rpcinfo/showmount

RPC or Remote Procedure Call is a protocol on which services such as NFS, NIS, SAMBA are based. Essentially RPC facilitates the process of encoding and decoding requests between clients and servers. When a client tries to connect to an NFS service RPC take the control and maps the request to the port on which the service is listening. If we are looking for compromise this type of service, it will be necessary to analyze how RPC works, so in this lesson, we will examine this protocol.

Network File System And RPC

Wikipedia says:

Network File System (NFS) is a distributed file system protocol originally developed by Sun Microsystems in 1984,[1]allowing a user on a client computer to access files over a computer network much like local storage is accessed. NFS, like many other protocols, builds on the Open Network Computing Remote Procedure Call (ONC RPC) system. The NFS is an open standard defined in Request for Comments (RFC), allowing anyone to implement the protocol.

As we can see NSF is a service that is based on RPC, so we will configure an NFS server in order to examine the operation of RPC.

Setup an NFS-Server (192.168.122.131)

We can use infosecaddicts ubuntu VM and install NFS-Server as continue:

sudo su
apt-get update
sudo apt install nfs-kernel-server

After install, we can check:

systemctl status nfs-server

Now, We will publish a directory for testing purposes, for that we need to edit /etc/exports and copy :

/home/infosecaddicts/backups 192.168.122.0/24(rw,sync,no_subtree_check)

Finally, Restart the VM.

Setup our local Machine

In our local machine install rpcbind and nfs-common (nfs-client) components:

sudo su
apt install rpcbind nfs-common

rpcbind allows us to run the rpcinfo command that helps us to get information about RCP services in a given system, rpcinfo makes an RPC call to an RPC server and reports what it finds.

With nfs-common, we get all the client tools to successfully connect to an NFS-Server.

Enumerating RPC services:

rpcinfo/showmount commands:

Once our lab has been configured, we can focus and  see what type of information we can obtain from the NFS-server:

Now, from our local machine run:

rcpinfo -p 192.168.122.131

After running rpcinfo command we get a lot of interest information:

  • All the services (RPC) that are running on the NFS-server (192.168.122.131).
  • The default port for RPC services (111).
  • The ports associated with each service.
  • The information about another RPC services (such as nfs, nlockmgr, quotad, mountd, etc.)
  • The protocol used by each service UDP, TCP.

If after doing a scan we detect port 111, we can say that in the target server there is a NIS, NFS, CIF or SAMBA type service waiting for remote connections. Also, rpcinfo tells us what service he is listening to. In the image above we can see that there is an NFS service running at port TCP/UDP 2049. When rpcinfo command run, the local host makes an RPC call to the NFS-server (port 111), Next, it consults with portmapper to determine where the RPC server is listening.

The most important thing is that through RCP we can list other services, in our case we see the NFS service and the ports in which it is waiting for connections.

with nmap we can scan and see a result similar to the previous one:

run:

nmap -Sc -p111 192.168.122.131

Finally, since that we have verified that an NFS service is running, we can deepen and see what else we can obtain.

run to export a list of directories:

showmount -e 192.168.122.131

Try to mount the directory:

sudo mount -t nfs 192.168.122.131:/home/infosecaddicts/backcups /tmp/nfs

Check for Files system mount on our local machine:

mount

As you have been able to analyze, examining RPC-type services allows us to obtain a lot of information not only from the network infrastructure, but also we can assemble a network folder and obtain the files that are there.

 

Dirb is a web content scanner

Dirb is a web content scanner, it’s principal features are scanning and attacking folder that is hidden within websites, Dirb makes this possible using dictionary based attacks against the servers mostly HTTP requests.

Dirb comes with default wordlists to easy the process of the attacks, the main purpose of Dirb is to be used in web application auditing, it helps the professional’s to test the security parameters included to protect websites, Dirb occasionally coves some holes that are not covered by the classic tools used to scan website vulnerabilities, the reason is that Dirb looks for specific objects located on the website. it doesn’t look for general vulnerabilities, it’s purpose is to look for web content that can be vulnerable.

How Dirb works:

Dirb has an internal wordlist file that by default has around 4000 words for brute force attacks. There are also a lot more updated wordlists available over the internet that can be used as well. Dirb makes a search of the words in its wordlist in each directory or object of a server or a website. It might be an admin panel or a subdirectory that is vulnerable to attack. The most fundamental thing is to find the objects as they are hidden.

How to acquire it?

Download Dirb via Sourceforge: https://sourceforge.net/projects/dirb/

Using Dirb:

First, you need to download Dirb.

