May meeting recap

The May meeting was another great one. Both Ngharo and my self were late because of traffic and junk so darkwind got things started with his popular demo of sniffing pager messages from the air. I Showed up at the tail end and when he was done I started the introductions. It was good to see all the new faces. After everyone talked for about 15 minutes I gave a live demo on using actionscript “flash” to inject a XSS exploit into a other wise secure website. Then Noize took over and gave a interesting live demo of getting IP addresses from contacts on Skype. Then dw5304 showed some of the features in the untangled firewall software. Congrats to ALee for winning the dc414 free junk giveaway!! Here are some pictures I took of the meeting.

ALee and his winnings!

Cisco DDR2200 ADSL2 Residential Gateway Router Vulnerabilities

I have discovered two Vulnerabilities in the Cisco DDR2200 ADSL2 Residential Gateway Router. The first vulnerability is that this device responds to UPNP multicast packets and UPNP SOAP requests out side of its local area network. Allowing attackers to forward ports and redirect traffic with out being authenticated, all of which can be exploited using dc414’s Upnp Exploiter.

The second vulnerability is remote command execution in the web based ping function. You can inject a pipe “|” followed by your command and it will get run on the shell and return the results as shown below.

Ping PoC: http://192.168.1.254/waitPingqry.cgi?showPingResult=1&pingAddr=127.0.0.1|ls

Screenshot from 2013-04-15 18:55:59

Upnp Exploiter

dc414 and I are proud to introduce Upnp Exploiter! A Upnp scanner and exploit tool. This tool comes with two main scanning functions and exploit functions.

The first scanning functions is the target scan. Here you can pick a single IP or IP range to find anything that reports back to a UPNP multicast packet sent to the normal UPNP broadcast address “239.255.255.250 on port 1900” If target responds it takes a closer look and sees if it can get the targets UPNP profile letting us know what type of device it is, what UPNP functions it supports, its IP, and other information. When used remotely, this all takes advantage of the fact that the target device violates the UPNP specs and responds to UPNP requests outside of the deices local area network.

The second scanning function only works in a local area network and just sends out a UPNP broadcast. This function is just using the UPNP protocol as intended.

Once a list of UPNP supported devices are found the script mines some information from it like device type, UPNP functions, IP. If its a gateway device it prompts you and asks if you want to attempt to exploit it.

The first option is to forward ports. If doing this LAN side its best to do some network recon with NMAP or something, find some fun services running on a internal server and forward them to the web for later hacking. While gathering information on the device it gets a list of other ports forwarded via UPNP and the devices internal IP. This is supper helpful when doing things on the remote side. One of my personal favs is routing the modems internal port 80 to 81 on WAN. This should give you access to the routers internal web UI for configuration. Most of the time the default creds will work for admin access >:)
This of course violates lots of rfc’s, protocols, and other stuff lol.

The second exploit option tries to turn a gateway device into a proxy. Now this works using IP addresses and one host per port. So if you want to connect to Victim A on port 8 you use the script to forward all data coming in on any port you choose “for now we will say 88” to VA on port 80. So you connect to port 88 on the Victim B “the gateway device” and all the traffic is forwarded to VA on port 80. This also breaks UPNP rules, but who cares.

The last little thing this script does is parse the replies for the unique_service_name() vulnerability and reports to you if it finds anything with some helpful information to aid in exploiting it.

You can get the script from the git page HERE. If you like it please consider donating to dc414 or me (Anarchy Angel – anarchy@new.dc414.org) for taking the time to make such an awesome script 🙂 If anyone would like to help with development please contact Anarchy Angel (me).

Many thanks to Ngharo for help with the regex and list stuff.

April meeting recap

Aprils meeting was awesome! Ngharo started us off with room introductions, which was helpful considering all the new faces at this meeting. Next I gave a quick demo of my new tool Upnp Exploiter. Which lead to me disclosing two 0day vulnerabilities in the Cisco DDR2200 ADSL2 Residential Gateway Router “expect more on all this later”! Then dw5304 gave his SNMP demo again and showed all the n00bs how to pwn Cisco routers using SNMP to upload a your own config to them. Then we all started messing around with trying to draw words on an oscilloscope with my arduino. Because of a late start that is all we had time for. Congrats to BigStarHero for winning a Emerson switch board in the free junk giveaway! Here is some pictures from the meeting.

