Unix-privesc-checker

Unix-privesc-checker is a script that runs on Unix systems (tested on Solaris 9, HP-UX 11, several Linux distributions and FreeBSD 6.2). It tries to find configuration mistakes that could let users without the proper privileges escalate their privileges and reach local applications (e.g. databases).

It is a plain shell script, so it is easy to download and run. It can be executed either as a normal user or as root (obviously it gives better results when run as root, because it can read more files).


Download

unix-privesc-check v1.0 can be downloaded here.

Usage

The download is gzipped, so just gunzip it. Upload it to the server you want to audit / pentest and run:

$ ./unix-privesc-check > output.txt

It prints a lot of noise to the screen, so the best approach is probably to redirect everything to an output file and search it for the word "WARNING". If you do not see "WARNING", the script found nothing suspicious.

$ ./unix-privesc-check

Starting unix-privesc-check v1.0 ( http://pentestmonkey.net/tools/unix-privesc-check )

This script checks file permissions and other settings that could allow
local users to escalate privileges.

Use of this script is only permitted on systems which you have been granted
legal permission to perform a security assessment of.  Apart from this
condition the GPL v2 applies.

Search the output below for the word 'WARNING'.  If you don't see it then
this script didn't find any problems.

Assuming the OS is: linux

############################################
Checking if external authentication is allowed in /etc/passwd
############################################
No +:... line found in /etc/passwd

############################################
Checking nsswitch.conf for addition authentication methods
############################################
Neither LDAP nor NIS are used for authentication

… lots more output … 
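The two checks shown in the output above are simple file inspections. As an added illustration (this is not the tool's own code, which is a shell script), here is a Python version of both checks run over constructed sample files: a passwd file containing an NIS compat "+" entry and an nsswitch.conf that resolves passwd through LDAP. The function names, the warning wording and the sample files are this example's own; count_warnings mirrors the advice above to search the saved report for "WARNING".

```python
import sys
from typing import List

# Constructed sample inputs (not taken from any real host): a passwd file with
# an NIS "+" compat entry and an nsswitch.conf that consults LDAP for passwd.
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
    "+::::::\n"
)
SAMPLE_NSSWITCH = (
    "# /etc/nsswitch.conf\n"
    "passwd:     files ldap\n"
    "shadow:     files\n"
    "group:      files\n"
    "hosts:      files dns\n"
)

# Name-service sources that hand authentication data to an external server.
EXTERNAL_SOURCES = {"ldap", "nis", "nisplus"}
# Only these databases matter for the authentication check.
AUTH_DATABASES = {"passwd", "shadow", "group"}


def check_passwd_external_auth(passwd_text: str) -> List[str]:
    """Flag '+' / '-' compat entries, which hand user lookups to NIS/NIS+.

    Mirrors the tool's 'Checking if external authentication is allowed in
    /etc/passwd' check; the warning format is this example's own.
    """
    warnings = []
    for lineno, line in enumerate(passwd_text.splitlines(), 1):
        if line.startswith(("+", "-")):
            warnings.append(
                f"WARNING: passwd line {lineno} enables external "
                f"(NIS compat) authentication: {line!r}"
            )
    return warnings


def check_nsswitch(nsswitch_text: str) -> List[str]:
    """Flag passwd/shadow/group databases that are resolved via LDAP or NIS."""
    warnings = []
    for line in nsswitch_text.splitlines():
        body = line.split("#", 1)[0].strip()  # drop comments
        if ":" not in body:
            continue
        database, _, sources = body.partition(":")
        database = database.strip()
        if database not in AUTH_DATABASES:
            continue
        for source in sources.split():
            if source.startswith("["):  # skip action specs like [NOTFOUND=return]
                continue
            if source.lower() in EXTERNAL_SOURCES:
                warnings.append(
                    f"WARNING: nsswitch.conf resolves '{database}' via {source}"
                )
    return warnings


def run_checks(passwd_text: str, nsswitch_text: str) -> List[str]:
    """Run both checks and return their WARNING lines (empty list means clean)."""
    return check_passwd_external_auth(passwd_text) + check_nsswitch(nsswitch_text)


def count_warnings(report: str) -> int:
    """Equivalent of searching a saved report for the word WARNING."""
    return sum(1 for line in report.splitlines() if "WARNING" in line)


if __name__ == "__main__":
    # Pass the paths of a real passwd and nsswitch.conf to audit a host;
    # with no arguments the constructed samples are used.
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f:
            passwd = f.read()
        with open(sys.argv[2]) as f:
            nsswitch = f.read()
    else:
        passwd, nsswitch = SAMPLE_PASSWD, SAMPLE_NSSWITCH
    report = "\n".join(run_checks(passwd, nsswitch))
    print(report or "No problems found")
    print(f"{count_warnings(report)} warning(s)")
```

Run with no arguments to see the two warnings the samples trigger, or with the real /etc/passwd and /etc/nsswitch.conf paths to audit a host; a "+" line in passwd only has an effect when nsswitch.conf uses the compat source, so in practice you read the two results together.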


This script is very useful for administrators who want to keep their systems at a higher security level, as well as for pentesters who need to audit a Unix server.


Defcon Groups: DC55111 (Chapter Brazil-SP)

Folks, RootSecurity has been added to the official list of groups recognized by Defcon as a DefconGroup. RootSecurity will be listed as DC55111 on the DCG site, and we will receive first-hand news and interesting information about what is going to happen at Defcon.

We will be registered as http://dg.rootsecurity.com.br

From here we can only grow.

Book of Month: February/2008

Windows Hacking Exposed

Hacking Exposed Windows: Microsoft Windows Security Secrets and Solutions
Author: Joel Scambray
Publisher: McGraw-Hill Osborne Media
Year: 2007
Pages: 480
Description: Meet the challenges of Windows security with the exclusive Hacking Exposed "attack-countermeasure" approach. Learn how real-world malicious hackers conduct reconnaissance of targets and then exploit common misconfigurations and software flaws on both clients and servers. See leading-edge exploitation techniques demonstrated, and learn how the latest countermeasures in Windows XP, Vista, and Server 2003/2008 can mitigate these attacks. Get practical advice based on the authors' and contributors' many years as security professionals hired to break into the world's largest IT infrastructures.

phpSHOP 0.8.1 SQL Injection: Packet Storm Security

http://packetstormsecurity.org/filedesc/phpshop081-sql.txt.html

File Name: phpshop081-sql.txt
Description: phpSHOP version 0.8.1 suffers from a SQL injection vulnerability in login.php.
Author: y2h4ck
Homepage: https://y2h4ck.wordpress.com/
File Size: 1579
Last Modified: Feb 15 15:32:16 2008
MD5 Checksum: adeea1ca876a3e67f781406f38e9a6ba

phpSHOP 0.8.1 SQL Injection Vulnerability

[+]----------------------------------------------[+]

phpSHOP 0.8.1 SQL Injection
[+]----------------------------------------------[+]
author: y2h4ck
e-mail: y2h4ck[ at ] gmail.com
page: https://y2h4ck.wordpress.com
[+]----------------------------------------------[+]
Vuln script: http://shop/0.8.1/?login=1&&
String: /?login='1==1' select --
In the login/password input box you can pass some SQL Injection strings to manipulate
the behavior of the mysql Queries to the phpSHOP
Result:
[+]----------------------------------------------[+]
Database error: Invalid SQL: SELECT * from auth_user_md5,user_info WHERE auth_user_md5.username =''1==1' select --' AND auth_user_md5.password ='d41d8cd98f00b204e9800998ecf8427e'AND auth_user_md5.password ='d41d8cd98f00b204e9800998ecf8427e'AND auth_user_md5.user_id = user_info.user_id AND user_info.address_type = 'BT'

MySQL Error: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '1==1' select --' AND auth_user_md5.password ='d41d8cd98f00b204e9800998ecf8427e'A' at line 1)

[+]----------------------------------------------[+]

Version: 0.8.1
Vendor : www.phpshop.org

Date: 14/02/2008

[+]----------------------------------------------[+]
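The error message echoed in the advisory above shows the root cause: the login form's values are pasted straight into the SQL text, so whatever is typed becomes part of the query. The following added example (not phpSHOP's code) rebuilds that query against an in-memory SQLite database in two ways, first by string concatenation as the echoed query shows, then with bound parameters, and runs the advisory's own input through both. The table names auth_user_md5 and user_info, the columns user_id, username, password and address_type, and the MD5 password scheme come from the advisory; the city column, the sample user and the function names are constructed for this example.

```python
import hashlib
import sqlite3
from typing import Optional, Tuple

# The input string from the advisory above, used here only to show how each
# query style handles it.
ADVISORY_PAYLOAD = "'1==1' select --"


def md5_hex(text: str) -> str:
    """phpSHOP stored MD5 hashes; md5('') is the d41d8cd9... value in the advisory."""
    return hashlib.md5(text.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the two tables named in the error message.

    Only user_id/username/password/address_type come from the advisory; the
    city column and the single sample user are this example's own.
    """
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE auth_user_md5 (user_id INTEGER, username TEXT, password TEXT);
        CREATE TABLE user_info (user_id INTEGER, address_type TEXT, city TEXT);
        INSERT INTO user_info VALUES (1, 'BT', 'Sao Paulo');
        """
    )
    conn.execute(
        "INSERT INTO auth_user_md5 VALUES (1, 'alice', ?)",
        (md5_hex("correct horse"),),
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> Optional[Tuple]:
    """Builds the WHERE clause by string concatenation, the pattern visible in the
    advisory's echoed query: user-controlled text becomes SQL syntax."""
    sql = (
        "SELECT user_info.city FROM auth_user_md5, user_info "
        "WHERE auth_user_md5.username = '" + username + "' "
        "AND auth_user_md5.password = '" + md5_hex(password) + "' "
        "AND auth_user_md5.user_id = user_info.user_id "
        "AND user_info.address_type = 'BT'"
    )
    return conn.execute(sql).fetchone()


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> Optional[Tuple]:
    """Same query with bound parameters: the driver passes the values as data,
    so the advisory's string is compared as a literal username and matches nothing."""
    sql = (
        "SELECT user_info.city FROM auth_user_md5, user_info "
        "WHERE auth_user_md5.username = ? "
        "AND auth_user_md5.password = ? "
        "AND auth_user_md5.user_id = user_info.user_id "
        "AND user_info.address_type = 'BT'"
    )
    return conn.execute(sql, (username, md5_hex(password))).fetchone()


def probe(conn: sqlite3.Connection, username: str, password: str) -> dict:
    """Run both versions on the same input and report what each one did."""
    result = {}
    try:
        result["vulnerable"] = login_vulnerable(conn, username, password)
    except sqlite3.Error as exc:
        # The concatenated query is no longer valid SQL, which is the
        # "Invalid SQL" / error 1064 the advisory shows on MySQL.
        result["vulnerable"] = f"SQL error: {exc}"
    result["parameterized"] = login_parameterized(conn, username, password)
    return result


if __name__ == "__main__":
    db = make_db()
    print(probe(db, "alice", "correct horse"))   # both variants log the user in
    print(probe(db, ADVISORY_PAYLOAD, ""))       # concatenation errors, binding rejects
```

The concatenated version fails the same way the advisory's MySQL query did (a syntax error exposed to the client, which is how the issue was spotted), while the parameterized version simply finds no such user. Parameter binding is the fix; the database error text should also not be returned to the browser, since it hands out table and column names.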

Tactical Exploitations – The other Way to Pentest

I came across this and am reading it now; it is very interesting and covers many great topics. I believe it is a must-have for everyone who works with pentesting/security.

Authors: H D Moore (hdm[at]metasploit.com); Valsmith (valsmith[at]metasploit.com)
Last update: 08/09/2007

Title: Tactical Exploitation OR "The Other Way to Pen-Test" OR "Random Pwning Fun Bag"

1.1 Abstract
Penetration testing often focuses on individual vulnerabilities and services. This
paper introduces a tactical approach that does not rely on exploiting known
flaws. The first section of this paper covers information gathering and discovery
techniques, with a concentration on third-party services and new tools. The
second section of this paper combines the information discovery techniques in
the first section with various protocol and implementation weaknesses, in order
to provide clear steps for gaining access to a target network.

Contents
1 Introduction
  1.1 Abstract
  1.2 Background
  1.3 Author Bio - HD Moore
  1.4 Author Bio - Valsmith
  1.5 Acknowledgements
2 The Tactical Approach
  2.1 Vulnerabilities
  2.2 Competition
3 Information Discovery
  3.1 Personnel Discovery
    3.1.1 Search Engines
    3.1.2 Paterva's Evolution
  3.2 Network Discovery
    3.2.1 Discovery Services
    3.2.2 Bounce Messages
    3.2.3 Virtual Hosting
    3.2.4 Outbound DNS
    3.2.5 Direct Contact
  3.3 Firewalls and IPS
    3.3.1 Firewall Identification
    3.3.2 IPS Identification
  3.4 Application Discovery
    3.4.1 Slow and Steady wins the Deface
    3.4.2 Finding Web Apps with W3AF
    3.4.3 Metasploit 3 Discovery Modules
  3.5 Client Application Discovery
    3.5.1 Browser Fingerprinting
    3.5.2 Mail Client Fingerprinting
    3.5.3 SMB Client Fingerprinting
  3.6 Process Discovery
    3.6.1 Traffic Monitoring with IP IDs
    3.6.2 Web Site Monitoring with HTTP
    3.6.3 Usage Monitoring with MS FTP
4 Information Exploitation
  4.1 Introduction
  4.2 External Networks
    4.2.1 Attacking File Transfers
    4.2.2 Attacking Mail Services
    4.2.3 Attacking Web Servers
    4.2.4 Attacking DNS Servers
    4.2.5 Attacking Database Servers
    4.2.6 Attacking NTLM Authentication
    4.2.7 Free Hardware
  4.3 Internal Networks
    4.3.1 Web Proxy Auto-Discovery Protocol
    4.3.2 Microsoft DNS Servers
    4.3.3 Microsoft WINS Servers
    4.3.4 Exploiting NTLM Relays
    4.3.5 SMB and Samba
  4.4 Trust Relationships
    4.4.1 NFS Home Directories
    4.4.2 Hijacking SSH
    4.4.3 Hijacking Kerberos
5 Conclusion

Enjoy this wonderful paper, written by people who really know their stuff =]
http://packetstorm.offensive-security.com/papers/attack/tactical_paper.pdf