Welcome to the SecurityisFutile blog

I welcome comments and suggestions, I take criticism very lightly (at least most of the time). My goal for this blog is to document various experiments and research projects I feel are both relevant and prominent in the field of computer security (or lack there of) and share my results and experiences with other fellow computer security enthusiests. Most of my topics are based soley on open source technology and methodology, mostly due to availability and cost. I believe that effective security measures help keep people honest with their technology, for the most part. Security is futile (usless) or at least it feels that way when an inspired opportunist comes around and exploits your weaknesses. With that being said I leave you with a quote of inspiration; There is no security on this earth, there is only opportunity.-- General Douglas MacArthur

Monday, November 16, 2009

http browser autopwn

At the Defcon conference this year a new exploit was provided to the open source hacking community (Thanks to Egypt - Thank You), which allows one to fingerprint the victims browser/OS and patch levels prior to sending the exploit. Previously the exploit was chartered as a Cluster Bomb but is now known more of a guided missile.

I was able to test this exploit against a vulnerable microshaft IE 6.0.3 browser this afternoon and the payload exploited with out a hitch! If you like watching videos here is a good proof of concept you can develop your future exploits from off of youtube:

(PaulDotCom Enterprises, LLC)

Just run the Metasploit console and load the /auxiliary/server/browser_autopwn exploit module then set values for:

LHOST (IP victim will connect back to)

SRVPORT (port to run exploit on, can be 80 or 443 HTTPS)

URIPATH (directory to host exploit from)

run exploit, connect from victims vulnerable browser to http://(IP)/(URIPATH) and the exploit should launch, results should start to show over in MSF console window. Once a session is generated you are in using the privileges as the victim (now you can quickly escalate privileges to system/admin/root)

sessions -l (session ids should list)
sessions -i (session id), then type: hashdump, ipconfig /all, ifconfig -a (what ever)

if not then try again. I had some problems when the browser sent a response the server didn't know how to respond to (sent RST and 404 message back to client usually when victims browsers doesn't have a plugin installed), like apple quicktime, java or something like that). Take out those checks done by the exploit in the ruby code and you might have some success!!! I didn't test with a anti-virus scanner installed, but I have heard it can bypass/evade some of the scanners and generic IDS rules based on how you submit your exploit to the victim. This is definitely an effective means of getting inside through a phishing attack.


Recently I took on the challenge to write my own python DOM parser ,to take the output of an NMAP SYN scan and parse the results into a database of choice, like MySQL. After doing some preliminary checking of what is already out on the web I came across a tool developed by http://www.tssci-security.com that will handle just what I was looking for. Once you make some tweaks to the code to parse out the "ipaddr" for both the MAC and the IP addresses the python script "nmapxmlparse.py" works like a champ! It outputs the NMAP xml formated file into a ingestable .csv file, which can then be scripted to insert into your MySQL tables.