"It's Like Chat Roulette for Hackers"
The coolest thing this week... wait, let me start again.
The coolest thing this year is Wei sinn3r Chen's brand new amazesauce, humbly named
webcam_chat. I know he just posted all about it yesterday, but I just want to reiterate how useful and hilarious this piece of post-exploit kit really is.
First off, it's entirely peer-to-peer. The communication channel is strictly between you and the compromised host; you're not bouncing your webcam stuff through Google Hangouts or GoToMeeting or anything like that. So already, you're kinda sorta OTR (off the record). True, the initial connection is mediated through an Internet-based service (which you can optionally set up yourself with the -s option), but the video is straight up mano a mano.
Second, as sinn3r intimated, permanent pen-testing staff can use this WebRTC component to gently... re-educate users about how not to get popped by real criminals. This is helpful when you can't get a meeting with your CEO about how he really shouldn't carve out firewall exceptions for his iPad. Not naming names.
This is not to mention the pure lulz factor of being able to play at "Hollywood Hacker." How many movies and TV shows feature a shadowy evil genius who can inexplicably pop up on whatever monitor the hero happens to be looking at, who then proceeds to make his demands known? There are literally Brazilians of examples. And that's a lot.
Of course, and hopefully this goes without saying, actually using a sudden video chat in production may carry with it some... slight privacy concerns. So if you happen to go down this road of being very hands-on with your target endpoints, please make sure that you have all the permission that you need ahead of time. Nothing kills a pen-test program faster than sudden wiretap statute violations. This is not to dissuade you from using this (and
record_mic, by the way) -- you should totally use them, with the advice and consent of your chosen target organization.
I am just beside myself with joy that this landed. Yeah, the Android WebView attack was cool, sure... but, WEBCHAT. You can't beat that with a stick.
Massive thanks to the brilliant folks over at WebRTC for producing and releasing such an amazing open source technology. You guys are the real heros. Keep these off-the-shelf invasive technologies coming!
Meterpreter is so easy a _____ can compile it!
Also this week, we saw a great HOWTO video from OJ TheColonial Reeves on how drop dead easy it is to download and compile Meterpreter on your own. The procedure documented here is pretty much exactly what I do when I'm testing changes to Meterpreter, and quite close to what we use in our in-house build process here at Rapid7.
If you're some kind of Victorian literate that prefers reading words that don't move, and you want to know how to roll your own Meterpreter binaries, then see OJ's accompanying blog over at Buffered.IO. The video is only four minutes and change, though, and the music is catchy. But hey, if you hate technology, then that's your thing. Don't let me tell you how to absorb information.
This week's release sees six new modules, including the mighty post module to enumerate Active Directory servicePrincipalNames, from serial AD enumerator Ben Meatballs Campbell. But, if I had to choose -- and I don't want to, because I love all Metasploit modules equally and unreservedly -- then I'd have to say that Meatballs' MediaWiki exploit is probably the hottest of the bunch.
MediaWiki has patches available (at least according to the OSVDB entry but there are zillions of MediaWiki installations, run by people who aren't slavish about security, so this is one of those platforms that you're a) likely to see on an engagement and b) you're like to see an old version live in production. Many IT organizations farm out that whole "Knowledgebase" infrastructure to individual business units and take a hands-off approach to them in the enterprise, so a penetration tester should have a good time hunting these down and snarfing decent intelligence via Metasploit shells.
Watering hole attack, anyone?
- Dexter (CasinoLoader) SQL Injection by bwall (Brian Wallace)
- MediaWiki Thumb.php Remote Command Execution by Ben Campbell, Ben Harris, Brandon Perry, and Netanel Rubin exploits CVE-2014-1610
- Oracle Forms and Reports Remote Code Execution by Mekanismen and miss_sudo exploits CVE-2012-3153
- Audiotran PLS File Stack Buffer Overflow by Philip OKeefe
- Easy CD-DA Recorder PLS Buffer Overflow by juan vazquez, Gabor Seljan, and chap0 exploits CVE-2010-2343
Auxiliary and post modules
- Windows Gather Active Directory Service Principal Names by Ben Campbell and Scott Sutherland
If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.