
Oracle Web Hacking Part II

November 22, 2011

By Chris Gates, CISSP, CISA, GCIH, GPEN, C|EH

In the first article, Oracle Web Hacking Part I, I talked about scanning Oracle Application Servers for default content and how to use that content for information gathering. A pentester can use that information to run SQL queries and to gain a foothold into the network. I also talked about iSQLPlus and some fun things you can do with that application if you are able to guess credentials for it, and showed some Metasploit modules to help you accomplish all of it.

In Part 2 of 3 of this ongoing series of columns, I'll dive into attacking the Oracle Application Server Portal (OracleAS Portal). I'll focus on Oracle 9i and 10g up to Release 2. With 11g (10.3.x) Oracle moved to WebLogic, which is completely different and therefore out of the scope of this series. But there are plenty of shops out there still using 9i and 10g, which gives us plenty of opportunity for breaking stuff. So, let's get to it.


Oracle Web Hacking Part I

April 21, 2011

By Chris Gates, CISSP, GCIH, C|EH, CPTS

Oracle applications are not what you'd call simple. I think any DBA or Oracle Application Server Administrator will be the first to attest to that fact. Oracle, with its great products, comes with some unpleasantries. These are:

1. Oracle applications are complicated (hopefully we all agree on this).
2. They come with loads of default content and no clear way to remove that content. There is no IISLockdown equivalent for Oracle applications. Content you don't want must be removed manually. Some of this content can be used to run database queries, read documents, gather information via information leakage on the pages or perform XSS attacks.
3. Users have to pay for patches and extended advisory information (even then, no Proof of Concept code is released by Oracle).
4. And lastly, you have a fairly complicated patch/upgrade process, which leads to an "it's working, don't touch it" mentality among a fair number of admins.

This provides a target rich environment for pentesters and bad guys. Let’s take a look.


Maltego Part II – Infrastructure Enumeration

April 6, 2009

By Chris Gates, CISSP, GCIH, C|EH, CPTS

Welcome back! In Maltego Part I we performed personal reconnaissance with Maltego to see what we could find out on the net about our Editor-in-Chief, Don. With the personal details tucked safely away in our notebook, let's see what we can gather in regards to his network infrastructure.

Any organization that has an Internet presence needs some form of infrastructure to support that presence. During Infrastructure Enumeration you attempt to discover how much of it exists, what type of infrastructure is used, where it is located, what technology is used and how it is structured. This type of information is interesting for:

    * Security assessments (as this is the first and most tedious phase of any external assessment).
    * Getting an idea of the organization’s Internet and geographical presence.
    * Gaining insight into the technology used by the organization.
    * Making connections between seemingly unconnected organizations (as they might be sharing common infrastructure).
    * Getting a list of brands or affiliations supported by the organization.

Be sure to catch Chris at ChicagoCon 2009 on May 9 as he presents Attacking Layer 8: Client Side Penetration Testing with Vince Marvelli (g0ne).


Video: Client-Sides, Social Engineering and Metasploit, Oh My!

February 3, 2009

By Chris Gates, CISSP, GCIH, C|EH, CPTS

It should be obvious to everyone that the bad guys are moving away from network-level attacks and toward social engineering coupled with client-side attacks. In fact, this is the focus of the next ChicagoCon in May, where I will be presenting this exact topic live. Penetration testers need to be able to help an organization detect and respond to client-side attacks, and what better way to do that than to do a little client-side exploitation during your pentests.

A new mixin has been added to the Metasploit Framework that allows the penetration tester to create and output the files that contain the exploit code instead of just serving up the exploit on a web page. This increases the attack surface by allowing the pentester to perform their Open Source Intelligence (OSINT) gathering to collect email addresses for the target domain. We then take those addresses and actually send the exploit to the victim as an attachment in the email rather than a link to a website. Your mileage may vary on the effectiveness of that technique, but in my experience people seem to be more apt to open attachments of a "normal" or "non-malicious" type like .pdf and .html than to click on links. Some example formats that can be used with the fileformat mixin are .pdf, .html, .cab, .m3u and .xpm, as well as others.

