WiTi Board and OpenWRT

UPDATE 20160107: Witi patches got into OpenWRT mainline, but there is SD breakage in mainline, so I still do not recommend using OpenWRT master/trunk for WiTi. As soon as it gets fixed, it should be good to go. Until that moment, I recommend using my branch.

Just got my WiTi Router board today. I’ve supported WiTi project on Indiegogo and was lucky enough to get it on time. It is manufactured by MqMaker. It’s really nice device for running OpenWRT. The problem is that support for WiTi is still not in the OpenWRT mainline.

Original author (manufacturer) did not follow git workflow, but added patches to specific OpenWRT version, so it’s hard to check changes against OpenWRT mainline. He actually sent pull request to the Github page of Openwrt, but did not know they don’t accept pull requests from there (they will be ignored). His changes are available through his pull request.

Nitroshift had nice initative of having it in the OpenWRT mainline, but so far he have managed to submit few patches to the official OpenWRT mailing list. You can check his fork of OpenWRT here. OpenWRT page of this router is available here and forum discussion is here.

Being security consciousness, I wanted to see the differences from the mainline and go through them myself. In that process, I have managed to make witi branch on github which is fork from official OpenWRT mainline. It is basically nitroshift patch, but with few critical fixes in order to boot up board normally (no need for serial cable). You can check differences between OpenWRT mainline (master) and my patches here.

 

Read more of this post

Nmap 6.49BETA4 on Android

I’m working on Android port of Nmap for quite some time now. It was some time ago I did port Nmap 6.47 to Android and you can find that Android binaries here:
http://seclists.org/nmap-dev/2015/q1/45

Almost same process as 6.46 was used to compile 6.47:
https://k0st.wordpress.com/2014/08/17/nmap-6-46-on-android/

In the meantime, 6.49BETA4 got released, so I’ve managed to cross compile the new version as well.

For those who just wants the binaries, they are here (binaries should work on Android 4+ out of the box):
https://s3.amazonaws.com/nmap-dl/nmap-android/nmap-6.49BETA4-android-arm-bin.tar.bz2
https://s3.amazonaws.com/nmap-dl/nmap-android/nmap-6.49BETA4-android-i686-bin.tar.bz2
https://s3.amazonaws.com/nmap-dl/nmap-android/nmap-6.49BETA4-android-mipsel-bin.tar.bz2

Or if you don’t want to bother with this all, you can download Network Mapper application from Play store at following URL:
https://play.google.com/store/apps/details?id=org.kost.nmap.android.networkmapper

Since, I’m using completely different approach in building it from the source, it’s worth mentioning major changes: binaries are now dynamically linked (due to DNS issues) and compiled with PIE support (due to Lollipop support). Dynamic linking is done against minimal number of libraries for DNS to work (mostly libc).

Read more of this post

Identifying and exploiting IBM WebSphere Application Server

IBM WebSphere is application server similar to Tomcat, JBoss and WebLogic. Therefore, it should be interesting to any penetration tester doing enterprise scale work where Websphere might be present. It should be also interesting to anyone who is working on securing enterprise environment since Websphere allows deploying own (malicious or not) code to the server.

I have written NSE scripts to identify IBM Websphere consoles of application servers and to brute force any usernames and passwords. I will also demonstrate basics of WebSphere exploitation.

Read more of this post

Atom package to support Nmap Scripting Engine (NSE) files

Sometimes I use Atom as my secondary editor. I’ve made atom package to support Nmap Scripting Engine (NSE) files. In short, it adds syntax highlighting and snippets to NSE and Lua files in Atom. It is specifically written for writing NSE scripts which are compatible according to Nmap coding style (indentation, soft tabs, etc).

Package is available from the following URL:
https://atom.io/packages/language-nse

Source is available at the following URL:
https://github.com/kost/language-nse

Atom language-nse package

Atom language-nse package

Read more of this post

Running commands on multiple meterpreter sessions

Recently I had a need of launching large number of meterpreter sessions in order to quickly scrape large number of computers. This is what I occasionaly need, but I always forget to document. So, this is also note for myself. Imagine scenario where you have domain admin privileges on large windows network or same exploit working on large number of computers and you want to launch keyboard sniffer on all of them. Another example would be if you want to launch specific command on all (or specific) meterpreter sessions.

