I would like to look at this from a different angle for a second, the threat landscape angle and the trending.

It is very interesting to see the changes in Hackers approach from reversing protocols and platforms for vulnerabilities that are usually platform dependent, and relying more and more on overarching architectures such as Java and Flash etc, which are platform agnostic.

This creates an interesting threat landscape that has the multiplatform effect. It is very common to mistake reports that say that Microsoft platforms or others are now less vulnerable than in the past. I believe that its just a matter of Hackers changing focus.

Taking a deep look into industrialized hacking, it fits the model well, by hunting for the latest and greatest vulnerabilities and perhaps buying them from a vulnerability broker that deals with 0-days, Hacker groups are able to leverage indirect campaigns and hit large numbers of infections or data theft. just look at the latest Attack that hit Facebook, Twitter, Apple, Microsoft and others. it was defiantly not a directed attack but an attempt to hit numbers. interesting enough it used a Java 0-day as vector of infection. this hit many organizations with different platforms and methods of securing themselves.

Java is the thing that everyone now blame, but yesterday it was the Microsoft platforms, and tomorrow it will be something else. its not about what’s more secure, its about what Hackers focus on.. at the end of the day, we should always look at the shortest funnels to cash, just like Hackers do. until then… keep your cup of coffee clean.

Gave myself a speed-coding challenge. have to introduce fun into coding or I will never do it. so i wanted to create something for the community that will allow fast enumeration of a Tomcat application server via the Metasploit Framework. I set myself for 2 hours this time , since it required building an environment, testing several installations and wiping bugs myself ( I should teach my wife some Ruby ! ), challenge complete.

enum_tomcat, What does it do ?

enum_tomcat is a post exploitation module (in the MSF repository as post/windows/gather/enum_tomcat) that operates as an enumerator over a meterpreter session on Windows, and evaluates the server for existing Tomcat server installations, and then enumerates the ports, users and main application (ROOT). services will be reported to the service repository, and everything else to the loot repository.

How can you get a copy ?

As a Metasploit pen tester, you should have access to update the repository every now and then, and therefor a simple msfupdate should do the trick. In order to use the module, you need to first obtain a meterpreter session (I am not going to dive into that, that is part of the pen testing scope of work and knowledge), you then need to issue the following command : run post/windows/gather/enum_tomcat.

As always, This is an Open Source contribution to the project, and therefor is available to everyone who wishes to use it.

Alright, so over the weekend I had time to convert some of my old scripts into ruby, because you have to keep your mind sharp in some way or another … when it occurred to me that I haven’t contributed to any open source project in a long long looooooooong time. so with the help of some VMs and a few spare hours, I converted a script that I wrote back in the days which I used to use quite a lot for pen testing purposes in different projects. I have committed it into the Metasploit Framework repository and it is now publicly available for the community usage.

enum_db, What does it do ?

enum_db is a post exploitation module (in the MSF repository as post/windows/gather/enum_db) that operates as an enumerator over a meterpreter session on Windows, and evaluates which Database flavors are installed on the host, and which Instances and Ports are available on them.

It supports Mssql, Mysql , Oracle, Sybase, DB2. and uses the vendor specific methods of identifying database installations, instances and connection ports.

There are 3 outputs are available once databases are enumerated as expected – on screen results, loot of the enumeration process and a service report that adds the discovered services to the MSF service table.

How do I get it and run it ?

As a Metasploit pen tester, you should have access to update the repository every now and then, and therefor a simple msfupdate should do the trick.

In order to use the module, you need to first obtain a meterpreter session (I am not going to dive into that, that is part of the pen testing scope of work and knowledge), you then need to issue the following command : run post/windows/gather/enum_db.

Final Words

This is of course an Open Source contribution to the project, and therefor is available to everyone who wishes to use it. use for good not for evil.

have a read would you ? Link here.

The article explores the differences between classic Denial of Service, and Application Oriented Denial of Service in a simplified manner.

LinkedIn have admitted to have no individual holding a CSO/CISO title and managing security for what is currently the biggest online social network for work relationships and job hunting. This was quite a shock to me, since I really thought that any organization of such size ( in terms of consumers and customers ) will have someone officially taking care of the security role.

This creates an interesting gap, since LinkedIn is not regulated ( no current regulation for social networking, and perhaps something should be there to protect personal information ) but it means that when a hack like this happens, who do you blame ? who takes the fall ? or in other words … if data i hold as an employer is breached, who is responsible ?

