People often overlook printers when it comes to information security. Truth is that a ton of useful information can be found in printers. Employees will often scan sensitive documents such as social security cards, loan information, birth certificates, etc. I’ve also seen important organizational information on printers such as internal memos between higher up executives. The documents I’ve seen in the past were never meant to be shared but a default printer will more than happily share your sensitive information. Almost any new commercial printer will come with a ton of features to store and retrieve any documentation that flows through the printer (copy, scan, and print jobs). Almost all of these new printers also give you a web interface to retrieve that documentation, an example of a printer’s web interface can be seen here. When I’m performing a penetration test I always go for the web interface of a printer, the web interface is where I can grab all the sensitive information. These printers usually get unboxed and plugged into the network without much configuration from the default state, this means that the web interface is wide open with default usernames and passwords. Usually admin access to these printers will give you more access and it’s this admin access that I check for.

When you’ve only got a limited amount of time during a penetration test you want to get the best bang for your buck so I created a python script that will go and check for default usernames and passwords on certain models of printers. Below is the python script.

Usage:  at the command line type the following

So this script takes two arguments, 1) A list of IP’s you’ll want to test against, 2) Name of an output file where successful attempts are logged. If you’re having troubles running the script read my other post about running a python script. The output.txt will contain a list of IP’s that the script was able to log into. There are three variables that you’ll have to modify for your particular printer model that you are trying to scan for on your network, they are listed below.

Username and password variables should be obvious, simply put in the default username and password of the printer on your network. The only thing you’ll have to change in ‘theurl’ variable is the last quoted string. In my case it was ‘/index.html’, in your case it could be ‘/auth/login.html’. Variable ‘theurl’ builds the http request used to log into your printer’s web interface. A full example is below.

This script is doing nothing more than trying to log into the web interface of a printer, that’s it. So the script is not limited to printers, it can be used against any web application that takes a username and password. Although this script can be used against any web application there is a limitation.  This script authenticates to the printer using Basic Access Authentication. There are three main ways to authenticate to a web application.

1. HTTP Basic Access Authentication
2. HTTP Digest Access Authentication
3. HTML Form-based Authentication

So this script will not work if your web application (printer in this case) is using the second or third option. How would you know which one your printer or web application is using? Turns out OWASP has a nice write up on how to test which type of authentication your web application is using. Turns out that no one really uses one and two because they are not as secure as HTML Form-based Authentication wrapped inside SSL. Of course some printers use Basic Authentication because they are poorly built. Basic Authentication actually passes your username and password essentially in plaintext, the only way it tries to hide your username and password is by base64 encoding them which is easily transformed back into plaintext. I don’t want to get lost in the weeds to much but just knowing that your printer is using Basic Authentication is bad enough. Even if you set a strong username and password anyone sniffing network traffic would be able to determine your credentials.

I kicked this script over to Dave Huggins who has tons of experience developing Python applications and he quickly improved upon it by adding the functionality of IP ranges instead of a file. His enhancements can be seen below.

Happy printer hunting.

The main purpose of this write up is to create a tutorial for running, installing, and analyzing results of Capture-Bat. I didn’t really want to name this article “Capture-Bat tutorial” because not everyone is familiar with the tool and what its used for. When it comes to analyzing malware there are a handful of tools that every analyst should have, Capture-Bat is one of those tools. Capture-Bat will monitor changes malware makes to your system so that you can effectively determine what the malware is attempting to do. Capture-Bat does a great job of eliminating noise and ignoring “regular” windows events. It is a behavioral analysis tool which means that it does not analyze the malware itself, it only monitors changes the malware makes to the windows system. In this article I hope to highlight the best way to use the tool and what options I always use when running the tool. Capture-Bat is a free tool which can be grabbed here. I’ll get into all the details later but whenever I run this tool I execute the following command right before I execute the malware.

Below are what the options mean.

Let’s walk through an example using the zipped up malware located here (password is “malware”). For the inexperienced keep in mind you’ll need to run this malware in a virtual machine environment that is not connected to a network. Now that you’ve downloaded the malware open up two command prompts in windows (Start > Programs > Accessories > Command prompt). In the first command prompt you’ll need to start up Capture-Bat with the command above. Once you run this command you should see the following.

My output is going to c:\temp, you may have to create this directory before running the command. It looks like Capture-Bat is just sitting there but it’s actually monitoring changes to your system. It’s important to only run the malware while Capture-Bat is monitoring your system, if you launch another application it will muddy your output and you may not be able to tell it’s the malware making changes to your system or a benign application. Now that Capture-Bat is monitoring let’s go ahead run our malware. I’m a fan of running exe’s from the command line because you may get a more verbose output, so execute the command below to launch the malware.

