Hakin9 Exploiting Software July 2012 Issue is out!

Pentesting with Android – new Exploiting Software Hakin9 issue is out!

Are you curious how to turn your Wi-Fi smart phone or tablet into a pentesting tool? Check out the new issue of Exploiting Software Hakin9!

WHAT’S IN THIS ISSUE?

•    Searching For Exploits, SCAPY Fuzzing
•    Weak Wi-Fi Security, Evil Hotspots & Pentesting with Android
•    An In-Depth Analysis on Targeted Attacks
•    Automated security audit of a web application
•    Reverse Engineer Obfuscated
•    Cross Site Scripting(XSS)
•    Implementing Rsylog to forward log messages
•    They Are Offline But I Exploited Them

 

Weak Wi-Fi Security, Evil Hotspots and Pentesting with Android
By Dan Dieterle

Wireless networks and mobile Wi-Fi devices have saturated both the home front and business arena. The threats against Wi-Fi networks have been known for years, and though some effort has been made to lock down wireless networks, many are still wide open. In this article we will look at a few common Wi-Fi security misconceptions. We will also see how a penetration tester (or unfortunately, hackers) could set up a fake Access Point (AP) using a simple wireless card and redirect network users, capture authentication credentials and possibly gain full remote access to the client.

Finally we will look at the latest app for Android that allows you to turn your Wi-Fi smart phone or tablet into a pentesting tool. With it you can scan your network for open ports, check for vulnerabilities, perform exploits, Man-in-the-Middle (MitM) attacks and even sniff network traffic on both your Wi-Fi network and wired LAN.

Searching For Exploits, SCAPY Fuzzing
By Craig Wright

SCAPY is a series of python based scripts that are designed for network level packet manipulation. With it, we can sniff network traffic, interactively manipulate it, and fuzz services. More, SCAPY decodes the packets that it receives without interpreting them. The article is going into some of the fundamentals that you will need in order to understand the shellcode and exploit creation process, how to use Python as a launch platform for your shellcode and what the various system components are.

And much more…

For additional article information click here or…

Metasploitable 2 Tutorial Part 1: Checking for open Ports with Nmap

I mentioned a week or two ago that we would take a closer look at Metasploitable 2.0, the purposefully vulnerable Linux virtual machine used for learning security tactics and techniques. In this intro, we will quickly cover obtaining Metasploitable and scanning it for open ports and services. (No you do not want Metasploitable running on a open or production machine, it’s vulnerable for Pete’s sake!  🙂  )

For this series of tutorials you will need:

You can setup a test network using VMware or Virualbox. I will not cover this in the article, there are many tutorials out there for setting this up

The Rapid7 website references a great Metasploitable setup tutorial on webpwnized’s YouTube Channel. This covers installing Metasploitable 2 on Virtual Box and how to get to Mutillidae, a great learning tool for web app security:

Okay, let’s take a look at Metasploitable from our Backtrack box. Let’s run an nmap scan and see what services are installed.

Open a Terminal window on your Backtrack system and type:

nmap -v -A 192.168.12.20 (metasploitable’s IP address)

This will show us the open ports and try to enumerate what services are running. Here is a look at the ports:

Holy open ports Batman!

Nmap will churn for a while while it tries to detect the actual services running on these ports. In a few minutes you will see a screen that looks like this:

For each port, we see the port number, service type and even an attempt at the service software version.

From here, we can grab the software version, in this case “Unreal IRC 3.2.8.1”, and do a search for vulnerabilities for that software release. Just searching “unreal3.2.8.1 exploits” in Google should do the trick. With a little searching, you can find an Unreal exploit usable through Backtrack 5’s Metasploit program that will give you a root shell. See if you can find it and give it a shot. If you strike out, no worries, we will take a closer look at this in a later tutorial.