Read more of this post

Identifying and exploiting rom-0 vulnerabilities

I will talk about simple, but dangerous vulnerability present on many network devices which are using RomPager Embedded Web Server. Attacker is able to get your ISP password, wireless password and other sensitive information by issuing single HTTP GET request to ‘/rom-0’ URI. Mentioned information disclosure is present in RomPager Embedded Web Server. Affected devices include ZTE, TP-Link, ZynOS, Huawei and many others. Vulnerability was published in 2014 (by looking at CVE), but I see lot of people don’t know about it: mainly because there was no hype about it and most of the popular vulnerability scanners failed in identifying it.

I still think that vulnerability is pretty dangerous: if administration web interface of router is exposed on Internet – that means that anyone on Internet is able to know your ISP password, wireless password and router password by single unauthorized http request. But attacker does not have to stop there – since it knows your router password, attacker can change router settings and redirect your network traffic as he likes (by changing route or DNS settings). Attacker can also expose your LAN to Internet or access your internal services or computers by abusing port forwarding features. So, I hope this vulnerability will get better treatment after this blog post and NSE script.

Read more of this post

Using bloom filter for hash database

Summary

For those who are short on time: This is way to shrink large hash database (bigger than 2 GB) into very small data set called bloom filter. You can test it out by issuing following command (check if MD5 is found in NSRL):
docker run --rm k0st/kfh 16f769bc1d37cc14e3093b9881cf1691
You can find image and build instructions on Docker Hub.

Read more of this post

Nmap 6.46 on Android

I’ve just cross compiled Nmap 6.46 on Android since I did not do it for a while. If you just need binary, it’s here:

http://ftp.linux.hr/android/nmap/nmap-6.46-android-arm-bin.tar.bz2

If you need details, go here:
https://secwiki.org/w/Nmap/Android

Building Nmap from source (without SSL)

If you want to build it from the source, process is pretty straightforward:

git clone https://github.com/kost/nmap-android.git
cd nmap-android
cp -a android ~/src/nmap-6.46/
cd ~/src/nmap-6.46/android
#(adjust paths if needed in Makefile)
make doit

Building Nmap from source (with OpenSSL)

I see many people try to cross compile Nmap with OpenSSL support. Since, I did not specify OpenSSL part of cross compiling, I see there’s lot of complicated ways people do it. For example, like Gorjan Petrovski here:

http://blog.umitproject.org/2012/05/cross-compilation-of-static-nmap-with.html

In short, compiling of whole Android tree is not necessary. You just need to use same compiler for everything. I’m assuming you have NDK installed and standalone toolchain in PATH.

For building zlib, I’m using following snippet:

export CCARCH=arm-linux-androideabi
CC="${CCARCH}-gcc" ./configure --prefix=/sdcard/opt/zlib-1.2.8
make
make install

For building OpenSSL, I’m using following snippet:


export CCARCH=arm-linux-androideabi
./Configure dist --prefix=/sdcard/opt/openssl-1.0.1i
make CC="${CCARCH}-gcc" AR="${CCARCH}-ar r" RANLIB="${CCARCH}-ranlib" LDFLAGS="-static"
make install

For building Nmap, I’m using following snippet:


git clone https://github.com/kost/nmap-android.git
cd nmap-android
cp -a android ~/src/nmap-6.46/
cd ~/src/nmap-6.46/android
#(YOU have to EDIT makefile to adjust NDK and OpenSSL paths)
make havendk

Note: If you plan to compile OpenSSL support, you need to edit Makefile before issuing make havendk in order to specify OpenSSL path.

You should have binaries in place after build. You can strip them and transfer to your Android device.