Free junk giveaway big winner!

March meeting madness!

The March meeting was no let down, we had lots of people and as always great demos. Ngharo got it started with a make your own pringles can cantenna. 9 luck attendees got to make and take home their own cantenna!  Then he kept it going with a quick demo of radio Mobile and how to use it to make a long range wireless mesh network. Then the professor gave a demo on metasploit using a java exploit to root a windows box. dw5304 took over and gave a little demo of a hacked xbox360 and using a laptop to control everything the console does. Here are some pictures from the meeting. Congrats to uberushaximus for winning 100 free hours to AOL high speed!!

December meeting recap

Ngharo got this started with going around the room and asking everyone what they have been hacking and what they plan on hacking on next, then talking about some improvements to the dc414 server, such as how it is now fully IPv6 friendly and some improvements to the VPN. Then I gave a demo of how BeEF when used with Metasploit can pwn browsers from the inside out. dw5304 stepped in and showed us how to use the windows 7 UI on windows 8 with out having to worry about updates messing things up. Then Noize stepped up and gave us all a great introduction to Subterfuge, a MITM framework that utilizes arp attacks. Then I attempted to give another demo but failed, more on that later 😉 We spent the rest of the night drinking, eating cupcakes “thanx darkwinds wife” and loling at horror pics of server rooms and wiring closets. Congrats to Castor, Tony, and Peppergomez for winning the dc414 free junk giveaway!! Enjoy your junk guys 😛

We got $42 in donations which paid for the pizza and some of the beer with nothing left over for the server :/ which cost about $71 a month. Remember your donations are what keeps dc414 running smoothly for YOU!!!!

August meeting awesomeness

Klaiviel started us off by giving us a nice show of binary key card hotel locks popular over seas, showed us a 3d printed key for one of his locks, explained pick proof locks from the 40s that are no longer used but highly effective and how to make them today using regular locks. Then he showed us why he is the second best key impressionist in the world, and made a working key for a lock right in front of us and giving us step by step instructions on how to do it our selves.

I stepped in and gave a quick demo of how I made our new and improved donations bucket which I will be making a blog post on later. Darkwind came packing with a alfa wifi antenna hooked up to a satellite dish! This made a killer directional wifi antenna, we took it up to the roof of bucketworks and got signals from all over including the moon 😛 Ngharo hooked it up to his lappy and cracked a few networks 🙂

After the roof party was over and we got back down stairs Castor gave a DEFCON20 badge hacking demo and showed us how to turn our badges into any other badge type we wanted, then showed us how to make the LEDs on the badge flash out words and stuffs. Then we all just started bull shitting and talking about up coming projects.

Cmoney couldnt make it out so I took a few picture that you can view here. Congrats to darkwind and faraday for winning the dc414 free junk giveaway!!

Good times with snmp

At the last meeting dw5304 gave a demo on snmp scanning and gaining access to things you shouldn’t have access to with a few home brew windows apps he coded up. Its been a while since I messed with snmp but his demo got me back into it, so I made a little python script to scan subnets for open snmp servers with the read/write string set to private. Here is the code:

#! /usr/bin/env python
import commands
from scapy.all import *

base = "69.2.1." #IP range to scan minus the last octet.
f = open('/tmp/snmp_output.txt', 'w+')
for i in range(1, 255):
ip = base+str(i)
print ip+"\n"
p = IP(dst=ip)/UDP(dport=161, sport=39445)/SNMP(community="private",PDU=SNMPget(id=1416992799, varbindlist=[SNMPvarbind(oid=ASN1_OID("1.3.6.1.2.1.1.1.0"))]))
pkt = sr1(p, timeout=1)
if pkt and pkt.sprintf("%IP.proto%") != "icmp":
p1 = pkt.sprintf("%SNMP.PDU%").split("ASN1_STRING['", 1)
p2 = p1[1].split("'", 1)
print pkt.sprintf("%IP.src%")+" - "+p2[0]
f.write(pkt.sprintf("%IP.src%")+" - "+p2[0]+"\n")
f.close()
print "\nDONE!!!!!!!!!!!!!!!\n"