To uncompress the compressed Dirb file, you can use the next command:

sudo tar -xvzf dirb222.tar.gz

The Dirb folder is now uncompressed, and you can see it with ls command:

Go to the dirb directory and make executable configure with next command:

chmod u+x configure

Run configure and then type make:

Dirb is now installed, and you can use it with next command:

./dirb URL

Testing for Special Vulnerable list:

Dirb can be used to test for specific vulnerable objects within particular types of web technologies. Every web technology has its unique vulnerabilities. They are NOT all the same. Dirb can help one search for specific vulnerable objects specific to the particular technology. Also, we should mention that these tests are often performed over the TCP ports that handled the web services, these ports are:

  • TCP/80 – HTTP
  • TCP/443 – HTTPs, SSL

Also by the time of an attack, these ports must be opened to host the web services so the firewalls cannot do much about it to prevent attacks directed to these ports.

Dirb has specific wordlists to search for these vulnerable often hidden objects. You can find them at:

cd  wordlists/vulns

Then list the contents of that directory:

ls -l

There are some files listed for each of the specific vulnerabilities to test. If your web server is Apache and you want to test it use apache.txt

To run

./dirb http://webscantest.com  wordlists/vulns/apache.txt

Bash Scripting. Shebang

Introduction:

The command interpreter or shell is a program that allows users to interact with the system, processing the orders that are indicated. The commands that can be invoked from the shell can be classified as internal (actually correspond to commands interpreted by the shell itself) and external (correspond to executable files external to the shell). In addition to commands, the shells offer other elements to improve their functionality, such as variables, functions or control structures. The set of internal commands and available elements, as well as their syntax, will depend on the concrete shell used.

In addition to using the shell from the command line (based on the prompt as the indication of the shell to announce waiting for a command from the user), it can be used to interpret shell-scripts. A shell-script or “command script” is a text file that contains a set of commands and commands interpretable by the shell.

In the S.O.’s Unix, there are multiple shell implementations (in Windows, the equivalent would be the “command.com” or “cmd.exe” programs). Attending the shell from which they come and their syntactic similarity (including their internal commands), the Unix shells can be classified into two large families (there are some additional shell, residual use and within the shells of the same family there are also differences, but much of its syntax is common).

What’s a bash script? What they are and what they do?

Simple, a bash script, allows you to execute commands from a “file”. What do we need to understand this? We need to understand that the “interpreter” is the shell. What do we mean when we say that the interpreter is the shell? Well, with a bash script, you can have unlimited functionality when it comes down to the Unix toolset, for example, if you are performing Python scripting, the whole idea of “modules” comes to mind, but, if we use bash scripting to create a script, it’s more convenient, because you won’t have to install dependencies, additional extensions or “modules”.

Is bash scripting better than Python scripting? Well, this point, depends on the background and perception of the programmer, but if you ask any system administrator, they will prefer bash scripting over Python, why?, because by comparing them, Python is less “reliable”
when it comes to “bashing”, on the other hand, in Unix, (remember, because the bash use the shell as an interpreter), the shell its build in on Unix, and will enable you to use the entire Unix toolset which means that you’ll be able to control sockets, just by typing each command on each line, this makes this process, very intuitive and easy to understand.

Running Bash scripts

Running a Bash script is fairly easy. Another term you may come across is “executing the script” (which means the same thing). Before we can execute a script it must have the execute permission set (for safety reasons this permission is generally not set by default). If you forget to grant this permission before running the script you’ll just get an error message telling you as such and no harm will be done.

Bash Scripting. Is the best… But, for what exactly?

Bash scripting allows system administrators to copy, update, and do backups of files, almost automatically. You can create bash scripts to do many tasks, that go from doing queries of data in an excel sheet file, up to compiling data, getting figures, and producing massive amounts of data. Of course, nothing is perfect, because when it comes to huge calculations that involve statistics and merging all the data types, it comes off short, Why? because the Shell its focus in running the system itself, but still is really useful for managing files, running scripts, programs, and especially, for automating tasks.

Lest create a simple bash script, as an example, and to understand the syntax and what do we mean by interpreting a file.

HELLO!

You can do this using any Unix/Linux operating system, and the editor (shell) of your choosing. Lest create a bash script that will display the word HELLO

echo hello

“echo” essentially is used to display the text “echoing” the tex back to you. This is basically a shell script. This is a command, that the shell will interpret when you press enter.

hello

You can see it interprets and the shell “understand” what you are trying to do. We can complicate things a little bit, for example, by scripting, essentially allowing you to execute a lot of this commands from a file, using the shell, a thing that, sometimes, many people forget, and how powerful this possibility is.

As we know, you can create the script on any text editor of our choosing.