This isn't to say that some fileformat exploits can't be delivered via the web. You can easily link to www.evil.com/evil.pdf, but some lend themselves to easier exploitation if you can get the file into a user's inbox. So let's take a quick look at how this can be accomplished.


Maltego Part I – Intro and Personal Recon

July 3, 2008

By Chris Gates, CISSP, GCIH, C|EH, CPTS

According to their web site, "Paterva invents and sells unique data manipulation software. Paterva is headed by Roelof Temmingh who is leading a light and lethal team of talented software developers." On May 6, 2008, they released a new version of a very kewl tool named Maltego.

"Maltego is an open source intelligence and forensics application. It allows for the mining and gathering of information as well as the representation of this information in a meaningful way. Coupled with its graphing libraries, Maltego allows you to identify key relationships between information and identify previously unknown relationships between them. It is a must-have tool in the forensics, security and intelligence fields!"

Chris Gates' talk at ChicagoCon 2008 entitled "New School Information Gathering" touched on many tools and techniques. One of the tools he introduced to the audience is Maltego v2. This first article in a two-part series expands on this new tool with a basic introduction to Maltego followed by step-by-step personal recon tutorials. Part II will focus on infrastructure enumeration with Maltego.


Intro to XPath Injection

March 14, 2008

By Chris Gates, CISSP, CPTS, CEH

WTF is XPath Injection? Data can be stored in an XML file instead of an SQL database. To sort through complex XML documents, developers created the XPath language.

http://www.w3.org/TR/xpath

XPath is a query language for XML documents, much like SQL is a query language for databases. Instead of tables, columns, and rows, XML files have nodes in a tree. And like SQL, XPath also has the potential for injection issues if queries are not properly sanitized.

Why is XPath Injection so dangerous?
  • XPath 1.0 is a standard language. SQL has many dialects all based on a common, relatively weak syntax.
  • XPath 1.0 allows one to query all items of the database (XML objects). In some SQL dialects, it is impossible to query for some objects of the database using an SQL SELECT query (e.g. MySQL does not provide a table of tables).
  • XPath 1.0 has no access control for the database, while in SQL, some parts of the database may be inaccessible due to lack of privileges for the application.


Video: Exploring Metasploit 3 and the New and Improved Web Interface – Part 1

April 28, 2007

Overview of Video

In this video we explore the revised MSFWeb interface for the Metasploit Framework 3.0. We specifically take a look at running auxiliary modules against a server running MSSQL, and then we'll take a look at using the MSFWeb GUI to run the idq exploit with the meterpreter payload. What is unique about the idq bug is that it will NOT give you administrator or SYSTEM on the box, but you can use the rev2self command in meterpreter to elevate your privileges from IUSR_MACHINENAME to SYSTEM. While we're at it, we also dump the hashes using hashdump for a little extra fun.

Editor's Note: Check your volume as the music may be a little loud. Chris is a wee bit of a headbanger! An "alternative" headbanger, but a headbanger nonetheless.

Enjoy and keep an eye out for future videos. Feel free to post comments and suggestions for future videos.

Thanks,
Chris Gates


Video: Exploring Metasploit 3 and the New and Improved Web Interface – Part 2

April 27, 2007

Overview of Video

In this video we explore the revised MSFWeb interface for the Metasploit Framework 3.0. We specifically take a look at running "browser" exploits, where you have to get the victim to connect back to your listening Metasploit instance. We'll use the ie_createobject exploit via the MSFWeb GUI, and then we'll use the wmf_setabortproc exploit using the built-in msfconsole (a new addition in MSFWeb 3.0). We'll also take a look at using custom meterpreter scripts: first to see if the victim is running in VMware and second, to clear the event logs.

Clear Event Log Scripts

clearseclog.rb
clearalllog.rb

Enjoy and keep an eye out for future videos. Feel free to post comments and suggestions for future videos.

Thanks,
Chris Gates