Rip or Pillage DVCS – story about git

I hope you have read Ron’s excellent post about .git on web sites and how you can take advantage of nmap script to find out if you have them. In the comments you can find even Google Dork to find out indexed ones. Problem about his approach was assuming that directory browsing is enabled which was not my case. Recent post on carnal0wnage also gives good tips about getting .git files on the web server. It’s hard to miss DVCS-pillage tool and Baldwin’s paper. It’s pretty good tool, but DVCS-Pillage did not support https for git (you can find patch on my github page) and it was also very slow due to repeatable “git log” usage.
Step further is git plugin for Metasploit. Still, they all hope they downloaded everything.

I really wanted to have support for other branches than master and make sure that I downloaded whole git tree, so I can get ALL files and do it fast. So, of course, I’ve made my own solution in Perl available here (only for git now):
https://github.com/kost/dvcs-ripper

You just need to say:
rip-git.pl -v -u http://www.example.com/.git/

rip-git.pl will download git repository, check what is missing and download that, so you can fully checkout the source.
Note that it will do “git checkout -f” for you as well. That assumes that you have git on the same machine as script as it is using git commands.

It also supports other branches (just specify -b branch for other than master).

One neat trick is that my tool is actually using “git fsck” to find missing entries and download them which is quite faster than using repeatable “git log”.

Let me know if it works for you!

Nmap 5.61TEST4 on Android

Since Fyodor released Nmap 5.61TEST4 version, I had to compile it for Android as well. Nmap works on both rooted and non rooted phones. On non rooted phones you will be limited to functions which are possible as non-root user (i.e. no OS fingerprinting, SYN scan, etc).

Google released android-ndk-r5b which have infamous output problem fixed. Therefore, nmap android binary now works perfectly. Also, new NDK implements (almost) all C++ – therefore Crystax is not needed any more. In short, that means that build process is much simplified.

Download

It is available at usual location:
http://ftp.linux.hr/android/nmap/nmap-5.61TEST4-android-arm-bin.tar.bz2

Note that it is built for Android on arm architecture statically. Therefore, you should build from source if you’re using other platform than standard arm.

How you should install it?

  • extract nmap-5.61TEST4-android-arm-bin.tar.bz2 to opt directory of the root of storage location. That means /sdcard/opt
    cd /sdcard/opt
    tar xvjf nmap-5.61TEST4-android-arm-bin.tar.bz2
  • check that you have following directory structure: /sdcard/opt/nmap-5.61TEST4
    ls /sdcard/opt/nmap-5.61TEST4
  • As you cannot execute from sdcard by default, you have to copy nmap binaries from bin/ to somewhere where you can execute. If you did not root the Android – that probably means /data/data/jackpal.androidterm/nmap is good place as you will probably run nmap from terminal. Still, you can have data files and scripts on VFAT sdcard and you need to copy only nmap bin directory to somewhere where you have execute permissions (your phone, /sd-ext, /data/data/jackpal.androidterm depending on your type of phone/ownership, …).

    For example, on non-rooted Android you should do something like this (as cp is not possible on most of the Android phones):

    mkdir /data/data/jackpal.androidterm/nmap
    cat /sdcard/opt/nmap-5.61TEST4/bin/nmap > /data/data/jackpal.androidterm/nmap/nmap

  • run nmap
    /data/data/jackpal.androidterm/nmap/nmap 127.0.0.1
  • Compilation

    You need to have Linux based OS, as we have tested building it on Linux only. Scripts are for building arm based binary. You need to modify the build in order to compile it for other platforms.

    Download android helper Makefile and patches here:

    http://ftp.linux.hr/android/nmap/nmap-5.61TEST4-android-src.tar.bz2

    Extract it to Nmap dir. That means you should have android directory inside nmap directory. Go to to nmap-dir/android and run make.

    You can do “make doit” which will automatically download Android NDK (~40 Mb) and build nmap. or If you have NDK already installed, you should edit android/Makefile for NDK path and run “make havendk”.

    Note: patches are not perfect. Some of them are kludgy until nmap devs decide how they want to proceed with patches.

  • that’s it
  • Wiki

    I’ve made pages for Nmap on Android and Kindle on https://secwiki.org, so up-to-date information regarding these two ports you can always find there:

    https://secwiki.org/w/Nmap/Android

    https://secwiki.org/w/Nmap/Kindle

    Good luck and let me if it works for you!