Now, i’m pretty sure that due to the publication of that fact, LinkedIn will resolve this soon enough, or at least they should. but it does make you think – where else did I put personal data online , and how is it protected if at all. are techies in charge of making my data safe ? or is there someone that actually holds that responsibility.

I encourage each and every one of you, who wish to put their data online, to make sure or at least check if those sites/companies are properly secured… hell… check in LinkedIn if they have a CSO

The game I chose to play is Diablo 3 ( I carry a flash drive with my favorites installed, everywhere ) and went into it. now … for those of you who dont know, games that involve getting items and collecting and improving characters online, usually also involve getting virtual gold. so you can then buy, repair, improve etc… but thats just game mechanics.

Virtual Gold becomes Real Money

Many of today’s games today, either if its betting games, or online multiplayer games (and maybe your favorite facebook games), enable users to purchase virtual gold for real money. and there is usually an agreed exchange rate.

This means that Virtual Gold gets an actual Dollar value and users can trade and sell/buy.

In come the Bots

By now, we all heard of people in the far east that play constantly just to harvest virtual gold, and then selling it for real money to the western i-wanna-improve-immidiatly gamers. and this took quite a lot of time, for what I would call medium level gain.

Now, from old times, even when I was a kid, we used to be able to write Bots that would play the game for us, or bend it in a way that we make more of that virtual gold faster and faster and making the game easy for us. When I looked into whats going on with people bending my latest favorite game, I came to realize how far have this industry gone…

Advanced and slightly more skilled Bot makers today, use easy to script tools such as AutoIt, in order to create bots that will actually walk the game, play it out, collect items and sell them later on, maximizing on virtual gold harvesting. this means that you can set a machine to harvest for virtual gold for 24/7 and then sell it !

Security Problems

Well, there are several security problems here. lets outline them

1. External Scripting is not manipulating the Game
2. Bot Nets

External Scripting is not manipulating the Game, Evades detection

Lets start with #1. in the old days, when Bots where written, they used to manipulate the in-game memory in order to change or reveal values. this meant that it was fairly easy for the game makers to create software to detect manipulation ( i believe that Blizzard, the maker of Diablo 3 – currently has the best manipulation detection software – warden, developed in-house ).

The way that AutoIt works, is just sending commands that can be based on nothing but pixel detection etc, and sending commands back to the game as if it is a set of keyboard and mouse. for example : Move mouse to (x,y) , Click mouse , Press “1″, wait for (500) ms.

Mitigating Bots

The problem this introduces is the potential inability for standard gaming software to detect such scripts by automation tools from running. and making those bots more common, and by that not just breaking the game for everyone ( unfair advantage ), but actually scamming the game for profit, which I believe is, or should be considered a crime.

This can be mitigated fairly easy. but then creates a problem to the gaming vendors, and the reason for it is that they then cross the line between a gaming product and a moderated security product that enforces rules, like a host IPS or AV, that can then say “if you run this tool in the background, the game wont start”.

I actually would encourage that approach for any game that involves Real Money interaction. it becomes quite popular to introduce Fraud Prevention to online systems such as Bank Accounting systems, and Online Brokering. I see no reason why Gaming should be any different, either if its Browser/Thin-Client based, or if its a desktop installed advanced game.

Bot Nets

There is a joke that mildly translates from Hebrew which says “the open-window, calls the thief” which i believe has a solid case here. Since if a platform introduces money exchange, hackers and organized hackers will find their way to exploit the system to gain profit. and are most likely to hurt both the game vendor and the players that pay to play and pay to improve their gear ( some games have millions of users that are considered addicts that will spend quite a lot of money to advance in a game ).

While Bots such as I mentioned are fairly simple, imagine the following scenario : Bot Net.

Imagine a shoe making factory, with many low paid workers making shoes for the man, which sells for profit… now imagine the Security world where an organized hacking organization can build a farm of computers, all running the game with a bot on it, farming for virtual gold on the games, and sending to a main computer that then sells it.

Imagine even worst… a Virus Bot that infests your own computer, and is then controlled by a C&C Bot Net that does just the same, leveraging your own computer , and your own account for profit.

Traditional Bot Net vs the Gaming Bot Net Potential

Many think that Bot Nets are meant for espionage, stealing credentials, looking into emails and maybe stealing credit card information. But what is the difference ? there is none!

Think of the goal : I want to make money off a bot-net. Which to me means, that the fact that you are farming via a game that allows it, or stealing credit card/transacting money is the same.

At the end, Awareness will be key here. Gaming vendors, HIPS/AV and Fraud Prevention vendors should look into it, making sure that they create content in time when these rise.

