Friday, 13 March 2015

Infosec's CTF writeups [Level 3 - QRception]


Level 3
QRception





We need to scan deeper..

The best thing about the puzzle in level 3 is that it's a puzzle within a puzzle!
So it's almost like you've got a hidden bonus level (yay!)

When you enter level 3 you'll be greeted with a page that contains a picture in the middle of it that doesn't really look like ... anything.
The reason this picture looks the way it does is that this is no ordinary picture, it's a QR code!
Simply put, a QR code is a nifty little representation of arbitrary data as a picture, which can then be printed on anything from business cards to toilet stall doors.



While a QR code might look complex, the way it works is actually really simple.

Let's assume that we have a piece of software that converts anything you feed it into a QR code.
The first thing this software would do is convert all the data you gave it to binary (0's and 1's), after which it'll start generating the picture. The picture is constructed by placing a black square for each 1 from the previous conversion process and a white square for each 0.
But that doesn't mean that you have a fully operational QR code yet! What the software will do next is create multiple copies of the picture it created above and place them all in one relatively bigger picture. It does that to account for any damage that may happen to any part of the picture, or rather to the medium the picture's been printed on (i.e. paper, soda can, cardboard etc.)
So for example, if it was printed on a piece of paper and somebody spilled some water on the right part of it, it'd still be scannable since there are multiple little copies on the other side that are still intact.
There are also these squares within squares at the corners, which give the scanner a sense of perspective about the size of the QR code it's currently scanning and compensate for any skew in the angle you're scanning from (ideally you should be facing the image while scanning it, but sometimes you don't get this luxury).

So now that we know what kind of picture that was on level 3's page, let's scan it!
For this writeup I'll be using an online service that scans QR code images for you without a camera; it simply decodes the image directly and gives you the output in plain text.
So let's fire up our browsers, go to zxing.org's QR decoder and feed it the URL of our mystery picture (right click, Copy image URL, just in case).
If all went well you should have an output exactly like this:

It gave out some data, but what we care about the most is the "raw text" field, because there lies our precious output ... which still looks like nothing ...



And now we start the second part of our puzzle!
One of the undeniable rules of life is that if you ever see dots and dashes next to each other, you know for a fact that you're reading Morse code.
Without delving into boring history, Morse code in essence is just another way of representing data through dots and dashes, or on and off signals, or beeps, or light flashes or anything that can represent that binary system.
For example here's "Hello world" in Morse code:




Cool, isn't it?
As you saw in the video, every letter in English corresponds to a set of dashes and dots in Morse code. All you have to do is represent these dashes and dots through sound, light or any other medium and you can convey secret messages in an obsolete language in no time!
Here's a picture in case you're interested in knowing how to convert English to Morse code:

So now that we know what that was about as well, let's feed it to its own translator. For this we'll head over to this Morse code decoder and feed it our message.
Again, if all went well it should return something like this.



And finally that translated to our flag text, which says (after adding spaces): "INFOSEC FLAG IS MORSING".
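The decoding step done by the online translator, as an added example (not part of the original writeup): a small Morse decoder that also normalises look-alike dot and dash characters and reports tokens it cannot decode. The real QR payload is not reproduced on this page, so SAMPLE is constructed from the flag text, assuming it carried letter gaps but no word gaps.

```python
import re

# International Morse code for the letters and digits.
MORSE = {
    "A": ".-",   "B": "-...", "C": "-.-.", "D": "-..",  "E": ".",    "F": "..-.",
    "G": "--.",  "H": "....", "I": "..",   "J": ".---", "K": "-.-",  "L": ".-..",
    "M": "--",   "N": "-.",   "O": "---",  "P": ".--.", "Q": "--.-", "R": ".-.",
    "S": "...",  "T": "-",    "U": "..-",  "V": "...-", "W": ".--",  "X": "-..-",
    "Y": "-.--", "Z": "--..",
    "0": "-----", "1": ".----", "2": "..---", "3": "...--", "4": "....-",
    "5": ".....", "6": "-....", "7": "--...", "8": "---..", "9": "----.",
}
DECODE = {code: char for char, code in MORSE.items()}

# Look-alike characters that web pages and scanners substitute for '.' and '-':
# middle dot, bullet, en dash, em dash, minus sign, underscore.
LOOKALIKES = str.maketrans({
    "\u00b7": ".", "\u2022": ".",
    "\u2013": "-", "\u2014": "-", "\u2212": "-", "_": "-",
})
# Words are separated by '/', by three or more spaces, or by line breaks.
WORD_GAP = re.compile(r"\s*/\s*|\s{3,}|\n+")


def encode(text):
    """Encode letters and digits: one space between letters, ' / ' between words."""
    return " / ".join(" ".join(MORSE[c] for c in word) for word in text.upper().split())


def decode(signal):
    """Return (text, unknown); unknown lists the tokens that are not in the table."""
    words, unknown = [], []
    for word in WORD_GAP.split(signal.translate(LOOKALIKES).strip()):
        letters = []
        for token in word.split():
            if token in DECODE:
                letters.append(DECODE[token])
            else:
                letters.append("?")          # keep the position visible in the output
                unknown.append(token)
        if letters:
            words.append("".join(letters))
    return " ".join(words), unknown


# Constructed sample input (assumption: letter gaps only, no word gaps).
SAMPLE = encode("INFOSECFLAGISMORSING")

if __name__ == "__main__":
    print(SAMPLE)
    print(decode(SAMPLE))
```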

Definitely it's been one of the most fun levels to play as it gives you a break from the technical stuff and doesn't take a huge knowledge base to solve.

if ("you made it this far"):
    print("Thank you for reading, See you again in another write-up.")






Monday, 22 September 2014

Episode 9: Maltego




Kali Linux Tools Tutorials

Episode 8

Maltego



First of all I would like to apologize for the incredible delay between this post and the last one. A lot's been going on here and it was all too distracting; add to that a little laziness.
So without further ado I present to you the king of enumeration! The most feel-like-an-NSA-agent tool in BackTrack, the Jennifer Lawrence of enumeration tools (you guessed it!): Maltego.

That tool is so powerful it sometimes gives you warnings before you use some of its features, and its paid version has even more 007-y features.


The cool graphic interface
Jokes aside though, Maltego is a pretty awesome enumeration tool. It's not just about enumerating DNS records for a target; it can get you information about ANYTHING you feed it, including email addresses, names, and even phone numbers! In addition, of course, to the multitude of pentesting-related features it offers.
Unlike the tools we've discussed previously in this series, Maltego has a graphical interface (GUI), which makes things much easier since it uses visual representation to show you the data it collected and any correlations between them in a CSI-like form.

When you first start Maltego you'll need to sign up on Paterva's website (the folks who made it). The whole process takes no time and is absolutely free.





After starting Maltego and signing up you'll be presented with this screen:
This is the starting screen for Maltego. It contains some info about the tool, the latest updates, where to contact them etc.






In order to start working with it you'll need to create a "New Graph" by clicking the first little icon next to that thing in th- Let me just show you..

So after you click that you'll get your own brand new graph (woo!)
A Maltego graph is like the blank canvas on which you will draw your enumeration masterpiece, if that makes any sense..






In order to get things started you need to drag an "entity" from the palette on the right. An entity is the object which you would like to enumerate, for example a domain, an email address, a phone number etc.
So let's try to drag a domain entity from the palette on the right to the middle of the screen (please don't tell me that I have to take a picture for that..)
In order to change the default domain to scan, double click the entity and change the "domain name" field. For this demonstration I'll be using scanme.org.
After setting the domain name successfully, it's time to start the enumeration process.
To start a lookup in Maltego you need to right click your domain icon and click "Run Transform". I really don't know why they called them "transformations", but you can think of them as the type of lookup you want to perform on that target.
If you've updated your Maltego you should get tons of transformations to choose from. For this demonstration I will use a complete set of DNS lookup transformations, which you can get to by choosing Run Transform --> DNS from domain --> All in this set. This will result in the following:

As you can see, the tool has performed a DNS lookup of the target domain and has found 5 nameservers, a web server and a mail server, which it then sorted in this linked view so you can easily figure out who's linked to whom and what comes from where.
We can also gain information about the owner of the domain by choosing "Domain owner detail" from the transformations menu. I chose the whole set there and this was the result:

Bear in mind that the tool CAN return some false positives, like in the last picture when it returned -.Domain as a location.

Every entity that you click (or right click, to be precise) in Maltego has its own set of useful transformations to offer, using which you can construct a full, comprehensive graph of a target's structure, and you may even include some info about the owners of the targets, like their phone numbers and emails, if you're lucky.

This was a very brief and concise tutorial on Maltego and by no means does it do the tool any justice. If you're interested in the tool you can read the user manual provided by Paterva, which covers most of its functions comprehensively.


________________________________________________________


Next Episode: URLCRAZY

Wednesday, 10 September 2014

Episode 8: Fierce


Kali Linux Tools Tutorials
Episode 8
Fierce



Fierce is a powerful Perl script written by a guy that I personally like in a non-homosexual way: Rsnake Hansen.
Fierce is used for DNS enumeration, with some other nice features along the way, which include zone transfers and subdomain bruteforcing.

The not so helpful page

Starting the tool without any arguments gets you a not-so-helpful help page.
To get to a more useful one you need to provide the -h switch, which gives you the help page with all the options.





The flood of text unleashed by the -h switch
Aaaaand as always a quick review of the options and their functions: 

  • -connect: Connects to a host on port 80 (HTTP) and executes the HTTP statements (requests) written in a file that you specify as the argument to -connect.
  • -delay: Specifies the period of time between each query.
  • -dns: Specifies the target you want to scan.
  • -dnsfile: Uses the DNS servers listed in a file that you specify.
  • -dnsserver: Specifies a single DNS server to use in querying.
  • -file: Specifies a file to output results to.
  • -fileoutput: Specifies a file to output the results of the -connect switch to, which will be everything the webserver sends back.
  • -range: Specifies a range of IPv4 addresses to scan. Must be used with the -dnsserver switch.
  • -wide: Scans the whole Class C network for more info.
  • -wordlist: Specifies a wordlist of your own for bruteforcing subdomains. Can be useful in case you have a few subdomains in mind that you want to scan for.
The rest of the options cannot be explained better than the help page does. Now let's play around with it and see it in action.

For this tutorial I'm going to use fierce with the obligatory -dns switch to specify my target and the -dnsserver switch to specify the DNS server to use (I'll be using Google's public DNS server for that, 8.8.8.8), and finally I'm going to specify some subdomains to look for in a file (words.txt).

Results: 






As you can see from the picture, it first identified the nameservers for the target, ns1 and ns2. Then it attempted a zone transfer, which wasn't successful, so it tried to bruteforce its way into knowing some subdomains using a word list of my humble creation, which made it find 11 subdomains (one had a duplicate A record).
After that it showed the subnets it discovered during its journey and even gave a hint on the programs to use to enumerate them! That concluded Fierce's job.
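Seen from the defending side, the zone transfer attempt and the wordlist run described above both stand out in a nameserver's query log. This is an added example, not part of the original post or of Fierce; the log format (time, client, name, type, response code), the addresses and the thresholds are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed query log, one 'time client qname qtype rcode' entry per line."""
    lines = [
        "2014-09-10T10:00:00 203.0.113.5 www.example.test. A NOERROR",
        "2014-09-10T10:00:01 198.51.100.7 example.test. NS NOERROR",
        "2014-09-10T10:00:02 198.51.100.7 example.test. AXFR REFUSED",
        "2014-09-10T10:00:02 192.0.2.2 example.test. AXFR NOERROR",  # real secondary
    ]
    # A wordlist run: one guess per second, almost all of them miss.
    words = ["admin", "backup", "dev", "ftp", "intranet", "mail", "test", "vpn"]
    for i, word in enumerate(words):
        rcode = "NOERROR" if word == "mail" else "NXDOMAIN"
        lines.append(
            f"2014-09-10T10:00:{3 + i:02d} 198.51.100.7 {word}.example.test. A {rcode}"
        )
    # An ordinary client mistyping a name once must not raise an alert.
    lines.append("2014-09-10T10:05:00 203.0.113.5 wwww.example.test. A NXDOMAIN")
    return lines


def detect(lines, secondaries, threshold=5, window_seconds=10):
    """Flag zone transfer requests from unknown clients and NXDOMAIN bursts."""
    alerts = []
    recent = defaultdict(deque)      # client -> times of its recent NXDOMAIN answers
    flagged = set()                  # clients already reported for bruteforcing
    window = timedelta(seconds=window_seconds)
    for line in lines:
        parts = line.split()
        if len(parts) != 5:
            continue                 # skip malformed entries
        when, client, qname, qtype, rcode = parts
        stamp = datetime.fromisoformat(when)

        # Only configured secondaries have any business asking for the zone.
        if qtype in ("AXFR", "IXFR") and client not in secondaries:
            alerts.append(("zone-transfer-attempt", client, qname, rcode))

        # Many failed lookups from one client in a short window suggest guessing.
        if rcode == "NXDOMAIN":
            times = recent[client]
            times.append(stamp)
            while stamp - times[0] > window:
                times.popleft()
            if len(times) >= threshold and client not in flagged:
                flagged.add(client)
                alerts.append(("subdomain-bruteforce", client, len(times)))
    return alerts


if __name__ == "__main__":
    for alert in detect(build_sample_log(), secondaries={"192.0.2.2"}):
        print(alert)
```

A -delay value larger than the window spreads the guesses out, so the window and threshold need tuning against real traffic.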

While not the best out there, Fierce is a nice "semi-lightweight" tool to enumerate domains for DNS info. Perhaps its functionality could be expanded if you're a webapp pentester and used the -connect option "wisely".


_____________________________________


Next Episode: Maltego

Monday, 8 September 2014

Episode 7: DNSWALK

  


Kali Linux Tools Tutorial
Episode 7
DNSWALK





While Kali is a penetration testing distro, it also has quite a handful of debugging tools in case you want to troubleshoot some error that keeps coming up during your DNS enumeration process.
DNSWALK is a DNS debugger which works by performing a zone transfer on the target's name servers and then checking that everything is configured properly in the target's DNS database and that the configuration complies with the DNS standards and regulations.

It might not be of much use to us as penetration testers but, as I said, if you ever want a quick check on the DNS db (database) configuration and/or face any DNS-related errors, you'll know which tool to whip out.

The not so helpful help page

When executing the Perl tool you'll be presented with the help page, which is strangely not very helpful.

However, you can get a more helpful version of the help page by looking at the tool's manual. So go ahead and type man dnswalk

DNSWALK manual page
The man command stands for manual and it provides you with a comprehensive manual on a command or even a tool that you would like to know more about. This tool will be your new best friend throughout this series.

That's better! Now we have the complete list of options you can use.

Note: This can be more annoying than Rebecca Black's Friday on loop, but you ALWAYS need to add a dot at the end of the domain you want to enumerate for this tool to function. Apparently the tool doesn't have a feature to add it automatically, so the developer left you this tiring task. It might not seem like much, but trust me, if you used this tool a lot it would annoy the hell outta you.


So let's have a review of the options and their functions.


  • -r : Go through the domain's subdomains, displaying the DNS info it can get on them. Use with care as some domains might have a huge list of subdomains.
  • -a : Display a warning in case of duplicate A records.
  • -d : Display verbose debugging data for troubleshooting.
  • -m : Perform AXFR and configuration checks only if the zone's records or the zone itself have undergone changes.
  • -F : Perform a DNS "Fascist" check, which compares A records to PTR records to check for any errors or "surprises", as the author of the manual says.
  • -i : Ignore any illegal characters (such as _ or § etc.) in domain names.
  • -l : Perform a "lame delegation" check, where it checks whether nameservers are giving authoritative answers for their domain.
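The checks in the list above, worked through on a small zone as an added example. This is not dnswalk's code or part of the original post: the zone contents, the nameserver results and the finding names are constructed, and "duplicate A record" is taken here to mean two host names sharing one address.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed zone contents, as a zone transfer of example.test. might return them.
ZONE = [
    ("example.test.", "NS", "ns1.example.test."),
    ("example.test.", "NS", "ns2.example.test."),
    ("ns1.example.test.", "A", "192.0.2.1"),
    ("ns2.example.test.", "A", "192.0.2.2"),
    ("www.example.test.", "A", "192.0.2.10"),
    ("web.example.test.", "A", "192.0.2.10"),       # same address as www
    ("mail.example.test.", "A", "192.0.2.25"),
    ("dev_box.example.test.", "A", "192.0.2.30"),   # underscore in a host name
    ("1.2.0.192.in-addr.arpa.", "PTR", "ns1.example.test."),
    ("2.2.0.192.in-addr.arpa.", "PTR", "ns2.example.test."),
    ("10.2.0.192.in-addr.arpa.", "PTR", "www.example.test."),
    ("25.2.0.192.in-addr.arpa.", "PTR", "smtp.example.test."),  # not "mail"
]
# Constructed result of asking each listed nameserver about the zone:
# True means the reply was authoritative.
NS_AUTHORITATIVE = {"ns1.example.test.": True, "ns2.example.test.": False}

LABEL_OK = re.compile(r"^[A-Za-z0-9-]+$")


def fqdn(name):
    """Lower-case a name and add the trailing dot the tool insists on."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def audit_zone(zone, ns_authoritative):
    findings = []
    a_records = [(fqdn(name), value) for name, rtype, value in zone if rtype == "A"]
    ptr = {fqdn(name): fqdn(value) for name, rtype, value in zone if rtype == "PTR"}

    # -a style: several names pointing at one address.
    by_addr = defaultdict(list)
    for name, addr in a_records:
        by_addr[addr].append(name)
    for addr, names in by_addr.items():
        if len(names) > 1:
            findings.append(("duplicate-a", addr, sorted(names)))

    # -F style: every A record should have a PTR record pointing back at it.
    for name, addr in a_records:
        reverse = ipaddress.ip_address(addr).reverse_pointer + "."
        if reverse not in ptr:
            findings.append(("no-ptr", name, addr))
        elif ptr[reverse] != name:
            findings.append(("ptr-mismatch", name, ptr[reverse]))

    # Without -i: host name labels may hold only letters, digits and hyphens.
    for name, _ in a_records:
        if not all(LABEL_OK.match(label) for label in name.rstrip(".").split(".")):
            findings.append(("illegal-name", name))

    # -l style: a listed nameserver that does not answer authoritatively is lame.
    for _, rtype, value in zone:
        if rtype == "NS" and not ns_authoritative.get(fqdn(value), False):
            findings.append(("lame-delegation", fqdn(value)))
    return findings


if __name__ == "__main__":
    for finding in audit_zone(ZONE, NS_AUTHORITATIVE):
        print(finding)
```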

There's also the Errors part in the manual, but I won't be explaining that since it's pretty straightforward in the manual. It basically just tells you the errors that you might encounter and what they mean.


The picture's quality was reduced to protect the identity of the domain.

Now it's time to try it on a lucky domain to see it in action. I'm going to be using the tool with the -r option to show the subdomains and info about them, and the -a option to check for duplicate A records.

As you can see, the tool did what it does best and performed a successful zone transfer attack, after which it listed the target's subdomains and all the info it found on them, a PTR record here, an A record there etc.


As I said up there, I don't see the tool as being of great importance to a pentester. Maybe someone with a wider imagination than me can come up with another use for it other than troubleshooting and debugging.

_______________________________________


Next Episode: Fierce









Friday, 5 September 2014

Episode 6: DNSTRACER





Kali Linux Tools Tutorial
Episode 6
DNSTRACER

We're not done with the DNS enumeration and querying tools just yet, ladies and gentlemen, and now that I have Kali Linux I'll start to review more recent, up-to-date versions of the tools you have in BackTrack. So some people who're still on BackTrack might not find some of the options implemented in their versions of the tools. Seriously though, move to Kali, it's insanely better.


DNSTRACER_

DNSTRACER is a tool that tracks the DNS delegation process in order to find servers from which it can obtain authoritative answers about your target. DNS delegation is the process by which your computer obtains an answer to its DNS query. The process starts by consulting the root server, which is denoted by a '.' (a dot) at the end of the website you're requesting. For example, if you're requesting www.cnn.com, what you're actually sending is "I want the IP address for www.cnn.com." Notice the dot at the end?
It actually happens whenever you request a website, but you don't see it in your address bar. If you looked closer, way closer, you'd still find nothing, because browsers now automatically put a dot there at the end for you, to save you the trouble of looking down at your keyboard, finding the dot key and actually pressing it.
The reason this dot exists is that the DNS lookup process actually works in reverse order. Here's an example of what happens when you request www.cnn.com(.)

  • After you press the enter key, the operating system embarks on a journey to translate the name you gave it into an IP address. It starts at the dot at the end of the address (yes, that invisible dot), which denotes the ROOT name server. The ROOT is the server that has the IP addresses of the TLD (top level domain) servers like .com, .net, .org etc.
    Your OS then says to the root server "Sup root! Can you hook me up with the address of www.cnn.com?" But the root replies "Sorry bro, don't have that. I DO however know where you can find the TLD server that might have the address to that site of yours!" and gives your OS the address of the .com TLD server (since it's www.cnn.com).
  • Your OS will then go to the .com TLD server and ask it the same thing. It says "Well, I don't have www.cnn.com but I do have the address of the CNN servers! Maybe you can find the www part there!"
  • The courageous OS continues on its journey to the CNN nameservers. This is called the authoritative server; take note of that term as it's very important! The OS goes to the CNN name servers and asks them the same question, and the CNN nameserver says "Yeah sure thing, the address is 157.166.249.10". Having finally reached what it wants, the OS goes back and gives the browser the address, the browser connects to it and everybody sleeps happily.
And that's how the DNS delegation process works.
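The walk described above, modelled as an added example (not from the original post and not dnstracer's code). Three constructed in-memory servers stand in for the root, the .com TLD and CNN's nameserver, and a hypothetical home-router cache shows why a cached answer does not carry the authoritative (AA) flag; the server names are made up and the address is the one quoted above.

```python
# Constructed servers. A server either owns a zone (and may delegate parts of it
# to a child server) or is a cache that repeats answers it learned earlier.
SERVERS = {
    "root": {"zone": ".", "delegations": {"com.": "tld-com"}, "records": {}},
    "tld-com": {"zone": "com.", "delegations": {"cnn.com.": "ns-cnn"}, "records": {}},
    "ns-cnn": {
        "zone": "cnn.com.",
        "delegations": {},
        "records": {("www.cnn.com.", "A"): ["157.166.249.10"]},
    },
    "home-router": {"cache": {("www.cnn.com.", "A"): ["157.166.249.10"]}},
}


def normalise(name):
    """Lower-case the name and make the trailing root dot explicit."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def in_zone(name, zone):
    """True when name is the zone apex or sits somewhere below it."""
    return zone == "." or name == zone or name.endswith("." + zone)


def query(server_id, qname, qtype):
    """Answer one question the way the named server would."""
    server = SERVERS[server_id]
    qname = normalise(qname)

    # A cache hands back what it has, but it is not the source of the data.
    cached = server.get("cache", {}).get((qname, qtype))
    if cached is not None:
        return {"aa": False, "answer": cached, "referral": None}

    # The name lives in a delegated child zone: refer the client onwards.
    children = [zone for zone in server.get("delegations", {}) if in_zone(qname, zone)]
    if children:
        child = max(children, key=len)            # most specific delegation wins
        return {"aa": False, "answer": [], "referral": (child, server["delegations"][child])}

    # The name is in this server's own zone: this answer is authoritative,
    # even when it is empty (the name or record type does not exist).
    if "zone" in server and in_zone(qname, server["zone"]):
        return {"aa": True, "answer": server["records"].get((qname, qtype), []), "referral": None}

    return {"aa": False, "answer": [], "referral": None}


def trace(qname, qtype="A", start="root", max_hops=8):
    """Follow referrals from start; return the (server, aa) path and last reply."""
    path, server_id = [], start
    for _ in range(max_hops):
        reply = query(server_id, qname, qtype)
        path.append((server_id, reply["aa"]))
        if reply["referral"] is None:
            return path, reply
        server_id = reply["referral"][1]
    raise RuntimeError("referral chain longer than max_hops (possible loop)")


if __name__ == "__main__":
    print(trace("www.cnn.com"))
    print(query("home-router", "www.cnn.com", "A"))
```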

Coming back to our main subject here: if you follow that chain of queries and know when the query has reached an authoritative server, you can then ask this server a bunch of other questions about other records, and since it's the authoritative server, which is directly responsible for the DNS records of your target, it'll give you some very interesting answers.

As you already saw up there, running the tool without arguments presents you with the help page, which contains the options you can use with the tool. And as always I'll leave you with a quick review of the options and their functions.

  • -c : Disable local caching of the results of the queries.
  • -C : Disable negative caching. (Negative caching is when the cache caches the failed queries\operations. Don't know why anyone would want to enable that.) (Disabled by default)
  • -o : Gives you an overview of the process when the tool has done its work. Pretty useful!
  • -q : Specifies the type of query you want to pass to the servers (MX, SRV, SOA, PTR etc.)
    Default is A (name to IP address).
  • -r : Specifies how many times the tool should retry to obtain an answer before giving up.
  • -s : Specifies the DNS server to use in the querying process. If you specify . (a dot) it'll use the ROOT server mentioned above.
  • -t : Specifies a period of time the tool should wait to get a response before giving up.
  • -v : Verbose output.
  • -S : Specifies an address to use as the originating address for the querying process.
  • -4 : Query servers that use IPv4 only.







Now for the good part: let's play around with it a little.
Let's try to see the query chain to www.ubuntu.com with a timeout of 10 seconds, using the router to query the DNS server, and also get an overview of how it went at the end. So the command will be:

dnstracer -o -t 10 -s 192.168.1.1 www.ubuntu.com


As you can see, it first asked my router (192.168.1.1), then it found the authoritative nameservers for ubuntu.com (ns1.canonical.com, ns2.canonical.com and ns3.canonical.com), which all pointed it at the address of www.ubuntu.com, which is 91.189.89.118.




Now, to realize the significance of this little tool we've got to conduct a little experiment.
Let's send a query of type any (meaning any info you can find on that target) with and without asking the authoritative servers, then we'll see if there's a difference in the answers we obtain.
I'll be using the Linux "host" command, which is the Linux equivalent of nslookup on Windows. It's a tool that enables you to issue DNS queries by hand.

In the first case I'll just make a query of type any without specifying any server, which will make the process go normally. So the command will be:
host -t any ubuntu.com

The results we got weren't really that satisfying. I mean, all we got was a bunch of nameservers. Who can go home with that?!



BUTT! If we were to use the authoritative nameservers to gain authoritative answers on the target (the word authoritative is starting to sound weird.. have you ever like said this word many times, like bubble bubble bubble bub-... irrelevant..) let's see what happens.

While using host you can specify the server to use by adding its address at the end of the command, so the command will become:
  host -t any ubuntu.com 91.189.94.156

Interestingly, we get a much better answer with many more records. First you can see at the top that it's using the server we specified in the command as the domain server. Then it started the enumeration process. It started by giving us the A record, which is the IP address of the target. Then it gave us the SOA (start of authority) record, saying that it's at ns1.canonical.com and hostmaster.canonical.com. Then it gave us the NS records, which state the name servers for the target, which were ns1, ns2 and ns3. And finally it concluded by giving us the MX record for the target, which states the server that the target uses for email exchange, which is mx.canonical.com.

It can be argued that there are tons of other tools that can figure out the DNS delegation process and the authoritative servers, which is true, but dnstracer is a specialized tool for this purpose and it does its job perfectly.


_______________________________________________




Next Episode: DNSWALK

Thursday, 4 September 2014

Episode 5: DNSMAP & DNSRECON





Back|Track OS Tools Tutorials
Episode 5
DNSMAP & DNSRECON




I thought it would be tedious and a bit counterproductive if I made a post for every single tool in this section, so I made two separate posts for the biggest ones, and if I encounter a bigger tool in this post I'll make sure I cover it all.
Now let's get down to business.




DNSMAP_



dnsmap is a small tool used for finding out the subdomains associated with the domain you're enumerating by trying to "guess" (and by guess I mean bruteforce) their names. It's small and simple and doesn't have many options.

Running the tool without arguments will give you the help page, which contains info about the options and what they do.



Let's do a quick review of the options and their functions and try a couple.


  • -w <wordlist> : Specifies a path to a custom wordlist of your choice (would be a great time saver in case you have some prospective subdomain names in mind that you want to check).
  • -r <resultsfile> : Exports the results to a normal .txt file whose path you put in the <resultsfile> part.
  • -c <csvresults> : Exports the results to a .csv (comma separated values) file, which can later be passed to other programs.
  • -d <milliseconds> : Specifies the delay between requests in milliseconds (1000ms = 1 second).
  • -i : Specifies one or more IP addresses to ignore during the process.


Now let's try to make it discover some of Marvel's subdomains (hope it's not illegal)* with a delay value of 20ms, outputting the results to a CSV file called Stark.csv

As you can see, it did quite a good job there, disclosing some subdomains and even some internal private IP addresses (RFC1918).

It's a small tool for quick use or for when you have a couple of subdomains in mind that you want to test for, but beyond that you'd have to use a bigger, more capable tool.






DNSRECON_



Another tool for DNS enumeration is DNSRECON. DNSRECON is a Python script made for getting DNS data about a domain name, plus some other tricks like AXFR (zone transfers) and NS cache snooping, which is basically probing the DNS server to see if it has any DNS entries in its cache, to see where the DNS server's users have been going and the sites they've been visiting etc.
It's sorta like running the Windows command ipconfig /displaydns except it's on somebody else's computer, which in my opinion is a pretty cool trick that I haven't seen in any other tool till now.

Running the tool without arguments will (you guessed it!) give us the help page.
And here's a quick review of the most used options and their uses:


  • -d / --domain : The domain that you want to enumerate.
  • -c / --cidr : Uses an IP address in CIDR format*, which will be reversed, and the process will continue normally.
  • -r / --range : Uses a range of IP addresses to perform reverse resolving and enumeration on.
  • -n / --nameserver : Sets the nameserver (NS) to use in the enumeration process. Better left alone, because this tool has a feature of referring to the domain's SOA* if no value was given, unless of course it couldn't find any SOA records for the target.
  • -f / --output-file : Used to specify a file to which the tool will output its findings.
  • -t / --type : Now let's just stop here for a second, because this option is (in my opinion) what makes this tool stand out.
    The --type option makes you specify which type of enumeration you want the tool to do for you; it's an option that has options.

    mdns: Start enumeration of the local network addresses using MDNS*

    std: Start a standard enumeration process, which involves enumerating the general DNS record types (A, AAAA, MX, NS, SOA etc.)

    rvl: Does a reverse lookup (IP to domain name) on a given IP address range in CIDR format

    brt: Bruteforce the target for domain names and host names using a given word list (sorta like what dnsmap does)

    srv: Enumerate the target for any SRV records* and check if they're available.

    axfr: Scans the nameservers for an AXFR (zone transfer) vulnerability.

    goo: Uses Google in the enumeration process by searching on it for any of the subdomain names and hosts in the target's network.

    tld: Strips the domain name of any TLD (.com, .net, .org etc.) and tests it against all the TLDs registered with the IANA organization.

    snoop: Perform the cache snooping attack mentioned above on the selected domain(s). Note that the domains must be supplied with the -D option.

  • -x / --axfr : Perform a zone transfer attack along with the normal enumeration.
  • -s / --do_spf : Does a reverse lookup on the IP addresses specified in the domain's SPF record, which is another nice trick. The SPF record allows domain owners to specify a bunch of IP addresses which will be the ONLY ones authorized by the owner to send emails on the organization's behalf. This is done in an attempt to minimize fraud in the name of the company\organization, so you can imagine what someone can do by having even the addresses of these authorized hosts.
  • -g / --google : Incorporates Google in the enumeration process.
  • -w / --do_whois : Does a "deep" WHOIS query on the target (and when that tool's developer said "deep" he meant real deep, trust me, I tried it.)
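What an SPF record of the kind described under -s publishes, and how to review your own, as an added example (not dnsrecon's code and not part of the original post). The two records are constructed, and the max_hosts threshold and finding names are assumptions made for illustration.

```python
import ipaddress

# Private IPv4 ranges defined by RFC 1918.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample records.
TIGHT = "v=spf1 ip4:192.0.2.0/28 ip4:198.51.100.25 include:_spf.example.test -all"
LOOSE = "v=spf1 ip4:203.0.113.0/24 ip4:10.0.0.0/8 mx +all"


def parse_spf(txt):
    """Split an SPF TXT record into networks, includes, the 'all' rule and the rest."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    spf = {"networks": [], "includes": [], "all": None, "other": []}
    for term in terms[1:]:
        qualifier = "+"                          # the default when no prefix is given
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")     # first colon only, so ip6 values survive
        name = name.lower()
        if name in ("ip4", "ip6"):
            network = ipaddress.ip_network(value, strict=False)
            spf["networks"].append((qualifier, network))
        elif name == "include":
            spf["includes"].append(value)
        elif name == "all":
            spf["all"] = qualifier
        else:
            spf["other"].append(term)            # a, mx, ptr, exists, redirect=, exp=
    return spf


def audit_spf(txt, max_hosts=256):
    """Return (parsed record, findings) for a record the caller owns."""
    spf = parse_spf(txt)
    findings = []
    has_redirect = any(t.lower().startswith("redirect=") for t in spf["other"])
    if spf["all"] is None and not has_redirect:
        findings.append(("no-all", "record never says what to do with other senders"))
    elif spf["all"] == "+":
        findings.append(("pass-all", "+all authorises every address on the internet"))
    for qualifier, network in spf["networks"]:
        if qualifier != "+":
            continue                              # only authorising entries matter here
        if network.version == 4 and any(network.subnet_of(p) for p in RFC1918):
            findings.append(("rfc1918", str(network)))
        if network.num_addresses > max_hosts:
            findings.append(("broad-range", str(network)))
    return spf, findings


if __name__ == "__main__":
    for record in (TIGHT, LOOSE):
        parsed, problems = audit_spf(record)
        print([str(net) for _, net in parsed["networks"]], problems)
```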



Whew! That's one hell of an options list! It's a big tool, but to be honest it's worth every second I spent learning all about it!


Now for the fun part: let's go try it on something.
Let's run it on some random website (which I hope isn't an illegal act) with the options set:
  --type std --do_whois --axfr


This is by far the best DNS reconnaissance tool I've ever used until now. The tool is very smart and interactive and will get you what you want to know, nothing more, nothing less.

As you can see, it first checked for AXFR on all the nameservers, and it succeeded and gave out the data it found. Then it tried to look for SRV records but it couldn't find any, so it took it like a man and moved on. Then it ran the WHOIS query against the found records, but it encountered 3 ranges of IPs, so it actually stops in the middle of it, gives you a numbered list of the ranges it found and the organizations they belong to, and asks you which range you would like to run the WHOIS on. I chose the 2nd one and it started its journey (which resulted in these records at the bottom) after giving the estimated time till the end of the querying.

Again, until now I haven't seen such a powerful tool when it comes to DNS enumeration. DNSRECON is one of the tools that are worthy of the title "The DNS Swiss army knife".



___________________________________

*If it's illegal you'll know by me not posting anymore, unless my cellmate is kind enough to lend me his laptop every once in a while.

*CIDR format: A format for representing IP addresses plus their network mask, i.e. 192.168.0.1/24 corresponds to 192.168.0.1 with a netmask of 255.255.255.0. Read more here.

*SOA (start of authority) records are given to the servers that can provide an authoritative answer to DNS queries, unlike non-authoritative or cached ones, which in some cases can't be trusted.

*MDNS: A variant of the original DNS protocol that is used to resolve IP addresses to host names in small and local networks.

*SRV record: A DNS record which contains the services running on your servers and the servers running them. I'll leave how useful this can be if it's compromised to your imagination.





Next Episode: DNSTRACER

Wednesday, 3 September 2014

Episode 4: DNSENUM




Back|Track OS Tools Tutorials
Episode 4
DNSENUM



Once again BackTrack presents us with yet another powerful tool for DNS querying and getting heaps of information on your target.
dnsenum is a Perl script designed to get a comprehensive view of the topology of your target's network by giving you all the information it can find on the host, automating the process of querying DNS servers and even attempting zone transfers if possible.
Zone transfer attacks are quite simply a technique where your computer pretends to be a DNS server (called the slave) and asks a "fellow" DNS server (called the master) for a copy of the data it has on www.target.com

So let's see what it looks like:


When run with no arguments dnsenum will give you its help page, and as you can see there's a wide variety of options to choose from, which will all be discussed later.

Here's what happens when it's run with only one argument, which is the address to probe:

When I ran it on that address it successfully retrieved A records*, NS records* and MX records*, plus it even successfully performed a zone transfer attack and retrieved more subdomains than my pictures can handle (seriously, you had to scroll WAY down).


Such a tool would be immensely useful in determining the topology of your target. It'll help you build a logical map of the nodes on the network, what they do and the addresses of each and every one of them.

Now let's have a quick review of the options it provides and the functions of each and every one of them:


  • --dnsserver : The DNS server to use in the querying process.
  • --enum : Start enumeration mode, which sets threads to 5, scrap to 20 and performs a WHOIS query as well.
  • --noreverse : Skip the reverse lookup process.
  • --private : Save a list of private (RFC1918) IP addresses in a file called domain_ips.txt.
  • --subfile <filename.txt> : Write all subdomains found to the filename.txt that you specify.
  • -w : Perform a WHOIS query.
  • -o / --output : Outputs the result as an XML file.
That was a review of the most important switches/options dnsenum has, so play around with it a little bit and see if you can discover anything else!
___________________________________

MX Record: a DNS record which shows the servers the host uses for mail exchange
NS Record: a DNS record which converts domain names into IP addresses
A Record: The opposite of NS record.
Note: If you wish to know more about DNS records to work better with these tools, check this link, which lists the most important DNS record types you should know and their functions.



Next Episode: DNSMAP & DNSRECON