Posts Tagged ‘Ethical Hacking’

PRET is a new tool for printer security testing developed in the scope of a Master’s Thesis at Ruhr University Bochum. It connects to a device via network or USB and exploits the features of a given printer language. Currently PostScript, PJL and PCL are supported, which are spoken by most laser printers. This allows cool stuff like capturing or manipulating print jobs, accessing the printer’s file system and memory, or even causing physical damage to the device. All attacks are documented in detail in the Hacking Printers Wiki.

The main idea of PRET is to facilitate the communication between the end-user and the printer. Thus, after entering a UNIX-like command, PRET translates it to PostScript, PJL or PCL, sends it to the printer, evaluates the result and translates it back to a user-friendly format. PRET offers a whole bunch of commands useful for printer attacks and fuzzing.

Installation:
# pip install colorama pysnmp
# pip install win_unicode_console
# apt-get install imagemagick ghostscript
git clone

usage: [-h] [-s] [-q] [-d] [-i file] [-o file] target {ps,pjl,pcl}
positional arguments:
target                printer device or hostname
{ps,pjl,pcl}          printing language to abuse
optional arguments:
-h, --help            show this help message and exit
-s, --safe            verify if language is supported
-q, --quiet           suppress warnings and chit-chat
-d, --debug           enter debug mode (show traffic)
-i file, --load file  load and run commands from file
-o file, --log file   log raw data sent to the target
PowerMemory is a PowerShell-based tool to exploit Windows credentials present in files and memory. It leverages Microsoft-signed binaries to hack Windows.

PowerMemory - Exploit Windows Credentials In Memory

The method is totally new. It proves that it can be extremely easy to get credentials or any other information from Windows memory without needing to code in C-type languages. In addition, with this method we can modify user-land and kernel-land behaviour without being caught by antivirus or newer defensive techniques.

It can actually be done with a 4GL-type language or with a scripting language like PowerShell, which is installed everywhere.

With that being said, this technique makes detection hard, because we can do pretty much what we want simply by sending and receiving bytes.


  • It’s fully written in PowerShell
  • It can work locally as well as remotely
  • It can get the passwords of virtual machines without having any access to them (works for Hyper-V and VMware)
  • It does not use the operating system’s DLLs to locate credential addresses in memory, but a Microsoft-signed debugger
  • PowerMemory maps the keys in the memory and cracks everything by itself (AES, TripleDES, DES-X)
  • It breaks undocumented Microsoft DES-X
  • It works even if you are on a different architecture than the target architecture
  • It leaves no trace in memory
  • It can manipulate memory to fool software and the operating system
  • It can write the memory to execute shellcode without making any API call, it only sends bytes to write at specific addresses

You can use the module (still waiting to be integrated) to leave Wonder Land and launch a crafted advanced attack with PowerShell Empire serving as the vector.

You can download PowerMemory here:

Or read more here.

Ghost in the Machine

Posted: 29/01/2015 in Uncategorized

A newly disclosed flaw opens up most Linux-based Web and mail servers to attack, researchers from Redwood Shores, California-based security firm Qualys disclosed today (Jan. 27).

The flaw, dubbed “GHOST” by its discoverers, “allows attackers to remotely take complete control of the victim system without having any prior knowledge of system credentials,” (i.e. administrative passwords), Qualys staffer Amol Sarwate said in a company blog posting.

“As a proof of concept, we developed a full-fledged remote exploit against the Exim mail server, bypassing all existing protections (ASLR, PIE, and NX) on both 32-bit and 64-bit machines,” Qualys researchers posted on the Openwall security mailing list earlier today.


GHOST is of immediate and urgent concern to any IT professional administering a Linux-based server, but users of desktop Linux should also install patches, which have already been pushed out by Red Hat and Ubuntu, among others. (Red Hat Fedora 20 and later, and Ubuntu 13.10 and later, were already immune.)

Various flavors of Linux power at least a third of the world’s Web servers and mail servers, but it’s likely that administrators at top Web-based companies were tipped off ahead of today’s disclosure.

GHOST, designated CVE-2015-0235 per security-industry convention, is the fourth major vulnerability in open-source software found in the past 10 months. The stampede began with the discovery of the Heartbleed flaw in OpenSSL in April, then continued with the Shellshock hole in the Bash command-line shell in September, followed by the POODLE weakness in Web encryption in October.

Such technical talk may be gobbledygook to most computer users, but arcane open-source software runs the Internet and the Web that rides on top of it. Any major open-source flaw threatens not only the massive global Internet economy, but your ability to check your own Facebook page.

“To be clear, this is NOT the end of the Internet,” wrote Jen Ellis of Boston information-security firm Rapid7 in an official blog posting. “It’s also not another Heartbleed. But it is potentially nasty, and you should patch and reboot your affected systems immediately.”

GHOST vulnerability explained

The flaw exists in older versions of the GNU C library, or glibc, a repository of open-source software written in the C and C++ coding languages. Newer versions of glibc, beginning with glibc 2.18, released in August 2013, are not affected. But many builds of Linux may still be using older versions.
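The article does not name the affected function: CVE-2015-0235 is a heap overflow in glibc's gethostbyname*() family, reachable with a hostname made only of digits. The following self-check is an added example, not code from the article or from Qualys; it places a canary directly behind the result buffer and reports whether the running glibc overwrites it, so a patched system never crashes. It assumes Linux/glibc, where gethostbyname_r() (a GNU extension) is available.

```c
#define _GNU_SOURCE            /* gethostbyname_r() is a GNU extension */
#include <errno.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

/* Marker placed directly behind the result buffer: an overflow lands
 * on it instead of corrupting the heap or crashing the process. */
#define CANARY "in_the_coal_mine"

enum ghost_status { GHOST_NOT_VULNERABLE = 0, GHOST_VULNERABLE = 1, GHOST_INCONCLUSIVE = 2 };

/* GHOST_VULNERABLE if glibc wrote past the buffer, GHOST_NOT_VULNERABLE if it
 * rejected the call with ERANGE as a patched build does, GHOST_INCONCLUSIVE for
 * any other outcome (e.g. a non-glibc libc that resolves names differently). */
int ghost_check(void)
{
    struct {
        char buffer[1024];
        char canary[sizeof(CANARY)];
    } temp = { "buffer", CANARY };
    struct hostent resbuf;
    struct hostent *result = NULL;
    int herrno = 0;

    /* The digits-only name is sized so that the buggy size computation
     * (16-byte address + two address pointers + name + NUL) believes the
     * buffer is exactly large enough; the fixed computation also counts the
     * alias pointer and therefore fails with ERANGE instead of writing. */
    size_t len = sizeof(temp.buffer) - sizeof(struct in6_addr) - 2 * sizeof(char *) - 1;
    char name[sizeof(temp.buffer)];
    memset(name, '0', len);
    name[len] = '\0';

    int rc = gethostbyname_r(name, &resbuf, temp.buffer, sizeof(temp.buffer),
                             &result, &herrno);

    if (strcmp(temp.canary, CANARY) != 0)
        return GHOST_VULNERABLE;      /* the overflow reached the canary */
    if (rc == ERANGE)
        return GHOST_NOT_VULNERABLE;  /* patched glibc refused the small buffer */
    return GHOST_INCONCLUSIVE;
}

int main(void)
{
    static const char *label[] = { "not vulnerable", "vulnerable", "inconclusive" };
    printf("GHOST (CVE-2015-0235) self-check: %s\n", label[ghost_check()]);
    return 0;
}
```

A behavioural check like this is more reliable than comparing the installed version against glibc 2.18, because distributions such as Red Hat and Ubuntu backport the fix without changing the version number.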

In addition to Exim, server software vulnerable to GHOST includes Apache, Sendmail, Nginx, MySQL, CUPS, Samba and many others, according to a post by Qualys researchers on the Full Disclosure mailing list. CORRECTION: The applications listed on the Full Disclosure page are NOT vulnerable to GHOST.

The risk to users of massively subscribed services such as Twitter, Facebook and all of Google’s online services should be low, presuming that administrators of those companies’ servers have already implemented or are currently implementing patches. (It’s possible that last night’s 40-minute Facebook outage was the result of this.)

But implementation of the patches will have to be manual, which means that millions of websites and mail servers that don’t get the same degree of administrative attention will continue to be vulnerable for an extended period of time.

Thanks to Qualys and Tom’s Guide