The thing that got me most interested was the growing interest from the Hacktivist community in such tools ( TONS and TONS of emails… ) , but also the fact that some researchers went to analyze for mitigation in case of someone abusing the tool for malicious usage. needless to say, I used a very easy to fingerprint ( for application aware security products ) library called urllib2 as this was designed for a lab experiment and not to break the laws of physics.

One individual has sent me a nice test that he’s done with the tool, using a virtualized grid, running the tool from 300 hosts in a rate-limited LAN ( to demonstrate bandwidth constraints of a wan link ) at a server cluster running apache, with an apache caching server in front and got the same results as I did.

I believe that the goal was achieved, an individual or a company that wishes to see how their application copes with application denial of service, can have a tool to run the check, while is also able to prevent anyone else from using it. I do believe that the only way to prepare and mitigate a threat, is knowing it exists, hope this helped.

In my line of work, I get to see tons of different nifty hacking tools, and traffic generation tools that are meant to either break and steal information off a system, or exhaust its resource pool, rendering the service dead and putting the system under a denial of service.

For a while now, I have been playing with some of the more exotic tools, finding that their main problem is always the same… they create repeatable patterns. too easy to predict the next request that is coming, and therefor mitigate. Some, although elegant, lack the horsepower to really put a system on its knees.

For research purposes, I decided to take some of the lessons I’ve learned over time and practice what I preach.

Enforcing Python’s engines, I wrote a script that generates some nicely crafted unique Http requests, one after the other, generating a fair load on a webserver, eventually exhausting it of resources. this can be optimized much much further, but as a proof of concept and generic guidance it does its job.

As a guideline, the main concept of HULK, is to generate Unique requests for each and every request generated, thus avoiding/bypassing caching engines and effecting directly on the server’s load itself.

I have published it to Packet Storm, as we do.

Some Techniques

• Obfuscation of Source Client – this is done by using a list of known User Agents, and for every request that is constructed, the User Agent is a random value out of the known list
• Reference Forgery – the referer that points at the request is obfuscated and points into either the host itself or some major prelisted websites.
• Stickiness – using some standard Http command to try and ask the server to maintain open connections by using Keep-Alive with variable time window
• no-cache – this is a given, but by asking the HTTP server for no-cache , a server that is not behind a dedicated caching service will present a unique page.
• Unique Transformation of URL – to eliminate caching and other optimization tools, I crafted custom parameter names and values and they are randomized and attached to each request, rendering it to be Unique, causing the server to process the response on each event.

Results

Basically my test web server with 4gb of Ram running Microsoft IIS7 was brought to its knees under less than a minute, running all requests from a single host.

In the pictures below you can see the tool in action, where it first ( #1 ) executed against a URL, and then the tool starts generating a load of unique requests and sending over the target server ( host of the URL ), and second ( #2 ) we can see that the server at some point starts failing to respond since it has exhausted its resource pool.

Note the “safe” word is meant to kill the process after all threads got a 500 error, since its easier to control in a lab, it is optional.

Download

File : hulk.py ( via Packetstorm )

The tool is meant for educational purposes only, and should not be used for malicious activity of any kind.

[ Edit 25nov2012 : changed download link to packetstorm ]

To establish common ground, I would like to start by explaining some theory behind DoS attacks on the HTTP attack vector.

An HTTP DoS attack is usually not based on a vulnerability or known flaw in a web server or a service, instead – its the attempt to bring a server down by using all of its available resources and its service pool. That being said, the common HTTP DoS tools usually operate by generating massive amounts of requests to a specific set of URLs on a website in order to choke the resource pool and denying the service.

One very important element in the process, is locating the “Perfect URL”, which is the URL that causes the most load on the server when requested, requiring the server to process as much data as possible before presenting the output to the client. and because of that, the best vector is always to go for the website’s search engine, since that will always require some computation power.

Thesis

What i came to realize is that a simple engine can be written, to run a dictionary against a search engine, and by observing the amount of results presented back from the website for each keyword, one can determine using an automated tool – which is the best search term to create the most load on the server, and build the DoS URL based on that.

Ready, Get Set,  Go!

Lets break the idea into what we want to achieve. we want to run multiple requests to a web server on the search URL. Then, we want to run dictionary as the search term, and by parsing the response page for the place where the number of results is returned – to find the phrase that returns most results (max) and crown it as the “Perfect URL” for a DoS attack.

Using Python, I wrote such a tool that gets as input : search url, regex for finding the number of results and a dictionary file, and does what i wrote above, multithreaded of course ).

