changed hostapd conf

Marius Schwarz 5 years ago
parent commit 37fa756470

+ 1 - 0
.gitignore

@@ -1,3 +1,4 @@
 *.py[cod]
 __pycache__/
 gen-toc.sh
+.uuid
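Review bot: `.uuid` is ignored here without any mention in the commit message ("changed hostapd conf"); a short note on which tool writes that file would let the next reader judge whether the ignore entry is still needed.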

+ 6 - 2
cheatsheets/networking/mobile-hotspot-setup.md

@@ -25,6 +25,11 @@ ssid=sectest
 hw_mode=g
 ieee80211n=1
 channel=6
+auth_algs=1           # 1=wpa, 2=wep, 3=both
+wpa=2                # WPA2 only
+wpa_key_mgmt=WPA-PSK
+rsn_pairwise=CCMP
+wpa_passphrase=12345678
 ```
 
 * DNSmasq (`/etc/dnsmasq.conf`)
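Review bot: the comment on `auth_algs=1` is wrong: in hostapd this key is a bit field of IEEE 802.11 authentication algorithms, bit 0 (1) = Open System, bit 1 (2) = Shared Key (WEP only), 3 = both; it does not select WPA. The value itself is correct, since WPA2-PSK requires Open System, so the comment should read `# 1=open system (required for WPA2)`. Also, hostapd does not strip trailing `# ...` text from a value line; the two numeric keys survive only because they are parsed with atoi(), and the same style on a string key such as `wpa_key_mgmt` would break the config, so move both comments onto their own lines. Finally, `wpa_passphrase=12345678` is the shortest passphrase hostapd accepts and is trivially guessable; since this is a test hotspot cheatsheet, mark it as a placeholder to be replaced.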
@@ -53,8 +58,7 @@ sudo hostapd /etc/hostapd.conf
 # Stopping
 sudo iptables -D POSTROUTING -t nat -o eth0 -j MASQUERADE
 sudo sysctl net.ipv4.ip_forward=0
-sudo service dnsmasq stop
-sudo service hostapd stop
+sudo service dnsmasq stop sudo service hostapd stop
 sudo service wpa_supplicant start
 ```
 
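Review bot: the last change in this hunk breaks the stop sequence: `sudo service dnsmasq stop sudo service hostapd stop` is a single command that hands `sudo service hostapd stop` to `service dnsmasq stop` as extra arguments (ignored or rejected depending on the init script), so hostapd is never stopped and the following `wpa_supplicant start` runs against a still-active AP. Restore the two separate lines, or join them with `&&` if a one-liner was wanted.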

+ 93 - 0
cheatsheets/security/exploitation/embedded/embedded-command-injections.md

@@ -0,0 +1,93 @@
+---
+title: Finding Command Injections
+categories: [cheatsheets]
+tags: [exploitation,reversing, command injections, embedded]
+---
+
+# Finding Command Injections
+
+## Analysis system calls
+
+Common system calls the execute OS commands:
+
+* system()
+* exec()
+* execve()
+* ...
+
+Often, wrapper are build around those syscalls.
+Such as in the alphapd webserver from D-Link, where every command is executed in a call to `doSystem()`
+
+
+## Analysing Functions Calls
+
+### Method 1: Preloading hook
+
+* Hook the system calls by preloading a hooking library using `LD_PRELOAD`
+
+E.g hooking the `system()` functon:
+
+```c
+#define _GNU_SOURCE
+#include <dlfcn.h>
+#include <stdlib.h>
+#include <stdio.h>
+
+typedef int (*orig_system_f_type)(const char *command);
+
+ int system(const char *command) {
+	printf("\n--------\nsystem(%s)\n---------\n", command);
+	orig_system_f_type orig_system;
+	orig_system = (orig_system_f_type)dlsym(RTLD_NEXT,"system");
+	return 0;
+ }
+```
+
+* When emulating the firmware with qemu (e.g. qemu-mipsel-static) the LD_PRELOAD env. variable can be passed
+using the `-E` flag as follows:
+
+```
+qemu-mipsel-static -E LD_PRELOAD=./hooking.so alphapd
+```
+
+### Method 2: Debugging and GDB Hooks
+
+Using qemu, a gdbserver can be spawned with the `-g <port>` parameter.
+In gdb, functions can be hooked and connected to scripts that get executed as soon as the breakpoint is hit.
+
+This method can be used to analyze the `system()` function as well.
+This can be accomplished using the following gbd scripting snippet:
+
+```gdb
+break system
+commands
+silent
+printf "[*] system(%s)\n", $a0
+continue
+end
+```
+
+Multiple of such scripts can be written in an extern script and loaded into gdb with the `--command <file>` parameter.
+
+
+## External Script Injections
+
+Parameters that are supplied via a web-app are often saved and re-used in shellscripts.
+Therefore, the method of using those parameters in the scripts and the scripts itself must be analyzed.
+
+### Searching shellscripts
+
+In the D-Link example, several shellscripts used parameters that are passed using nvram buffers.
+Those parameters can be detected by searching the filesystem of the firmware:
+
+```
+rg '=`nvram_get'
+```
+
+This commands outputs all parameters that are processed in scripts.
+Important are only those that are used as parameters for binary executions and are not-escaped.
+
+To detect vulnerabilities a connection between the user supplied parameter and the scripting execution must be found.
+
+
+
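Review bot: the `system()` hook resolves `orig_system` with dlsym but never calls it and always returns 0, so under LD_PRELOAD every command is logged and silently skipped while the caller sees success; if the intent is to observe commands while alphapd keeps working, end with `return orig_system(command);`, and if the intent is to block execution, say so in the text (then `orig_system` is dead code and can go). Smaller points: the first line of the function has a stray leading space, the gdb snippet's `$a0` is the MIPS first-argument register and should be stated as such since the page otherwise reads architecture-neutral, the `qemu-mipsel-static` and `rg` fences lack a language tag, and typos: "the execute" → "that execute", "wrapper are build" → "wrappers are built", "functon", "gbd", "Analysis system calls" → "Analysing system calls".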

+ 77 - 0
cheatsheets/security/exploitation/embedded/embedded-exploitation.md

@@ -0,0 +1,77 @@
+---
+title: Embedded Exploitation
+categories: [cheatsheets]
+tags: [embedded, exploitation, reversing]
+---
+
+# Embedded Exploitation Notes
+
+As an example, the firmware of the device D-Link DC932L
+
+* Firmware available on the Web
+* Running on MIPS architecture
+
+## Firmware Unpacking
+
+* Binwalk is your best friend
+
+```
+binwalk -e <firmware.bin>
+```
+
+* Extract LZMA archives:
+
+```
+unlzma <file.lzma>
+```
+
+* Mounting CPIO Filesystems
+
+```
+cpio -idm --no-absolute-filenames < ../kernel
+```
+
+
+## Binary Analysis
+
+* Analysing `bin/alphapd`
+
+ -> qemu-mipsel-static to run the binary
+ -> Using  `chroot` to use the correct libraries
+
+```
+sudo chroot . ./qemu-mipsel-static /bin/alphapd
+```
+
+1. Problem: nvram iteams are needed:
+
+As we are emulating the binary, no real hardware is available. -> No nvram deamon is running.
+
+-> Fake nvram by preloading a nvram-faker library
+
+-> LD_PRELOAD is perfect for that
+
+```
+sudo chroot . ./qemu-mipsel-static -E LD_PRELOAD=/nvram-faker.so /bin/alphapd
+```
+
+**Important:** nvram library must be compiled on the same platform. A similar build setup as the vendor is needed.
+In this case it was possible to compile the nvram lib using `gcc-mipsel-gnu-linx`.
+
+-> Some libs of the target platform must be used to compile it properly (copy the libs from the fw /lib dir to the buildchain builddir)
+
+
+## Debugging
+
+* qemu can spawn a GDB server with `-g <port>`
+* to dbug, `gdb-multiarch` is needed (apt install gdb-multiarch)
+
+Connect to the GDB server:
+
+```
+gdb bin/alphapd
+gdb> target remote localhost:<port>
+```
+
+
+
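Review bot: `gcc-mipsel-gnu-linx` is not a tool name; the Debian/Ubuntu cross compiler package is `gcc-mipsel-linux-gnu`, and it is worth stating which libc the firmware uses (glibc vs. uClibc), because a library built against the host cross toolchain's libc will not load into a firmware with a different one even after copying libs from `/lib`. Also worth a caveat next to the `sudo chroot . ./qemu-mipsel-static ...` lines: this runs an untrusted firmware binary as root on the analysis host and qemu-user provides no isolation, so do this as an unprivileged user or in a disposable VM/container. Typos: "iteams" → "items", "deamon" → "daemon", "dbug" → "debug"; "DC932L" should be checked against the vendor's model name (likely DCS-932L).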

+ 0 - 40
cheatsheets/security/reversing/proxy-fatclients.md

@@ -1,40 +0,0 @@
----
-title: Proxy Fatclients
-categories: [cheatsheets]
-tags: [fatclient, reversing]
----
-
-# Proxy Fatclients
-
-Multiple possibilities to intercept fatclient applications.
-
-
-## C# (.net)
-
-* Every .net applications has a configuration file for the executable
-* For Example:
-```
-cmd> dir \myapp\
-* MyApp.exe
-* MyApp.exe.config
-```
-
-* add the following entry to the config file:
-```
-<system.net>
-  <defaultProxy>
-    <proxy
-      proxyaddress="http://<ip>:<port>"
-      bypassonlocal="false"
-    />
-  </defaultProxy>
-</system.net>
-```
-
-## Java
-
-## Native
-
-
-
-
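Review bot: this removes the only populated section of proxy-fatclients.md (the .NET `defaultProxy` snippet) without moving it anywhere else in this commit, and the commit message does not mention the deletion; if the page is being dropped because the Java and Native sections were never written, say so in the message, otherwise keep the .NET part.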

+ 1 - 0
cheatsheets/security/secure-coding/secure-coding_dotNet.md

@@ -11,6 +11,7 @@ tags: [topic]
 
 ## ZIP Slip
 
+* Example ZIP Library: [https://github.com/icsharpcode/SharpZipLib](https://github.com/icsharpcode/SharpZipLib)
 * Vulnerable (but common) implementation
 * This is also recommended when using the SharpZIP Library
     - [https://github.com/icsharpcode/SharpZipLib/wiki/Unpack-a-Zip-with-full-control-over-the-operation](https://github.com/icsharpcode/SharpZipLib/wiki/Unpack-a-Zip-with-full-control-over-the-operation]
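Review bot: the new bullet sits between the heading and "Vulnerable (but common) implementation", so the list now reads as if the library link were the vulnerable example; move it after the wiki link or label it "Library used in the examples". While in this region, the unchanged wiki-link line is malformed: the trailing `]` after the URL should be `)`.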

+ 13 - 2
cheatsheets/security/windows/internal-audits/internal-audit.md

@@ -84,6 +84,8 @@ SharpHound.exe -c All
 SharpHound.exe -c SessionLoop --MaxLoopTime 24h
 ```
 
+Custom Bloodhound Queries: [https://github.com/hausec/Bloodhound-Custom-Queries](https://github.com/hausec/Bloodhound-Custom-Queries)
+
 ### Local AD Accounts
 
 * check the local Serviec account if any AD account is used
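Review bot: the link addition is fine as is; while touching this region, the context line "check the local Serviec account" has a typo (Service).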
@@ -186,7 +188,11 @@ lsadump::dcsync /domain:<domain> /all /csv
 #### Background (Kerberos TGT and TGS)
 
 1. A attacker authenticates to a domain and gets a ticket-granting-ticket (TGT) from the domain controller that’s used for later ticket requests.
-2. The attacker uses their TGT to issue a service ticket request (TGS-REQ) for a particular servicePrincipalName (SPN) of the form sname/host, e.g. MSSqlSvc/SQL.domain.com. This SPN should be unique in the domain, and is registered in the servicePrincipalName field of a user or computer account. During this request process, the attacker can specify what Kerberos encryption types they support (RC4_HMAC, AES256_CTS_HMAC_SHA1_96, etc).
+
+2. The attacker uses their TGT to issue a service ticket request (TGS-REQ) for a particular servicePrincipalName (SPN) of the form sname/host, e.g. MSSqlSvc/SQL.domain.com.
+This SPN should be unique in the domain, and is registered in the servicePrincipalName field of a user or computer account.
+During this request process, the attacker can specify what Kerberos encryption types they support (RC4_HMAC, AES256_CTS_HMAC_SHA1_96, etc).
+
 3. If the attacker’s TGT is valid, the DC extracts information from the TGT stuffs it into a service ticket. Then the domain controller looks up which account has the requested SPN registered in its servicePrincipalName field. The service ticket is encrypted with the hash of the account with the requested SPN registered, using the highest level encryption key that both the attacker and the service account support. The ticket is sent back to the attacker in a service ticket reply (TGS-REP).
 4. The attacker extracts the encrypted service ticket from the TGS-REP. Since the service ticket was encrypted with the hash of the account linked to the requested SPN, the attacker can crack this encrypted blob offline to recover the account’s plaintext password.
 
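Review bot: splitting step 2 with blank lines before and after makes the whole ordered list "loose" in CommonMark (every item rendered as its own paragraph) while steps 3 and 4 stay as single unwrapped lines, so the rendering is inconsistent; either wrap 3 and 4 the same way or indent step 2's continuation lines by three spaces without the blank lines. Also "A attacker" → "An attacker", and "extracts information from the TGT stuffs it" is missing "and".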
@@ -204,9 +210,14 @@ PS> Get-DomainUser -SPN
 
 * For all possible SPN's request tickets with powershell and extract them from memory with `mimikatz`:
 
+```
+Invoke-Kerberoast -OutputFormat hashcat | fl
+```
+
+* Manual
 ```
 PS C:\> Add-Type -AssemblyName System.IdentityModel
-PS C:\> New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "HTTP/web01.medin.local"
+PS C:\> New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "<your SPN>"
 PS C:\> klist
 <tickets>
 ```
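Review bot: the bullet above the new block still says tickets are requested with PowerShell and extracted from memory with `mimikatz`, but the added `Invoke-Kerberoast -OutputFormat hashcat | fl` line already emits crackable output with no mimikatz step, so the text no longer matches; add a sentence stating that only the "Manual" path needs mimikatz, tag the new fence with `powershell`, and put a blank line between `* Manual` and its fence. Replacing the hard-coded `HTTP/web01.medin.local` with `<your SPN>` is the right call.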