After you execute the malware let Capture-Bat sit there and monitor events for about 30 seconds to one minute, after that time period simply go into the command prompt running Capture-Bat and type “control + c” to kill the Capture-Bat process. Next step is to open up our output.txt to see what the malware has done to the system, my output is below.

The first line is simply us executing the malware. Lines 2 – 4 is where the malware creates a file, an exe in this case, named spoolsvc.exe. Spoolsvc.exe doesn’t already exist on windows systems but spoolsv.exe does so the malware author is trying to be tricky in creating an exe that is very similar to what already exists on the system. It’s very important to note that spoolsvc.exe is not executed here but simply created, had it been executed you would have seen “process”,”created” as is seen in line one. Spoolsvc.exe is eventually executed on line 15. Line five is where a “.bat” file is created, for those that don’t know “.bat” files are windows batch scripts which contain a series of commands to be executed. Capture-Bat ends of saving this batch script which we will take a look at later. Lines 6 – 13 is where the malware is setting registry values. It appears that lines 6 – 11 are ensuring the “Local Intranet” has certain settings (see IE setting screen shot below) in internet explorer, this will allow internal connections to have a lower security setting than external connections.

My virtual machine is setup in a default and vulnerable setup, my registry values for lines 6 – 11 didn’t change after the malware was executed. Also I intentionally changed these settings before the malware executed but the malware failed to modify the registry so go figure. McAfee states that these settings are used to bypass firewalls? More information about internet explorer security settings and registry values can be found here. Also good information here about IE security zones. Lines 12 and 13 are modifying where temporary internet files and cookies are stored, in my case I didn’t notice a difference between before and after. Also I modified the default location where temporary internet files are located, the malware failed to change this location after execution so go figure once again. I haven’t contacted the developers of Capture-Bat but “SetValueKey” could also be used to query the registry? Either way the values stayed the same for me, it could have been that the malware authors wanted the registry settings for cache and cookies in a default state? Lines 14 – 15 are having cmd.exe execute the malware spoolsvc.exe. Lines 16 – 18 are setting a value in the registry. Once again these values did not change for me after the malware was executed and it appears that the value for BaseClass the value of “Driver” is default? I haven’t yet figured out why this piece of malware sets the value of BaseClass to driver but I have seen other malware perform these same actions. In lines 19 – 30 the malware and Capture-Bat delete and create certain files and processes so hopefully that output is clear to you. It gets interesting again on line 31. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ is the location of exe’s set to run when a user logs into the system. It is very common to see malware modify these registry values to have itself execute once the user logs into the system. In this case it only modified the Spooler SubSystem App value but it’s common to see it modify other values in that location. The last two lines of the output are Capture-Bat saving deleted files. So that’s a basic analysis of this malware. I only let the malware run for about 30 seconds so it may actually perform more actions than my output.

You may be wondering why the funny name for this particular piece of malware, 40033d8063564d1b3e4b41f1d5c9a31f.exe. The experienced will recognize the name as a MD5 hash, MD5 hashing is commonly used to uniquely identify malware or any exe for that matter. I will also google search the MD5 hash of the malware to see if anyone else has run across it. Turns out others have and Anubis has a good analysis of this malware as well. Anubis reports some of the same activities as we see in our output. You can also perform a hash search over at virus total, looks like other anti-virus vendors have signatures for this malware. For the uninformed virus total will query about 40 anti-virus vendors to see which ones have seen it before. I love malware analysis sites like Anubis and Virus Total but nothing beats performing analysis on a local system. For example we were able to capture the deleted batch script that the malware executed, below is the output of that batch script.

Granted the batch script is lame, it’s a very basic script that deletes the malware and deletes itself but the batch script could have contained a lot of useful information. All deleted or modified files that Capture-Bat sees are located in the following directory.

Below is a screen shot of my deleted files for this malware.

Don’t forget that Capture-Bat collects pcap’s during the analysis under the same directory as the deleted malware, see screen shot below.

From a quick google search it doesn’t look like that memehehz.info has a great reputation. It could be that memehehz.info is a malware site or it could be that memehehz.info got infected with malware itself. The malware analyzed here isn’t the most recent malware I simply wanted to walk you through an example and how Capture-Bat can help you in the analysis of what the malware is trying to do. When it comes to analyzing malware I wouldn’t say only the tip of the iceberg has been analyzed but there is definitely more to cover. My main goal was to get others familiar with good malware analysis tools such as Capture-Bat so that they may be better able to react and respond to malicious activity on their own networks. Hopefully this helped and as always if you have any feedback I’d love to hear it.