Remember that the file that we are going to create must be saved as a Shell extension (.sh) and we can locate it, on any place we want. Lest create a file called Simple.sh and save it in our Desktop.

Now the first thing we must do it’s to declare what is the interpreter that we are going to use, in the file we just created.

Shebang

#!

This is called the “Shebang”, the reason it is called like this? because, this “#” is a “sharp” and this “!” is the bang, like the annotations you find in music sheets.
This characters #! are at the beginning of interpretable executable programs or scripts.
So, anything after the shebang line will essentially be used as the interpreter.

#!/bin/bash

In this case, the bash is going to be used as the interpreter of the script that we are going to create. Remember you can use any interpreter after the shebang:

#!/bin/python

For example, to create a reverse scripting for reverse shells on a client or the Shell when you want to perform a privilege escalation:

#!/bin/sh

The shell, remember, is different from the bash, given that the bash is considered a terminal instance, which will give you much more streamline experience when it comes down to using Unix/Linux operating systems, as for the shell, it is simply the interpreter of commands, and you know that this, won’t give you full access in terms of functionality.

We will use the bash.

In the following line we type the text we want to display between quotation marks, to make sure that everything in them, is printed out, but before we use our text editor to create the file Simple.sh, this can be visualized in the picture below:

Then we proceed to paste the following sentence into the new file

#!/bin/bash
echo “Hello world! This is the first shell script”

We save the script, now, let’s execute it.

We open our terminal and go to the location of the script we just created

cd root/Desktop

Lest make sure that we can execute the script giving to it “execute” permissions, using the chmod command:

/Desktop# chmod +x Simple.sh

Now to execute, we select the interpreter

/Desktop# ./

Where ./ is “telling” the terminal that he must use the specified interpreter indicated after the “Shebang” of the script we want to run.

Now we run it like this:

/Desktop# ./simple.sh

Getting the following result:

Hello world! This is the first shell script

This is a very simple example to explain the syntax behind this procedure. What do we mean with this? that now we can understand how we can execute a script (series of commands and bashes) from a file (in this case “Simple.sh”), how when we build a script we “instruct” it to be used by an interpreter.  To be able to know, by the Shebang present in a script, what is the interpreter you must use to run  it (if the script you are about to use was not created by you), or if you are creating one, leave the “instructions” for another user that will use the bash, to run it using the interpreter present in the Shebang with this command (./) without reviewing it. You can also set permissions in the script to be used only by certain users with the chmod command.

Easy HoneyPots – Canary Tokens:

Introduction:

The familiarity of web bugs maybe some image that tracks some users when they open an email, these features work using unique embedding URL in a page image which creates a TAG and generates an incoming GET request.

Those are the principles of Canary Tokens, the application of the previously described aspect applied to file reads or queries database, the execution of queries or maybe to detect a pattern within log files. Canary tokens can be used to implant traps in every area located within your structure or production system which is more efficient than just setting separate honeypots as a beacon.

Technical details:

Network breaches happen more often nowadays, this problem can affect small businesses even large mega-corps, what is trying to be protected and be avoided with the implementation of these tokens is to found out immediately which kind of users are attempting to break out into our system.

Canary tokens are available for free in http://canarytokens.org you can download your own token to send a notification to your personal email whenever someone is trying to reach or open any specific file that you put into your network.

How tokens work:

  1. You visit the website mentioned before and get a free token which can be used like an URL or a hostname depending in the type of Honeypot that you have selected
  2. If an unauthorized user or an attacker uses the token that you have placed into your network, Canary will give you an out of band email that the token has been opened.
  3. At last, Canary provides a variety of tools and hints that increase the possibility of an attacker to trip over the token.

Demonstration of Usage:

As we mentioned before you can visit the site: http://canarytokens.org and select which type of Honeypot you want to add into your workspace they can vary the options available from different options as it can be seen in the picture shown below:

After you select the type of toke you want to use, you can add a description for the notification that is going to be sent to your email and you can click into “Create my CanaryToken” for the token to be created. This process can be seen in the picture below:

After we click on Create my Canarytoken the page is going to show you the address for the token, in this case, we selected a Microsoft Word Document, the page will allow you download the file and change the name to be more appealing for any attacker which may access into our computer. The download page can be visualized in the picture below:

Now we download the file and change the name of the file to a name that represents the store of delicate data like the one shown in the picture below:

We open the file and see that’s empty but the token was already activated. We check into the email address that we selected to receive the notification to see if canary send a notification for unauthorized access to our token.

As we can see CanaryToken represents a free and easy solution to set Honeypots across your work environment and control the execution of some features within your network, it represents a helpful defensive tool against possible threats and helpful framework to keep a record of possible threats that may affect your data integrity or the privacy of your files.