Wednesday, October 26, 2011

quick post: Converting shellcode to opcodes

Mainly as a note to myself, but other people might benefit from this as well.

Last night I was looking for a way to convert small bits of shellcode into the equivalent opcodes. While there is metasm-shell to convert opcodes to shellcode, there is no shell to do it the other way around. Metasm has disassemble.rb, but that is only file-based. A quick question in #metasploit resulted in the following one-liner, which worked perfectly:

echo -ne "\xeb\xe0" |ndisasm -u -
00000000  EBE0              jmp short 0xffffffe2
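As an added illustration (not part of the original post), the following Python reproduces what ndisasm reports for the two-byte jmp above: it converts the "\xeb\xe0" escape string to raw bytes the way echo -ne does, then decodes EB (rel8) and E9 (rel32) relative jumps by sign-extending the displacement, adding it to the address of the next instruction and wrapping to the operand size, which is why a backward jump from offset 0 shows up as 0xffffffe2. The function names and the ndisasm-like line formatting are my own, and the block handles only these two jump forms; it is not a general disassembler.

```python
import re


def escaped_to_bytes(text):
    """Turn a "\\xeb\\xe0"-style escaped string (what echo -ne consumes) into bytes."""
    return bytes(int(h, 16) for h in re.findall(r"\\x([0-9a-fA-F]{2})", text))


def decode_jmp(code, offset=0, bits=32):
    """Decode a short (EB rel8) or near (E9 rel32) relative jmp at `offset`.

    Returns (instruction_length, text). The target is computed the way the CPU
    does it: address of the next instruction plus the sign-extended displacement,
    wrapped to the operand size, so a backward jump from 0 wraps to 0xffff....
    Only these two opcodes are handled; the "jmp near" spelling is my own.
    """
    mask = (1 << bits) - 1
    op = code[offset]
    if op == 0xEB:
        disp = int.from_bytes(code[offset + 1:offset + 2], "little", signed=True)
        length, mnem = 2, "jmp short"
    elif op == 0xE9:
        disp = int.from_bytes(code[offset + 1:offset + 5], "little", signed=True)
        length, mnem = 5, "jmp near"
    else:
        raise ValueError(f"unsupported opcode {op:#04x} (only EB/E9 handled here)")
    if len(code) < offset + length:
        raise ValueError("truncated instruction")
    target = (offset + length + disp) & mask
    return length, f"{mnem} 0x{target:x}"


def ndisasm_line(code, offset=0, bits=32):
    """Format one decoded jmp like an ndisasm output line: offset, hex bytes, text."""
    length, text = decode_jmp(code, offset, bits)
    hexbytes = code[offset:offset + length].hex().upper()
    return f"{offset:08X}  {hexbytes:<16}  {text}"


if __name__ == "__main__":
    # Same input as the one-liner in the post
    print(ndisasm_line(escaped_to_bytes(r"\xeb\xe0")))
```

Passing bits=64 reproduces what the same bytes mean in 64-bit mode (ndisasm -b 64): the displacement is the same, only the wrap width changes.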

Monday, June 13, 2011

Juniper $9$ the equivalent of Cisco type 7

Some time ago, during a configuration review of a Juniper JUNOS device, I noticed some sort of hash format starting with $9$. Wondering what format was being used, I searched on Google and found a website that was able to recover the password instantly. This means that the password is stored in a reversible format and is not a real hash, but some sort of obfuscation. This is similar to the Cisco type 7 password obfuscation, which uses the Vigenère algorithm. While you can find many tools to decrypt Cisco type 7 passwords, there are no offline tools you could use for Juniper $9$. After some more searching I found a convenient Perl library named Crypt-Juniper, which allows you to decrypt $9$ passwords. While I am not an experienced Perl coder, I wrote the following proof of concept within 5 minutes:

#!/usr/bin/perl
use strict;
use warnings;

# Point @INC at the unpacked Crypt-Juniper distribution
use lib '/some/path/Crypt-Juniper-0.02/lib/';
use Crypt::Juniper;

# The $9$ string is passed as the first command-line argument
die "usage: $0 '\$9\$...'\n" unless @ARGV;
my $hash = $ARGV[0];
my $secret = juniper_decrypt($hash);

print "secret: $secret\n";

Using the script is straightforward:

$ perl juniper-decrypt.pl \$9\$U-iqf36A1cSTzRSreXxDik.Tzn/CuBI
secret: ju&iper123

The current 2.0 beta version of Nipper does not warn you about the $9$ format at all. This issue was reported to Titania, and the upcoming release of Nipper will report use of the $9$ format. Of course the remediation is easy: use MD5-based hashes ($1$ format) on Juniper JUNOS where possible.
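To make the reversibility concrete from the reviewer's side, here is an added Python example (not from the post and not Crypt::Juniper's own code) that implements the $9$ decoding as published in Crypt::Juniper and the junosdecode script, and uses it to audit a constructed JUNOS configuration fragment for reversible secrets, separating them from $1$ MD5 hashes. The $9$ value is the one from the post; the configuration text and the $1$ value are constructed placeholders, and the function names are my own.

```python
import re

# Character families of the $9$ scheme (as published in Crypt::Juniper and the
# junosdecode script). A character's family decides how many filler characters
# follow the first character of the string.
_FAMILY = ["QzF3n6/9CAtpu0O", "B1IREhcSyrleKvMW8LXx",
           "7N-dVbwsY2g4oaJZGUDj", "iHkq.mPf5T"]
_ALPHABET = "".join(_FAMILY)
_INDEX = {c: i for i, c in enumerate(_ALPHABET)}
_EXTRA = {c: 3 - fam for fam, chars in enumerate(_FAMILY) for c in chars}
# Each plaintext byte is rebuilt from 2-4 "gaps" between consecutive characters;
# these are the gap weights, cycled per output byte.
_ENCODING = [[1, 4, 32], [1, 16, 32], [1, 8, 32], [1, 64],
             [1, 32], [1, 4, 16, 128], [1, 32, 64]]


def _gap(prev, cur):
    """Distance from prev to cur in the 65-character alphabet, minus one."""
    return (_INDEX[cur] - _INDEX[prev]) % len(_ALPHABET) - 1


def juniper_decrypt(crypt):
    """Reverse a JUNOS $9$ string; no key is involved, only the tables above."""
    if not crypt.startswith("$9$"):
        raise ValueError("not a $9$ string")
    chars = crypt[3:]
    try:
        first, chars = chars[0], chars[1:]
        chars = chars[_EXTRA[first]:]   # drop the random filler after the first character
        prev, plain = first, ""
        while chars:
            weights = _ENCODING[len(plain) % len(_ENCODING)]
            nibble, chars = chars[:len(weights)], chars[len(weights):]
            if len(nibble) != len(weights):
                raise ValueError("truncated $9$ string")
            gaps = []
            for c in nibble:
                gaps.append(_gap(prev, c))
                prev = c
            plain += chr(sum(g * w for g, w in zip(gaps, weights)) % 256)
    except (KeyError, IndexError) as exc:
        raise ValueError("malformed $9$ string") from exc
    return plain


# Constructed JUNOS configuration fragment for the audit below. The $9$ value is
# the one from the post; the $1$ value is a placeholder, not a real MD5 hash.
SAMPLE_CONFIG = """\
system {
    root-authentication {
        encrypted-password "$9$U-iqf36A1cSTzRSreXxDik.Tzn/CuBI"; ## SECRET-DATA
    }
    login {
        user audit {
            authentication {
                encrypted-password "$1$placeholder$notarealmd5hashxxxxxxx"; ## SECRET-DATA
            }
        }
    }
}
"""

_SECRET_RE = re.compile(r'\$(\d)\$[^\s";]+')


def audit_config(config_text):
    """Flag reversible secrets in JUNOS config text, the check a review tool should do.

    Returns (line_number, format, reversible, plaintext) per secret found; plaintext
    is None for real hashes such as $1$ (MD5), which are listed only for context.
    """
    findings = []
    for n, line in enumerate(config_text.splitlines(), 1):
        for m in _SECRET_RE.finditer(line):
            fmt = "$" + m.group(1) + "$"
            if fmt == "$9$":
                findings.append((n, fmt, True, juniper_decrypt(m.group(0))))
            else:
                findings.append((n, fmt, False, None))
    return findings


if __name__ == "__main__":
    for n, fmt, reversible, plain in audit_config(SAMPLE_CONFIG):
        verdict = f"REVERSIBLE, decodes to {plain!r}" if reversible else "hashed"
        print(f"line {n}: {fmt} {verdict}")
```

The decoder uses nothing but fixed tables, which is the whole point of the finding: anyone who can read the configuration can read the password, so a $9$ line in a config dump should be treated as plaintext credential exposure.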

Wednesday, March 9, 2011

Deluge bittorrent webUI behind reverse proxy

Maybe not strictly security related, but this might be handy for other people who also want to put their Deluge bittorrent webUI behind a reverse proxy. There are several tutorials available on the internet describing how to do this, but none of them work for the latest stable version (1.3.1) of Deluge. The webUI uses a lot of AJAX and gzip compression for some parts, which makes the use of a reverse proxy more complicated. I've used Apache (2.2.16) with the following enabled modules:

authz_host_module
deflate_module
dir_module
filter_module
headers_module
mime_module
proxy_module
proxy_http_module
rewrite_module
ssl_module
unique_id_module

Not all of them are strictly needed for this setup, but most are. The ProxyHTML* directives below come from mod_proxy_html, which has to be loaded as well. Here is the vhost I have configured:

<VirtualHost *:80>

Servername dmz

ProxyRequests off
ProxyHTMLExtended on
ProxyPass /deluge http://127.0.0.1:8112/
ProxyHTMLURLMap http://127.0.0.1:8112 /deluge

Header unset Server

<Location /deluge>
        ProxyPassReverse /
        ProxyPassReverseCookiePath / /deluge/
        SetOutputFilter INFLATE;proxy-html;DEFLATE
        ProxyHTMLURLMap / /deluge/ ec
        ProxyHTMLURLMap /deluge /deluge ec
        ProxyHTMLURLMap ([^*])(\/[^*].*) $1/deluge$2 hRxL
        #ProxyHTMLLogVerbose On
        Order allow,deny
        Allow from all
</Location>

</VirtualHost>

The webUI runs on a Python-based (Twisted) web server on port 8112. The "Header unset Server" line removes the following banner that is normally sent by that web server:

Server: TwistedWeb/10.2.0

The SetOutputFilter line inflates the gzip-compressed data, lets mod_proxy_html rewrite it and deflates it again. If this configuration stops working for a new version of Deluge, the ProxyHTMLLogVerbose option can be uncommented to debug. Also make sure the system running the webUI is able to make outbound connections to the torrent trackers in the torrent file you are uploading, or the webUI will take forever to load a new torrent file. Happy downloading!

Tuesday, January 11, 2011

Quickpost: Running Gentoo and looking for updated John the Ripper ebuild?

I've just written an updated ebuild for John the Ripper, that includes:
- Latest OpenMP patches
- Latest jumbo patch
- Full OpenMPI support
- MSCache2 support

You can find the ebuild in the Pentoo overlay, which contains a lot of useful pentest tools. Enjoy!