I had the need to generate a password dictionary that would cover every possible combination for a defined character set.  I first learned to program in Python so I was going to start there first.  Before writing the program I decided to Google and see if anyone else had tackled this problem via Python, turned out they had.  Siph0n posted his Python code to create a password dictionary over at the BackTrack forums.  I wanted to post it here as a mirror and to discuss the implications of creating a password dictionary with every possible combination.  Below is the Python code.

If you’re familiar with programming and Python in particular then you could just grab the code and roll but I really wanted to discuss the usefulness of an application like this.  First I will discuss the basics of how to get this program up and running but will eventually jump into other implications such as time, storage, and usefulness of a password dictionary.

How to install and use the program

1. You must have Python installed.  If you’re running Linux (you should be) then it’s probably already installed.  If you’re running then Windows then you will have to download Python.
2. Now that you have Python installed simply copy and paste the code above into a text file and name it passwordDictionaryGenerator.py.  The .py extension is needed because that’s how Python recognizes code that it’s suppose to execute.
3. Modify appropriate variables within the program.  The only variables you may want to modify are numb, cap, and low.  These variables contain the ASCII equivalent ranges for the letters and numbers you will be using to generate your dictionary.  You may want to modify these variables so that your dictionary does not contain a-z but only a-k, I’ll leave that up to you.
4. Now to run the program simply type
   python passwordDictionaryGenerator.py

   You will have to answer the questions about which character set you want to use and how long / short your password dictionary is going to be.  Once you answer the questions it may seem like the program isn’t doing anything but it is, it will spit you back to the command line once the program has completed.  The output will be a file called wordlist.

So now you have this cool program that can generate a password dictionary for you, how big (size MB, GB, TB, etc) will this dictionary be?  How long will it take to generate this dictionary?  Let’s tackle the size question first as it will help us calculate the time as well.  The key to calculating the size is a math term called permutations.  Permutations is a simple equation to determine the number of words for that particular character set and length of word.  The basic equation is below.

n^r

n = total character set (e.g.  a-z + A-Z + 0-9 = 62)

r = length of the word

Now you’ll have to calculate n^r for each length to get every possible combination.  So for a 6 digit long password your equation will look like the following.

n⁶ + n⁵ + n⁴ + n³ + n² + n¹ = every possible combination

Let’s try an example where our character set is a-z (n = 26) and our password is no longer than 6 (r = 1-6) digits, how many words will be in our dictionary?

26⁶ + 26⁵ + 26⁴ + 26³ + 26² + 26¹ = 321,272,406 = total # of words

So now we understand how to calculate the total number of words in our dictionary.  How does that relate to the size?  Well for the most part if the length of the password is x then the size in bytes will be x + 1 for that particular line.  Then all we have to do is multiply each n^r times the size of that particular line to get the size for that particular length.  That may have just sound really confusing so hopefully the following graph clears that up some.

I went ahead and generated this dictionary, it took about 30 minutes.  Turns out the size matched my calculations.

So now you have the basic formula for calculating the size of your desired dictionary.  Let’s take a look at a larger example just to cure our curiosity.  Let’s assume the following parameters.

• character set = a-z, A-Z, & 0-9
• password length = 1-8
• n = 62
• r = 1 – 8

With these parameters the size of our dictionary jumps to 1,800 terabytes or 1.8 petabytes. Take a look at the chart below.

You can see how quickly the size jumps up. I don’t know about you but I don’t have a two petabyte drive lying around. Generating this dictionary is just infeasible. I did calculate the time it would probably take to generate this dictionary, it came out to be about 11 days. So the time to create such a dictionary is nothing compared to the storage required to house it. Not only that I don’t know to many applications that can handle a large dictionary as input, so that’s another factor you’ll have to keep in mind when generating your dictionary.

Calculating the time it takes to generate these dictionaries I’ll leave up to you.  The basic idea is that you can run the python program for a particular length password for a set amount of time and then extrapolate form there.  For the most part time isn’t really a factor but storage is. The concepts I’ve talked about here are nothing new. The idea of generating a password came to me and my coworkers as we were thinking of ways to test a WPA wireless infrastructure. Attacking WPA can be done offline so we were thinking of generating a dictionary to accomplish this. Hours later we soon realized the difficulty with generating such a large dictionary. This was actually good news because it meant that an attacker would have an extremely difficult time attacking a WPA access point with a complex password. Renderman and the Church of Wifi have thought about this problem way before I did and came up with some rainbow tables to help test the strength of your WPA access point. You can’t really create a dictionary with every single combination for a lengthy password, your best bet is to create a dictionary with the most “common” passwords, which is no easy task either.

