Saturday, March 31, 2012
MIR-ROR 2.0 released
MIR-ROR 2.0 has been released as the project has benefited from Jon Mark Allen's (ubahmapk) many contributions, giving MIR-ROR some much needed attention.
MIR-ROR, or Motile Incident Response - Respond Objectively, Remediate, is a command-line script specialized for security incident response. It calls specific Windows Sysinternals tools, as well as some other useful utilities, to provide live capture data for investigation.
You can easily enhance MIR-ROR to your liking with whatever command line tools you find useful.
As an incident response resource, we’ve found it indispensable.
Windows Sysinternals licensing prevents us from bundling the tools in a distribution package; you’ll have to retrieve them yourself. Download the complete Sysinternals Suite, along with the other utilities needed, and unpack them in a preferred directory on your system (for example C:\tools\MIR-ROR). Check fetch.txt for everything you need to download.
Please feel free to submit suggestions or fixes via Issue Tracker and we'll review potential updates for future releases.
You can read the complete ISSA Journal article, MIR-ROR: Motile Incident Response - Respond Objectively, Remediate, here.
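The pattern MIR-ROR implements (call a fixed list of live-capture tools in sequence and keep the results) is easy to reproduce in a few dozen lines. The following is an added example written for this post, not MIR-ROR's own code: it runs each collection command in order, stores the output in a case directory, and writes a manifest with a SHA-256 digest, timestamps and exit status per artifact so the capture can be verified later. The Sysinternals tool names are real, but the flags in the default list are assumptions to be checked against each tool's usage text, and a tool that is not on the PATH is recorded as missing rather than aborting the run.

```python
"""Minimal live-capture orchestrator in the spirit of MIR-ROR.

Added example, not MIR-ROR's own code. Runs a list of external collection
commands, stores each tool's output in a case directory and records a
SHA-256 digest, timestamps and exit status for every artifact in a JSON
manifest so the capture can be verified afterwards.
"""
import hashlib
import json
import shutil
import socket
import subprocess
import sys
from datetime import datetime, timezone
from pathlib import Path

# Illustrative collection list, roughly ordered by volatility (most volatile
# first). Tool names are Sysinternals utilities; the flags are assumptions
# and must be checked against each tool's own usage text before use.
DEFAULT_COLLECTION = [
    ("processes", ["pslist", "-accepteula", "-t"]),
    ("logged_on_users", ["psloggedon", "-accepteula"]),
    ("network_connections", ["tcpvcon", "-accepteula", "-a", "-n"]),
    ("open_handles", ["handle", "-accepteula", "-a"]),
    ("autostarts", ["autorunsc", "-accepteula", "-a", "*", "-c"]),
]


def _utcnow():
    return datetime.now(timezone.utc).isoformat()


def run_collector(name, argv, case_dir, timeout=300):
    """Run one collection command and return its manifest record."""
    record = {"name": name, "argv": argv, "started": _utcnow()}
    exe = shutil.which(argv[0])
    if exe is None:
        # Sysinternals cannot be bundled, so a missing tool is a normal
        # condition: note it and carry on with the rest of the capture.
        record["status"] = "missing"
        return record
    out_path = Path(case_dir) / f"{name}.txt"
    try:
        proc = subprocess.run([exe] + argv[1:], capture_output=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        record["status"] = "timeout"
        return record
    out_path.write_bytes(proc.stdout)
    record.update(
        status="ok" if proc.returncode == 0 else "error",
        exit_code=proc.returncode,
        output_file=str(out_path),
        sha256=hashlib.sha256(proc.stdout).hexdigest(),
        size=len(proc.stdout),
        stderr=proc.stderr.decode(errors="replace")[:500],
        finished=_utcnow(),
    )
    return record


def collect(case_dir, collection=DEFAULT_COLLECTION):
    """Run every collector in order, write manifest.json, return the records."""
    case_dir = Path(case_dir)
    case_dir.mkdir(parents=True, exist_ok=True)
    records = [run_collector(name, argv, case_dir) for name, argv in collection]
    manifest = {"created": _utcnow(), "host": socket.gethostname(), "artifacts": records}
    (case_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return records


def verify(case_dir):
    """Re-hash every stored artifact; return names whose digest no longer matches."""
    manifest = json.loads((Path(case_dir) / "manifest.json").read_text())
    tampered = []
    for rec in manifest["artifacts"]:
        if "sha256" not in rec:
            continue  # missing or timed-out tools produced no file
        digest = hashlib.sha256(Path(rec["output_file"]).read_bytes()).hexdigest()
        if digest != rec["sha256"]:
            tampered.append(rec["name"])
    return tampered


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "mirror_case"
    for rec in collect(target):
        print(f"{rec['name']:22} {rec['status']}")
```

Run it with a case directory as the only argument; extend DEFAULT_COLLECTION with whatever command-line tools you find useful, which is exactly how the post suggests enhancing MIR-ROR itself. The manifest plus verify() is what lets you show later that the captured output has not changed since collection.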
Sunday, March 11, 2012
More Mayhem with Pwn Plug
In my last post regarding Pwn Plug I discussed the features available to those of you who build your own with a Sheevaplug and Pwn Plug Community Edition.
Here I'll give you an overview of some of the additional pwntastic upside you'll benefit from should you choose to buy Pwn Plug Wireless, 3G, or Elite. Wireless gets you an external 1000mW USB ALFA, 3G offers an O2 E160, and Elite includes a 16GB SDHC card for extra storage (along with all the goodies you get with Wireless & 3G). All commercial versions include support and the Plug UI, which makes setup insanely simple. I configured the Pwn Plug I tested for 802.11 evil with the ALFA, as seen in Figure 1.
In the Pwn Plug UI (HTTPS over port 8443 by default) I clicked Basic Setup, then Evil AP Config. Figure 2 shows the AMIEVIL SSID coming to life.
This is a GUI configuration method for airbase-ng, specifically airbase-ng -P -C 30 -c 3 -e AMIEVIL -v mon0.
Then all you need to do is follow with Karmetasploit via ./msfconsole -r karma.rc and you're off. "Karmetasploit is a great function within Metasploit, allowing you to fake access points, capture passwords, harvest data, and conduct browser attacks against clients."
In addition to all the MSF3 functionality you'd expect, you can also utilize David Kennedy's Fast Track. I ran ./fast-track.py -i, selected 6. Exploits, then 7. mIRC 6.34 Remote Buffer Overflow Exploit. Figure 3 shows my Windows XP SP3 victim coming aboard for pwnzor.
With your Pwn Plug firmly established on your target network, your recon options are also endless with an 802.11 interface enabled. Figure 4 shows Kismet happily enumerating from the Pwn Plug.
So much fun, so little time. For those of you with penetration testing duties that include social engineering and red teaming tactics, I strongly suggest you explore the Pwnie Express site for yourself and the Pwn Plug options and features. You will not be disappointed.
Figure 1: Pwn Plug Wireless
Figure 2: Am I evil?
Figure 3: mIRC pwn
Figure 4: Kismet
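The flip side of the Evil AP configuration above is spotting it. An airbase-ng/Karmetasploit access point answers probe requests for whatever network a client asks about, and an evil twin beacons a managed SSID from a BSSID that is not in your inventory; both leave a signature in an ordinary wireless survey. The script below is an added example written for this post, not Pwnie Express or Kismet code. It parses a constructed survey log (one frame per line; the format, the BSSIDs and the authorised inventory are all made up for the example) and reports both conditions.

```python
"""Rogue access point triage from a Wi-Fi survey log.

Added example, not part of the original post or of any Pwnie Express
tooling. Parses constructed survey records (one frame per line) and flags
two things a Karma-style evil AP produces: a single BSSID answering probes
for many unrelated SSIDs, and a managed SSID served by a BSSID that is not
in the authorised inventory (an evil twin).
"""
import re
from collections import defaultdict

# Constructed sample log: timestamp, frame type, BSSID and SSID seen by a
# sensor. de:ad:be:ef:00:01 behaves like the AMIEVIL setup described above.
SAMPLE_LOG = """\
2012-03-11T10:00:01Z BEACON     bssid=00:aa:bb:cc:dd:01 ssid=CorpNet
2012-03-11T10:00:01Z BEACON     bssid=00:aa:bb:cc:dd:02 ssid=CorpNet
2012-03-11T10:00:02Z BEACON     bssid=00:aa:bb:cc:dd:03 ssid=CorpGuest
2012-03-11T10:00:05Z PROBE_REQ  bssid=ff:ff:ff:ff:ff:ff ssid=HomeWifi
2012-03-11T10:00:05Z PROBE_RESP bssid=de:ad:be:ef:00:01 ssid=HomeWifi
2012-03-11T10:00:06Z PROBE_REQ  bssid=ff:ff:ff:ff:ff:ff ssid=attwifi
2012-03-11T10:00:06Z PROBE_RESP bssid=de:ad:be:ef:00:01 ssid=attwifi
2012-03-11T10:00:07Z PROBE_REQ  bssid=ff:ff:ff:ff:ff:ff ssid=CorpNet
2012-03-11T10:00:07Z PROBE_RESP bssid=de:ad:be:ef:00:01 ssid=CorpNet
2012-03-11T10:00:08Z PROBE_RESP bssid=de:ad:be:ef:00:01 ssid=Starbucks
2012-03-11T10:00:09Z BEACON     bssid=de:ad:be:ef:00:01 ssid=AMIEVIL
2012-03-11T10:00:10Z PROBE_RESP bssid=00:aa:bb:cc:dd:01 ssid=CorpNet
"""

# Constructed inventory: authorised BSSIDs for each managed SSID.
AUTHORISED = {
    "CorpNet": {"00:aa:bb:cc:dd:01", "00:aa:bb:cc:dd:02"},
    "CorpGuest": {"00:aa:bb:cc:dd:03"},
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<kind>BEACON|PROBE_REQ|PROBE_RESP)\s+"
    r"bssid=(?P<bssid>[0-9A-Fa-f:]{17})\s+ssid=(?P<ssid>.*)$"
)


def parse_log(text):
    """Return a list of (timestamp, kind, bssid, ssid) for well-formed lines."""
    frames = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # malformed lines are skipped rather than aborting the run
            frames.append((m["ts"], m["kind"], m["bssid"].lower(), m["ssid"]))
    return frames


def find_karma_responders(frames, min_ssids=3):
    """BSSIDs that answer probes for at least min_ssids distinct SSIDs.

    A legitimate AP answers only for the networks it serves; a Karma-style
    AP answers for whatever the client asks about.
    """
    answered = defaultdict(set)
    for _, kind, bssid, ssid in frames:
        if kind == "PROBE_RESP":
            answered[bssid].add(ssid)
    return {b: sorted(s) for b, s in answered.items() if len(s) >= min_ssids}


def find_evil_twins(frames, authorised=AUTHORISED):
    """(ssid, bssid) pairs where a managed SSID is served by an unknown BSSID."""
    hits = set()
    for _, kind, bssid, ssid in frames:
        if kind in ("BEACON", "PROBE_RESP") and ssid in authorised:
            if bssid not in authorised[ssid]:
                hits.add((ssid, bssid))
    return sorted(hits)


if __name__ == "__main__":
    frames = parse_log(SAMPLE_LOG)
    for bssid, ssids in find_karma_responders(frames).items():
        print(f"Karma-style responder {bssid}: answers for {', '.join(ssids)}")
    for ssid, bssid in find_evil_twins(frames):
        print(f"Unauthorised BSSID {bssid} serving managed SSID {ssid}")
```

The Karma check keys on probe responses rather than beacons because that is the behaviour the -P flag buys the attacker: responding to every probe. The evil-twin check is only as good as the inventory behind it, so keep AUTHORISED in sync with your wireless controller.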
Thursday, March 01, 2012
toolsmith: Pen Testing with Pwn Plug
Prerequisites
4GB SD card (needed for installation)
Is just the way that we are tied in
But there's no one home
I grieve for you –Peter Gabriel
Introduction
As you likely know by now given toolsmith’s position at the back of the ISSA Journal, March’s theme is Advanced Threat Concepts and Cyberwarfare. Well, dear reader, for your pwntastic reading pleasure I have just the topic for you. The Pwn Plug can be considered an advanced threat and useful in tactics that certainly resemble cyberwarfare methodology. Of course, those of us in the penetration testing discipline would only ever use such a device to the benefit of our legally engaged targets.
A half year ago I read about the Pwn Plug when it was offered in partnership with SANS for students taking vLive versions of SEC560: Network Penetration Testing and Ethical Hacking or SEC660: Advanced Penetration Testing, Exploits, and Ethical Hacking. It seemed very intriguing, but I’d already taken the 560 track, and was immersed in other course work. Then a couple of months ago I read that Pwnie Express had released the Pwn Plug Community Edition and was even more intrigued, but I had a few things I planned to purchase for the lab before adding a Sheevaplug to the collection.
But alas, the small world clause kicked in, and Dave Porcello (grep) and Mark Hughes from Pwnie Express, along with Peter LaPlante, emailed to ask if I’d like to review a Pwn Plug.
The answer to that which you, dear readers, know to be a rhetorical question goes without saying.
Here’s the caveat. For toolsmith I’ll only discuss offerings that are free and/or open source. Pwn Plug Community Edition meets that standard, but the Pwnie Express team provided me with a Pwn Plug Elite for testing. As such, for this article, I will discuss only the features freely available in the CE to anyone who owns a Sheevaplug: “Pwn Plug Community Edition does not include the web-based Plug UI, 3G/GSM support, NAC/802.1x bypass.”
For those of you interested in a review of the remaining features exclusive to commercial versions, I’ll post it to my blog on the heels of this column’s publishing.
Dave provided me with a few insights including the Pwn Plug's most common use cases:
· Remote, low-cost pen testing: penetration test customers save on travel expenses, service providers save on travel time
· Penetration tests with a focus on physical security and social engineering
· Data leakage/exfiltration testing: using a variety of covert channels, the Pwn Plug is able to tunnel through many IDS/IPS solutions and application-aware firewalls undetected
· Information security training: the Pwn Plug touches on many facets of information security (physical, social & employee awareness, data leakage, etc.), thus making it a comprehensive (and fun!) learning tool
One of Pwnie Express’ favorite success stories comes from Jayson Street (The Forbidden Network) who was hired by a large bank to conduct a physical/social penetration test on ten bank branch offices. Armed with a Pwn Plug and a bit of social engineering finesse, Jayson was able to deploy a Pwn Plug to four out of four branch offices attempted against before the client decided to cut their losses and end the test early. In one instance, a branch manager actually directed Jayson to connect the Pwn Plug underneath his desk. Pwnie Express hopes the Pwn Plug helps illustrate how critical physical security and employee awareness are, and Jayson’s efforts delivered exactly that to his enterprise client.
Adrian Crenshaw (Irongeek) has Jayson’s Derbycon 2011 presentation video posted on his site. It’s well worth your time to watch it.
In addition to the Pwn Plug there is also the Pwn Phone, which is capable of full-scale wireless penetration testing. Penetration testers and service providers often utilize the Pwn Phone for proposal meetings and demonstrations as the "wow factor" is high. As with Pwn Plug, if you already own or can acquire a Nokia N900 you can download the community edition of Pwn Phone and get after it right away.
Pwn Plug compatibility is currently limited to Sheevaplug devices. There has been little demand so far for the Guruplug/Dreamplug form factors; the Guruplug hardware has a history of overheating, while the Dreamplug is quite bulky and flashy. Bulky and flashy do not equate to good resources for physical & social testing. The development team is working on a trimmed-down version of Pwn Plug for the $25 Pogoplug. Even though it only offers about half the performance and capacity of the Sheeva, with a larger board, it is only $25.
Figure 1 is a picture taken of the Pwn Plug I was sent for testing. You can see what we mean by the importance of form factor. It’s barely bigger than a common wall wart and you can use the included cord or plug it straight into the wall. Pwnie Express included a couple of sticker options for the Sheeva. I chose what looks to be a very typical bar code and manufacturer sticker that even has a PX part number. I chuckle every time I look at it.
Figure 1: Who, me?
With Sheevaplugs typically sporting a 1.2GHz ARM processor, 512M SDRAM, and 512M NAND Flash configuration, it’s recommended that you don’t treat the device like a work horse (no Fast-Track, Autopwn, or password cracking), but it’s crazy good for maintaining access in stealth mode, reconnaissance, sniffing, exploitation, and pivoting off to other victim hosts. Expect to find the 512M storage at about 70% of capacity after installation, but adding SD storage means you can add software within reason. Pwn Plug is Ubuntu underneath, so apt-get is still your friend.
The tool list for a device this small is impressive. Expect to find MSF3, dsniff, fasttrack, kismet, nikto, ptunnel, scapy and many others at your command, most of which can be called right from the prompt without changing directories.
Installation
To install Pwn Plug CE to a stock Sheevaplug, download the JFFS2 and follow the instructions. No need to reinvent the wheel here.
Pwning with PwnPlug
To ensure full understanding for those who may not think in evil mode or conduct penetration testing activity, here’s a quick executive summary followed by the longer play:
Sneak a Pwn Plug into a physical location and plug it in; properly configured, it phones home, allowing you reverse shell access via a number of possible stealth modes. You can then set up a variety of exploit activities and/or run scanners, or do specific social engineering activity such as I am about to demonstrate. The results are collected on the device and you can then retrieve them over the established shell access.
First, imagine the Pwn Plug hidden at the target site, lurking amongst all the other items usually plugged in to a power strip, hiding behind a desk in so innocuous a fashion so as to go easily undetected. Figure 2 will send you scurrying about your workplace to ensure there are none in hiding as we speak.
Figure 2: The Pwn Plug looking so innocent
I’ll walk through an extremely fun example with Pwn Plug, but first you’ll need to ensure access. Commercial Pwn Plug users benefit from the Plug UI, but those rolling their own with Pwn Plug CE can still phone home. Have a favorite flavor of reverse shell pwnzorship? Plain old reverse SSH is available, or shell over DNS, HTTP, ICMP, SSL, or via 3G if you have the likes of an O2 E160.
The supporting scripts for reverse shell on the Pwn Plug are found in /var/pwnplug/scripts.
On your SSH receiver (Backtrack 5 recommended) I suggest checking out the PwnieScripts for Pwnie Express from Security Generation. @securitygen even has a method for setting up reverse SSH over Tor. I configured the Pwn Plug for HTTP because who doesn’t allow HTTP traffic outbound?
Figure 3: Have shell, will pwn
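Whichever transport the plug phones home over, a reverse shell that polls its handler on a timer has one property the defender can measure: the gaps between connections from one internal host to one external endpoint are suspiciously regular. The script below is an added example written for this column, not Pwnie Express or PwnieScripts code. It parses constructed proxy-style log lines (the format, the external addresses and the timings are made up; the 192.168.248.23 address is the lab plug's from this article), groups connections by source and destination, and flags pairs whose inter-connection interval has a low coefficient of variation. The same analysis applies to DNS or ICMP channels given a log of those events.

```python
"""Beacon detection over an outbound connection log.

Added example, not from the original column. Groups constructed log lines
by (source, destination), measures the gaps between successive connections
and flags pairs whose gaps are both frequent and unusually regular, which is
what a timer-driven reverse shell looks like regardless of transport.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed log: the plug at .23 polls its handler roughly every 60 s with
# a little jitter, while the workstation at .50 browses at irregular times.
SAMPLE_LOG = """\
2012-03-01 09:00:00 192.168.248.23 -> 203.0.113.10:80 GET /poll
2012-03-01 09:00:12 192.168.248.50 -> 198.51.100.20:443 CONNECT
2012-03-01 09:00:13 192.168.248.50 -> 198.51.100.20:443 CONNECT
2012-03-01 09:00:40 192.168.248.50 -> 198.51.100.20:443 CONNECT
2012-03-01 09:01:01 192.168.248.23 -> 203.0.113.10:80 GET /poll
2012-03-01 09:01:59 192.168.248.23 -> 203.0.113.10:80 GET /poll
2012-03-01 09:03:00 192.168.248.23 -> 203.0.113.10:80 GET /poll
2012-03-01 09:04:02 192.168.248.23 -> 203.0.113.10:80 GET /poll
2012-03-01 09:04:59 192.168.248.23 -> 203.0.113.10:80 GET /poll
2012-03-01 09:05:07 192.168.248.50 -> 198.51.100.20:443 CONNECT
2012-03-01 09:06:00 192.168.248.23 -> 203.0.113.10:80 GET /poll
2012-03-01 09:07:01 192.168.248.23 -> 203.0.113.10:80 GET /poll
2012-03-01 09:15:30 192.168.248.50 -> 198.51.100.20:443 CONNECT
2012-03-01 09:16:02 192.168.248.50 -> 198.51.100.20:443 CONNECT
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<src>\S+) -> (?P<dst>\S+) (?P<req>.*)$"
)


def parse_log(text):
    """Return a list of (timestamp, src, dst) for each well-formed line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events.append((ts, m["src"], m["dst"]))
    return events


def score_pairs(events, min_connections=6):
    """Return {(src, dst): (count, mean_gap_s, cv)} for busy enough pairs.

    cv is the coefficient of variation of the gap between consecutive
    connections (population stdev / mean). A timer-driven beacon keeps cv
    small even with jitter; human browsing does not.
    """
    by_pair = defaultdict(list)
    for ts, src, dst in events:
        by_pair[(src, dst)].append(ts)
    scores = {}
    for pair, times in by_pair.items():
        if len(times) < min_connections:
            continue  # too few samples to say anything about regularity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        # identical timestamps (mean gap 0) are a burst, not a beacon
        cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
        scores[pair] = (len(times), round(mean, 1), round(cv, 3))
    return scores


def find_beacons(events, max_cv=0.2, min_connections=6):
    """Pairs whose connection interval is regular enough to look timer-driven."""
    return {
        pair: s
        for pair, s in score_pairs(events, min_connections).items()
        if s[2] <= max_cv
    }


if __name__ == "__main__":
    for (src, dst), (count, mean_gap, cv) in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{src} -> {dst}: {count} connections, mean gap {mean_gap}s, cv {cv}")
```

Tune max_cv and min_connections against your own baseline: a plug that sleeps a random interval defeats the cv test but then has to connect less often, which the count threshold and a longer observation window catch. Either way, the point is that "everyone allows HTTP outbound" is not the same as nobody looking at it.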
Access established, time to pwn. One of my all-time favorite collections of mayhem is the Social Engineer Toolkit (SET). You will find SET at /var/pwnplug/set. Change directories appropriately via your established shell and run ./set. You will be presented with the SET menu. I chose 2. Website Attack Vectors, then 3. Credential Harvester Attack Method, followed by 2. Site Cloner (SET supports both HTTP and HTTPS). In an entirely intentional twist of irony I submitted http://mail.ccnt.com/igenus/login.php to SET as the URL to clone. Mind you, this is not a hack of the actual site being cloned so much as it is harvesting credentials via an extremely accurate replica wherein usernames and passwords are posted back to the Pwn Plug.
The test Pwn Plug was set up in the HolisticInfoSec Lab with an IP address of 192.168.248.23.
Imagine I’ve sent the victim a URL with http://192.168.248.23 hyperlinked as opposed to http://mail.ccnt.com/igenus/login.php and enticed them into clicking. Now don’t blink or you’ll miss it; I froze it for you in Figure 4.
Figure 4: SET harvesting from Pwn Plug
All the while, because you have shell access, you can gather results at your discretion. SET has a nice report generator and writes out to XML or HTML.
This is the tip of the iceberg for SET, and a mere fraction of the chaos you can unleash in whisper quiet mode via Pwn Plug. There are simply too many options to do it much justice in such short word space, so as mentioned earlier I’ll continue the conversation on the HolisticInfoSec blog.
In Conclusion
I had a blast testing Pwn Plug; this is me after spending days doing so.
Ping me via email if you have questions (russ at holisticinfosec dot org).
Cheers…until next month.
Acknowledgements