Its a little hacked together and could use improvement but it works “feel free to send in any improvements you make”. It puts all the found servers IPs in /tmp/snmp_output.txt along with their system description enumerated via snmp. Here is a sample output:

69.1.117.87 - Ruckus Wireless Inc (C) 2006
69.1.117.156 - Ruckus Wireless Inc (C) 2006
69.1.117.190 - Ruckus Wireless Inc (C) 2006
69.1.117.193 - Ruckus Wireless Inc (C) 2006
69.1.117.203 - Ruckus Wireless Inc (C) 2006
69.1.117.221 - Ruckus Wireless Inc (C) 2006
69.1.163.92 - 24-port 10/100 + 2-Port Gigabit Switch with WebView and PoE
69.1.163.93 - Product: GW 4 FXS;SW Version: 5.80A.023.006

Once you find a few servers you can do snmpwalks on them and scour it for juicy info.
Here are some good OIDs to look for and/or set: *found most of this online & got some from dw5304

ip.ipForwarding.0 <-this tells you if its forwarding packets or not "useful to DoS a device" 1.3.6.1.2.1.4.24.2.1.1 <-ipforwardingdest sysName.0 <-device name 1.3.6.1.4.1.4413.2.2.2.1.1.1.4.0 i 1 ... EnableTelnetServer. 1.3.6.1.4.1.4413.2.2.2.1.1.1.1.0....telnetIpStackInterfaces. 1.3.6.1.4.1.4413.2.2.2.1.1.1.2.0....telnetUserName.. 1.3.6.1.4.1.4413.2.2.2.1.1.1.3.0....telnetPassword.. 1.3.6.1.4.1.4413.2.2.2.1.1.1.4.0....telnetServerControl. 1.3.6.1.4.1.4413.2.2.2.1.1.1.5.0....telnetSessionIp. 1.3.6.1.4.1.4413.2.2.2.1.1.1.6.0....telnetSessionInProgress. 1.3.6.1.4.1.4413.2.2.2.1.1.1.7.0....telnetForceUserLogout. 1.3.6.1.2.1.1.1.0 = System Description 1.3.6.1.2.1.1.3.0 = Modem up time 1.3.6.1.2.1.4 = Some useful information (walk) 1.3.6.1.2.1.4.20.1.1.0 = HFC IP (getnext) 1.3.6.1.2.1.4.20.1.3.0 = HFC Subnet (getnext) 1.3.6.1.2.1.2.2.1.6.2= Mac 1.3.6.1.2.1.10.127.1.1.3.1.3.1 = Maximum upload bandwidth 1.3.6.1.2.1.10.127.1.1.3.1.5.1 = Maximum download bandwidth 1.3.6.1.2.1.10.127.1.1.4.1 = Current status (walk) 1.3.6.1.2.1.17.4.3.1.1.0 = Hosts behind modem 1.3.6.1.2.1.69.1.4.4.0 = TFTP Configuration file server IP 1.3.6.1.2.1.69.1.4.5.0 = Configuration file name 1.3.6.1.2.1.69.1.3.5.0 = Current firmware 1.3.6.1.2.1.69.1.4.2.0 = DHCP Server IP 1.3.6.1.2.1.69.1.4.3.0 = Time Server IP 1.3.6.1.2.1.69.1.5.8.1.7 = View Log (walk) 1.3.6.1.2.1.10.127.1.1.1.1.2.3 = Downstream Frequency 1.3.6.1.2.1.69.1.4.5.0 = Image File 1.3.6.1.2.1.17.4.3.1.1 = Learned MAC (Get Next) ---[ Read / Write OIDs 1.3.6.1.2.1.69.1.1.3.0 = Boot modem (1=boot now) 1.3.6.1.2.1.69.1.3.1.0 = TFTP Firmware server IP 1.3.6.1.2.1.69.1.3.2.0 = Firmware filename 1.3.6.1.2.1.69.1.3.3.0 = Firmware update status (1=update now, 2=update on boot,3=disable updates) 1.3.6.1.2.1.69.1.5.2.0 = SNMP Traps server IP (0.0.0.0 = disabled) 1.3.6.1.2.1.69.1.5.3.0 = SNMP Traps status (1=enabled, 4=disabled) 1.3.6.1.4.1.1166.1.19.3.1.14.0 = SNMP Port 1.3.6.1.4.1.1166.1.19.3.1.15.0 = SNMP Traps port 1.3.6.1.4.1.1166.1.19.3.1.17.0 = HTML Server status (1=enabled, 2=disabled)Other OIDs 1.3.6.1.2.1.1.5.0 = modem type 1.3.6.1.3.83.1.1.4.0 = Cable Modem Serial Number 1.3.6.1.3.83.1.4.5.0 = Alternate OID for Config File 1.3.6.1.3.83.1.4.3.0 = Provisional Server 1.3.6.1.2.1.1.6.0 = Area String 1.3.6.1.2.1.4.20.1.3+(hfc ip) = Subnet Example 1.3.6.1.2.4.20.1.3.10.169.53.2451.3.6.1.3.103.1.5.1.3.1.5 = CPE USB MAC 1.3.6.1.2.1.2.2.1.6.1 = Cable Modem USB MAC 1.3.1.6.1.2.1.10.127.1.2.1.1.1.2 = Default Gateway MAC Address 1.3.6.1.2.1.2.10.127.1.1.3.1.6.1 = Max Burst Up 1.3.6.1.2.1.2.2.1.6.5 = CPE MAC 1.3.6.1.4.1.1166.1.19.3.1.17.0Ii 1 or 0 enable or disable webif 1.3.6.1.4.1.4413.2.2.2.1.1.4.1 =”reflects the IP stack interfaces on which a ssh 1.3.6.1.4.1.4413.2.2.2.1.1.4.2 = "reflects the user name which will be allowed ssh access." 1.3.6.1.4.1.4413.2.2.2.1.1.4.3 = "reflects the password which will be allowed ssh access." 1.3.6.1.4.1.4413.2.2.2.1.1.4.4 = "start or stop the ssh server. 1.3.6.1.4.1.4413.2.2.2.1.1.4.7 =terminate ssh session