The moral of the story is to use lengthy complex passwords with a high character set, but you knew that already. So I just suggested that this program is somewhat useless, well it is but it isn’t. You can use this program to generate a small dictionary but a large dictionary (greater than a couple of terabytes) is probably out of the question. So use this program and let me know what your results are, I’m always interested in your feedback. Happy cracking.

Determine version locally / with access

or

Determine version remotely

or

With netcat you may see weird output, example is below

In this case the version is 4.1.20, so you’ll have to read through the mess that is netcat output.

Sometimes when you want to grab the bleeding edge version of software you’ll need to utilize subversion (SVN). You can go and read Wikipedia’s take on SVN but basically SVN can be used to grab the latest snapshot of software. Grabbing Metasploit through SVN is the best way to get the latest exploits, payload, scanners, and auxiliary components. If you were to grab Metasploit from it’s main page you would be missing a lot of that functionality, this is where SVN comes into play. Unfortunately I’m not able to grab the latest version of Metasploit because my organization has restrictive firewalls and proxies preventing me from using the SVN protocol. So the best way around this problem is to wrap the application, SVN in this case, inside of a tunneled proxy for transporting. The best implementation I’ve found for doing that is using SOCKS proxies.

The basic goal of this article is to explain to others how to tunnel an application in a SOCKS proxy that doesn’t support SOCKS proxies. A SOCKS proxy is another network protocol but what’s special about SOCKS is that it doesn’t rely on the underlying packet to do it’s routing. SOCKS handles the routing and basically just creates an envelope for whatever it’s “wrapping up”. SOCKS can work with lots of protocols (HTTP, FTP, SMTP, etc) and lots of applications (Firefox, Internet Explorer, OpenSSH, etc). One useful example of using a SOCKS proxy is tunneling HTTP traffic through an SSH tunnel. This can be accomplished because both Firefox and SSH have support for SOCKS proxies. Refer to my earlier article concerning tunneling HTTP over SSH. One application / protocol that SOCKS does not work with is SVN, so then how can you tunnel SVN. Proxychains to the rescue.

Proxychains is the coolest thing since sliced bread. If an application doesn’t support SOCKS then Proxychains will make it support SOCKS. Proxychains basically SOCKSifies applications. The main reason to SOCKSify an application is so that you can tunnel it through SSH because SSH supports SOCKS. So how do you download Metasploit through restrictive firewalls? The answer is ProxyChains + SVN + SSH = latest Metasploit. So enough with the yip yapping how does all this work, below are instructions.

Requirements

1. Internet facing listening SSH server
2. Linux client (client being your laptop or desktop) with SSH
3. Proxychains on client
4. SVN on client

You may could perform all of these steps in Windoze but why would you? Besides all of my instructions will be Linux based. Once you’ve got Proxychains installed (see proxychains INSTALL file) the next thing to do is edit it’s config file proxychains.conf. In my situation all I had to modify were two lines. I first commented out the line that says dynamic_chain as seen below.

Next we’ll tell proxychains to use our localhost as the proxy and which port to connect to. At the very bottom of your conf file you’ll need to add the following.

I randomly chose port 4545. I usually choose a port higher than 1024 because you don’t need root privileges to use higher ports. Now your proxychains config file is set. Now let’s create the ssh tunnel.

In my case it would be

The -D flag tells ssh to listen on your localhost (127.0.0.1) and forward that connection to your remote host, in my case 74.208.13.81. Now that you’ve got proxychains configured and your ssh tunnel is up and running you’re ready to go. We don’t need to configure SVN we just need to have the client installed. So now that you’ve got everything up and running simply issue the command below to download the latest Metasploit.

What this final command will do is use proxychains to wrap the SVN protocol into your ssh tunnel thus allowing you to download the latest version of Metasploit behind a restrictive firewall, pretty nifty huh.

Keep in mind this will download metasploit into whatever directory you happen to be in. If for example you wanted to download metasploit into your home directory (e.g /home/travis) then issue the following command.

Also keep in mind that in the above examples proxychains is assumed to be a recognized command and is set in your path. I installed proxychains in my /opt directory so I had to issue the proxychains command below.

Happy sploiting and downloading, hope this explanation helps.