Using SSH Socks Proxies with MSF Reverse TCP Payloads

Pentesters regularly need to redirect their network traffic through various proxy hosts to access private network subnets, bypass firewall restrictions or hide their traces. Recognizing those needs, professionals have armored their tool arsenal with various tunneling and forwarding tools in order to work efficiently under various network architectures and testing cases. Each working case strongly depends on the proxy host’s running services and the access level obtained to those services.

One of my favorite cases (and I believe for many others too) is the OpenSSH SOCKS proxy scenario. Remote SSH access to the proxy host is available, offering flexible ways to redirect network traffic via the SSH channel. However, there is one main drawback in the SOCKS proxy case: you “can’t” use the available reverse TCP payloads delivered with the Metasploit framework (or any other similar tools). Actually, this is not 100% true. There exist some OpenSSH forwarding features that can be used/combined to bypass this restriction.

Drunk Admin Web Hacking Challenge

Recently I conducted a few keynote talks on the WeBaCoo tool and some web backdoor shell implementation techniques. As a great supporter of practical learning, I designed a related web hacking challenge that was given to the event attendees after the end of the talk part. The challenge focuses on techniques and methodologies discussed during the talks and implements a slightly restricted web server setup serving a vulnerable image hosting service.

Revealing Blackhat Web Shell Choices

Recently I received a call from a friend to inspect a web server attack incident. It was nothing more than a trivial web hacking case with an uploaded web shell and some proxy tools running under the apache user. The disappointing part was that the entry point for the attacker was a WordPress setup hosted on the server which was vulnerable to the famous TimThumb Remote File Inclusion vulnerability. I considered it unthinkable (till that case) that there still exist hosts vulnerable to the TimThumb exploit after all the fame it got in the last months. So I decided to conduct a further investigation to see if there still exist active bots seeking vulnerable TimThumb versions in WordPress installations.

From web app LFI to shell spawn

Web application LFI (Local File Inclusion) vulnerabilities are regularly underestimated both by penetration testers and developers. Beyond the main threat of exposing critical system information contained in core files (such as “/etc/passwd”, “/boot.ini” and “/etc/issue”), LFI vulnerabilities may cause bigger problems for the victim server. Depending on the source code that introduces an LFI vulnerability and under certain server configuration scenarios, the attacker may be able to run server-side code and establish a reverse connection or a pseudo-shell over HTTP with the victim server. In the rest of the article, an LFI vulnerability in a known e-commerce CMS will be examined in an attempt to execute server-side code and spawn a reverse shell.

Expanding WeBaCoo

Two months after the initial release, WeBaCoo’s core communication functions are stable enough to provide a strong base for building some expansion modules. These modules are nothing more than regular actions that pentesters and sysadmins execute while interacting with the system, including database interactions, data file manipulation and more. The concept behind extension module development is to provide stealthy, stable and highly customizable functionality within the main terminal mode to assist users. All modules operate under the main WeBaCoo communication function and customize some settings on the target system if necessary for the module’s operation.

SNMP-BCC — Relay-ing on SNMP for backdoor channel

Lately I’ve been working on an SNMP reflection toolkit to study the effects and impact ratio of SNMP reflection DoS attacks. During the development phase I spotted some interesting features in the SNMP request-reply working model. More specifically, I noticed that if you send an invalid SNMP OID in a GetRequest message, the agent replies with a Response message including an error code and the same invalid OID, as specified in the relevant RFCs. SNMP-BCC (Backdoor Communication Channel) takes advantage of the above SNMP feature combined with IP source spoofing techniques, in order to create a stealthy communication channel using the SNMP agent as a relay.

Running WeBaCoo over HTTPS through proxy

Recently I got a bunch of emails asking how to run WeBaCoo against HTTPS websites. The current 0.2 version does not support SSL/TLS, but you can use the built-in proxy support combined with tools that offer proxy features (ZAP, Burp etc.) instead. WeBaCoo can use a web proxy with HTTPS support to establish the secure connection with the web server, and then send the requests and get the relevant responses through it. The rest of the article will provide a relevant case study using ZAP’s proxy support.

Maths behind web shell code detection

Trying to enhance WeBaCoo’s stealth behavior, I continuously examine various tools and methods used to detect hidden web backdoor shell code on infected hosts. The latest tool that came into my sight is NeoPI, a Python script that uses various statistical methods to discover potentially obfuscated and encrypted content within text/script files. NeoPI follows a very interesting approach by ranking potentially malicious files based on Entropy, Longest Word and Index of Coincidence tests. Unfortunately, WeBaCoo’s base64-obfuscated backdoor code did not pass undetected by NeoPI, ranking within the top 10 in a regular web server setup. Consequently, I proceeded to a further analysis of the tool in an attempt to find ways to effectively bypass its tests.

Bypass base64 decoder detection

Almost two weeks after WeBaCoo’s release, I started to organize the results from various tests under different protection/detection tools for a comprehensive writeup. Something that drew my attention is how easily some malware scanning tools mark WeBaCoo’s generated backdoor code as a “threat”. A simple use of the base64 decoder function is enough to trigger the scanner’s content-matching rulesets, no matter what the processed data are. In addition to this strict approach, I recently came across on the Internet some official web backdoor detection tutorials including content-matching checks for the decoder function. These two things led me to some small research for finding tricks to bypass such content-matching mechanisms.

WeBaCoo (Web Backdoor Cookie) Script-Kit – The Birth

Recently I was messing around with some PHP backdoors capable of providing a “pseudo”-terminal connection with a remote web server injected with a chunk of malicious PHP code. All the existing scripts and tools (such as weevely, hookworm) send the shell commands hidden in HTTP header fields, while the server’s output is printed out as part of the HTML code. Inspired by the above implementations, I thought: why not send the server’s command output using the HTTP response headers? And under these dark thoughts the WeBaCoo (Web Backdoor Cookie) script-kit was released.
