Thursday, May 3, 2012

ASP Shell (Remote File Upload) Part 1 – Building a practice VM


Recently, while performing some tasks for a customer, I was able to flex my information gathering skills quite a lot. The ensuing bit of investigation (which we’ll discuss more in-depth in the next post) led to me discovering that a customer’s main public-facing web server contained a remote file upload vulnerability and that an attacker could gain shell access to that server (behind their firewall) in a single easy step.


While it turned out to be very easy to investigate, identify and then exploit the vulnerability, I realized that there aren’t a lot of tutorials on the web showing in depth, or step by step, what you can do with a remote file upload vulnerability.


In addition to the fact that in-depth tutorials are not plentiful, there seem to be very few instruction sets on where to find shells and what to do with them once you’ve determined you can gain access.


So, I set aside some time to put together a couple of tutorials over the next couple of weeks. The first scenario we’re going to deal with is an ASP.NET web application that has a remote file upload vulnerability. First, we’ll build a virtual machine to exploit and then, in the next couple of posts, we’ll exploit it and see what damage we can really do.


The reason I decided we were going to build a vulnerable virtual machine is that I have found numerous quick posts about how to exploit the vulnerability we’re going to showcase here and, unfortunately, they all list the Google Dorks (or web searches) you can use to find web servers that are vulnerable. While I’m enough of a curious hacker to maybe play with one of these vulnerable servers while anonymized and connected to a Starbucks, I take some exception to this as a “de facto” system of learning. If you want to learn how to exploit remote file uploads, standing up a virtual machine to play with accomplishes two things: a) you stay ethical (and that’s a good thing) and b) you can actually see what files are created, what logs are created, and what the residual damage is to the server once you breach it. This, to me, reinforces the whole “hack to learn” mentality far better than just finding someone else’s server to breach. Instead, you can take this example and learn from it, so that maybe you see how a “defense-in-depth” approach helps fortify your server’s security.


Building the VM


The vulnerable web application we’re going to tinker with on this tutorial is dotnetnuke. It runs under ASP.NET, Microsoft SQL Server and Microsoft’s Web server, also known as IIS – Internet Information Services.


First, your best bet is to install Windows XP. The SP doesn’t matter because we’re not going to be penetrating this Virtual Machine at the OS level, we’re going to be attacking the web application stack.


Once you have Windows installed, you’re going to need to install Internet Information Services (IIS). In Windows XP, you can install IIS by inserting the XP CD, bringing up the “Add / Remove Programs” interface and choosing the “Add/Remove Windows Components” button on the left-hand side of the screen.





This will invoke the “Windows Components Wizard”. In this wizard, you should check off the checkbox next to “Internet Information Services (IIS)” and click the “Next” button. This will walk you through installing IIS on Windows XP.







Once you’ve completed installing IIS, you should be able to open a web browser on the XP box, navigate to http://localhost and see web pages that look similar to these:








Congratulations! You’ve now got a web server answering on your Windows XP machine.


Now, the next thing we’ve got to do is make sure the Windows XP Firewall is configured to pass data through the firewall to the IIS server. 


Windows XP Firewall


If you’re running a version of Windows XP that has the Windows Firewall as part of its application suite, then you’ll need to change its configuration (post IIS install) to allow Web Server traffic through the firewall. The easiest way to do this is by opening the “Windows Firewall” dialog from Windows XP’s “Control Panel”.



Clicking on the “Advanced” tab brings you to the “Network Connection Settings” section.










Check the checkbox next to the network connection that is applicable (default is “Local Area Connection” in Virtual Machines, but this can vary from machine to machine) and click the “Settings” button.







By checking the checkbox next to “Web Server (HTTP)”, you’ll allow an exception through the firewall for all HTTP traffic. And for our purposes, HTTP (port 80) traffic is sufficient. Click “OK” and exit out of the “Windows Firewall” configuration screens.


Next, we’ll need to install ASP.NET on our Windows XP box.


Installing ASP.NET on Windows XP


There are a multitude of ways of installing ASP.NET on your Windows XP machine. The most modern technique is navigating a web browser to www.asp.net and installing the Microsoft Web Platform Installer. This will eventually get you ASP.NET installed, as well as some Visual Studio components. (NOTE: the web site states it only supports Windows XP SP3+, so if you’re running a lower version, this is not the way to go.)


If you want, please go ahead and follow the instructions on that web site to install the latest version of ASP.NET (at the time of this writing, the most current version available on their sites is 4.5).


However, since the end goal of this exercise is to build a vulnerable virtual machine, it is perfectly acceptable for us to do something a tad bit easier and maybe a little less secure than we would ordinarily like: you could install a version of ASP.NET that’s already on your Windows XP machine.


By opening a command prompt and navigating to the Microsoft .NET Framework directory, “C:\Windows\Microsoft.NET\Framework\v2.0.50727”, you will find two (2) commands that you can run from the command line in order to install ASP.NET:


aspnet_regiis -i and aspnet_regiis -c



This will register and install an older version of ASP.NET on your machine. For this exercise, though, that is fine. We are not building a machine for the purpose of hosting a real web application (where we may want the latest and greatest software). We are trying to build a vulnerable machine and there’s no need for engineering this machine for greatness.


Installing SQL Express


Download SQL Server 2005 Express from http://www.microsoft.com/en-us/download/details.aspx?id=21844







You’ll want to get the SQLEXPR.EXE file and run that.





Accept the license agreement and walk through the install.






Once SQL Server Express is installed, you won’t have to do further configuration of it, in order to install dotnetnuke. Dotnetnuke will auto-create any databases it needs.


Installing dotnetnuke


Once you’ve taken care of the prerequisites (as outlined above), you’ll be ready to install dotnetnuke. But take care! You DON’T want to install the latest version of dotnetnuke. You want to install an older version of it, and the archives are a little hard to find.


So, navigate to http://dotnetnuke.codeplex.com/releases/view/20945 and download the “DotNetNuke_04.05.01_Install.zip” file located at http://dotnetnuke.codeplex.com/releases/view/20945#DownloadId=52880 


This zip file contains all the files that make up DotNetNuke version 4.05.01, which is a version vulnerable to the remote file upload we’ll be exploring in later posts.


So, to begin, extract the contents of this zip file to a folder under the “wwwroot” folder located right below the “InetPub” folder on your machine.






Once you’ve extracted it, you will need to set up a few permissions first. In the Windows XP world, you need to locate the “C:\inetpub\wwwroot\dotnetnuke” folder (or if you renamed it, whatever you renamed it) and right-click on the folder and go to “Security”.


You need to add the ASPNET user account to the permissions list and give it “Modify” permissions (or you can give it the “Full Control” permissions – hell, it’s a vulnerable machine).

















You should also take the time to go into the “Advanced” button, select the ASP.NET Machine Account, check the box next to “Replace permission entries on all child objects” and click the “OK” button.




Next you’ll want to tell IIS (the web server) that you want to serve web pages from the dotnetnuke folder.


Configuring IIS to serve DotNetNuke


Run the IIS Manager console by clicking on “Start”, then clicking on “Run”, typing in “inetmgr” and hitting Enter.










Expand the plus sign next to “Web Sites” and then “Default Web Site”.
Right-click on “Default Web Site” and select “New” and then “Virtual Directory”. Make sure to set up the Virtual Directory the same as the illustration below:




And be sure that you give the “Application Name” a name in the “Application Settings” section (we set ours to dotnetnuke above). You should then see a Virtual Directory called “dotnetnuke” under your IIS Manager.





Click “OK” and once completed, you should be able to open a web browser to http://localhost/dotnetnuke 


At this point, dotnetnuke will walk you through the installation wizard.


Configuring DotNetNuke


First, you’ll be presented with this screen. Select “Typical” and click “Next” (in the bottom right-hand corner).




Then, the next screen will test that your permissions have been set up correctly. We did this a few steps back.



Click the “Test Permissions” link and, when the results come back green, click the “Next” link. At the next screen, you’ll set up your database. You won’t need to change anything from the screen below if you installed SQL Server 2005 Express. If you didn’t, you can find other instructions here (http://www.dotnetnuke.com/Resources/Wiki/Page/Install_DotNetNuke.aspx):



If you followed our SQL Express instructions above, then just take the defaults and click “Test Database Connection”. Once completed, click the “Next” button.





Once you see the following output, you’re all set. Select the link at the bottom right that brings you into the Application (dotnetnuke).




Congratulations! You’ve now installed dotnetnuke!
The last thing we need to do before exploitation is to make sure the application answers external HTTP requests. We’ll do that now.


Configuring DotNetNuke for External HTTP Requests


So, a little explanation before we move forward. DotNetNuke is now installed and if you were to browse from the XP machine, using http://localhost/dotnetnuke, you’ll be presented with the application. This is great. But one of the things we want to do is use our non-virtual host to launch attacks against the web application. We want to do this to give us a “real world” example of how to exploit remote file uploads. So, the last thing we need to do is make sure that when we open a web browser on our main (non-virtual) host, we can put in a URL with the IP address of our virtual machine and the web server responds.


Currently, this is not the case. So, we’ll need to set this up.


To accomplish this, open a web browser on the XP machine and navigate to http://localhost/dotnetnuke. You’ll see the application.




Next, open a command window (DOS box) and type in “ipconfig” and hit enter.





My NAT’d IP address is 192.168.163.129. When I’m on my host machine, I’ll be trying to access dotnetnuke by using http://192.168.163.129/dotnetnuke. However, we need to first tell DotNetNuke to answer to this IP address.


So, in the web browser, log in using the username and password you were asked to set during setup. For instance, I log in as ‘host’ with my password.


Once logged into dotnetnuke, you need to navigate to the Portals page. Click the “Admin” menu, then select “Site Settings” from the “Admin” menu:







In the “Portal Alias” section of the page, click the “Add New HTTP Alias” link to create an alias for the Portal.





Here, you’ll want to put the IP address of your virtual machine and “/dotnetnuke” after, like so:




Click “Add New Alias” and you will have now enabled DotNetNuke to answer an external HTTP request, using the external non-virtual host.


To prove this out, get on your non-virtual host, open a web browser and point it to the Portal Alias you just created.







That’s it!
Congratulations!
You’ve now got a virtual Windows XP host, serving dotnetnuke externally to your non-virtual host machine.


Conclusion


Next Tutorial, we’ll start to exploit this bad boy a bit.
Stay tuned!

Tuesday, March 6, 2012

Securing Your (Mobile) Email: Thunderbird, GnuPG, Enigmail, AGP, Gmail and K9mail


While teaching my CISSP students the other day, we got to talking about cryptography. This led to a discussion about implementing PGP on your personal email and how you could accomplish it.

In the past, I have used Thunderbird and the Enigmail plugin to help implement PGP on my personal email and, through this discussion with my students, I realized I’d dropped the capability almost as quickly as I’d picked it up.

Why? Mostly because the only person I was trading encrypted emails with was my friend Mike in Chicago and I think we might have done that a grand total of once. So, it wasn’t a pressing technology at all. And when I wiped out my Ubuntu for Windows 7 (*gasp*!) I forgot to backup my encryption keys and promptly decided not to bother with it again.

But nowadays, I’m interfacing with many more people and the need for cryptography on my personal e-mail is growing. So, I thought I’d give a quick write up on using Enigmail with Thunderbird.

However, one thing I’ve always wanted to do was implement the same ability on my Android phone. I’ve got a Droid X (first generation) and, since I’ve still got another year on my contract with it, I like to keep myself from getting bored with such an antiquated phone.

So, this past week, I decided to re-implement Enigmail on Thunderbird. And when I was done with that, I wanted to find out how to USE THE SAME KEYS on my mobile device to encrypt email.

Since this is a “plug-it-all-together” kind of implementation, I thought I’d share with all of you. I’ll give you fair warning, though, there are quite a few (but easy) steps to this, so the write up could be long.

Thunderbird & Enigmail

I’m not going to write a tutorial on how to install Thunderbird. Grab it off Mozilla’s site and install it, if you don’t use it already. It’s a great e-mail client and it’s free. There’s nothing better than not paying a license to read your mail.

Once it’s installed and configured for your e-mail account (mine’s a gmail account), then you’re going to want to download and install Enigmail. Enigmail is an extension for Thunderbird that allows you to write and receive encrypted email. It does this by communicating with GnuPG, an open-source implementation of the OpenPGP standard.

So, the first thing we’re going to need to install is GnuPG for Windows (or GPG4Win, as it’s known). If you’re a linux user, you can download and install GnuPG as a package in your distribution. A little googling and you’ll find it. For those that are Windows users, follow the instructions below.

GPG4Win

So, for Windows users, download GPG4Win from www.gpg4win.org.


Since we’re savvy security folks, we’re going to check the file’s hash, since the developers were so kind as to include it on their web site.

For this task, I use hashtab, a Windows Explorer extension found at http://implbits.com/HashTab/HashTabWindows.aspx


It’s a match, let’s install it. Installation is very straight-forward, so just remember the path that you installed it into in case Enigmail can’t find the executables later. Enigmail sometimes has problems finding GnuPG.
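As an added example (not part of the original post, and not HashTab’s code), here is a small Python script that performs the same check as HashTab from the command line: it takes the digest as copied from the GPG4Win download page, picks the algorithm from the digest’s length, hashes the downloaded installer in chunks and compares in constant time. The installer path and the published digest are values you supply; the sample file holding the bytes `abc` and its well-known SHA-256 test vector are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import tempfile

# Hex-digest length -> hashlib algorithm name. Download pages rarely say which
# algorithm produced the value, so infer it from the length of what was copied.
ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}
HEX_DIGITS = set("0123456789abcdef")


def parse_published_hash(text: str) -> str:
    """Normalise a copied digest: accepts a bare hex string, or the
    'digest  filename' / 'digest *filename' lines that sha256sum-style tools
    print, in upper or lower case. Returns lowercase hex or raises ValueError."""
    fields = text.strip().split()
    if not fields:
        raise ValueError("empty digest")
    digest = fields[0].lower()
    if len(digest) not in ALGO_BY_HEX_LEN or not set(digest) <= HEX_DIGITS:
        raise ValueError(f"not a recognised hex digest: {text!r}")
    return digest


def file_digest(path: str, algorithm: str) -> str:
    """Hash a file in 1 MiB chunks so a large installer never has to fit in RAM."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path: str, published: str) -> dict:
    """Compare the file at `path` against the digest copied from the vendor page.
    hmac.compare_digest keeps the comparison constant-time."""
    expected = parse_published_hash(published)
    algorithm = ALGO_BY_HEX_LEN[len(expected)]
    actual = file_digest(path, algorithm)
    return {
        "algorithm": algorithm,
        "actual": actual,
        "match": hmac.compare_digest(actual, expected),
    }


def write_sample_file() -> str:
    """Constructed stand-in for a downloaded installer: a temp file holding b'abc'."""
    fd, path = tempfile.mkstemp(suffix=".exe")
    with os.fdopen(fd, "wb") as f:
        f.write(b"abc")
    return path


# SHA-256 of the ASCII string "abc": the standard FIPS 180 test vector, used
# here as the "published" value for the constructed sample file.
SAMPLE_SHA256 = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"

if __name__ == "__main__":
    sample = write_sample_file()
    try:
        # Replace `sample` with the installer you downloaded and SAMPLE_SHA256
        # with the digest shown on the vendor's download page.
        print(verify_download(sample, SAMPLE_SHA256))
        print(verify_download(sample, SAMPLE_SHA256[:-1] + "0"))  # mismatch
    finally:
        os.remove(sample)
```

A mismatch here means either the download was corrupted or the file is not what the vendor published; in either case the installer should not be run. Note that a digest copied from the same web page as the download only proves integrity, not authenticity: a GnuPG signature over the installer, where the vendor offers one, is the stronger check.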

Installing Enigmail

Prior to installing Enigmail, your Thunderbird menu bars will look something like this:

When we’ve installed Enigmail, we’ll have another menu item, called “OpenPGP”. We’ll show that in a few.

The first thing we want to do is download Enigmail from their web site: http://enigmail.mozdev.org/home/index.php.html


Once you’ve downloaded it, open up Thunderbird and click on the “Tools” menu and select “Add-Ons”.

You will be presented with the screen below. Click on the gear-shaped icon as shown in the detail below and select “Install Add-on From File …”


Browse to where you downloaded Enigmail (it’s a file with a .xpi extension and it’s usually named something like “enigmail-X.X.X-sm+tb-windows.xpi”) and Enigmail will install.

Once you’ve installed it, however, you will need to set up Enigmail. It’s also possible Thunderbird will need to restart after Enigmail’s install, so feel free to do that now.

Enigmail Setup

Once you’ve gotten Thunderbird restarted, it’s time to set up Enigmail. Setup is very easy, since there’s a wizard that walks you through it. However, we’ll go through the necessary steps below. It is also possible that Enigmail will not be able to find the GPG executables (because it’s looking for “gpg.exe” and GPG4Win provides you with a “gpg2.exe”). If this is the case and you are prompted to browse for your GnuPG files, simply browse to the directory where you installed GPG4Win and locate the “gpg2.exe” file.

If that’s all out of the way, let’s setup Enigmail.

Enigmail Setup Wizard

To launch the Setup Wizard for Enigmail, you should

Click the “OpenPGP” menu and select the “Setup Wizard”


On the first screen of the Setup Wizard, select “Yes, I would like the wizard to get me started”

On the second screen, choose which email account you’d like to create a key pair for. As I have several email accounts, Enigmail chose to ask me if I wanted to create key pairs for each of my accounts. Since I only want to do this for my fleec3@gmail.com account, I only checked off that one. You may not be presented with this choice if you have only one e-mail account.

On the next screen, you will be asked if you want to sign all of your outgoing e-mail by default. This is one of the best ways to get your public key out in the public (and that’s the intent of this exercise, isn’t it?) so, I chose “Yes, I want to sign all of my email”

On the next screen, you will be asked if your outgoing emails shall be encrypted by default. Since I don’t have in my possession a lot of my contacts’ public keys yet, I chose to answer “No, I will create per-recipient rules for those that sent me their public keys”

On the last screen of the Enigmail Setup Wizard, you will be asked if it is ok that Enigmail make some changes to Thunderbird for you. Those changes are:

“Disable loading IMAP parts on demand”
“Disable flowed text”
“View Message body as plain text”
“Use 8-bit encoding for message sending”
And lastly,
“Do not compose HTML Messages”

Personally, I don’t mind any of these changes, for the most part. However, I decided to uncheck “View message body as plain text” because most of the email I get is nicely created with HTML. So far, I haven’t seen too much of an issue with this setting remaining unchecked.

On the next screen, you will be prompted if you want to generate a new key pair or if you want to use an existing pair. If you’ve previously used another set of keys, this is where you could import them into Enigmail.

On the next screen, Enigmail will ask you for a passphrase to use when protecting your private key. It password-protects it and when you want to use your private key for decryption, it will prompt you for this passphrase. This means you’ll want to keep this passphrase handy (perhaps in Keepass?) or keep it something you’ll remember (and please, don’t make it “Password1”).

Enigmail will then generate the keys for you.


Here’s what the Setup Wizard will look like while it’s generating the keys …

Once key generation is completed, Enigmail will prompt you to generate a certificate you can use for revoking your key, when necessary. I recommend generating this certificate and leaving it somewhere you will remember.

Once you click “Generate Certificate”, it will prompt you where to save the Revocation Certificate. Please save it somewhere other than the GnuPG directory (the default location). It is something you should protect and leave somewhere secure.

Once you have completed the Setup Wizard, your e-mails from that account should have the “Sign Message” selection under “OpenPGP” checked off. If you have a public key from one of your e-mail contacts, then you should be able to Encrypt a message to that contact as well.


If your main goal was to install Enigmail on your computer/laptop to sign and encrypt mail in Thunderbird, you’re done!

For me, I wanted to go that extra step and use these same keys I generated for Thunderbird and use them to encrypt emails from my Android device. Luckily, there exists a way to do this.

Encrypted Email on Android OS

So, the very same way we used OpenPGP software on our Windows OS, we need to install the same kind of cryptography software on our Android OS. And the same way we used Thunderbird to send encrypted e-mails, we need to install an e-mail client on our Android OS that will allow us to use cryptography, as well.

Luckily, Android Privacy Guard (located here: http://thialfihar.org/projects/apg/ ) gives Android users the ability to implement GnuPG on their Android devices.

And, as luck would have it, an email client called k9mail (whose page is located here: http://code.google.com/p/k9mail/) has built-in integration for AGP. So, just like we used a plugin for Thunderbird to implement GnuPG, we can install k9mail and have it interface with AGP to provide us GnuPG functionality!

AGP

On your Android device, you can get AGP in the Android Market. Or you can go here: https://market.android.com/details?id=org.thialfihar.android.apg


K9Mail

On your Android device, you can get k9mail in the Android Market. Or you can go here: https://market.android.com/details?id=com.fsck.k9


Once you have both of those pieces of software installed, we can use Enigmail to export our public and private keys into AGP.

Enigmail Key Management
In Thunderbird, click the “OpenPGP” menu and select “Key Management”.


Then, the Key Management console will come up.

Now, it may look like you have no keys in Key Management, but you do. Check the checkbox next to “Display All Keys by Default” and you will now see the keys that were generated from our Enigmail Setup Wizard.

In order to export your keys to files, right click the identity you want to export and select “Export Keys to File”.

Enigmail asks if you want to include the Secret Key in your export file. Answer yes to this by clicking “Export Secret Keys”.

Your export file, containing both your Public and your Secret key, will be written as an ASCII-armored file (.asc).
Hold onto this file because we’re going to copy it to our Android device momentarily.
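The .asc file Enigmail writes is OpenPGP ASCII armor (RFC 4880, section 6): a BEGIN/END line naming the block type, optional headers such as “Version:”, base64 text, and a checksum line beginning with “=” that carries a radix-64 CRC-24 over the decoded bytes. Before that file goes onto a removable SD card it is worth knowing exactly what is in it. The scanner below is an added example, not Enigmail or APG code: it lists every armor block in the file, flags any block whose type says PRIVATE KEY, and verifies the CRC so a truncated or mangled copy is caught. The `armor()` helper and the key material it wraps are constructed for the demonstration (real key packets inside the armor are not parsed).

```python
import base64
import re

# CRC-24 parameters from RFC 4880, section 6.1.
CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB

# One armor block: the END line must repeat the BEGIN line's block type.
BLOCK_RE = re.compile(
    r"-----BEGIN PGP ([A-Z ]+?)-----\n(.*?)-----END PGP \1-----", re.DOTALL
)


def crc24(data: bytes) -> int:
    """Radix-64 checksum used on the '=' line of every armor block."""
    crc = CRC24_INIT
    for octet in data:
        crc ^= octet << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor(payload: bytes, block_type: str) -> str:
    """Build a syntactically valid armor block around arbitrary bytes. This is a
    constructed stand-in for Enigmail's export; the payload is not a real key."""
    body = base64.b64encode(payload).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    check = base64.b64encode(crc24(payload).to_bytes(3, "big")).decode("ascii")
    return "\n".join(
        [f"-----BEGIN PGP {block_type}-----", "Version: constructed example", ""]
        + lines
        + [f"={check}", f"-----END PGP {block_type}-----", ""]
    )


def scan_armor(text: str) -> list:
    """Return one dict per armor block: its type, whether it is a secret-key
    block, the decoded payload size, and whether the CRC-24 line verifies."""
    results = []
    for match in BLOCK_RE.finditer(text.replace("\r\n", "\n")):
        block_type, inner = match.group(1), match.group(2)
        # Armor headers are separated from the base64 body by one blank line;
        # a block with no headers may also have no blank line at all.
        head, sep, body = inner.partition("\n\n")
        if not sep:
            body = head
        lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
        crc_line = lines.pop() if lines and lines[-1].startswith("=") else None
        entry = {"type": block_type, "secret": "PRIVATE" in block_type,
                 "bytes": 0, "crc_ok": False}
        try:
            payload = base64.b64decode("".join(lines), validate=True)
            expected = (base64.b64decode(crc_line[1:], validate=True)
                        if crc_line else None)
        except ValueError:
            results.append(entry)   # undecodable block: report it, never trust it
            continue
        entry["bytes"] = len(payload)
        entry["crc_ok"] = expected == crc24(payload).to_bytes(3, "big")
        results.append(entry)
    return results


if __name__ == "__main__":
    # Constructed export file holding a public block followed by a secret block,
    # the shape Enigmail's "Export Secret Keys" produces.
    export = (armor(b"constructed public key material", "PUBLIC KEY BLOCK")
              + armor(b"constructed secret key material", "PRIVATE KEY BLOCK"))
    for block in scan_armor(export):
        print(block)
```

Run it over the exported .asc file before copying it: a block reported with `secret: True` is your private key, which only the passphrase protects once it sits on the phone’s storage, and a `crc_ok: False` result means the file was damaged in transit and should be exported again rather than imported.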

Copy your public and secret key export file to your Android device

At this point, plug your Android device into your laptop, make sure your USB connection is set to “USB Mass Storage” and copy your export file(s) to your Android device. I highly suggest that you copy them to /mnt/sdcard/AGP, as AGP will be looking in there for .asc files by default.
If you’ve successfully copied your .asc files over to your Android device, you can unmount the USB mass storage, eject the USB device and you’re ready to rock.

Importing keys into AGP
From here on in, we’ll be working solely on the Android device.

To import keys into AGP, you’ll need to fire up AGP.

Next, hit the “Menu” button to bring up AGP’s menu.

Select the “Manage Public Keys” button.
AGP will give you a dialog to browse for the .asc files we’ve copied over. Hopefully, you’ve copied them to the SD card’s AGP directory (or made one and then copied the files in), because AGP asks for that location by default. Save yourself some browsing around and just copy the files into the /mnt/sdcard/AGP folder.

If you use Android’s File Explorer to browse to the .asc files, you will most likely get returned to the dialog with this type of content:
Now, you may be asking “What is all THAT!?”
Don’t worry. The scientific answer is: “It’s all gobbledy-gook”. Seriously. We don’t need it all and I’m not going to use my Google-searching minutes finding out what it really is. So just do this: cut out everything BEFORE “/mnt/sdcard…..”

So that it instead looks like this:
Go ahead. I’ll wait. Just click in there, make sure you keep the leading slash (“/”) before mnt, and hit the backspace button to remove everything before it.

Now click “OK” and AGP will import your public keys.
When it’s completed, you should see a screen like this:

At this point, repeat the steps you just performed, but this time select the “Manage Secret Keys” button instead.


Setting Up K9Mail
Now, I set up k9mail to use my fleec3 gmail account. You may have another email provider. Know your Incoming and Outgoing server settings (you probably needed to find them in order to set up Thunderbird).

For those of you using google mail, your server settings will most likely be close to those below. K9mail has a wizard that will help you set up the account, but if you don’t get it set up at first, you can edit your account settings.


Incoming server settings (Under “Fetching Mail”):

Outgoing Server settings (Under “Sending Mail”):

Once you have your account set up, you can tell k9mail to use AGP to encrypt emails (Under “Cryptography”):

  1. Under the “OpenPGP Provider” option, select APG.
  2. Check the checkbox next to “Auto-sign”


That’s it. At this point, you can send and receive encrypted emails on your Android device or on your laptop/computer using Thunderbird. Either way, you’re using the very same keys.

Conclusion

I hope this walk-through helped you set up encrypted email both on your computer as well as on your mobile Android device. If you have any questions, feel free to ask either in the comments below or hit me up on Twitter.