP Specific Version: Unknown
ASP verbose messages: No
ASP Validate: No
Default Error Messages: No

Fingerprint matches:
2.0.50727.07    Version 2.0 (Visual Studio.NET 2005 CTP)        Aug 2005
2.0.50727.26    Version 2.0 (Visual Studio.NET 2005 RC / SQL Server 2005 CTP)  Sep 2005
2.0.50727.42    Version 2.0 RTM (Visual Studio.NET 2005 RTM / SQL Server 2005 RTM)      Nov 2005

$ ./asp-audit.pl *hidden*
Target: *hidden*
Server Software: Microsoft-IIS/6.0
ASP Framework: YES
ASP Simple Version: Unknown
ASP Specific Version: Unknown
ASP verbose messages: No
ASP Validate: No
Default Error Messages: YES

$ ./asp-audit.pl -b *hidden*
Target: *hidden*
Server Software: Microsoft-IIS/6.0
ASP Framework: YES
ASP Simple Version: Unknown
ASP Specific Version: Unknown
ASP verbose messages: No
ASP Validate: No
Default Error Messages: YES

Found: aspnet_client/system_web/1_1_4322
Found: aspnet_client/system_web/2_0_50727

The tool can be downloaded here:
http://michaeldaw.org/projects/asp-audit-v1BETA.tar.gz
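As an added example (not part of either ASP Auditor post and not the tool's own code), here is a Python check of the web.config settings that sit behind the leaks the v1 and v2 output above reports: a remotely readable Trace.axd (AppTrace), detailed error pages that disclose the physical path (Default Error Messages, FilePath), the X-AspNet-Version response header (ADNVersion) and request validation (the Anti-XSS Validation check). The mapping from tool output to settings is my reading of the output, and the two config fragments are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed web.config fragments (not from the posts): a leaky configuration and its hardened form.
WEAK_CONFIG = """<configuration>
  <system.web>
    <trace enabled="true" localOnly="false" />
    <customErrors mode="Off" />
    <httpRuntime enableVersionHeader="true" />
    <pages validateRequest="false" />
  </system.web>
</configuration>"""

HARDENED_CONFIG = """<configuration>
  <system.web>
    <trace enabled="false" localOnly="true" />
    <customErrors mode="RemoteOnly" defaultRedirect="~/error.aspx" />
    <httpRuntime enableVersionHeader="false" />
    <pages validateRequest="true" />
  </system.web>
</configuration>"""

def _setting(root, element, name, default):
    """Read attribute `name` of <system.web>/<element>, falling back to ASP.NET's own default."""
    system_web = next((c for c in root if c.tag == "system.web"), None)
    elem = None
    if system_web is not None:
        elem = next((c for c in system_web if c.tag == element), None)
    value = elem.get(name, default) if elem is not None else default
    return value.lower()

def audit_web_config(xml_text):
    """Return one finding per setting that exposes something the tool output above reports."""
    root = ET.fromstring(xml_text)
    findings = []
    # AppTrace: Trace.axd answers remote clients only when tracing is on and not local-only.
    if (_setting(root, "trace", "enabled", "false") == "true"
            and _setting(root, "trace", "localOnly", "true") != "true"):
        findings.append("trace: Trace.axd readable remotely; set enabled=false or localOnly=true")
    # Default Error Messages / FilePath: mode=Off sends stack traces and paths to remote clients.
    if _setting(root, "customErrors", "mode", "RemoteOnly") == "off":
        findings.append("customErrors: detailed errors shown to remote clients; set mode=On or RemoteOnly")
    # ADNVersion: the X-AspNet-Version header is emitted unless it is switched off here.
    if _setting(root, "httpRuntime", "enableVersionHeader", "true") == "true":
        findings.append("httpRuntime: X-AspNet-Version header leaks the build; set enableVersionHeader=false")
    # Anti-XSS Validation: request validation is on by default and can be disabled site-wide here.
    if _setting(root, "pages", "validateRequest", "true") != "true":
        findings.append("pages: request validation disabled site-wide; set validateRequest=true")
    return findings
```

Note that a web.config with no <system.web> settings at all still produces the version-header finding, because that header is on by default.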

Awakening the Sleeping Giant v1.0

Demystifying Cross Site Scripting Attacks
Author: David Kierznowski (david.kierznowski_at_gmail.com)
http://michaeldaw.org/projects/

Table of contents:
1.0 Introduction
2.0 Summary of paper
3.0 Entry nodes (Where)
4.0 Capabilities (Why)
5.0 Exploits (How)
6.0 Tools

1.0 Introduction:

I assume the person reading this paper will know what XSS is. This paper attempts to demystify and categorise current XSS entry nodes, attack capabilities and trends.

This paper was put together fairly quickly on a Saturday afternoon. I do not attempt to give an in-depth analysis of anything; that is what Google is for. This paper is an initial attempt to categorise and track XSS in general.

XSS attacks are gaining popularity quickly. There are loads of vulnerabilities waiting to be found. It can be simple, yet difficult to prevent. It can propagate around the Internet in hours, exploit internal or private networks, and offers the ability to manipulate web services for fun and profit without compromising a single system.

Feedback and corrections (if any) are most certainly welcome and encouraged. I doubt I covered everything in an hour and I doubt I would in 100.

2.0 Summary of paper

2.1 Entry Nodes
* CSS - Cascading Style Sheets
* RSS readers - RSS XSS (Sounds good)
* Flash (possibly AFLAX), ActiveX etc.
* Files - Image or other
* Phishing Attacks and other human related weaknesses
* Dynamic HTML in general including HTML tags and the DOM

2.2 Capabilities
* Internal IP address leakage
* Network Sweeping
* Port Scanning
* Browser plug-in detection
* Retrieving browser history
* Cross domain forgery
* XSS for fun and profit

2.3 Exploits
* Information theft
* Operating system exploitation
* URL based exploits
* Browser Plugin Exploitation
* Worms and Trojans
* Brute force attacks
* Botnets

2.4 Tools
* http://www.gnucitizen.org/projects/attackapi

-- END of Summary

3.0 Entry nodes
3.1 Applications with insufficient input validation

3.1.1 CSS - Cascading Style Sheets
Eg: MySpace worm http://namb.la/popular/tech.html

3.1.2 RSS readers - RSS XSS (Sounds good)
http://www.spidynamics.com/assets/documents/HackingFeeds.pdf#search=%22rss%20injection%22

3.1.3 Flash (possibly AFLAX), ActiveX etc.
http://www.cgisecurity.com/lib/flash-xss.htm

3.1.4 Files - Image or other
It's definitely a possibility, but I haven't seen it used.

3.1.5 Phishing Attacks and other human related weaknesses
http://www.antiphishing.org/Evolution%20of%20Phishing%20Attacks.pdf#search=%22phishing%20attacks%20and%20xss%22

3.1.6 Dynamic HTML in general including HTML tags and exploiting the DOM
eg: <script>alert(document.cookie)</script>
http://ha.ckers.org/xss.html

4.0 Capabilities (Information Available via XSS):
Internal IP address leakage
Network Sweeping
Port Scanning
Browser plug-in detection
Retrieving browser history
Cross domain forgery
XSS for fun and profit

5.0 Exploits:

5.1 Information theft
Stealing Cookies, login credentials, banking information etc.
http://jehiah.com/archive/xss-stealing-cookies-101

5.2 Operating system exploitation:
eg: http://p.ulh.as/xploitsdb/NT/6078.html

5.3 URL based exploits:
Attacking routers, firewalls etc
eg: /cisco/level/99/show/running/config

5.4 Browser Exploits
http://bcheck.scanit.be/bcheck/index.php

5.5 Browser Plugin Exploitation
http://ha.ckers.org/blog/20060823/detecting-firefox-extentions/

5.6 Worms
Manipulating web services
eg: MySpace worm

5.7 Brute force attacks
5.8 Cross Site forgery
http://en.wikipedia.org/wiki/Cross-site_request_forgery

5.9 Botnets

6.0 Tools
http://www.gnucitizen.org/projects/attackapi
