Vulnerable by Design

Pentest lab. "Hacker" training. Deliberately insecure applications challenge thingys.

Call it what you will, but what happens when you want to try out your new set of skills? Do you want to compare results from a tool when it's used in different environments? What if you want to explore a system (one that it is legal to do so on!) that you have no knowledge of (because you didn't set it up!)...

If any of that sounds helpful, below is a small collection of different environments. Whether you want to go from "boot to root", "capture the flag", or just dig around and try the odd thing here and there, these will let you do so without getting in trouble for it!

Owning Windows (XP SP3 vs. Squid)

This screencast demonstrates hijacking applications while they are being downloaded from the Internet and replacing the program with a meterpreter agent instead. The files can be downloaded either by the target user or by another program (for example, self-updating programs).

The attacker takes control of the traffic with a "Man In The Middle" (MITM) attack and analyses it; if a requested file ends in ".exe", the request is redirected to the attacker's web server, which always replies with the agent under the originally requested filename, creating the illusion that it was the requested file.

Please note: Unlike the two previous videos, where the attacker was targeting programs/services that come with the Operating System, here the attacker pursues 3rd-party applications - or the process of trying to install them. The result is that more user interaction is needed than before, whereas before it was either very little (visit any web page) or nothing. Therefore the attacker needs the target to perform a certain action(s) (either willingly or unknowingly). The chosen attack could be carried out by a simpler method; however, this one was chosen with future posts in mind.

Sickfuzz v0.2

This video is a brief introduction to "fuzzing". The author, sickn3ss, requested a video to demonstrate his latest project, called sickfuzz. You can read what he has to say about it here.

Fuzzing is sending invalid, unexpected or random data to a program's inputs and watching what happens to the program in question. An example: let's say there is a question "Have you got milk?", which has the answers "Yes" or "No". What happens when you try "Maybe", "-1" or "[email protected]" instead? The program mishandling the input may crash it, leading to security issues such as (un)exploitable buffer overflows, Denial Of Service (DoS), etc.

"A fuzzer is a program which injects automatically semi-random data into a program/stack and detect bugs." ~ OWASP

Kioptrix - Level 2 (Injection)

Time for level 2! =) [See here for level 1]. Like before, Kioptrix is another "Vulnerable-By-Design OS" (like De-ICE, Metasploitable and pWnOS), with the aim to go from "boot" to "root" by any means possible.

This video demonstrates how code injected into a web page results in the machine becoming compromised. The attacker then explores the system for further information.


Kioptrix - Level 1 (Mod_ssl)

Kioptrix is another "Vulnerable-By-Design OS" (like De-ICE, Metasploitable and pWnOS), with the aim to go from "boot" to "root" by any means possible. This video demonstrates a well-known out-of-date issue in "mod_ssl". Because it wasn't too complex, I extended the video by removing the attacker from some log files.

Owning Windows (XP SP2 vs. Metasploit's Browser_autopwn)

This screencast starts off by carrying out a "Man In The Middle" (MITM) attack to inject traffic, making the target vulnerable to "Cross Site Scripting" (XSS), which is linked to Metasploit's "Browser_AutoPWN" feature.

Once the target is compromised, the attacker explores and exploits other devices attached to the internal network (pivoting). Finally, the attacker gains access to view the internal server via "Port Forwarding".

The attacker also installs backdoors into the network, allowing them to connect back at any stage.

Owning Windows (XP SP1 vs. Metasploit's Db_autopwn)

This guide shows how to set up PostgreSQL as the database to power Metasploit, which then leads on to using Metasploit's db_autopwn feature to carry out a collection of remote exploits in an attempt to gain access to the target system(s). If/when access has been gained, it shows a few basic things afterwards, such as:

  • Gathering information – OS, interfaces, privilege level, running processes, idle time, screenshots and keylogging
  • Cracking users' passwords – Finding passwords to access the system
  • Gaining shell access – Then transferring the meterpreter agent via TFTP
  • Handling multiple sessions – Which vulnerability to interact with
  • Process migration – Moving code into another process
  • Privilege escalation – Attempting to gain SYSTEM-level privileges
  • File management – Navigation, download/upload, editing and viewing files/folders
  • Program control – Executing and killing programs
  • Misc – Covering tracks and power management

January 2011 - FAQ

Hi fellow reader! *I'm still not used to writing 2011 yet!*

I know I haven't posted anything for a while until now. Life was/is busy, and what free time I had was limited to other things. Anyway. I'm back (for now at least!).

During my "silent" period, I have still been active script-wise, as I've been working on "wiffy" and recently started work on "evilGrade", so expect an update soon! Afterwards I plan to complete "SITM" (Script In The Middle) and "wordlists" (after which I'll push out some new dictionaries/wordlists).

Video-wise, I've had a few ideas and some people have given me suggestions – so over the next couple of weeks I'll be working on recording/editing them!

Anyway, to kick start this year I'm going to share:

  • Script: "wiffy v0.2" – this is what has been done so far... (Any feedback would be welcomed!)
  • Video: First of a series about using metasploit and attacking different OSs
  • Update: Fixed De-ICE (Level 1 - Disk 1 & Level 1 - Disk 2) as I got confused with the numbering when creating them.

Over the last year I keep getting asked a "few" common questions, so I'm going to answer most of them, here and now...

September 2010 - Scripts

Over the last month or so, I've been working on various scripts (new and old). Here is a quick update:

  • New: wiffy - Auto Wireless Key Cracker
  • New: SITM (Script In The Middle) - Replacement for "metasploit-FakeUpdate". Not 100% complete
  • New: Wordlist - Replacement for "dictionary". Not 100% complete
  • Updated: chap2asleap
  • Updated: fakeAP_pwn
  • Updated: evilDEB
  • Updated: evilGrade

Wiffy (v0.1)

A bash script to automate cracking WiFi networks! Supports WEP (client & client-less), WPA/WPA2, MAC filtering and hidden SSIDs, with the option of connecting afterwards.