Who You Gonna Call?

12/05/2008 00:25:21
Posted by Giorgio Maone


After hearing me crying for help, my friend Sirdarckcat went hunting and entrapped a poltergeist which haunts IE only.


Is this the one Manuel Caballero was talking about?

Or was that a different cross-browser evilness?


However, I ain’t afraid of no ghosts :)

Agile Hacking: a homegrown telnet-based portscanner

11/05/2008 08:21:29
Posted by GNUCITIZEN


So here is the scenario: the attacker has limited access to a box and he/she needs to perform a portscan from it. However, he/she does not want to download any tools to the target system. There might be various reasons for not wanting to upload a portscanner to the box. Perhaps, the attacker wants to minimize the footprint.





In my case, the reason why I had to come up with a solution to this problem is because I had to simulate an attack in which the attacker had gained access to an Internet-visible web server. In this case, I needed to perform a portscan of the backend database server and make sure that only required ports are visible (a customized MSSQL port in this case). For reasons that are irrelevant to this post, the customer could only give me restricted access (NOT root) to the web server via SSH.



I really didn’t want to download a tool such as nmap and then compile it. In theory, I wouldn’t be able to cause serious damage to the system since I was using a restricted user account. Even then, I always try to be as polite as possible with customers’ environments during security assessments, especially when it’s a production system.



Anyway, my solution to this problem was to write a simple TCP portscanner in bash which wraps the telnet command, which is present on most Unix/Linux distributions. Literally, all I'm doing is looking for the "Connected to" response generated by telnet, which tells us that a TCP connection was successfully established (open port). Very vanilla and trivial stuff, as you can see! Nevertheless, I accomplished what I wanted, which was to perform a portscan without having to download any tools and without requiring root privileges.



The following is the short version of our agile hacking TCP portscanner which you can literally copy and paste into your shell (just change the value of the HOST variable to the IP address of the system you want to scan):



HOST=127.0.0.1;for((port=1;port<=65535;++port)); do echo -en "$port "; if echo -e "open $HOST $port\nquit" | telnet 2>/dev/null | grep -q 'Connected to'; then echo -en "\n\nport $port/tcp is open\n\n"; fi; done

The following is a more elaborate version of our portscanner which supports scanning either the common ports or all ports. The list of common ports is read from the '/etc/services' file, which is present on most Unix/Linux systems:



#!/bin/bash

# telnet-based TCP portscanner
# By Adrian 'pagvac' Pastor | www.gnucitizen.org

# delay in seconds between probes (fractional values need GNU sleep)
DELAY=0.001

if [[ $# -ne 2 ]]
then
    echo "usage: $0 <mode> <host>"
    echo -e "modes:\t1 - common TCP ports only"
    echo -e "\t2 - all TCP ports"
    exit 1
fi

HOST=$2

# Drive telnet in command mode: "open <host> <port>" attempts the connection and
# "quit" ends the session if it failed. A successful connect makes telnet print
# "Connected to ..." on stdout, which is all we look for; once stdin is exhausted
# telnet closes the connection by itself.
probe()
{
    if echo -e "open $HOST $1\nquit" | telnet 2>/dev/null | grep -q 'Connected to'
    then
        echo -en "\n\nport $1/tcp is open\n\n"
    fi
}

if [[ $1 -eq 1 ]]
then
    echo "scanning for the following common TCP ports on $HOST ..."
    # port number of every non-comment "name port/tcp" line, numerically sorted, no duplicates
    for port in $(awk '$1 !~ /^#/ && $2 ~ /\/tcp$/ { sub(/\/tcp$/, "", $2); print $2 }' /etc/services | sort -nu)
    do
        echo -en "$port "
        probe "$port"
        sleep $DELAY
    done
    echo -en "\n"
elif [[ $1 -eq 2 ]]
then
    echo "scanning for all TCP ports on $HOST ..."
    for((port=1;port<=65535;++port))
    do
        echo -en "$port "
        probe "$port"
        sleep $DELAY
    done
    echo -en "\n"
else
    echo "unknown mode: $1" >&2
    exit 1
fi

Syntax follows:



gnucitizen $ ./telnetps.sh
usage: ./telnetps.sh <mode> <host>
modes:
1 - common TCP ports only
2 - all TCP ports




I realize this is not a very elegant tool, but I hope you can see how it can be useful in certain scenarios!
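One practical weakness is worth knowing before running mode 2 against a firewalled host: telnet simply waits for the kernel's TCP connect to succeed or fail, so every port whose SYNs are silently dropped costs the full connect timeout (tens of seconds to minutes on Linux), and a 65535-port sweep can take hours. The following is an added example, not part of the original post or of the GNUCITIZEN script, that keeps the same no-download, no-root spirit but removes the telnet dependency altogether: bash can open TCP connections itself through its /dev/tcp pseudo-device, and coreutils timeout(1) bounds each probe so that "no reply" can be told apart from "refused". It assumes a Linux box with bash and GNU coreutils; the function names (port_state, common_tcp_ports, scan_ports) and the two-second TIMEOUT default are this example's own choices.

```shell
#!/bin/sh
# Added example, not the GNUCITIZEN script: a TCP connect scanner with no
# telnet dependency. Each probe is a throwaway bash child that opens
# /dev/tcp/<host>/<port> (a bash pseudo-device, so nothing has to be uploaded),
# wrapped in coreutils timeout(1) so a silently dropped SYN costs at most
# TIMEOUT seconds instead of the kernel's full connect timeout.
# Assumptions (this example's own): Linux, bash and GNU coreutils on the box.

TIMEOUT=${TIMEOUT:-2}   # seconds to wait per port before calling it filtered

# port_state HOST PORT -> prints open | closed | filtered
#   open     : connect succeeded
#   closed   : connect failed fast (RST, unreachable, no route)
#   filtered : timeout(1) had to kill the child (exit status 124), i.e. no answer
port_state() {
    case $2 in
        ''|*[!0-9]*) echo "port_state: bad port '$2'" >&2; return 2 ;;
    esac
    command -v timeout >/dev/null 2>&1 || {
        echo "port_state: needs coreutils timeout(1)" >&2; return 2; }
    rc=0
    timeout "$TIMEOUT" bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null || rc=$?
    case $rc in
        0)   echo open ;;
        124) echo filtered ;;
        *)   echo closed ;;
    esac
}

# common_tcp_ports [FILE] -> unique TCP port numbers from a services(5) file
# (default /etc/services); comment lines and trailing comments are skipped.
common_tcp_ports() {
    awk '$1 !~ /^#/ && $2 ~ /\/tcp$/ { sub(/\/tcp$/, "", $2); print $2 }' \
        "${1:-/etc/services}" | sort -nu
}

# scan_ports HOST PORT... -> one "port N/tcp is open" line per open port on
# stdout; filtered ports go to stderr, since they usually mean a firewall rule
# rather than a listening service and are worth reporting separately.
scan_ports() {
    host=$1; shift
    for port in "$@"; do
        state=$(port_state "$host" "$port")
        case $state in
            open)     echo "port $port/tcp is open" ;;
            filtered) echo "port $port/tcp filtered (no reply in ${TIMEOUT}s)" >&2 ;;
        esac
    done
}

# Same two modes as the telnet script. The guard means that running the file
# with no arguments (or sourcing it) only defines the functions.
if [ "$#" -eq 2 ]; then
    case $1 in
        1) scan_ports "$2" $(common_tcp_ports) ;;
        2) scan_ports "$2" $(seq 1 65535) ;;
        *) echo "usage: $0 <1|2> <host>" >&2; exit 1 ;;
    esac
fi
```

Run it exactly like the original (`./devtcp-ps.sh 1 10.0.0.5`, hypothetical filename and address). Because the connect runs in a child process, a hung probe can never stall the loop, and the open/closed/filtered split is the same information nmap's connect scan gives, which is what you need when the question is "does the firewall between web tier and database tier really expose only the one port".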

Double encoding javascript

10/05/2008 13:23:25
Posted by Gareth Heyes


I found a nice variation which allows multiple types of encoding without performing eval twice on the string. The code works by using the Script function: because of this the code is re-parsed by the JavaScript engine, which converts the unicode escapes into standard text.


First a unicode-escaped base is used, "\u0061\u006c\u0065\u0072\u0074\u0028\u0031\u0029" (which reads alert(1)), then each section of it is encoded with hex or octal. The final result can be viewed below:



alert(Script('\x5c\x7500\66\61\134\165\6006c\x5c\x75\x30\x30\x36\x35\134\165\60\60\67\62\x5c\x75\x30\x30\x37\x34\x5c\x75\x30\x30\x32\x38\x5c\x75\x30\x30\x33\x31\x5c\x75\x30\x30\x32\x39'))


The code can be executed like this:-



Script('\x5c\x7500\66\61\134\165\6006c\x5c\x75\x30\x30\x36\x35\134\165\60\60\67\62\x5c\x75\x30\x30\x37\x34\x5c\x75\x30\x30\x32\x38\x5c\x75\x30\x30\x33\x31\x5c\x75\x30\x30\x32\x39')()

A pair of podcast interviews

09/05/2008 18:37:00
Posted by Jeremiah Grossman


1) In the Security Bites podcast with Rob Vamosi (transcript) of C-Net I describe what's new and interesting about the recent malicious mass-scale SQL Injection attack. This is where website DBs are loaded up with malicious JavaScript exploiting browser-based vulnerabilities, the so-called drive-by downloads. Reports are saying 600,000 or so pages are infected, with several high-profile targets (UN, DHS, USAToday, etc.) on the hit list.

2) During RSA I spent some time with the Help Net Security guys answering questions about my favorite infosec conferences and what they have to offer. Of course each has a different focus for the content and the audience, so it just depends on what you are into.

Cisco announces a Web Application Firewall

09/05/2008 18:20:00
Posted by Jeremiah Grossman


Cisco has jumped into the WAF game with their recently announced Cisco ACE Web Application Firewall. A full proxy device with HTTP(S) and XML policy enforcement, web-based/shell management interfaces, solid performance metrics, and support for both black- and white-list rules. Apparently Cisco sees a sizable market for WAFs and PCI 6.6 as a driver, judging by their overview literature (video). So now most big players have a stake in webappsec. This should make things interesting. With Cisco's brand reputation and reach, people might be willing to get over their initial trust issues with WAFs, and do quite well. Should customers demand it, this is perhaps another device we can integrate Sentinel with for virtual patching purposes. The interest has been quite impressive.

Mysterious Ghost Stories

09/05/2008 12:50:10
Posted by Giorgio Maone


I would be very interested in learning some technical details of Manuel Caballero's talk at BlueHat, titled A Resident in My Domain, but so far news is very scarce, fragmented and contradictory.


Its abstract is intriguing:



A Resident in My Domain

Do you believe in ghosts? Imagine an invisible script that silently follows you while you surf, even after changing the URL 1,000 times and you are feeling completely safe. Now imagine that the ghost is able to see everything you do, including what you are surfing and what you are typing (passwords included), and even guess your next move.

No downloading required, no user confirmation, no ActiveX. In other words: no strings attached. We will examine the power of a resident script and the power of a global cross-domain. Also, we will go through the steps of how to find cross-domains and resident scripts.


Then we’ve got two quite reticent posts by Nate McFeters, who was there but pretends he doesn’t remember well enough and/or he can’t disclose such an atomic bomb.


There's some discussion at TSSCI, but it adds more questions than answers: the article draws similarities with two distinct old and fixed bugs, the nastier affecting IE and the other Firefox; some comments speculate about an IE7-only, possibly patched, vulnerability; but why so much secretiveness if it was already fixed?

Nate, on the other hand, wrote that this is “a horribly serious issue that affects all browsers and is currently not fixed on any of them”.


Direct inquiries in security circles I’m member of did not bring anything less ectoplasmic on the table.


Therefore, all the juice we've got so far is a couple of photos that support only the following statements:


It is scary.
It has something to do with JavaScript and IFrames.
It definitely works in IE7.

If you can summon anything useful, you’re very welcome!

Microsoft Security Patch Advance Notification - May 2008

09/05/2008 10:49:00
Posted by Sunnet Beskerming


As the second Tuesday of the month will be with us next week, Microsoft have provided advance notice of the patches that they expect to release on that day.


This month there are four patches scheduled for release, three Critical patches, and one Moderate. The three Critical patches address remote code execution risks in Office (2) and Windows (1), with the Moderate patch addressing a Denial of Service vulnerability affecting Windows Live OneCare, Microsoft Antigen, Microsoft Windows Defender, and Microsoft Forefront Security. It is important to note for OS X users that Microsoft will be issuing Critical updates for Office 2004 and 2008.


What is probably most surprising is the patch to be released for the Microsoft Jet Database Engine, a technology which was widely reported would not be receiving any further updates from Microsoft.