You can find a lot more online. Enjoy and happy hacking 🙂

July meeting sweetness

July’s meeting was hot in more then one way! First I would like to thank genero again for his genorous donation for the raffle, which put a solid $200 in the 3d printer fund!! Also congrats to faraday for winning both the raffle and the Photoshop and WIN contest!! I know it took forever to pick a winner but we did it damnit 😛

ngharo started the demos off with talking about how he set up dc414’s new astrisk server using google voice as the SIP trunk! Then showed us how he set it up to use NMAP to scan IPs from asterisk and speak the results to you over the phone! Klaiviel took over and made Ngharo a case for his raspberry pi and a penny launcher with his sweet 3d printer. Then I stepped in and showed everyone how to send spoofed emails from the dc414 server using the email spoofer web app, then how to send spoofed txt messages using the same app 🙂 Then Tony used a SIP provider that allowed for spoofing CID to spoof a call to Vlad. Then dw5304 wowed us all with a SNMP scanner he made, showed us some of the results like accessing a routers, modems, and windmills!!

Here are some pics from the meeting thanx to cmoney and congrats to Castor for winning the dc414 free junk giveaway!

Here is Faraday with his raffle winnings!

Here is Castor and his free junk from dc414

Arduino Windows Attack Tool

A few meetings back I demoed my Arduino Windows attack tool. The Arduino and shield emulate a keyboard when plugged into a PC. Once triggered it opens the DOS edit program, writes some vbscript to a file called go.vbs, then runs it using wscript. The script downloads a payload from a web server. In the case of the demo it was a reverse shell that connects back to a nc listener from msf. I got the idea from the Social-Engineering Toolkit Teensy USB HID Attack but I dont have/want a teensy so I looked and looked for an Arduino version but all I could find was a USB keyboard lib, so my value add was porting it to the Arduino.

Here is the USB lib I used.

Here is the schematic for the shield: *I added a button on pin 12

Here is the code for the Arduino:

And there you have it, my Arduino Windows attack tool. Its a little messy and hacked together, but it works. Enjoy 🙂

Many thanx to SilkyPantsDan, Rancid Bacon, and Practical Arduino