The IKat - Interactive Kiosk Attack Tool - is an excellent online resource. Head your kiosk in its direction and use its online tools for escaping your sandbox!
http://ikat.ha.cked.net/
And tips retrieved from Paul Craig’s Defcon presentation “Hacking Internet Kiosk’s” available at:
http://defcon.org/images/defcon-16/dc16-presentations/defcon-16-craig.pdf
1- Accessing the filesystem through a browser's URL bar, or any other control that may provide us with a way of browsing the filesystem. Different representations for a sample c:\windows string:
File:/C:/windows File:/C:\windows\ File:/C:\windows/ File:/C:/windows
File://C:/windows File://C:\windows/ file://C:\windows C:/windows
C:\windows\ C:\windows C:/windows/ C:/windows\
%WINDIR% %TMP% %TEMP% %SYSTEMDRIVE% %SYSTEMROOT% %APPDATA% %HOMEDRIVE% %HOMESHARE%
2- If we find a View dialog or an Open File dialog, navigate the filesystem and look for cmd.exe - try to execute it, or drag and drop a file onto cmd.exe to spawn it.
3- Internet Explorer’s ‘image toolbar’ which pops up when you click on a large image. File/Save, Print, Mailto, or even “Open My Pictures”
4- Keyboard shortcuts - besides the obvious ones (well, these are probably obvious too): CTRL-B, CTRL-I, CTRL-H, CTRL-L, CTRL-O, CTRL-P, CTRL-S
5- Hidden Kiosk menu! Try to guess the combo (CTRL-ALT-F8, F9?)
6- The about: protocol handler. about:<a href="c:\windows\">Click-Here</a> may work
7- The Shell protocol handler: Shell:Profile, Shell:ProgramFiles, Shell:System, Shell:ControlPanelFolder, Shell:Windows
8- Shell with classid, i.e.: shell:::{21EC2020-3AEA-1069-A2DD-08002B30309D}
Additionally, from my own experience, the kiosk may come with a full multimedia keyboard. Make use of every single multimedia button! It will probably make things easier/faster. Not to mention you should press the buttons 100 times in a row - you will be amazed at how many race conditions there are.
Peeeeace
Posted in Methodology, Tools on 05/03/2009 02:00 pm by Consultant
While updating a Magento (http://www.magentocommerce.com/) deployment, the updater failed after having successfully downloaded each new file, leaving hundreds of files in the form of:
.tmpWhateverFile.php <– looks like the new version of the file
WhateverFile.php.bak <– looks like the renamed version of the file queued for deletion
The following Python script should help: it renames the .tmp version of each file to the original filename and removes the .bak files.
import os
import re

# Updater leftovers: ".tmp<name>" is the new file, "<name>.bak" the old one.
tmpfiles = re.compile(r"^\.tmp.*")
bakfiles = re.compile(r"^.+\.bak$")

def listFiles(directory):
    basedir = directory
    subdirlist = []
    for fname in os.listdir(directory):
        path = os.path.join(basedir, fname)
        if os.path.isfile(path):
            # search for tmp files and rename to good files
            if tmpfiles.match(fname):
                newname = fname[4:]  # strip the leading ".tmp"
                os.rename(path, os.path.join(basedir, newname))
                print(fname, "renamed to:", newname)
            # remove the renamed originals queued for deletion
            elif bakfiles.match(fname):
                print("removing file:", fname)
                os.remove(path)
        elif os.path.isdir(path):
            subdirlist.append(path)
    # recurse into subdirectories once this level is done
    for subdir in subdirlist:
        listFiles(subdir)

listFiles(r"d:\test-dir\code")
Enjoy,
-AV
Posted in Code, Tools on 12/03/2008 12:07 pm by Consultant
I have mentioned the tool in my previous post but the tool deserves an entire dedicated post! If you were looking for a tool to count source code lines, here’s a nice one.
Take a look at CLOC (http://cloc.sourceforge.net/), an excerpt from its website:
“cloc counts blank lines, comment lines, and physical lines of source code in many programming languages. It is written entirely in Perl with no dependencies outside the standard distribution of Perl v5.6 and higher (code from some external modules is embedded within cloc) and so is quite portable. cloc is known to run on many flavors of Linux, AIX, Solaris, IRIX, z/OS, and Windows. (To run the Perl source version of cloc on Windows one needs ActiveState Perl 5.6.1 or higher, or Cygwin installed. Alternatively one can use the Windows binary of cloc generated with perl2exe to run on Windows computers that have neither Perl nor Cygwin.)
cloc contains code from David Wheeler’s SLOCCount, Damian Conway and Abigail’s Perl module Regexp::Common, and Sean M. Burke’s Perl module Win32::Autoglob, … ”
Hope you find it useful
Posted in Code, Tools on 07/14/2008 02:28 pm by Consultant
I’ve been looking around certain Gmail topics, including how to wipe out everything from your Inbox (I will talk about that in my next post) and one of the things I was interested in was ’security’.
If you are a Gmail user and a Firefox user, then consider taking a look at customizegoogle.com
I’m not affiliated with that site by any means, and I dislike the fact that it looks more commercial than good, but the reality is that along with their promises of being spyware-free, it really does a good job when it comes to protecting your communication with gmail.
Included with that Firefox plugin are lots of other features, such as disabling Google ads while you search @ Google or while you're inside Gmail. But the one I care about most is a feature that forces SSL every time you surf your mail @ Gmail.
Why do you need that? Simple. Head your browser to www.gmail.com - you will find that you are automatically redirected to the SECURE version, yes. However, the point of that is to protect your username and password while logging in (otherwise they would be sent in plaintext through the network).
The problem starts right after you have logged in. You will notice that you're no longer in the secure version under SSL but rather back on the standard http:// protocol. You can switch back to the secure version manually, that is, by modifying the URL and adding that extra 's' after http, making it https:// - However, once is ok, twice.. fine, but three times, or every single time you log into Gmail, remembering to switch back to the secure version is a freaking pain in the behind. Not to mention that once you've realized you are in the insecure version, your e-mail headers (that e-mail list with extracts from the e-mails you received) have already been sent to you in plaintext.
If you add to that my other post where I mention FireGPG and GPG4Win (http://www.penetrationtests.com/blog/2008/05/07/it-looks-like-the-gpgfirefoxwindowsgmail-puzzle-is-solved/) then you have plenty of security added to the default gmail package.
Check it out, it’s worth it!
Good luck.
Posted in Hardening, Tools on 05/29/2008 07:15 am by Consultant
This is meant for replacing your own watermarks, not for the purpose of stealing someone else’s content!
But using ImageMagick (http://www.imagemagick.org) you can easily replace a portion of the image (*.jpg in this case) with the portion that goes on top, your new logo for instance (little.gif in this case):
@echo off
for %%X in (*.jpg) do composite -geometry +0+178 little.gif "%%X" "output\%%X"
The -geometry option is for providing a specific horizontal and vertical position within the original image.
What does it have to do with penetration testing, you may ask - well, it could come in handy during a client-side attack where you need to reuse several images quickly, or simply because, during a period when you run out of work, you can work as a designer? Oh well.
Hope it helps, it sure helps me remember.
Posted in Tools on 05/25/2008 10:13 am by Consultant
I just retrieved this from Ed Skoudis’s presentation that I just mentioned in my previous post (look it up!)
Windows’ shell scripting is really in the dark, at least for me. I’m constantly looking for new ways of creating smart batch scripts and it really gets to be a pain in the ass to find something useful.
It is therefore a must to store the following one. It opens a file of commands using a delimiter character (^) that will never actually appear in the lines - which stops Windows from splitting each line on spaces, its default delimiter - then runs each command and finally dumps the output to a file!
c:\> for /L %i in (1,0,2) do (for /f "delims=^" %j in (commands.txt) do cmd.exe /C %j >> output.txt & del commands.txt) & ping -n 2 127.0.0.1
Goodbye!
Posted in Methodology, Tools on 05/25/2008 09:44 am by Consultant
I’m watching the following Webcast by Ed Skoudis which was hosted by Core Security Technologies:
Penetration Testing Ninjitsu Part II: Crouching Netcat, Hidden Vulnerabilities with Ed Skoudis at CORE Security
Ed talks about the importance of being aware of your ISP filtering policies at the time of conducting a pentest, which sounds obvious but then again it’s easy to forget.
He also discusses some techniques for replacing the netcat client in Linux and Windows, and provides examples for creating reverse shells using /dev/tcp and creating port scanners both in linux/windows, among other things.
In my personal opinion, the Windows port scanning options are not worth it; he sure works around the limitations imposed by Windows' telnet and ftp clients, and I believe he mentions them for a specific case in which you may have no other way of performing an automated port scan.
You can leave it on and hear him speak while you do something else, won’t be a waste of time.
Posted in Methodology, Tools on 05/25/2008 09:37 am by Consultant
The tool has a free version and takes care of wiping a significant amount of information any time it runs. You can configure it to run every time Windows starts (it would be nice if the action triggered every time Windows shut down as well).
It currently cleans the following:
- Internet Explorer: Temporary files, URL history, cookies, Autocomplete form history, index.dat.
- Firefox: Temporary files, URL history, cookies, download history.
- Opera: Temporary files, URL history, cookies.
- Windows: Recycle Bin, Recent Documents, Temporary files and Log files.
- Registry cleaner: Advanced features to remove unused and old entries, including File Extensions, ActiveX Controls, ClassIDs, ProgIDs, Uninstallers, Shared DLLs, Fonts, Help Files, Application Paths, Icons, Invalid Shortcuts and more… also comes with a comprehensive backup feature.
- Third-party applications: Removes temp files and recent file lists (MRUs) from many apps including Media Player, eMule, Kazaa, Google Toolbar, Netscape, MS Office, Nero, Adobe Acrobat, WinRAR, WinAce, WinZip and many more…
You can find it here; it won't bug you, and you can configure the wiping to be better than a simple round of zeros - so far so good.
http://www.ccleaner.com/
Looking for more useful tools to have handy!
Hope that helps
Posted in Tools on 05/14/2008 08:22 am by Consultant
This is a quick post but I don’t want to forget this! The guys over at voipsec.eu mention these 2 useful links:
http://getfiregpg.org/
“FireGPG is a Firefox extension under MPL which brings an interface to encrypt, decrypt, sign or verify the signature of text in any web page using GnuPG.”
http://www.gpg4win.org/
“Gpg4win is an installer package for Windows (2000/XP/2003/Vista) with computer programs and handbooks for EMail and file encryption. Both relevant cryptography standards are supported, OpenPGP and S/MIME (the latter is in progress and currently works with GnuPG2 and Claws Mail).”
I’ll try these out sometime soon.
Posted in Tools on 05/07/2008 07:36 am by Consultant
I just found this somewhat excellent article on Winzip encryption by Dave Whitelegg who took the job of analyzing the different types of encryption provided by Winzip and proceeded to test them out to see how efficient they really are in real-world usage.
The url of the article is the following:
http://blog.itsecurityexpert.co.uk/2008/01/winzip-encryption-password-security.html
I fully recommend going through the entire article. The question on whether using Winzip encryption is fair or not tends to come up when talking about deliverables. If you have to send a series of deliverables that carry sensitive information (a draft or final report, slides, anything) to a client who doesn’t really use pgp/gpg nor any kind of secure communication channel, then you’re looking at either crafting a self-decrypting archive through PGP Desktop, some other option, or using Winzip encryption.
The article discusses what you need to be aware of, if you are planning on going for Winzip encryption.
Basically the main points are:
- Don’t use Winzip encryption prior to Winzip version 9. Earlier versions carried a home-grown implementation that was broken several times.
- Use AES, and go for the key size of your choice (the bigger the better, you could say)
- Your password NEEDS TO BE (and don't break any of these rules, because that's what makes the protection strong):
- At least 12 characters in length
- Random, not containing any dictionary words, common words or names
- Have at least one upper-case character
- Have at least one lower-case character
- Have at least one numeric character
- Have at least one special character, e.g. $,£,*,%,&,!
- Even if a file is protected/encrypted, Winzip permits you to browse around the directory structure, having access to the names of the encrypted files. Therefore it wouldn’t make sense to protect your super-secret client in bananas.zip if inside you’re going to find Report - Super Secret Client Name here - 2008.pdf
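The last point is a property of the ZIP format itself: both the legacy ZipCrypto scheme and WinZip's AES mode encrypt file contents only, while the central directory that lists every file name stays in the clear. The following Python script is an added example, not from the article: it builds a constructed in-memory archive (the standard library cannot write WinZip AES, so the encryption flag bit is simply set on the entries to mimic the header layout) and then reads the names straight out of the central directory without any password.

```python
import io
import struct
import zipfile

EOCD_SIG = struct.pack("<I", 0x06054B50)  # end of central directory record
CDH_SIG = 0x02014B50                       # central directory file header
FLAG_ENCRYPTED = 0x0001                    # general purpose flag, bit 0

SAMPLE_FILES = {  # constructed sample contents; the telling name is the one from the post
    "Report - Super Secret Client Name here - 2008.pdf": b"%PDF-1.4 constructed placeholder",
    "slides.pptx": b"constructed placeholder",
}


def iter_central_headers(data):
    """Yield (offset, flags, name) for every central directory header. The EOCD
    record is at the very end (bar an optional comment), so search from the back."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("not a ZIP archive")
    count, _cd_size, cd_offset = struct.unpack_from("<HII", data, eocd + 10)
    off = cd_offset
    for _ in range(count):
        if struct.unpack_from("<I", data, off)[0] != CDH_SIG:
            raise ValueError("corrupt central directory")
        flags = struct.unpack_from("<H", data, off + 8)[0]
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, off + 28)
        name = bytes(data[off + 46:off + 46 + name_len]).decode("utf-8")
        yield off, flags, name
        off += 46 + name_len + extra_len + comment_len


def build_archive(files, mark_encrypted=True):
    """Build an in-memory ZIP. The stdlib cannot write ZipCrypto or WinZip AES, so
    encrypted entries are mimicked by setting bit 0 in each directory header."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    data = bytearray(buf.getvalue())
    if mark_encrypted:
        for off, flags, _ in iter_central_headers(bytes(data)):
            struct.pack_into("<H", data, off + 8, flags | FLAG_ENCRYPTED)
    return bytes(data)


def visible_names(data):
    """Everything a recipient can read with no password: each name and its flag."""
    return [(name, bool(flags & FLAG_ENCRYPTED)) for _, flags, name in iter_central_headers(data)]
```

Running visible_names(build_archive(SAMPLE_FILES)) lists the report's full name with its entry marked encrypted, which is exactly what a curious recipient of bananas.zip would see.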
And that’s it. I guess one final comment would be that Winzip is not free. Have that in mind, we’re talking about a commercial application here.
Enjoy your day!
Posted in Hardening, Tools on 01/24/2008 05:15 am by Consultant