Usage looks something like :

python dos_recon.py http://www.site.com/search/?q= 'results\s\:\s(\d+)' wordlist.txt

The tool then opens several threads, each asking for a word out of the dictionary, and adds it to the search string. It then looks for the Regular Expression in the result page and grabs the number of results. Finally, it shows as output, the best URL that produced the highest number of results so far.

Looks something like this :

python dos_recon.py http://www.site.com/search/?q= 'results\s\:\s(\d+)' dictionary.txt
-- Loading Dictionary --
-- Loading Complete --
WORD:hug COUNT:471 URL:http://www.site.com/search/?q=hug
WORD:tree COUNT:13454 URL:http://www.site.com/search/?q=tree
WORD:woman COUNT:110565 URL:http://www.site.com/search/?q=woman
WORD:man COUNT:203721 URL:http://www.site.com/search/?q=man

As you can see. the result indicated that the word “man” has produced the most search results ( 203721 ) , and therefore the best URL to run an HTTP DoS attack against this site will be http://www.site.com/search/?q=man 

In a DoS attack scheme, this kind of tool will/should be used as part of the Reconnaissance phase, detecting a good attack URL ( or URLs ) and then running a DoS tool against it.

Download

I am sharing this as an educational tool, designed to only be used in lab environment and not in the wild, its is meant for research purposes only and any malicious usage of this tool is prohibited.

File : dos_recon.py ( zip file )

the interesting thing about the javascript flavor is the ability to then run it off simple devices such as mobile smartphones or tablets, rendering it more effective for the ease of getting one hacktivist on board with using it without running perl or downloading software.

Analysis

The way that Refref works, is by exploiting an SQLi in the front end web server, it injects an SQL command that effects an unprotected database server and exhausts if from its resources. as far as i know, it effects only mysql servers, however, they seem to be the majority of the backend db servers for many of todays websites, and least as the most upfront database tier.

the SQL command in use is the benchmark() function in mysql, that basically evaluates input for a number of times. normally that command should not be allowed to be executed by the database user that the application server is using, but in many many cases it remains unhandled and is in fact a vulnerability.

The payload code snippet out of refref.pl (source can be found here) :

sub now {
  print "\n[+] Target : " . $_[0] . "\n";
  print "\n[+] Starting the attack\n[+] Info: Control+C to stop attack\n\n";

  while(true) {
    $SIG{INT} = \&adios;

    $code = toma($_[0]." and (select+benchmark(99999999999,0x70726f62616e646f70726f62616e646f70726f62616e646f))");

    unless($code->is_success) {
      print "[+] Web Off\n";
    }
  }
}

Looking at the payload we could easyly identify the function that is being injected as payload is

benchmark(99999999999,0x70726f62616e646f70726f62616e646f70726f62616e646f)

The evaluation CPU time that is required to run the function is what generates the denial of service on the mysql server. When I tested this on a Mysql ( latest community version available today ) has brought my server to its knees in 2-3 seconds, rendering 99-100% CPU utilization and effectively denying it from serving any information to the client. so very very effective.

My Take

although refref in its current form is quite effective, the payload implementation works in a way that old DOS tools usually work which is to knock on the door until it breaks, but im uncertain if that is neccesary in an Application DOS attack, since refref is based on deploying a command to the server and making it busy.

I therefore have altered the payload function to the following form and ran the test again :

sub now {
  print "\n[+] Target : ".$_[0]."\n";
  print "\n[+] Starting the attack\n[+] Info : control+c for stop attack\n\n";
  $SIG{INT} = \&adios;
  $code = toma($_[0]." and (select+benchmark(99999999999,0x70726f62616e646f70726f62616e646f70726f62616e646f))");
  print "[+] Web Off\n";
  copyright();
}

All I did here is really just taking the loop out and making it into a single request attack.

The result was the same, the server got to 99-100% utilization on evaluating the request. I guess that the reason to include the original loop is to generate a normal traffic jam, to be added to the payload, but if used in the way that I have, you get to have a nice run-by attack, killing the service with just a single request. My guess is that when author wrote the original tool, he/she/they had either different experience or a larger environment where it mattered.

Mitigation

• (Frontend) So, my take is that a Web Application Firewall should be able to handle this tool using standard SQL Injection mitigation techniques, since the vector of attack is in fact SQLi to inject the function payload.
• (Backend) I would suggest hardening the Database by not allowing non-dba users to run the benchmark function, and also harden the user configured on the web front end to not be able to run any database function that is not necessarily for its operation.