If nothing comes up, you may not have the exact software version. Nmap tries its best, but it is not always correct. Backtrack 5’s Metasploit console has several service scanners that we can use to get exact version levels. We will take a closer look at these in the next tutorial. Then we will dive into exploiting the open services.

zAnti – Fast & Simple Android Based Security Testing Platform

zImperium’s zAnti is a quick and simple Android based app that you can use to  test your network security. Want network scanning, Man-in-the-Middle (MITM) attacks, exploit capability and reporting features all from your Droid table or phone? Then look no further.

If you liked the previous version (called Anti) then you will love this update. zAnti seems to be smoother and easier to use than its predecessor. zAnti still comes with a token type credit system that allows you to access the more advanced features, but like the first one, you can still see the power of zAnti with the free version.

So how does it work?

Once you start the App, you will be asked to login. Then zAnti does a quick scan of available Wi-Fi networks and asks which one you want to test. Just select the network and zAnti does a quick scan and shows all the available hosts on the network.

Found a target that looks interesting? Just select it and with a quick swipe of the finger and you reach the Action menu. From here you can perform several different attacks including sniffing and exploit attempts. Swipe again and you come to the Nmap menu where you have the option to run several levels of nmap based scanning to attempt to detect OS version and service identification. Swipe once more and you will come to a comment page where you can write notes about the target.

In a test, I ran zAnti on my 7″ Polaroid Android Tablet. Within a few seconds I had a complete list of all the machines on my network. Selecting one of my Windows 7 systems from the menu I performed a deeper nmap scan. The scan found no open ports, and it could not provide much information about the client. But by switching to the Action menu I choose the sniffer option:

Within seconds I was viewing a list of all the webpages that my Windows 7 wired client was visiting, remotely on my droid tablet! Obviously some type of ARP (Address Resolution Protocol) cache poisoning was going on here.

A quick look at the Windows 7 client’s ARP Table showed that zAnti successfully performed a man-in-the-middle attack on the client. And sure enough, switched its MAC address for the client gateway. This effectively put the wireless Droid in between my router and the wired Windows 7 Client so it could sniff all the network traffic!

Even though you need to buy credits to do the more advanced attacks and Pentest reporting features, Free zAnti is a fun, sleek, uber-cool tool to add to the security toolbox. And if you need the advanced features, the support will help the company create even more feature rich programs in the future (zImperium is also working on some interesting looking mobile defense projects).

Did I mention they have a beta program from an iOS based version?  🙂

Check it out!

Anti – Android Network Toolkit and 7″ Tablet make a $99 Pentesting Platform

Every once in a while you run into a product that just makes you sit back and say – “Wow!”

I just picked up a 7″ Polaroid tablet for $99 and was stunned at how good it works. The screen quality, how smooth it ran and how responsive it was. In some functions it works better than my trusty iPad that cost a whole lot more.

Well, I wanted to see how well the Android Tablet could work as a pentesting platform and found “Anti” the Android Network Toolkit by zImperium. I was stunned.

I just used the “Free” version, and within seconds I was looking at a network map of all the machines on my network. Anti runs nmap scans, including an intrusive scan to detect device Operating Systems and vulnerabilities. Once the scan is done, it can take a while, you can click on individual systems and are presented with a tool option menu. These options include:

Attack, DoS, Cracker, Replace Image, Spy, Man in the Middle

Some of the more advanced tools require you to purchase “Anti credits” to run them. But with the free version, you can view available networks, and run scans against them.

I ran it on my wireless network and was able to view a wired system. For a short period of time, I could see a text list of what websites the computer was visiting, and even images from the visited websites. The options even included “View Passwords”, but this did not seem to be enabled in the free version. Obviously it was working in some sort of Man-in-the-Middle mode to be able grab the information off of a wired lan system connected to a switch. Very interesting.

And this was just the free version, the paid versions reportedly includes remote exploit capability.

Anti also includes a reporting feature so you can keep a track of vulnerable systems found during your pentest. Using Anti on a cheap $99 Android tablet really opens up a lot of possibilities for pentesters.